# PHP on Fly.io

This guide will walk you through installing and setting up Zen Firewall by Aikido for your application. Follow the steps below to protect your application.

If you encounter any issues or problems, don't hesitate to reach out on support chat or GitHub issues:

<https://github.com/AikidoSec/firewall-php>

## Requirements

* PHP 7.2+ (tested up to PHP 8.5).
* Fly.io PHP deployment runtime.
* [Aikido account](/getting-started/setting-up-your-account.md) & [Zen Firewall token](/zen-firewall/zen-installation-instructions/creating-an-aikido-zen-firewall-token.md)

## Installation & Configuration

{% stepper %}
{% step %}
**Install Zen Firewall by Aikido**

Set Fly secrets:

```bash
fly secrets set AIKIDO_TOKEN=AIK_RUNTIME_...
fly secrets set AIKIDO_BLOCK=false
```

Create `.fly/scripts/aikido.sh`:

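```bash
#!/usr/bin/env bash
# Stop at the first failing command so a bad download is never installed.
set -euo pipefail
cd /tmp
# -f makes curl fail on an HTTP error instead of saving the error page as the .deb.
curl -fL -O https://github.com/AikidoSec/firewall-php/releases/latest/download/aikido-php-firewall.x86_64.deb
# -E skips the install if the same package version is already installed.
dpkg -i -E ./aikido-php-firewall.x86_64.deb
```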

Deploy:

```bash
fly deploy
```
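
The install script above fetches whatever `latest` points to at deploy time and installs it without an integrity check. As an added example (not Aikido's own script), this variant pins one release and verifies its SHA-256 before `dpkg` runs; the `AIKIDO_TAG` and `AIKIDO_DEB_SHA256` variables, the helper names, and the assumption that the pinned release uses the same asset name are illustrative.

```shell
#!/usr/bin/env bash
# Added example: pinned, checksum-verified variant of .fly/scripts/aikido.sh.
set -eu

# Assumptions: AIKIDO_TAG is the release tag you reviewed, AIKIDO_DEB_SHA256 the
# SHA-256 you computed for that release's .deb. Both are placeholders here.
AIKIDO_TAG="${AIKIDO_TAG:-}"
AIKIDO_DEB_SHA256="${AIKIDO_DEB_SHA256:-}"
AIKIDO_DEB="aikido-php-firewall.x86_64.deb"

# verify_sha256 FILE EXPECTED_HEX: succeeds only if FILE hashes to EXPECTED_HEX.
verify_sha256() {
    [ -f "$1" ] || return 1
    # An empty or malformed pin must fail, never match by accident.
    printf '%s' "$2" | grep -Eq '^[0-9a-fA-F]{64}$' || return 1
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# release_url TAG: URL of a fixed release asset instead of the moving "latest".
release_url() {
    printf 'https://github.com/AikidoSec/firewall-php/releases/download/%s/%s\n' \
        "$1" "$AIKIDO_DEB"
}

install_pinned() {
    workdir=$(mktemp -d)
    # -f: fail on an HTTP error instead of saving the error page as the .deb.
    curl -fsSL -o "$workdir/$AIKIDO_DEB" "$(release_url "$AIKIDO_TAG")"
    if ! verify_sha256 "$workdir/$AIKIDO_DEB" "$AIKIDO_DEB_SHA256"; then
        echo "aikido.sh: checksum mismatch, refusing to install" >&2
        rm -rf "$workdir"
        return 1
    fi
    dpkg -i -E "$workdir/$AIKIDO_DEB"
    rm -rf "$workdir"
}

# Without both pins nothing is installed: no fallback to an unverified download.
if [ -n "$AIKIDO_TAG" ] && [ -n "$AIKIDO_DEB_SHA256" ]; then
    install_pinned
else
    echo "aikido.sh: AIKIDO_TAG / AIKIDO_DEB_SHA256 not set, skipping install" >&2
fi
```

Compute the pin with `sha256sum` on a trusted machine after reviewing the release, and update both values together when you upgrade.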

{% endstep %}

{% step %}
**Verify installation**

Check module status:

```bash
fly ssh console
php -i | grep "aikido support"
```

Expected output includes `aikido support => enabled`.
{% endstep %}

{% step %}
**Enable Request Blocking and User Identification**

Use this middleware to enable rate limiting, user identification, and blocking features.

Zen Firewall does not require this middleware to block attacks. Core attack protection works without it. The middleware provides additional request context that Zen uses for protections such as [rate limiting](/zen-firewall/zen-features/setting-up-rate-limiting-for-routes.md), [user blocking](/zen-firewall/zen-features/blocking-users-with-zen-firewall.md), [bot blocking](/zen-firewall/zen-features/blocking-bot-traffic-with-zen-firewall.md), [country blocking](/zen-firewall/zen-features/blocking-traffic-by-country-with-zen-firewall.md), and [threat actor](/zen-firewall/zen-features/blocking-known-threat-actors-with-zen-firewall.md) blocking.

Adapt the example to fit how your application identifies users and handles requests.

Use `set_user` and `should_block_request` in your request pipeline:

```php
if (extension_loaded('aikido')) {
    // Associate the current request with the authenticated user.
    \aikido\set_user('123', 'John Doe');

    // Ask Zen whether this request should be blocked or rate limited.
    $decision = \aikido\should_block_request();

    if ($decision->block && $decision->type === 'blocked') {
        http_response_code(403);
        exit('You are blocked by Zen.');
    }

    if ($decision->block && $decision->type === 'ratelimited') {
        http_response_code(429);
        exit('You are rate limited by Zen.');
    }
}
```
  {% endstep %}

{% step %}
**Test your app**

Browse to your application and perform a couple of actions or open a couple of pages. Zen will automatically discover the routes in your application.

{% hint style="info" %}
Zen sends data back to Aikido every 10 minutes.
{% endhint %}

You can verify a working agent by looking at the following pages of your Zen application:

* **Events**: Should show an "Application started" event.
* **Routes**: After some time your application routes will start showing here with the method, route and requests.
* **Instances**: Should show the number of active instances for your application where Zen is installed.

<figure><img src="/files/tO7ZAiU8osR8xfqQABXA" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}
**Set up rate limiting in the dashboard**

Once you've added the Zen Firewall middleware, you can test protecting a route from brute force attacks by setting up a rate limit in the Aikido Dashboard:

1. Click on the created app.
2. Go to the **Routes** tab.
3. Find the route you would like to limit and click **Setup rate limiting**.
4. Follow the instructions to configure the rate limit (e.g., 5 requests per minute).

![API route management interface showing authentication routes with protection and rate limiting options.](/files/H4qm2eKvNG6xE7CatJh7)

![Set rate limiting for POST /auth/login to 5 requests per minute.](/files/3qBu7NWaVSbX5ok6o7FN)

**Verify Rate Limiting**

Start your app and try to access the route you've rate limited 5 times within a minute. After the fifth attempt, you should receive a rate limit error:

```
You are rate limited by Aikido firewall. (Your IP: 1.2.3.4)
```

{% endstep %}

{% step %}
**Next steps**

Congrats, you've successfully installed Zen Firewall. If you encountered any problems, have concerns or feature requests, don't hesitate to reach out to support.

You can now go and explore the many features that Zen Firewall provides:

* [Blocking Bot traffic with Zen Firewall](/zen-firewall/zen-features/blocking-bot-traffic-with-zen-firewall.md)
* [Blocking or Monitoring Tor traffic with Zen Firewall](/zen-firewall/zen-features/blocking-tor-traffic-with-zen-firewall.md)
* [Tracking Users with Zen Firewall](/zen-firewall/zen-features/blocking-users-with-zen-firewall.md)
* [Blocking Known Threat Actors with Zen Firewall](/zen-firewall/zen-features/blocking-known-threat-actors-with-zen-firewall.md)
* [Blocking Traffic by Country with Zen Firewall](/zen-firewall/zen-features/blocking-traffic-by-country-with-zen-firewall.md)
* [Setting Up Rate Limiting for Routes](/zen-firewall/zen-features/setting-up-rate-limiting-for-routes.md)
* [Monitor Outbound Domains](/zen-firewall/zen-features/monitor-outbound-domains.md)

Additional information:

* [Zen Performance & Reliability](/zen-firewall/miscellaneous/how-zen-works-performance-reliability.md)
* [Blocking vs Detection Mode in Zen Firewall](/zen-firewall/zen-features/blocking-vs-detection-mode-in-zen-firewall.md)
* [Understanding Your Zen Statistics](/zen-firewall/zen-features/understanding-your-zen-statistics.md)
  {% endstep %}
  {% endstepper %}

