Skip to content

Configuration

Lychee’s core configuration is managed using a .env file. It probably exists already in your directory, but if not it can be created by copying .env.example. The options which are already included in the .env file should be sufficient to cover the necessary configuration for the vast majority of all use-cases and setups. Using other options than those included in the .env file should rarely be necessary. However, this page contains a more complete list of the available options, incl. some highly advanced ones, together with descriptions and default values. For non-core options (for example UI options), take a look at Settings.

OptionDescriptionDefault
APP_NAMEThe gallery nameLychee
APP_ENVEnvironment of your gallery. Only the literal value production is treated as production; anything else (e.g. local, development) is non-production, see below.production
APP_DEBUGShow detailed error messages with stack traces instead of a generic error page. Also exposes all environment variables on uncaught exceptions, see Hiding Environment Variables From Debug Pages. Never enable on a public-facing install.false
APP_URLThe hostname of your gallery (which should resolves to the public/ folder).http://localhost
APP_DIRThe subfolder path part of the URL, for installs hosted under a sub-path instead of a domain root. We do not recommend its use, see below.empty
APP_KEYYour app key which is used for encryption (set during installation)null
ASSET_URLOverrides the base URL used to load built JS/CSS assets. Rarely needed.null
TIMEZONEThe timezone of your photos, requires a named timezone identifier like Europe/Parissystem timezone of server
LYCHEE_UPLOADSPath to uploads directoryuploads/ inside public/
LYCHEE_UPLOADS_DIRSubfolder name used to build LYCHEE_UPLOADS and its URL when LYCHEE_UPLOADS is unsetuploads/
LYCHEE_UPLOADS_URLURL to uploads directory, better left empty/uploads
APP_FORCE_HTTPSForce HTTPS on all URLsfalse
TRUSTED_PROXIESTrusted proxy IP addressesnull
LOG_VIEWER_ENABLEDEnable log viewer inside Lychee instead of through CLI.true
WHITE_LABEL_ENABLEDHide all Lychee branding from the UI. Requires a valid SE licence.false
KEYGEN_API_KEYAPI token from keygen.lycheeorg.dev. When set, an expired SE licence is automatically rotated on admin login, and the diagnostics page warns if the token itself is about to expire.null

APP_ENV only has special meaning to Lychee and its dependencies when it is exactly production:

  • production (default) — the safe default for any public-facing install. Generic error pages are shown instead of stack traces, APP_DEBUG_LATENCY is always ignored, and the Content Security Policy is enforced.
  • Anything else (e.g. local, development) — treated as non-production. This is what unlocks the Development options below, and is required by the Log Viewer if you want to use it outside of an admin session (per the official .env.example: “it is not possible to enable Log Viewer in production; if you wish to enable it, also switch your APP_ENV to local”).

Never set APP_ENV to anything other than production on a public-facing install — combined with APP_DEBUG, non-production values relax several security defaults.

These options enable or disable entire features of Lychee. Most of them are advanced and rarely need to be touched.

