Set up App and API Protection for PHP in Docker

This product is not supported for your selected Datadog site. ().

You can enable App and API Protection for PHP services with the following setup options:

  1. If your PHP service already has APM tracing set up and running, then skip to service configuration
  2. If your PHP service doesn't have APM tracing set up, you can easily enable App and API Protection with Datadog's Automatic Installation
  3. Otherwise, keep reading the following manual setup instructions

Overview

App and API Protection leverages the Datadog PHP library to monitor and secure your PHP service. The library integrates seamlessly with your existing application without requiring code changes.

For detailed compatibility information, including supported PHP versions, frameworks, and deployment environments, see PHP Compatibility Requirements.

This guide explains how to set up App and API Protection (AAP) for PHP applications. The setup involves:

  1. Installing the Datadog Agent
  2. Enabling App and API Protection monitoring
  3. Running your PHP application with the Datadog Agent
  4. Verifying the setup

Prerequisites

  • Docker installed on your host
  • PHP application containerized with Docker
  • Your Datadog API key
  • Datadog PHP tracing library (see version requirements)

1. Installing the Datadog Agent

Install the Datadog Agent by following the setup instructions for Docker.

2. Enabling App and API Protection monitoring

Automatically enabling App and API Protection through Remote Configuration

You can enable remote configuration on your services dashboard. Simply check the box for the service you want to enable App and API Protection for under "Activate on your APM services".

Manually enabling App and API Protection monitoring

Add the following to your Dockerfile:

# Install dd-trace-php
RUN curl -LO https://github.com/DataDog/dd-trace-php/releases/latest/download/datadog-setup.php
RUN php datadog-setup.php --php-bin=all
# Enable appsec
ENV DD_APPSEC_ENABLED=true
# Configure your service
ENV DD_SERVICE=<YOUR_SERVICE_NAME>
ENV DD_ENV=<YOUR_ENVIRONMENT>

To disable APM tracing while keeping App and API Protection enabled, you must set the APM tracing variable to false.

Add the following to your Dockerfile:

# Install dd-trace-php
RUN curl -LO https://github.com/DataDog/dd-trace-php/releases/latest/download/datadog-setup.php
RUN php datadog-setup.php --php-bin=all
# Enable appsec
ENV DD_APPSEC_ENABLED=true
# Disable apm
ENV DD_APM_TRACING_ENABLED=false
# Configure your service
ENV DD_SERVICE=<YOUR_SERVICE_NAME>
ENV DD_ENV=<YOUR_ENVIRONMENT>

3. Run your application

Build your image and then run your container.

When running your container, ensure you do the following:

  1. Connect the container to the same Docker network as the Datadog Agent.
  2. Set the required environment variables.
docker run -d \
  --name your-php-app \
  your-php-app-image

4. Verify setup

To verify that App and API Protection is working correctly:

  1. Send some traffic to your application.
  2. Check for security signals and vulnerabilities in the Application Signals Explorer in Datadog.

Troubleshooting

If you encounter issues while setting up App and API Protection for your PHP application, see the PHP App and API Protection troubleshooting guide.

Further Reading

Additional helpful documentation, links, and articles:

How App and API Protection WorksDOCUMENTATION more more OOTB App and API Protection RulesDOCUMENTATION more more Troubleshooting App and API ProtectionDOCUMENTATION more more