b987bea37a
Is generally aligned with our SAML2 group sync functionality, but for OIDC, based upon feedback in #3004. Needed the tangential addition of being able to define custom scopes on the initial auth request, as some systems use this to provide additional id token claims such as groups. Includes tests to cover. Tested live using Okta.
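# Full list of environment variables that can be used with BookStack.
# Selectively copy these to your '.env' file as required.
# Each option is shown with its default value.
# Do not copy this whole file to use as your '.env' file.

# Application environment
# Can be 'production', 'development', 'testing' or 'demo'
APP_ENV=production

# Enable debug mode
# Shows advanced debug information and errors.
# CAN EXPOSE OTHER VARIABLES, LEAVE DISABLED
APP_DEBUG=false

# Application key
# Used for encryption where needed.
# Run `php artisan key:generate` to generate a valid key.
APP_KEY=SomeRandomString

# Application URL
# This must be the root URL that you want to host BookStack on.
# All URL's in BookStack will be generated using this value.
APP_URL=https://example.com

# Application default language
# The default language choice to show.
# May be overridden by user-preference or visitor browser settings.
APP_LANG=en

# Auto-detect language for public visitors.
# Uses browser-sent headers to infer a language.
# APP_LANG will be used if such a header is not provided.
APP_AUTO_LANG_PUBLIC=true

# Application timezone
# Used where dates are displayed such as on exported content.
# Valid timezone values can be found here: https://www.php.net/manual/en/timezones.php
APP_TIMEZONE=UTC

# Application theme
# Used to specify a themes/<APP_THEME> folder where BookStack UI
# overrides can be made. Defaults to disabled.
APP_THEME=false

# Trusted proxies
# Used to indicate trust of systems that proxy to the application so
# certain header values (Such as "X-Forwarded-For") can be used from the
# incoming proxy request to provide origin detail.
# Set to an IP address, or multiple comma separated IP addresses.
# Can alternatively be set to "*" to trust all proxy addresses.
APP_PROXIES=null

# Database details
# Host can contain a port (localhost:3306) or a separate DB_PORT option can be used.
DB_HOST=localhost
DB_PORT=3306
DB_DATABASE=database_database
DB_USERNAME=database_username
DB_PASSWORD=database_user_password

# MySQL specific connection options
# Path to Certificate Authority (CA) certificate file for your MySQL instance.
# When this option is used host name identity verification will be performed
# which checks the hostname, used by the client, against names within the
# certificate itself (Common Name or Subject Alternative Name).
MYSQL_ATTR_SSL_CA="/path/to/ca.pem"

# Mail system to use
# Can be 'smtp' or 'sendmail'
MAIL_DRIVER=smtp

# Mail sending options
MAIL_FROM=mail@bookstackapp.com
MAIL_FROM_NAME=BookStack

# SMTP mail options
MAIL_HOST=localhost
MAIL_PORT=1025
MAIL_USERNAME=null
MAIL_PASSWORD=null
MAIL_ENCRYPTION=null

# Cache & Session driver to use
# Can be 'file', 'database', 'memcached' or 'redis'
CACHE_DRIVER=file
SESSION_DRIVER=file

# Session configuration
# Set SESSION_SECURE_COOKIE to 'true' when BookStack is only served over HTTPS,
# so the session cookie is never sent over plain HTTP.
SESSION_LIFETIME=120
SESSION_COOKIE_NAME=bookstack_session
SESSION_SECURE_COOKIE=false

# Cache key prefix
# Can be used to prevent conflicts when multiple BookStack instances use the same store.
CACHE_PREFIX=bookstack

# Memcached server configuration
# If using a UNIX socket path for the host, set the port to 0
# This follows the following format: HOST:PORT:WEIGHT
# For multiple servers separate with a comma
MEMCACHED_SERVERS=127.0.0.1:11211:100

# Redis server configuration
# This follows the following format: HOST:PORT:DATABASE
# or, if using a password: HOST:PORT:DATABASE:PASSWORD
# For multiple servers separate with a comma. These will be clustered.
REDIS_SERVERS=127.0.0.1:6379:0

# Queue driver to use
# Can be 'sync', 'database' or 'redis'
QUEUE_CONNECTION=sync

# Storage system to use
# Can be 'local', 'local_secure' or 's3'
STORAGE_TYPE=local

# Image storage system to use
# Defaults to the value of STORAGE_TYPE if unset.
# Accepts the same values as STORAGE_TYPE.
STORAGE_IMAGE_TYPE=local

# Attachment storage system to use
# Defaults to the value of STORAGE_TYPE if unset.
# Accepts the same values as STORAGE_TYPE although 'local' will be forced to 'local_secure'.
STORAGE_ATTACHMENT_TYPE=local_secure

# Amazon S3 storage configuration
STORAGE_S3_KEY=your-s3-key
STORAGE_S3_SECRET=your-s3-secret
STORAGE_S3_BUCKET=s3-bucket-name
STORAGE_S3_REGION=s3-bucket-region

# S3 endpoint to use for storage calls
# Only set this if using a non-Amazon s3-compatible service such as Minio
STORAGE_S3_ENDPOINT=https://my-custom-s3-compatible.service.com:8001

# Storage URL prefix
# Used as a base for any generated image urls.
# An s3-format URL will be generated if not set.
STORAGE_URL=false

# Authentication method to use
# Can be 'standard', 'ldap', 'saml2' or 'oidc'
AUTH_METHOD=standard

# Automatically initiate login via external auth system if it's the only auth method.
# Works with saml2 or oidc auth methods.
AUTH_AUTO_INITIATE=false

# Social authentication configuration
# All disabled by default.
# Refer to https://www.bookstackapp.com/docs/admin/third-party-auth/

AZURE_APP_ID=false
AZURE_APP_SECRET=false
AZURE_TENANT=false
AZURE_AUTO_REGISTER=false
AZURE_AUTO_CONFIRM_EMAIL=false

DISCORD_APP_ID=false
DISCORD_APP_SECRET=false
DISCORD_AUTO_REGISTER=false
DISCORD_AUTO_CONFIRM_EMAIL=false

FACEBOOK_APP_ID=false
FACEBOOK_APP_SECRET=false
FACEBOOK_AUTO_REGISTER=false
FACEBOOK_AUTO_CONFIRM_EMAIL=false

GITHUB_APP_ID=false
GITHUB_APP_SECRET=false
GITHUB_AUTO_REGISTER=false
GITHUB_AUTO_CONFIRM_EMAIL=false

GITLAB_APP_ID=false
GITLAB_APP_SECRET=false
GITLAB_BASE_URI=false
GITLAB_AUTO_REGISTER=false
GITLAB_AUTO_CONFIRM_EMAIL=false

GOOGLE_APP_ID=false
GOOGLE_APP_SECRET=false
GOOGLE_SELECT_ACCOUNT=false
GOOGLE_AUTO_REGISTER=false
GOOGLE_AUTO_CONFIRM_EMAIL=false

OKTA_BASE_URL=false
OKTA_APP_ID=false
OKTA_APP_SECRET=false
OKTA_AUTO_REGISTER=false
OKTA_AUTO_CONFIRM_EMAIL=false

SLACK_APP_ID=false
SLACK_APP_SECRET=false
SLACK_AUTO_REGISTER=false
SLACK_AUTO_CONFIRM_EMAIL=false

TWITCH_APP_ID=false
TWITCH_APP_SECRET=false
TWITCH_AUTO_REGISTER=false
TWITCH_AUTO_CONFIRM_EMAIL=false

TWITTER_APP_ID=false
TWITTER_APP_SECRET=false
TWITTER_AUTO_REGISTER=false
TWITTER_AUTO_CONFIRM_EMAIL=false

# LDAP authentication configuration
# Refer to https://www.bookstackapp.com/docs/admin/ldap-auth/
LDAP_SERVER=false
LDAP_BASE_DN=false
LDAP_DN=false
LDAP_PASS=false
LDAP_USER_FILTER=false
LDAP_VERSION=false
LDAP_START_TLS=false
LDAP_TLS_INSECURE=false
LDAP_ID_ATTRIBUTE=uid
LDAP_EMAIL_ATTRIBUTE=mail
LDAP_DISPLAY_NAME_ATTRIBUTE=cn
LDAP_THUMBNAIL_ATTRIBUTE=null
LDAP_FOLLOW_REFERRALS=true
LDAP_DUMP_USER_DETAILS=false

# LDAP group sync configuration
# Refer to https://www.bookstackapp.com/docs/admin/ldap-auth/
LDAP_USER_TO_GROUPS=false
LDAP_GROUP_ATTRIBUTE="memberOf"
LDAP_REMOVE_FROM_GROUPS=false
LDAP_DUMP_USER_GROUPS=false

# SAML authentication configuration
# Refer to https://www.bookstackapp.com/docs/admin/saml2-auth/
SAML2_NAME=SSO
SAML2_EMAIL_ATTRIBUTE=email
SAML2_DISPLAY_NAME_ATTRIBUTES=username
SAML2_EXTERNAL_ID_ATTRIBUTE=null
SAML2_IDP_ENTITYID=null
SAML2_IDP_SSO=null
SAML2_IDP_SLO=null
SAML2_IDP_x509=null
SAML2_ONELOGIN_OVERRIDES=null
SAML2_DUMP_USER_DETAILS=false
SAML2_AUTOLOAD_METADATA=false
SAML2_IDP_AUTHNCONTEXT=true
SAML2_SP_x509=null
SAML2_SP_x509_KEY=null

# SAML group sync configuration
# Refer to https://www.bookstackapp.com/docs/admin/saml2-auth/
SAML2_USER_TO_GROUPS=false
SAML2_GROUP_ATTRIBUTE=group
SAML2_REMOVE_FROM_GROUPS=false

# OpenID Connect authentication configuration
# Refer to https://www.bookstackapp.com/docs/admin/oidc-auth/
OIDC_NAME=SSO
OIDC_DISPLAY_NAME_CLAIMS=name
OIDC_CLIENT_ID=null
OIDC_CLIENT_SECRET=null
OIDC_ISSUER=null
OIDC_ISSUER_DISCOVER=false
OIDC_PUBLIC_KEY=null
OIDC_AUTH_ENDPOINT=null
OIDC_TOKEN_ENDPOINT=null
# Additional scopes to request on the initial auth request.
# Some providers use extra scopes to include further id token claims, such as groups.
OIDC_ADDITIONAL_SCOPES=null
OIDC_DUMP_USER_DETAILS=false

# OpenID Connect group sync configuration
# Works in the same way as the SAML2 group sync options above.
# OIDC_GROUP_ATTRIBUTE is the id token claim that holds the user's groups
# (a provider may require OIDC_ADDITIONAL_SCOPES for that claim to be included).
# Refer to https://www.bookstackapp.com/docs/admin/oidc-auth/
OIDC_USER_TO_GROUPS=false
OIDC_GROUP_ATTRIBUTE=groups
OIDC_REMOVE_FROM_GROUPS=false

# Disable default third-party services such as Gravatar and Draw.IO
# Service-specific options will override this option
DISABLE_EXTERNAL_SERVICES=false

# Use a custom avatar service; sets the fetch URL
# Possible placeholders: ${hash} ${size} ${email}
# If set, Avatars will be fetched regardless of DISABLE_EXTERNAL_SERVICES option.
# Example: AVATAR_URL=https://seccdn.libravatar.org/avatar/${hash}?s=${size}&d=identicon
AVATAR_URL=

# Enable diagrams.net integration
# Can simply be true/false to enable/disable the integration.
# Alternatively, it can be the URL of the diagrams.net instance you want to use.
# For URLs, the following URL parameters should be included: embed=1&proto=json&spin=1&configure=1
DRAWIO=true

# Default item listing view
# Used for public visitors and users without a preference.
# Can be 'list' or 'grid'.
APP_VIEWS_BOOKS=list
APP_VIEWS_BOOKSHELVES=grid
APP_VIEWS_BOOKSHELF=grid

# Use dark mode by default
# Will be overridden by any user/session preference.
APP_DEFAULT_DARK_MODE=false

# Page revision limit
# Number of page revisions to keep in the system before deleting old revisions.
# If set to 'false' a limit will not be enforced.
REVISION_LIMIT=50

# Recycle Bin Lifetime
# The number of days that content will remain in the recycle bin before
# being considered for auto-removal. It is not a guarantee that content will
# be removed after this time.
# Set to 0 for no recycle bin functionality.
# Set to -1 for unlimited recycle bin lifetime.
RECYCLE_BIN_LIFETIME=30

# File Upload Limit
# Maximum file size, in megabytes, that can be uploaded to the system.
FILE_UPLOAD_SIZE_LIMIT=50

# Export Page Size
# Primarily used to determine page size of PDF exports.
# Can be 'a4' or 'letter'.
EXPORT_PAGE_SIZE=a4

# Allow <script> tags in page content
# Note, if set to 'true' the page editor may still escape scripts.
ALLOW_CONTENT_SCRIPTS=false

# Indicate if robots/crawlers should crawl your instance.
# Can be 'true', 'false' or 'null'.
# The behaviour of the default 'null' option will depend on the 'app-public' admin setting.
# Contents of the robots.txt file can be overridden, making this option obsolete.
ALLOW_ROBOTS=null

# Allow server-side fetches to be performed to potentially unknown
# and user-provided locations. Primarily used in exports when loading
# in externally referenced assets.
# Can be 'true' or 'false'.
ALLOW_UNTRUSTED_SERVER_FETCHING=false

# A list of hosts that BookStack can be iframed within.
# Space separated if multiple. BookStack host domain is auto-inferred.
# For Example: ALLOWED_IFRAME_HOSTS="https://example.com https://a.example.com"
# Setting this option will also auto-adjust cookies to be SameSite=None.
ALLOWED_IFRAME_HOSTS=null

# A list of sources/hostnames that can be loaded within iframes within BookStack.
# Space separated if multiple. BookStack host domain is auto-inferred.
# Can be set to a lone "*" to allow all sources for iframe content (Not advised).
# Defaults to a set of common services.
# Current host and source for the "DRAWIO" setting will be auto-appended to the sources configured.
ALLOWED_IFRAME_SOURCES="https://*.draw.io https://*.youtube.com https://*.youtube-nocookie.com https://*.vimeo.com"

# The default and maximum item-counts for listing API requests.
API_DEFAULT_ITEM_COUNT=100
API_MAX_ITEM_COUNT=500

# The number of API requests that can be made per minute by a single user.
API_REQUESTS_PER_MIN=180

# Enable the logging of failed email+password logins with the given message.
# The default log channel below uses the php 'error_log' function which commonly
# results in messages being output to the webserver error logs.
# The message can contain a %u parameter which will be replaced with the login
# user identifier (Username or email).
LOG_FAILED_LOGIN_MESSAGE=false
LOG_FAILED_LOGIN_CHANNEL=errorlog_plain_webserver

# Alter the precision of IP addresses stored by BookStack.
# Should be a number between 0 and 4, where 4 retains the full IP address
# and 0 completely hides the IP address. As an example, a value of 2 for the
# IP address '146.191.42.4' would result in '146.191.x.x' being logged.
# For the IPv6 address '2001:db8:85a3:8d3:1319:8a2e:370:7348' this would result as:
# '2001:db8:85a3:8d3:x:x:x:x'
IP_ADDRESS_PRECISION=4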