OptionDescriptionDefault
LOG_404_ERRORSLog all 404 errors, useful to track broken links or attempted attacks. Set to false to avoid overly large logs.true
LEGACY_V4_REDIRECTRedirect legacy v4 links of the form /#albumID/photoID to the new URL scheme.false
S3_ENABLEDUse an S3-compatible bucket instead of local storage for media. Also requires AWS_ACCESS_KEY_ID to be set, see AWS.false
REQUIRE_CONTENT_TYPE_ENABLEDRequire all API requests to set a content-type header. Disabling this allows using the API from the API documentation page.true
DISABLE_BASIC_AUTHDisable username/password login. Only API tokens, WebAuthn or OAuth can then be used to authenticate. Only enable this after setting up another login method.false
DISABLE_WEBAUTHNDisable WebAuthn login.false
DISABLE_IMPORT_FROM_SERVERDisable the “import from server” feature, reducing the attack surface if the admin account is ever compromised.false
WEBSHOP_ENABLEDEnable the webshop feature.true
WEBHOOK_ENABLEDEnable outgoing webhooks, triggered on photo lifecycle events (photo.add, photo.move, photo.delete).false
WEBHOOK_TIMEOUT_SECONDSSeconds Lychee waits for a webhook endpoint to respond before treating the request as failed.10
LOCATION_DECODING_REQUESTS_PER_SECONDRate limit for reverse-geocoding requests sent to the Nominatim service. Only raise this if you run your own instance.1
VULNERABILITY_CHECK_ENABLEDPeriodically compare the running version against published security advisories and surface matches on the diagnostics page and login.true
UPDATE_CHECK_ENABLEDAllow admins to check from the dashboard whether the installation is up to date.true
USE_FOPEN_FOR_URL_IMPORTSUse PHP’s fopen instead of curl for URL imports. curl mitigates Time of Check Time of Use (TOCTOU) issues but isn’t available everywhere.false
USE_SYSTEM_TEMP_DIRUse PHP’s system temp directory for chunked uploads. Set to false on shared hosting where it isn’t readable/writable, to use storage/tmp/uploads_parts instead.true
ENABLE_REQUEST_CACHINGExpose Redis-backed response caching settings (cache_enabled, cache_ttl, cache_event_logging) in the admin settings panel.false
HIDE_LYCHEE_SE_CONFIGHide Lychee SE options from the configuration screens, useful for recording demos.false
V8_ENABLEDEnable experimental, in-development v8 features. Not recommended outside of testing the next major version.false

Lychee supports MySQL/MariaDB, SQLite and PostgreSQL as database backends. Microsoft SQL Server can be used, but is unsupported. The configuration is managed using the DB_ variables.

Some hosting providers give you a single URL containing all the information needed to configure your database. Therefore, Lychee has a DATABASE_URL option which only needs the database connection type. For example:

DB_CONNECTION=mysql
DATABASE_URL="mysql://root:password@127.0.0.1/forge?charset=UTF-8"

If this applies to your hosting provider, you can skip the other DB configuration steps.

The configuration is exactly the same for both systems.

OptionValue it should have
DB_CONNECTIONmysql
DB_HOSTHost of the database server (if it’s running on the same server use 127.0.0.1)
DB_PORTPort of the database server (default 3306)
DB_DATABASEThe name of the database
DB_USERNAMEUsername of the database user
DB_PASSWORDPassword of the database user
DB_SOCKETUNIX socket to DB server, replaces DB_HOST and DB_PORT
MYSQL_ATTR_SSL_CAOptional and only used when using the pdo_mysql extension, file path to the SSL certificate authority
DB_POOL_MINMinimum number of pooled connections (Octane only)
DB_POOL_MAXMaximum number of pooled connections (Octane only)
OptionValue it should have
DB_CONNECTIONsqlite
DB_DATABASEPath to the database file (default database/database.sqlite)
OptionValue it should have
DB_CONNECTIONpgsql
DB_HOSTHost of the database server (if it’s running on the same server use 127.0.0.1) or socket path
DB_PORTPort of the database server or null if using socket (default 5432)
DB_DATABASEThe name of the database
DB_USERNAMEUsername of the database user
DB_PASSWORDPassword of the database user
OptionDescriptionDefault
DB_OLD_LYCHEE_PREFIXTable prefix (e.g. lychee_) of the Lychee v3 instance to migrate from.empty

Supported mailers are smtp, ses, mailgun, postmark or sendmail, which you can set using MAIL_DRIVER.

OptionDescription
MAIL_DRIVERMailer type
MAIL_FROM_ADDRESS”From” address
MAIL_FROM_NAME”From” name (defaults to APP_NAME)
MAIL_EHLO_DOMAINLocal domain announced in the SMTP EHLO/HELO command. Advanced, rarely needed.
OptionDescription
MAIL_HOSTHost of SMTP server
MAIL_PORTPort of SMTP server (default 587)
MAIL_ENCRYPTIONEncryption for SMTP server (default tls)
MAIL_USERNAMEUsername of SMTP server
MAIL_PASSWORDPassword of SMTP server

SES can be configured using AWS settings. See AWS configuration.

