
PHP Built-In Web Server - ZnZirconium
https://www.php.net/manual/en/features.commandline.webserver.php
======
mtmail
Ad hoc (one line) HTTP static servers in various programming languages
[https://gist.github.com/willurd/5720255](https://gist.github.com/willurd/5720255)

~~~
IgorPartola
Missed a couple:

    
    
      $ apache2
      $ nginx
    

My point is that while lots of languages include a web server in their
standard library (one of these was a damn install! Like yes you can _pip
/gem/npm/etc install_ a server, that doesn’t make it a one line web server),
it is by no means a one liner any more than the above two examples can be
considered bash one liners.

~~~
the_pwner224
On practically any linux (or mac) you can do $ python -m http.server 8080 to
instantly start up a server in that directory. You can do this in multiple
terminals to have multiple servers on different ports serving multiple
directories. Nginx, Apache require significant configuration and reboot to
apply changes. They're not at all comparable.

~~~
sgc
Apache usually just needs to reload the config file not reboot, and it's also
often only a few lines to get whatever you want done. Reload might take 1/2 a
second, but I doubt it takes even that long. Sure, if you want to load a
module with a bunch of new functionality you might need the 2 seconds it takes
to reboot unless you have thousands of sites, but that has been a rare
experience in the last 7 years or so for me. If you have thousands of sites
you are not using python server anyway. In the end apache config is relatively
easy -- especially to just test stuff quickly --, it's the overall server
security that is more nebulous due to the variety of attack vectors throughout
the stack. I would guess all that is similar on Nginx.

So sure, it is a little easier to just throw out a one liner, but it doesn't
give you an environment that is similar to deploy, so the extra 2 minutes to
open the apache config and reload is worth it to me for the implicit bug
testing going on. Of course none of us has a horse in the race and to each his
own on his own box. But it's fair to keep their names in the conversation at
least.

------
tardismechanic
> Warning This web server was designed to aid application development. It may
> also be useful for testing purposes or for application demonstrations that
> are run in controlled environments. It is not intended to be a full-featured
> web server. It should not be used on a public network.

~~~
phre4k
Want to bet some people will integrate this into their "prod" Docker
containers?

~~~
ClikeX
I smell a Medium article coming up.

~~~
akie
This built-in server has been around since March 2012. If there are any Medium
articles to be written, they're probably out there already.

------
superasn
This is really cool for making local apps which have a web-ui instead of
gtk/electron based ui.

I've been using this in a lot of small tools(1) where I use this server to
load the web-ui in the browser and a PHP script for file IO.

(1) [https://github.com/san-kumar/kanban](https://github.com/san-kumar/kanban)

(2) [https://github.com/san-kumar/devtodo2-web-
extension](https://github.com/san-kumar/devtodo2-web-extension)

~~~
mstade
I've been doing this with singe file html pages that bundle all dependencies
inline, no server necessary. It does put some restrictions on what you can do,
since local files are sandboxed pretty hard, but with all dependencies inlined
(and with WebAssembly you can get pretty crazy, like embedding SQLite in an
html file) you can do quite a lot.

Just the other week I made a little app that loads CSV files from a room
booking system to create monthly reports, which was done manually by the sole
employee of our housing association and took several hours – now it takes
minutes.

It's been my go to way to create easily deployed rich GUI apps for the past
year or so, and is pretty simple to build with a few shell scripts to put it
all together. The resulting html files can be big, but they load really quite
fast and since they're deployed on to a machine and not served over a network
the size doesn't matter that much. It's also _way_ less than an electron
deployment anyway.

~~~
erikw
What is the tooling and workflow you use for this? It's not something that had
occurred to me, but now that you mention it, it seems like something I'd like
to try.

