BookStack Code Mirror - website/blob - content/docs/admin/upload-config.md

1 +++

2 title = "Configuring File Uploads"

3 description = "Configuration for files uploads such as images and attachments"

4 date = "2018-01-12"

5 type = "admin-doc"

6 +++

7

8 BookStack allows users to upload both images for content and files as attachments.

9

10 {{<toc>}}

11

12 **For information relating to security for file uploads please refer to the [Security Page](/docs/admin/security).**

13

14 ---

15

16 ### Storage Options

17

18 Within BookStack there are a few different options for storing files:

19

20 * [**local**](#local) (Default)

21 - Files are stored on the server running BookStack.

22 - Images are publicly accessible, served by your web-sever.

23 - Attachments are secured behind BookStack's permission control.

24 * [**local_secure**](#local-secure)

25 - Same as local option but images are served by BookStack, with authentication (login required) on image requests.

26 - Is only useful while the BookStack "Public Access" setting is disabled.

27 - More system resource intensive than the default "local" option thus could induce performance issues.

28 - Attachments are secured behind BookStack's permission control.

29 * [**local_secure_restricted**](#local-secure---restricted)

30 - Same as local option but image access is controlled by user access permission to the item an image is uploaded to.

31 - Is the most system resource intensive and could induce performance issues.

32 - Has logical side-affects that can hinder ease-of-use.

33 - Attachments are secured behind BookStack's permission control.

34 * [**s3**](#s3)

35 - Store files externally on Amazon S3 (or [S3 compatible system](#non-amazon-s3-compatible-services)).

36 - Images are made publicly accessible on upload.

37 - Attachments are secured behind BookStack's permission control, as long as files are not exposed via other means.

38

39 For all options you can use the 'Enable higher security image uploads' in-app admin setting which appends a random string to each uploaded image name to make URL's hard to guess.

40

41 #### Local

42

43 This is the default storage mechanism in BookStack that stores uploads on the local filesystem.

44 It can be forced by setting the following in your `.env` file:

45

46 ```bash

47 STORAGE_TYPE=local

48 ```

49

50 * Image uploads location: `<bookstack_install_dir>/public/uploads/images`.

51 * Attachment uploads location: `<bookstack_install_dir>/storage/uploads/files`.

52

53 #### Local (Secure)

54

55 This storage option stores uploads on the local filesystem but does so in a non-publicly exposed folder,

56 where images are only served from if the user is logged-in to BookStack.

57 The local secure option can be enabled by setting the following in your `.env` file:

58

59 ```bash

60 STORAGE_TYPE=local_secure

61 ```

62

63 After setting this option ensure you test system performance creating a page with many images and reload on that page multiple times to ensure your server can keep up with the

64 multitude of image requests.

65

66 * Image uploads location: `<bookstack_install_dir>/storage/uploads/images`.

67 * Attachment uploads location: `<bookstack_install_dir>/storage/uploads/files`.

68

69 Refer to the [Migrating to “Secure” Images](#migrating-to-secure-images) for details about switching to this with existing file uploads.

70

71 #### Local (Secure - Restricted)

72

73 This option stores uploads on the local filesystem but controls access to image files based upon the

74 user having permission to view the content that the image has been uploaded to.

75

76 **Note:** This option is relatively new to BookStack and currently considered somewhat experimental.

77

78 Due to the rather restrictive & granular permission control enforced by this option, various logical scenarios can be encountered

79 that cause image visibility anomalies. For example if a page, with images uploaded to it, is copied to a new page with different

80 visibility permissions, you could have users that are able to see that page but the images within may not load, since their

81 visibility will remain controlled by the original source page. Another example is that deleting a page, where images were uploaded to, will prevent any user access to the related images.

82

83 This option can be enabled by setting the following in your `.env` file:

84

85 ```bash

86 STORAGE_TYPE=local_secure_restricted

87 ```

88

89 After setting this option ensure you test system performance creating a page with many images and reload on that page

90 multiple times to ensure your server can keep up with the multitude of image requests.

91

92 * Image uploads location: `<bookstack_install_dir>/storage/uploads/images`.

93 * Attachment uploads location: `<bookstack_install_dir>/storage/uploads/files`.

94

95 Refer to the [Migrating to “Secure” Images](#migrating-to-secure-images) for details about switching to this with existing file uploads.

96

97 #### S3

98

99 The Amazon S3 option can be enabled by setting the following in your `.env` file:

100

101 ```bash

102 STORAGE_TYPE=s3

103 STORAGE_S3_KEY=your-s3-key

104 STORAGE_S3_SECRET=your-s3-secret

105 STORAGE_S3_BUCKET=s3-bucket-name

106 STORAGE_S3_REGION=s3-bucket-region

107 ```

108

109 For performance reasons uploaded images are made public upon upload to your S3 bucket and fetched directly by the end user when viewing an image on BookStack. Attachments are not made public and are instead fetched by BookStack upon request. Exact security will depend on the configuration and policies of your bucket.

110

111 * Image uploads location: `<your_bucket>/uploads/images`.

112 * Attachment uploads location: `<your_bucket>/uploads/files`.

