Using DigitalOcean Spaces or Amazon S3 for file storage in XF 2.1+

Who has the same issue?
The simulator is also reporting permission denied with the s3 bucket.
I copied and pasted the above-provided policy as JSON.
 
Post edit -
S3cmd throwing this error on config -


Thought that the s3:ListBuckets permission from the json should cover it?
There is no such permission as 's3:ListBuckets' - there is "s3:ListBucket" - and "s3:ListAllMyBuckets"
FWIW these are my perms:
Code:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "s3:*",
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::mybucket",
                "arn:aws:s3:::mybucket/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetAccountPublicAccessBlock"
            ],
            "Resource": "*"
        }
    ]
}
TBH these are a bit excessive: using 's3:*' is bad practice, 's3:Get*', 's3:PutObject*' and 's3:List*' would have been better, but meh
 
Sorry, I mean 's3:ListBucket'.
Just don't know why the permission is denied.
the simulator is looking at '*' in "simulation resource" - ie any and every bucket. You (rightly) have probably restricted actions to your actual bucket. the simulator tool is a waste of time IMHO.
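
Added example (not part of the original thread, and not XenForo or AWS code): a simplified identity-policy evaluator showing why a simulation against resource '*' is denied when the policy is scoped to one bucket, using the narrower 's3:Get*', 's3:PutObject*' and 's3:List*' actions suggested above. The bucket name, object key and function names are assumptions; Conditions, bucket policies and SCPs are not modelled.

```python
import re

# Constructed policy: the narrower action patterns suggested in the thread,
# scoped to the thread's placeholder bucket name "mybucket".
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:Get*", "s3:PutObject*", "s3:List*"],
        "Resource": ["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"],
    }],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, value, ignore_case=False):
    # IAM wildcards: '*' is any run of characters, '?' is exactly one.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None

def evaluate(policy, action, resource):
    """Simplified identity-policy evaluation: explicit Deny wins, then Allow,
    otherwise implicit deny. Conditions, NotAction/NotResource, bucket
    policies and SCPs are deliberately not modelled."""
    decision = "implicitDeny"
    for stmt in _as_list(policy["Statement"]):
        action_hit = any(_matches(a, action, True) for a in _as_list(stmt["Action"]))
        resource_hit = any(_matches(r, resource) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return "explicitDeny"
            decision = "allowed"
    return decision

def overly_broad(policy):
    """List Allow actions that grant a whole service ('s3:*') or everything."""
    return [a for s in _as_list(policy["Statement"]) if s["Effect"] == "Allow"
            for a in _as_list(s["Action"]) if a == "*" or a.endswith(":*")]

if __name__ == "__main__":
    bucket = "arn:aws:s3:::mybucket"
    for action, resource in [("s3:ListBucket", bucket), ("s3:ListBucket", "*"),
                             ("s3:ListAllMyBuckets", "*"),
                             ("s3:PutObject", bucket + "/attachments/1.data"),
                             ("s3:DeleteObject", bucket + "/attachments/1.data")]:
        print(f"{action:22} {resource:45} {evaluate(POLICY, action, resource)}")
    print("broad actions:", overly_broad(POLICY))
```

Under this narrower action set 's3:DeleteObject' falls through to an implicit deny, so check which actions your application actually calls before dropping 's3:*'.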
 
Thanks, but I use the simulator because I was getting an error in the s3cmd config.

The error is strange because my IAM user should have access to all my buckets.
 
This is why I don't like s3cmd - you don't actually need s3:ListAllMyBuckets for XF to work. Anyway, either your perms are wrong or you're using the wrong set of creds? Incidentally, if you are running this on an ec2 instance, you shouldn't even be using an IAM user
 
I agree, even Amazon advised users to remove ListAllMyBuckets and replace it with ListBucket.
Either way I decided not to use Amazon s3 again.
Their pricing is not straightforward and can cost a lot in the long run.
This is not even mentioning their renaming of the files in the Bucket to .data.
 
This is not even mentioning their renaming of the files in the Bucket to .data.
lol - they definitely do not do that. But I agree that AWS is not for everyone and you really shouldn't use it unless you know what you are doing
 
This - https://xenforo.com/community/threa...ith-their-original-name-and-extension.201643/

Have also read another user complaining about the same in a different thread.
Did avatar upload test and it retained the jpg extension.

Image caching is also lost in the process, right?
 
No - works in the same way as attachments as far as naming goes.
As far as I am aware the only thing that varies is code_cache data, which continues to be stored on the local, which makes sense as s3 as a file system is dreadfully slow - we use EFS for that
 
s3 is slower than the local filesystem, for sure, and even efs.

but it's also 300% cheaper than efs

.023 vs .3 per gb stored

and then you also need to access efs through an ec2 instance, so you need to pay for that as well if you're not using ec2 for your container/hosting which most people here aren't.

And s3 is more reliable. It can survive 2 AZ outages whereas efs can only survive one in concurrency.
So, you need a backup plan for efs which probably involves s3 or glacier anyway.

My takeaway -
use s3 and lazy load with a cdn cookie-less sub domain that is pre-connected in the head, and you probably won't ever know the difference on even the fastest of devices.

EDIT: changed all my EKS to EFS :D
 
s3 is slower than the local filesystem, for sure, and even eks
eks? I think you mean efs, not kubernetes.
Agree that efs is relatively expensive compared to s3 - to a point. S3 cost and performance on very small files is abysmal. And despite running one of the bigger and most complex XF sites going around (70 mill+ posts, 100,000+ users) our EFS cost last month was 7 cents! But yeah, running on AWS can be expensive if you don't know what you are doing - we scale up and down and mint new AMIs regularly - it suits our needs but the vast majority of XF sites don't need this.
 
You are likely in the first year hence the free ec2 benefits.
S3 is cheap but not that cheap, their pricing system is a bit complex.

.023 vs .3 per gb stored
S3 doesn't just charge for gb storage. The charges include storage, bandwidth, copy & cut etc.

On a very bright day DO Spaces should be much cheaper than s3, also, getting a sata based hdd from cheap dedicated server for a forum and may even be cheaper.
Just use different storage host from the main performance based host.
 
You are likely in the first year hence the free ec2 benefits.
Have been using EFS since it was in "preview" years ago - the days of "free ec2 benefits" are long gone.
getting a sata based hdd from cheap dedicated server for a forum and may even be cheaper.

good god no - I don't care how cheap a dedicated server is, the overhead on maintenance, backup, reliability and scalability means it is a false economy never mind that you are paying for unused capacity. AWS S3 or DO spaces or Azure Blobs or GCP Cloud Storage or CloudFlare R2 (when available) are much better options
 
'Better' in this context is relative.
S3 pricing model should be a tad expensive for a relatively busy forum but a good idea for backup because of the reliability.
 
eks? I think you mean efs, not kubernetes.
Typo, so used to using eks at work :X yes, i meant efs in all instances and updated my post.

Agree that efs is relatively expensive compared to s3 - to a point. S3 cost and performance on very small files is abysmal. And despite running one of the bigger and most complex XF sites going around (70 mill+ posts, 100,000+ users) our EFS cost last month was 7 cents! But yeah, running on AWS can be expensive if you don't know what you are doing - we scale up and down and mint new AMIs regularly - it suits our needs but the vast majority of XF sites don't need this.
i'm curious how you manage a 7 cent charge. Even a small site would rip through that.
Are you caching everything at cloudflare/etc?

S3 doesn't just charge for gb storage. The charges include storage, bandwidth, copy & cut etc.
Correct, i was only comparing storage. in/egress and touch cost money too.

On a very bright day DO Spaces should be much cheaper than s3, also, getting a sata based hdd from cheap dedicated server for a forum and may even be cheaper.
Just use different storage host from the main performance based host.
This also adds a lot of overhead and DR planning. S3 is already pretty resilient - enough for my needs - without going into crazy DR plans. If us-east gets nuked, i don't care about my forum anymore.
Some hosts offer block storage. I've looked into it, but it doesn't give the same DR that s3 does. it's one data center. which means i need complex backups sending tons of GB to something like s3 anyway...

good god no - I don't care how cheap a dedicated server is, the overhead on maintenance, backup, reliability and scalability means it is a false economy never mind that you are paying for unused capacity. AWS S3 or DO spaces or Azure Blobs or GCP Cloud Storage or CloudFlare R2 (when available) are much better options
(y)
'Better' in this context is relative.
S3 pricing model should be a tad expensive for a relatively busy forum but a good idea for backup because of the reliability.
my s3 costs are around $5 a month for forum related activities (i store other stuff there too). I am behind cloudflare too for caching.
The biggest win is my root server is a tiny vps and backups are fast and light because all the data is elsewhere.
the database, relative to attachment data, is small.
 
i'm curious how you manage a 7 cent charge. Even a small site would rip through that.
The EFS is used really only for code cache and templates. We have 'internal-data' set to use S3, despite this XF actually does the templates and code cache locally, so we mount an EFS volume for that -not that much data and no retrieval costs. We run multiple servers so that data needs to be stored in a file system that is both shared and reasonably fast (compared to S3) - We can hit 200 or hits a second so we need to be reasonably performant.
Need to clean up the S3 though, is hitting almost 1TB of storage and we are not that media heavy a site
 
Hello there Chris! :)
First, thank you for integrating this cool feature: this is the solution for many users like me that need to allow video uploads! (y)(y)(y)

I'm trying to set up Wasabi on my testing XF (they have a 30 free trial without the need of credit card details) to see if I can buy their service and attach it to my live XF.

Steps are slightly different from Amazon S3 but I think I can manage it.

For the moment I'm just stuck to the policies creation, and this is why I'm posting.
When I paste the full JSON code in their "Policy Document" field, I get a "Policy has invalid action: s3:ReplicateObject" error:

I don't know if this is a Wasabi servers limit or if this action has been removed by the time the guide was written...
Anyway, they already have 2 "FullAccess" policies: AmazonS3FullAccess and WasabiFullAccess.


Would it be ok to select both of them for setting up the bucket policies to work with XenForo?

Here is how it's set:
 
I'm not going to comment on wasabi - it's a third party and you use it at your own risk - although as there are no deny statements, it won't affect anything. As for AmazonS3FullAccess - if you ain't storing any other data in the account, then you are probably ok. If you get breached, they can take all your s3 data and wipe everything - if, given the likelihood of this happening and the impact it causes, you accept that risk, then all good.
 