Edit: It looks like none of the major bundlers support this feature out of the
box, but there is a project called in inliner that does exactly this:
[https://github.com/remy/inliner](https://github.com/remy/inliner)

~~~
mstade
Nothing fancy, just a few home grown shell scripts to essentially replace
external dependencies in the html (e.g. script tags or link tags) with the
contents of those files. There's no minifying, optimization, or building or
anything. I only use vanilla js, css and html. The only exception to this is
if I have anything that needs compiling to wasm, which essentially is just
SQLite, but could be anything really.

Because I only deploy these locally on desktops it's pretty much pointless to
build/obfuscate/optimize anything for transport, it's so fast to load anyway
since it's all off the local drive.

Maybe I should write up a how-to or tidy up the workflow and publish, but it's
really nothing fancy.

------
incanus77
I was heavily into PHP in the late 90s and early 00s, including hosting
download mirrors, then left it for years for other tech in non-server areas. I
got back to it recently to start playing with Micropub implementations and
other indieweb stuff and was pleasantly surprised to find this server in
there. It’d been a long while since MAMP and configuring Apache for me so it
was nice to just not have to worry about unearthing that stuff again and hit
the ground running on the actual software.

~~~
Aeolun
To some extend. It running single threaded and doing only one request at a
time is a bit painful.

~~~
rawfan
It's not single threaded. There is `PHP_CLI_SERVER_WORKERS`.

------
adrianpike
Oh man, this sucker. I did some filthy stuff in a legacy PHP codebase using
this to get some ultra basic acceptance and smoke tests in place. It worked
fairly well, but there were a lot of weird edge casees where it didn't _quite_
work like a real webserver. I've got some notes hiding on an old laptop, I
should dust those off and post them up sometime.

------
sleavey
I use this to host a small WordPress blog on my server whenever I want to make
changes that I then compile into static HTML for public access. Works well
enough and avoids the need to lock down a public WordPress instance.

~~~
indigodaddy
So you just fire it up whenever you need to login and write a post, and then
shut it down or?

~~~
sleavey
Yeah, exactly. I edit or write posts once every few weeks or months so this
works for me.

~~~
geek_at
this is the only safe way to use wordpress or drupal imho :D

------
stunt
"You can configure the built-in webserver to fork multiple workers in order to
test code that requires multiple concurrent requests to the built-in
webserver."

The built-in web-server itself was released with PHP 5.4 (2012). The only
thing new about it is support for multiple workers to make it faster for
concurrent request handling. But, it's still only intended for development
environment and testing. I imagine multiple-workers support is very useful
with SPA development, and especially improves testing speed if you run
concurrent tests that rely on built-in web-server.

------
wnevets
this is pretty old, why is it on the frontpage now?

~~~
dylan604
because the are people that run MAMP/WAMP in a production environment?

~~~
wnevets
but this is for dev only

>It is not intended to be a full-featured web server. It should not be used on
a public network.

~~~
dylan604
That's my point. So is MAMP/WAMP. The devs have always stated their setup was
meant for development only, yet lots and lots of novices use a MAMP/WAMP setup
as their production environment.

------
aussieguy1234
I'm considering adding something like this to
[https://expose.sh](https://expose.sh) to serve static sites (like React apps)
publicly in one command.

Something like:

expose serve public

Your site is ready at [https://a3rd.expose.sh](https://a3rd.expose.sh)

Then your static side would be served from localhost over a public URL which
you could then use for demos (or helping your backend guy do the integration).
This wouldn't be too difficult to implement.

~~~
pixelatedindex
Are there any major differences between expose and ngrok? Why would I choose
one over the other?

~~~
milankragujevic
Expose is much cheaper.

~~~
aussieguy1234
Correct. Month to month it's about the same, but no minimum subscription term.

------
aussieguy1234
The PHP built in web server is useful in development. It's not intended for
production. Good for getting a quick example running locally

------
fomine3
I love PHP's buildin web server than other languages for quick use because its
command line is quite easy to remember.

php -S localhost:8080

~~~
aussieguy1234
While not built into node, I like "serve" best in terms of syntax, even if it
only supports static sites.

serve . Done

------
yegle
This sounds like a perfect solution to self-hosting websites (e.g. wiki,
grocy, monica) that's protected by an identity-aware proxy (e.g. Pomerium)
that are expected to receive <1qps traffic.

(Most of my self-hosted web services are written in Go, I've being able to
stay nginx-free thanks to Go's built-in web server.)

------
romanovcode
I don't get it. This is since 5.4 which is like 6 years ago.