OptionDescription
MAILGUN_DOMAINDomain of the Mailgun server
MAILGUN_SECRETSecret of the Mailgun server
MAILGUN_ENDPOINTMailgun endpoint (default api.mailgun.net)
OptionDescription
POSTMARK_TOKENToken for Postmark
OptionDescriptionDefault
MAIL_SENDMAIL_PATHPath (and arguments) to the local sendmail binary/usr/sbin/sendmail -bs -i

Lychee can use various services as cache driver to store temporary data. The driver is set using CACHE_DRIVER and supports: apc, array, file, memcached, redis or dynamodb.

OptionDescription
CACHE_PREFIXPrefix of cache data keys in in-memory stores
CACHE_STOREAlias for CACHE_DRIVER. If both are set, CACHE_STORE takes precedence.
OptionDescription
MEMCACHED_HOSTHost for memcached
MEMCACHED_PORTPort for memcached
MEMCACHED_USERNAMEUsername for memcached
MEMCACHED_PASSWORDPassword for memcached
MEMCACHED_PERSISTENT_IDPersistent ID for memcached

Base options are configured using AWS options. You need to create a table, please refer to the Laravel docs.

OptionDescriptionDefault
DYNAMODB_CACHE_TABLECache table namecache
DYNAMODB_ENDPOINTDynamoDB endpointnull

Also see Redis.

OptionDescription
REDIS_CACHE_DBRedis cache database

There are no config options, however, you need to run php artisan cache:table to use this option.

OptionDescriptionDefault
LOG_VIEWER_CACHE_DRIVERCache driver used by the Log Viewer. If you use Redis as your main cache driver, it is strongly recommended to set this to file instead — should Redis crash, you would otherwise lose access to your logs.file
LOG_STDOUTAlso send logs to stdout, useful when running in a container and collecting logs from the container runtime.false
LOG_VIEWER_API_ONLYOnly expose the Log Viewer through its API, without the bundled UI.false

Lychee can interact with various third-party services. You can find config options for them here.

To use Redis, you need the PhpRedis PHP extension.

OptionDescription
REDIS_SCHEMERedis connection scheme (default tcp, other option unix)
REDIS_PATHRedis Unix socket path
REDIS_HOSTRedis host
REDIS_PASSWORDRedis password
REDIS_PORTRedis port
REDIS_DBDefault Redis database index (used outside of caching, e.g. sessions/queue)
REDIS_CLUSTERRedis cluster
REDIS_PREFIXRedis prefix
REDIS_URLRedis URL
OptionDescription
AWS_ACCESS_KEY_IDAccess key ID for AWS
AWS_SECRET_ACCESS_KEYSecret access key for AWS
AWS_DEFAULT_REGIONDefault AWS region
AWS_URL[S3] Overrides viewing URL, for use with CDNs and similar
AWS_BUCKET[S3] The bucket to use
AWS_ENDPOINT[S3] The endpoint for uploads. AWS_URL defaults to this
AWS_IMAGE_VISIBILITY[S3] Visibility of uploaded objects (public or private)
AWS_USE_PATH_STYLE_ENDPOINT[S3] Use path-style endpoint URLs, required by some S3-compatible providers (e.g. MinIO)

Lychee can authenticate users against an LDAP or Active Directory server, alongside or instead of local accounts.

OptionDescriptionDefault
LDAP_ENABLEDEnable LDAP authentication.false
LDAP_HOSTLDAP server hostname.ldap.example.com
LDAP_PORTLDAP server port. Use 636 for LDAPS.389
LDAP_BASE_DNBase DN for LDAP searches.dc=example,dc=com
LDAP_BIND_DNDN of the service account used to bind and search LDAP. This account only needs read-only access.cn=bind-user,dc=example,dc=com
LDAP_BIND_PASSWORDPassword of the bind account.empty
LDAP_CONNECTION_TIMEOUTConnection timeout, in seconds.5
LDAP_USE_TLSUse TLS for the LDAP connection.true
LDAP_TLS_VERIFY_PEERVerify the LDAP server’s TLS certificate.true
LDAP_USER_FILTERLDAP search filter used to find a user by username (%s is replaced with the submitted username). OpenLDAP: (&(objectClass=person)(uid=%s)). Active Directory: (&(objectClass=user)(sAMAccountName=%s)).(&(objectClass=person)(uid=%s))
LDAP_ATTR_USERNAMELDAP attribute mapped to the Lychee username.uid
LDAP_ATTR_EMAILLDAP attribute mapped to the Lychee email address.mail
LDAP_ATTR_DISPLAY_NAMELDAP attribute mapped to the Lychee display name.displayName
LDAP_ADMIN_GROUP_DNDN of an LDAP group whose members are granted admin rights in Lychee.null
LDAP_AUTO_PROVISIONAutomatically create Lychee accounts on first successful LDAP login. If false, users must already exist in Lychee.true
LDAP_LOGGINGLog LDAP bind/search operations, useful for debugging. Passwords are never logged.false

