setting STORAGE_TYPE to local_secure or local_secure_restricted breaks images

vmario89 commented 1 month ago

Attempted Debugging

[X] I have read the debugging page

Searched GitHub Issues

[X] I have searched GitHub for the issue.

Describe the Scenario

When changing the production environment file .env to use secured image storage location, some images will never work:

Logo and favicon are fine (after setting them again)
avatars are broken (newly created ones and the old ones, after moving!)
drawio images are broken (newly created ones and the old ones, after moving!)
attachments are working

before that migration from (local), everything was fine

i read the docs 10 times, searched 2 hours on the web, checked alot of stuff like

dir owers
dir permissions
existings dirs
nginx config
.env config
resetting cache
using private browser sessions
using different browser
checking the browser dev console

my nginx setup (redacted):

server {
    server_name wiki.redacted.org;
    listen 443 ssl;
    listen [::]:443 ssl;

    include /etc/nginx/ssl-config.conf;

    add_header X-Frame-Options SAMEORIGIN always;
    add_header X-Xss-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy same-origin always;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header Permissions-Policy "fullscreen=(self), geolocation=*, camera=()";

    error_log /var/log/nginx/wiki.redacted.org.error.log;

    client_max_body_size 50M; #adjusted for larger uploads like photos or PDFs

    index index.php index.html;

    root /var/www/vhosts/wiki.redacted.org/public;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass unix:/var/run/php/php8.3-fpm.sock; 
    }

    location /uploads {
        autoindex off;
    }
}

server {
    listen 80;
    listen [::]:80;
    server_name wiki.redacted.org;
    location / {
        return 301 https://wiki.redacted.org$request_uri;
        }
}

my .env:

APP_KEY=redacted
APP_URL=https://wiki.redacted.org

DB_HOST=localhost
DB_DATABASE=bookstack
DB_USERNAME=bookstack
DB_PASSWORD=redacted

MAIL_DRIVER=smtp
MAIL_FROM_NAME="redacted"
MAIL_FROM=wiki.noreply@redacted.org
MAIL_HOST=smtp.redacted.org
MAIL_PORT=587
MAIL_USERNAME=redacted@redacted.org
MAIL_PASSWORD=redacted
MAIL_ENCRYPTION=tls

######## non-standard options
APP_ENV=production
APP_LANG=de
APP_AUTO_LANG_PUBLIC=true
APP_TIMEZONE=Europe/Berlin
APP_DEBUG=true

# https://www.bookstackapp.com/docs/admin/security/
# https://www.bookstackapp.com/docs/admin/upload-config/#local-secure---restricted
STORAGE_TYPE=local_secure_restricted
STORAGE_IMAGE_TYPE=local_secure_restricted
STORAGE_ATTACHMENT_TYPE=local_secure_restricted
# 50 MB Upload
FILE_UPLOAD_SIZE_LIMIT=50
ALLOW_ROBOTS=true
SESSION_SECURE_COOKIE=true
ALLOWED_IFRAME_HOSTS="https://redacted.org https://redacted.de"
ALLOWED_IFRAME_SOURCES="https://*.draw.io https://*.youtube.com https://*.youtube-nocookie.com https://*.vimeo.com https://*.redacted.org https://*.redacted.de https://redacted.org https://redacted.de"
LOG_FAILED_LOGIN_MESSAGE="Failed login for %u"
#ALLOW_UNTRUSTED_SERVER_FETCHING=false

IP_ADDRESS_PRECISION=2

AVATAR_URL=https://seccdn.libravatar.org/avatar/${hash}?s=${size}&d=identicon

CACHE_DRIVER=memcached
SESSION_DRIVER=memcached
MEMCACHED_SERVERS=127.0.0.1:11211:100

REDIS_SERVERS=127.0.0.1:6379:0

# Session lifetime in minutes
SESSION_LIFETIME=240

EXPORT_PAGE_SIZE=a4

APP_DEFAULT_DARK_MODE=false
APP_VIEWS_BOOKS=list
APP_VIEWS_BOOKSHELVES=grid
APP_VIEWS_BOOKSHELF=grid
DRAWIO=true

i messed a lot with different options, disabled and enabled ...

what am i doing wrong? Bookstack never tries to use the storage/uploads/images dir. Instead it still looks for public/uploads/images

i tried this with different roles and users also. i also messed with php artisan commands to clear caches, etc.

Exact BookStack Version

v24.10

Log Content

php-fpm log is fine. no issues here.

nginx error log file: 2024/10/11 11:32:12 [error] 40924#40924: *473689 open() "/var/www/vhosts/wiki.redacted.org/public/uploads/images/user/2024-10/thumbs-80-80/2zlc5xeLywF24gfi-signet-256x256.png" failed (2: No such file or directory), client: 79.198.142.149, server: wiki.redacted.org, request: "GET /uploads/images/user/2024-10/thumbs-80-80/2zlc5xeLywF24gfi-signet-256x256.png HTTP/2.0", host: "wiki.redacted.org", referrer: "https://wiki.redacted.org/my-account/profile"

Hosting Environment

Ubuntu 22 Linux on a netcup vServer
conventional setup WITHOUT Docker
PHP8.3-FPM
nginx

ssddanbrown commented 1 month ago

Hi @vmario89, Can you temporarily try commenting-out/removing this part of your nginx config?:

    location /uploads {
        autoindex off;
    }

Then see if images start working. Remeber to reload/restart nginx after making the changes.

vmario89 commented 1 month ago

damn that simple snippet fixed it! I thank you very much!

BookStackApp / BookStack