search
Changelog NotificationsAPIAikido login

FrankenPHP (Laravel Octane)

This guide will walk you through installing and setting up Zen Firewall by Aikido for your application. Follow the steps below to protect your application.

If you encounter any issues or problems, don't hesitate reach out on support chat or Github issues

https://github.com/AikidoSec/firewall-phparrow-up-right

hashtag
Requirements

hashtag
Installation & Configuration

1

hashtag
Install Zen Firewall by Aikido

Zen for FrankenPHP is installed as a system package.

Prerequisites:

  • Ensure you have sudo privileges.

  • Use a supported FrankenPHP version (8.2+).

For Red Hat-based systems (RHEL, CentOS, Fedora):

rpm -Uvh --oldpackage https://github.com/AikidoSec/firewall-php/releases/latest/download/aikido-php-firewall.x86_64.rpm

For Red Hat-based arm64 / aarch64:

rpm -Uvh --oldpackage https://github.com/AikidoSec/firewall-php/releases/latest/download/aikido-php-firewall.aarch64.rpm

For Debian-based systems (Debian, Ubuntu):

curl -L -O https://github.com/AikidoSec/firewall-php/releases/latest/download/aikido-php-firewall.x86_64.deb
dpkg -i -E ./aikido-php-firewall.x86_64.deb

For Debian-based arm64 / aarch64:

curl -L -O https://github.com/AikidoSec/firewall-php/releases/latest/download/aikido-php-firewall.aarch64.deb
dpkg -i -E ./aikido-php-firewall.aarch64.deb
2

hashtag
Start Zen Firewall in dry / detection-only mode

hashtag
Via Laravel Sail

Download Aikido installation package

In docker/version/Dockerfile:

ARG AIKIDO_VERSION=1.5.2

RUN curl -L -o /tmp/aikido-php-firewall.deb \
    "https://github.com/AikidoSec/firewall-php/releases/download/v${AIKIDO_VERSION}/aikido-php-firewall.$(uname -m).deb"

Pass the Aikido environment variables to FrankenPHP in Octane Caddyfile and configure the worker

In vendor/laravel/octane/src/Commands/stubs/Caddyfile:

{$CADDY_SERVER_SERVER_NAME} {
    route {
        php_server {
            env AIKIDO_TOKEN "AIK_RUNTIME_...."
            env AIKIDO_BLOCK "True"
        }
    }
}

Call \aikido\worker_rinit() and \aikido\worker_rshutdown() in Octane worker script

Wrap your request handler with these calls to ensure Aikido processes each request.

In vendor/laravel/octane/bin/frankenphp-worker.php:

<?php

// ... Octane bootstrap ...

$handleRequest = static function () use ($worker, $frankenPhpClient, $debugMode) {
    \aikido\worker_rinit();
    // Octane request handling logic
    \aikido\worker_rshutdown();
};

while ($requestCount < $maxRequests && frankenphp_handle_request($handleRequest)) {
    $requestCount++;
}

In docker/version/start-container, add the following installation steps towards the end of the script:

ls -sf /var/www/html/frankenphp /usr/bin/frankenphp
dpkg -i -E ./aikido-php-firewall.$(uname -m).deb

Now you can start Sail:

./vendor/bin/sail up --build

hashtag
Via Docker Image

Install Aikido in your Dockerfile

FROM dunglas/frankenphp:php${PHP_VERSION}-bookworm

ARG AIKIDO_VERSION=1.5.2

RUN apt-get update && apt-get install -y curl \
    && curl -L -o /tmp/aikido-php-firewall.deb \
    "https://github.com/AikidoSec/firewall-php/releases/download/v${AIKIDO_VERSION}/aikido-php-firewall.$(uname -m).deb" \
    && dpkg -i /tmp/aikido-php-firewall.deb \
    && rm /tmp/aikido-php-firewall.deb \
    && apt-get clean

COPY . /app

ENTRYPOINT ["php", "artisan", "octane:frankenphp"]

Pass the Aikido environment variables to FrankenPHP in Octane Caddyfile and configure the worker

In vendor/laravel/octane/src/Commands/stubs/Caddyfile:

{$CADDY_SERVER_SERVER_NAME} {
    route {
        php_server {
            env AIKIDO_TOKEN "AIK_RUNTIME_...."
            env AIKIDO_BLOCK "True"
        }
    }
}

Call \aikido\worker_rinit() and \aikido\worker_rshutdown() in Octane worker script

Wrap your request handler with these calls to ensure Aikido processes each request.

In vendor/laravel/octane/bin/frankenphp-worker.php:

<?php

// ... Octane bootstrap ...

$handleRequest = static function () use ($worker, $frankenPhpClient, $debugMode) {
    \aikido\worker_rinit();
    // Octane request handling logic
    \aikido\worker_rshutdown();
};

while ($requestCount < $maxRequests && frankenphp_handle_request($handleRequest)) {
    $requestCount++;
}

Start the container

docker run -e AIKIDO_TOKEN="AIK_RUNTIME_..." your-app

We recommend to start your app in dry mode to ensure it works as expected without blocking any requests. We advise running Zen Firewall in staging for two weeks to avoid false positives.

env AIKIDO_BLOCK "False"
circle-info

You can define an environment variable AIKIDO_DEBUG=true to enable debug mode for more detailed information about what the agent is doing. For more information about your environment variables: Configuration via Environment Variables

For example

AIKIDO_TOKEN=AIK_RUNTIME_...
AIKIDO_BLOCK=false

Restart your FrankenPHP process manager/web server after changes.

3

hashtag
Test your app

Browse to your application and perform a couple of actions or open a couple of pages. Zen will automatically discover the routes in your application.

You can verify a working agent by looking at the following pages of your Zen application:

  • Events: Should show an "Application started" event.

  • Routes: After some time your application routes will start showing here with the method, route and requests.

  • Instances: Should show the number of active instances for your application where Zen is installed.

4

hashtag
Enable Rate limiting and User blocking

Use should_block_request in your request pipeline:

if (extension_loaded('aikido')) {
    \aikido\set_user('123', 'John Doe');

    $decision = \aikido\should_block_request();

    if ($decision->block && $decision->type === 'blocked') {
        http_response_code(403);
        exit('You are blocked by Zen.');
    }

    if ($decision->block && $decision->type === 'ratelimited') {
        http_response_code(429);
        exit('You are rate limited by Zen.');
    }
}
5

hashtag
Setup rate limiting in the dashboard

After you've added the Zen Firewall middleware, you can test it out by logging in to your Aikido account and navigating to the Zen dashboard.

Agent start event logged with info severity and timestamp shown.

To protect a route from brute force attacks, set up rate limiting in the Aikido Dashboard:

  1. Click on the created app.

  2. Go to the Routes tab.

  3. Find the route you would like to limit and click Setup rate limiting.

  4. Follow the instructions to configure the rate limit (e.g., 5 requests per minute).

API route management interface showing authentication routes with protection and rate limiting options.
Set rate limiting for POST /auth/login to 5 requests per minute.

Verify Rate Limiting

Start your app and try to access the route you've rate limited 5 times within a minute. After the fifth attempt, you should receive a rate limit error:

You are rate limited by Aikido firewall. (Your IP: 1.2.3.4)
6

hashtag
Next steps

Congrats you've successfully installed Zen Firewall. If you encountered any problems, have concerns or feature requests, don't hesitate to reach out to support.

You can now go and explore the many features that Zen Firewall provides:

Additional information:

Last updated

Was this helpful?