Creating Production-Ready Docker Environments for PHP

Using the correct PHP basic image and configuring a secure, performance-optimized Docker environment is the key to achieving production ready. 1. Use php:8.3-fpm-alpine as the basic image to reduce the attack surface and improve performance; 2. Disable dangerous functions through custom php.ini, turn off error display, and enable Opcache and JIT to enhance security and performance; 3. Use Nginx as the reverse proxy to restrict access to sensitive files and correctly forward PHP requests to PHP-FPM; 4. Use multi-stage optimization images to remove development dependencies, and set up non-root users to run containers; 5. Optional Supervisord to manage multiple processes such as cron; 6. Verify that no sensitive information leakage, log output to standard flow, configure health checks, scan for image vulnerabilities, and the application can run independently. Ultimately ensuring that the environment is safe, high performance, maintainability and observability is called production ready.

Setting up a production-ready Docker environment for PHP isn't just about getting your app to run—it's about security, performance, maintenance, and scalability. A lot of tutorials stop at "it works locally," but real production environments demand more. Here's how to build a robust, secure, and efficient Docker setup for PHP that's ready for real-world deployment.

✅ Use the Right PHP Base Image

Start with a minimum, secure base image. Avoid php:latest or development-focused tags like php:8.3-cli .

Recommended:

• php:8.3-fpm-alpine for backend services (lightweight, secure)
• Pair with nginx in a separate container for serving web traffic

Why Alpine?
Smaller attack surface, faster builds, and lower resource usage. But be cautious: some PHP extensions may require extra steps to install in Alpine due to musl vs. glibc.

 FROM php:8.3-fpm-alpine

# Install essential PHP extensions (compiled for Alpine)
RUN apk add --no-cache \
    nginx \
    supervisor \
    postgresql-dev \
    && docker-php-ext-install -j$(nproc) \
    pdo_pgsql \
    opcache \
    && docker-php-ext-enable pdo_pgsql

Avoid RUN apk add --update && pecl install ... unless absolutely necessary—each command increases image size and build time.

? Secure PHP Configuration

Default php.ini settings are not production-safe. Override them explicitly.

Create custom config files:

 ./docker/php/php.ini
./docker/php/opcache.ini

Example php.ini tweaks:

 ; Disable dangerous functions
disable_functions = exec,passthru,shell_exec,system,proc_open,popen

; Limit exposure
expose_php = Off
display_errors = Off
log_errors = On

; Set reasonable limits
upload_max_filesize = 16M
post_max_size = 18M
max_execution_time = 30

Opcache (critical for performance):

 opcache.enable=1
opcache.validate_timestamps=0 ; Only in production (use rolling deploys to clear)
opcache.max_accelerated_files=20000
opcache.memory_consumption=256
opcache.jit=1205 ; Enable JIT in PHP 8

Copy these into the image:

 COPY ./docker/php/php.ini /usr/local/etc/php/conf.d/app.ini
COPY ./docker/php/opcache.ini /usr/local/etc/php/conf.d/opcache.ini

? Use a Reverse Proxy (Nginx) PHP-FPM

Never expose PHP-FPM directly. Use Nginx as a reverse proxy.

Typical structure:

 # docker-compose.yml (for staging/CI)
version: '3.8'
services:
  nginx:
    image: nginx:alpine
    Ports:
      - "80:80"
    Volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf
      - ./public:/var/www/html/public
    depends_on:
      - php

  php:
    build: .
    Volumes:
      - ./:/var/www/html
    environment:
      - APP_ENV=prod

Nginx config highlights:

• Serve only the public/ directory
• Block access to .env , .git , and config files
• Set proper headers (security, caching)
• Pass PHP requests to php:9000

Example location block:

 location ~ \.php$ {
    fastcgi_pass php:9000;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /var/www/html/public$fastcgi_script_name;
    include fastcgi_params;
}

? Optimize for Build and Runtime

Multi-stage builds (if needed for tools like Composer):

 # Build stage
FROM composer:latest AS composer
COPY composer.json composer.lock ./
RUN composer install --no-dev --optimize-autoloader --no-scripts

# Final stage
FROM php:8.3-fpm-alpine
COPY --from=composer /app/vendor ./vendor
COPY . .

Key runtime optimizations:

• Set APP_ENV=prod to enable framework optimizations (eg, Symfony, Laravel)
• Use --optimize-autoloader and --classmap-authoritative in Composer
• Run as non-root user:

   RUN adduser -D -s /bin/sh www
  USER www

?️ Add Supervisord (Optional but Useful)

If you need to run PHP-FPM and cron or other daemons:

 RUN apk add --no-cache supervisor
COPY ./docker/supervisord.conf /etc/supervisor/conf.d/supervisord.conf
CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/conf.d/supervisord.conf"]

Supervisord config:

 [supervisord]
nodaemon=true

[program:php-fpm]
command=php-fpm
stdout_logfile=/dev/stdout
stderr_logfile=/dev/stderr

[program:cron]
command=cron -f

? Test Before Deploying

Before calling it "production-ready," verify:

• [ ] No sensitive info in environment or config
• [ ] Error logs go to stdout/stderr (for Docker logging drivers)
• [ ] Health check is defined:

   HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
    CMD curl -f http://localhost/health || exit 1

• [ ] Image is scanned for vulnerabilities (use docker scan or CI tooling)
• [ ] It works without volume mounts (ie, code is embedded)

---

Final Notes

A production-ready PHP Docker setup balances:

• Security (minimal image, secure configs, non-root user)
• Performance (Opcache, JIT, autoloader optimization)
• Maintainability (clear Dockerfiles, separation of concerns)
• Observability (logs to stdout, health checks)

You don't need Kubernetes on day one, but you do need a solid foundation. Start simple, automatic config, and test like it's already in production.

Basically: if it's not secure, fast, and observable, it's not production-ready.

The above is the detailed content of Creating Production-Ready Docker Environments for PHP. For more information, please follow other related articles on the PHP Chinese website!