~~~
ourcat
I wonder if the 'news' is the 7.4.0 change that allows for configuration for
multiple concurrent requests, by spinning-up numbers of workers as needed?

------
major505
/well this will help when running it from a docker container.

~~~
paledot
That was my thought too (the sarcasm). This was amazing when it was
introduced, but in the age of Docker it's no longer really relevant to
bootstrapping a basic dev environment.

~~~
hrktb
It is still nice for quickly running something and get rid of it. For instance
an ad-hoc script mocking an API endpoint that you can run on an arbitrary port
in seconds.

PS: a few years ago docker was not deemed production ready, and people only
used it as dev/testing environment. I find it funny that the reverse is
sometimes happening, where people prefer running this webserver locally for
speed and eventual debugging, while production runs on containers.

~~~
chromedev
> It is still nice for quickly running something and get rid of it. For
> instance an ad-hoc script mocking an API endpoint that you can run on an
> arbitrary port in seconds.

That is one of the many things Docker and Docker Compose are good at. If you
have a docker-compose.yml file you can do just that with any web server
backend.

~~~
hrktb
Say you wrote your 10 lines script that mocks your third party endpoint.

running it on port 7659 is

> php -S 0.0.0.0:7659 scripts/test.php

and done.

Compared to this one liner, the proposition is making a dockerfile with a base
image, perhaps your local extensions if you had to compile them, and
configuration if you changed from the default one.

Then a docker-compose to share your local file, which references the previous
Dockerfile, and specifies the right port. Knowing if your testfile is not self
contained, you’d need to map any services it needs to access to.

Then you run the whole.

It is by no mean complicated, and you could keep around a template of all of
that around in case you need it (or you copy it from your main application’s
docker files, and modify if you need to it more lax). As you say it also gives
you more freedom. It’s just a tad more tedious than literally one line.

~~~
paledot
That's a fair use case, although I might still wrap that one-liner in a Docker
container because the service consuming the mock is probably Dockerized. But
indeed it doesn't make sense to configure and run another nginx container just
for that 10-line mock.

------
jrururufuf666
php is great and this is not news. all the haters go to your hipster
frameworks and spend the time i need to build an app with just setting up your
boilerplates.

------
tinus_hn
As this apparently has been around for a while, hows the security of this
server?

------
guanzo
The node examples can be true one liners if you use npx

------
onion2k
I have an absolute hatred of putting unused code on a production server,
especially if it's something that can listen to network traffic. It's such an
unnecessary risk. The fact that you don't appear to be able to set PHP up in a
way that disables the use of this thing feels _horrible_. There's no way I'd
ever want to run PHP outside of a container that I have control over which few
ports are mapped to now.

~~~
7demons
Time to take some medication maybe? Such hatred against programming language
is not normal.

~~~
onion2k
I don't hate the programming language. PHP is a great language that I used for
a decade before moving over to the frontend. I don't use it any more but I
work in a company that does and I see good results when it's deployed. This is
not about PHP (or Python, or Ruby, as they also have built-in httpd servers).

What I hate is the idea of putting something on a server that's going to make
my life _harder_ , or create more work for my team. I don't want the
developers I work with having to give up their evenings or weekends to resolve
issues and incidents that arose from things shouldn't have existed in the
first place. That's why I don't want additional network services sneaking
their way on to production. I should _very easily_ be able to tell which
applications on a server are listening to external traffic.

Maintaining good security is hard enough without language runtimes including
things that should strictly only ever be a development dependency rather than
a production dependency.

If there are pills I can take to make this problem go away, sign me up.

~~~
Sysosmaster
How does a feature of the Command line version of php impact developers?
Developers should not run applications on production machines themselves
(either its a script, a deployement agent / engine or a operations guy that
does that work (including devops guy with operations)).

As for security you must keep up with the capabilities of the tools you use.
Php has been able to run as a webserver for years (even before 5) all they did
is implement a good sane dev server to run php code without setting up a
complex php environment (that is probably less secure).