113

114 By default BookStack will generate a valid Amazon S3 URL for uploaded images. If you'd prefer to use a different URL, that you have pointed at your bucket, you can add the below option to your `.env` file which will be used as a base URL for all image uploads:

115

116 ```bash

117 STORAGE_URL=https://images.example.com

118 ```

119

120 #### Non-Amazon, S3 Compatible Services

121

122 Via the `s3` connection BookStack does support S3-compatible services such as [Minio](https://www.minio.io/). Read the above S3 details to get an idea of general setup.

123 For non-Amazon services the configuration, to be placed in the `.env` file, is a little different:

124

125 ```bash

126 STORAGE_TYPE=s3

127 STORAGE_S3_KEY=your-service-key

128 STORAGE_S3_SECRET=your-service-secret-key

129 STORAGE_S3_BUCKET=your-service-bucket-name

130

131 STORAGE_S3_ENDPOINT=https://your-service-base-endpoint.com:8080

132 STORAGE_URL=https://your-service-base-endpoint.com:8080/your-service-bucket-name

133 ```

134

135 Take note of how the first part of the `STORAGE_URL` path is the bucket name. This is important to ensure image URLs are set correctly.

136

137 BookStack's functionality to set image URL's as publicly accessible will likely not work for third-party services so you'll need to ensure files under the `<your_bucket>/uploads/images` path have policy or permissions to be publicly accessible. If using Minio you can add the following to the bucket policy:

138

139 ![Minio Bucket Policy](/images/2019/01/minio_s3_policy.png)

140

141 #### Separate Image and Attachment Storage

142

143 If you'd prefer to store images and attachments via different storage options, you can use the below `.env` options to do so:

144

145 ```bash

146 # Image storage system to use

147 # Defaults to the value of STORAGE_TYPE if unset.

148 # Accepts the same values as STORAGE_TYPE.

149 STORAGE_IMAGE_TYPE=local

150

151 # Attachment storage system to use

152 # Defaults to the value of STORAGE_TYPE if unset.

153 # Accepts the same values as STORAGE_TYPE although 'local' will be forced to 'local_secure'.

154 STORAGE_ATTACHMENT_TYPE=local_secure

155 ```

156

157 ---

158

159 ### Migrating to "Secure" Images

160

161 ***Back-up your BookStack instance before attempting any migration***

162

163 If you are migrating to the `STORAGE_TYPE=local_secure` or `STORAGE_TYPE=local_secure_restricted` options, with existing images, you will need to **move** all content from your previous image storage location (see above) to the `storage/uploads/images` folder within your BookStack instance.

164

165 **Do not simply copy and leave content** in the `public/uploads/images` as those images will still be publicly accessible.

166

167 After completing this migration you must re-upload the 'Application Icon' and 'Application Logo' images found in `Settings > Customization`, since these need to remain publicly accessible.

168

169 ---

170

171 ### Changing Upload Limits

172

173 By default, a lot of server software has strict limits on upload sizes which causes errors when users upload new content. BookStack enforces its own limit but there may also be limits configured as part of PHP and your web sever software. If you run into problems with upload size limits follow the below details for BookStack, PHP and whichever web server you use.

174

175 #### BookStack

176

177 The upload limit in BookStack is configured through an option in your `.env` file.

178 Find or add the follow option then configure to your requirements.

179

180 ```bash

181 # File Upload Limit

182 # Maximum file size, in megabytes, that can be uploaded to the system.

183 FILE_UPLOAD_SIZE_LIMIT=50

184 ```

185

186 #### PHP

187

188 PHP has two main variables which effect upload limits. Find your `php.ini` file and look for the following variables:

189

190 * `post_max_size`

191 * `upload_max_filesize`

192

193 If the values of these variables are low increase them to something sensible that's not too high to cause issues. Unless you need something higher 10MB is a sensible value to enter for these values:

194

195 ```ini

196 post_max_size = 10M

197 upload_max_filesize = 10M

198 ```

199

200 If wanting to upload files over 128MB, you may also need to adjust your PHP memory limit like so:

201

202 ```ini

203 memory_limit = 256M

204 ```

205

206 After updating these values ensure you restart your webserver and also PHP if using PHP-FPM or something similar.

207

208 #### NGINX

209

210 By default NGINX has a limit of 1MB on file uploads. To change this you will need to set the `client_max_body_size` variable. You can do this either in the http block in your `nginx.conf` file or in the server block set up for BookStack. Here's an example of increasing the limit to 100MB in the http block:

211

212 ```nginx

213 http {

214 #...

215 client_max_body_size 100m;

216 client_body_timeout 120s; # Default is 60, May need to be increased for very large uploads

217 #...

218 }

219 ```

220

221 As per the example above, If you are expecting upload very large files where upload times will exceed 60 seconds you will also need to add the `client_body_timeout` variable with a large value.

222

223 After updating you NGINX configuration don't forget to restart NGINX. You can test the configuration beforehand with `nginx -t`.

224

225 #### Apache

226

227 Apache does not have any built-in limits which you will need to change but something to note is that if you are using apache and mod_php with `.htaccess` files enabled you may be able to set the above PHP variables in your `.htaccess` file like so:

228

229 ```apache

230 php_value upload_max_filesize 10M

231 php_value post_max_size 10M

232 ```