Lychee can delegate login to a number of external OAuth/OpenID providers. Each provider needs its own client ID and secret, obtained from the provider. Unless stated otherwise, *_REDIRECT_URI should be left at its default value.

ProviderRequired optionsNotes
AmazonAMAZON_SIGNIN_CLIENT_ID, AMAZON_SIGNIN_SECRETAMAZON_SIGNIN_REDIRECT_URI defaults to /auth/amazon/redirect.
AppleAPPLE_CLIENT_ID, APPLE_CLIENT_SECRETThe client secret is a JWT with a maximum lifetime of 6 months and must be regenerated periodically. APPLE_REDIRECT_URI defaults to /auth/apple/redirect.
AutheliaAUTHELIA_CLIENT_ID, AUTHELIA_CLIENT_SECRET, AUTHELIA_BASE_URLFor self-hosted Authelia instances. Also set AUTHELIA_REDIRECT_URI.
AuthentikAUTHENTIK_CLIENT_ID, AUTHENTIK_CLIENT_SECRET, AUTHENTIK_BASE_URLFor self-hosted Authentik instances. Also set AUTHENTIK_REDIRECT_URI.
FacebookFACEBOOK_CLIENT_ID, FACEBOOK_CLIENT_SECRETFACEBOOK_REDIRECT_URI defaults to /auth/facebook/redirect.
GitHubGITHUB_CLIENT_ID, GITHUB_CLIENT_SECRETGITHUB_REDIRECT_URI defaults to /auth/github/redirect.
GoogleGOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRETGOOGLE_REDIRECT_URI defaults to /auth/google/redirect.
KeycloakKEYCLOAK_CLIENT_ID, KEYCLOAK_CLIENT_SECRET, KEYCLOAK_BASE_URL, KEYCLOAK_REALMFor self-hosted Keycloak instances. Also set KEYCLOAK_REDIRECT_URI.
MastodonMASTODON_DOMAIN, MASTODON_ID, MASTODON_SECRETMASTODON_DOMAIN is the URL of your Mastodon instance, e.g. https://mastodon.social. MASTODON_REDIRECT_URI defaults to /auth/mastodon/redirect.
MicrosoftMICROSOFT_CLIENT_ID, MICROSOFT_CLIENT_SECRETMICROSOFT_TENANT_ID defaults to common. MICROSOFT_REDIRECT_URI defaults to /auth/microsoft/redirect.
NextcloudNEXTCLOUD_CLIENT_ID, NEXTCLOUD_CLIENT_SECRET, NEXTCLOUD_BASE_URIFor self-hosted Nextcloud instances. Also set NEXTCLOUD_REDIRECT_URI.

AI Vision (facial recognition & NSFW classification)

Section titled “AI Vision (facial recognition & NSFW classification)”

These options configure the connection to the external AI Vision microservices used for facial recognition and NSFW classification. They are kept out of the database-backed settings so the service URL and shared API key are never exposed through the admin settings UI.

OptionDescriptionDefault
AI_VISION_ENABLEDEnable AI Vision features (facial recognition, person management, photo clustering).true
AI_VISION_FACE_URLURL of the external facial-recognition service.empty
AI_VISION_FACE_API_KEYAPI key for the facial-recognition service.empty
AI_VISION_FACE_RESCAN_IOU_THRESHOLDIntersection-over-union threshold used to decide whether a detected face needs rescanning.0.3
AI_VISION_FACE_STUCK_SCAN_THRESHOLD_MINUTESMinutes after which a face-scan job that hasn’t progressed is considered stuck.720
AI_VISION_NSFW_URLURL of the external NSFW-classification service.empty
AI_VISION_NSFW_API_KEYAPI key for the NSFW-classification service.empty

Payment options gate the webshop checkout (requires Pro). See Payments for the full setup guide for each provider.

OptionDescriptionDefault
OMNIPAY_TEST_MODEUse sandbox/test mode for payment gateways. Only set to false once you’re ready to accept real payments.true
MOLLIE_API_KEYMollie API key.empty
MOLLIE_PROFILE_IDMollie profile ID.empty
PAYPAL_CLIENT_IDPayPal client ID.empty
PAYPAL_SECRETPayPal secret.empty

Support for token based authentication used by API requests.

NameDescriptionDefault
ENABLE_BEARER_TOKEN_AUTHAuthentication Guard token support. Falls back to ENABLE_TOKEN_AUTH if unset.true
ENABLE_TOKEN_AUTHLegacy name for ENABLE_BEARER_TOKEN_AUTH, kept for backwards compatibility.true
REMEMBER_LIFETIMEDuration, in minutes, of the “Remember me” login cookie.40320 (4 weeks)
FAIL_NO_AUTHENTICABLE_BEARER_TOKENThrow an exception when a bearer token is supplied but no matching user is found. Only applies when ENABLE_BEARER_TOKEN_AUTH is true.true
LOG_WARN_NO_BEARER_TOKENLog a warning when an API token is supplied without the Bearer scheme prefix.true

Sessions are stored in the same locations as cache. You change the used driver using SESSION_DRIVER.

NameDescriptionDefault
SESSION_LIFETIMEIdle session expiration in minutes; the session will need to be reinitialized once it has expired.120
SESSION_SECURE_COOKIECookies only via HTTPSfalse
SECURITY_HEADER_HSTS_ENABLEEnable HTTP strict transport securityfalse

These options add extra allowed sources to Lychee’s default Content Security Policy. Each accepts a comma-separated list of origins.

OptionCSP directive extended
SECURITY_HEADER_CSP_CHILD_SRCchild-src
SECURITY_HEADER_CSP_CONNECT_SRCconnect-src
SECURITY_HEADER_CSP_FONT_SRCfont-src
SECURITY_HEADER_CSP_FORM_ACTIONform-action
SECURITY_HEADER_CSP_FRAME_ANCESTORSframe-ancestors (also drives the X-Frame-Options header and relaxes the session cookie’s SameSite attribute from lax to none when set)
SECURITY_HEADER_CSP_FRAME_SRCframe-src
SECURITY_HEADER_CSP_IMG_SRCimg-src
SECURITY_HEADER_CSP_MEDIA_SRCmedia-src
SECURITY_HEADER_SCRIPT_SRC_ALLOWscript-src (additional allowed script hosts)
OptionDescription
APP_CIPHERThe app’s cipher suite
HASHING_ALGORITHMHashing algorithm for passwords (default bcrypt, other options argon or argon2id)
ARGON_MEMORYMemory for Argon hashing algorithm
ARGON_THREADSThreads for Argon hashing algorithm
ARGON_TIMETime for Argon hashing algorithm
BCRYPT_ROUNDSRounds for bcrypt hashing algorithm
WEBAUTHN_NAMEName shown to users for WebAuthn devices (defaults to APP_NAME)
WEBAUTHN_IDRelying party ID for WebAuthn devices
SESSION_COOKIEThe cookie’s name (defaults to a slug of APP_NAME followed by _session)
SESSION_STORECache store used for cache-backed session drivers (apc, dynamodb, memcached, redis)
SESSION_DOMAINSession cookie domain
SKIP_DIAGNOSTICS_CHECKSComma-separated list of class names of diagnostics checks that should be skipped.
DB_LIST_FOREIGN_KEYSList foreign keys on the diagnostics page. Only takes effect when APP_DEBUG is also true.

Of these, only APP_DEBUG_LATENCY is hard-gated by APP_ENV in code (it is a no-op while APP_ENV is production). The others aren’t technically blocked in production, but doing so is unsupported and may affect stability, performance, or expose debugging information.

OptionDescriptionDefault
APP_DEBUG_LATENCYAdd this many milliseconds of artificial latency before processing requests. Always disabled when APP_ENV is production, regardless of this value.0
DEBUGBAR_ENABLEDEnable debugbar. This also disables the Content Security Policy.false
DB_LOG_SQLLog SQL statements, see your Logs within Lychee.false
DB_LOG_SQL_EXPLAINExplain the SQL statements for MySQL.false
DB_LOG_SQL_MIN_TIMEOnly log SQL statements whose execution time exceeds this many milliseconds.100
XHPROF_ENABLEDEnable the XHProf profiler.false
CLOCKWORK_ENABLEEnable the Clockwork debugging toolbar.false
CLOCKWORK_DRIVERClockwork data collection driver.laravel
CLOCKWORK_STORAGE_FILES_PATHPath used to store Clockwork’s collected request data.storage/clockwork
VITE_LOCAL_DEVEnable local Vite development without running a separate dev server.false
VITE_HTTP_PROXY_TARGETTarget URL for the Vite HTTP proxy used for API calls during local frontend development.empty

You can look at the files in the config/ folder. They contain some options you can’t configure using environmental variables and you are able to adapt Lychee completely to your needs.

It is often helpful to have different configuration values based on the environment where the application is running. For example, you may wish to use a different cache driver locally than you do on your production server.

To make this a cinch, Lychee utilizes the DotEnv PHP library by Vance Lucas. In a fresh Lychee installation, the root directory of your application will contain a .env.example file. You should make a copy of this file as .env.

Your .env file should not be committed to your application’s source control, since each developer / server using your application could require a different environment configuration. Furthermore, this would be a security risk in the event an intruder gains access to your source control repository, since any sensitive credentials would get exposed.

If you are developing with a team, you may wish to continue including a .env.example file with your application. By putting placeholder values in the example configuration file, other developers on your team can clearly see which environment variables are needed to run your application. You may also create a .env.testing file. This file will override the .env file when running PHPUnit tests or executing Artisan commands with the --env=testing option.

All variables in your .env files are parsed as strings, so some reserved values have been created to allow you to return a wider range of types from the env() function:

.env Valueenv() Value
true(bool) true
(true)(bool) true
false(bool) false
(false)(bool) false
empty(string) ”
(empty)(string) ”
null(null) null
(null)(null) null

If you need to define an environment variable with a value that contains spaces, you may do so by enclosing the value in double quotes.

APP_NAME="My Application"

All of the variables listed in this file will be loaded into the $_ENV PHP super-global when your application receives a request. However, you may use the env helper to retrieve values from these variables in your configuration files. In fact, if you review the Lychee configuration files, you will notice several of the options already using this helper:

'debug' => env('APP_DEBUG', false),

The second value passed to the env function is the “default value”. This value will be used if no environment variable exists for the given key.

The current application environment is determined via the APP_ENV variable from your .env file. You may access this value via the environment method on the App facade:

$environment = App::environment();

You may also pass arguments to the environment method to check if the environment matches a given value. The method will return true if the environment matches any of the given values:

if (App::environment('development')) {
// The environment is development
}
if (App::environment(['development', 'production'])) {
// The environment is either development OR production...
}

Hiding Environment Variables From Debug Pages

Section titled “Hiding Environment Variables From Debug Pages”

When an exception is uncaught and the APP_DEBUG environment variable is true, the debug page will show all environment variables and their contents. In some cases you may want to obscure certain variables. You may do this by updating the debug_blacklist option in your config/app.php configuration file.

Some variables are available in both the environment variables and the server / request data. Therefore, you may need to blacklist them for both $_ENV and $_SERVER:

return [
// ...
'debug_blacklist' => [
'_ENV' => [
'APP_KEY',
'DB_PASSWORD',
],
'_SERVER' => [
'APP_KEY',
'DB_PASSWORD',
],
'_POST' => [
'password',
],
],
];

You may easily access your configuration values using the global config helper function from anywhere in your application. The configuration values may be accessed using “dot” syntax, which includes the name of the file and option you wish to access. A default value may also be specified and will be returned if the configuration option does not exist:

$value = config('app.timezone');

To set configuration values at runtime, pass an array to the config helper:

config(['app.timezone' => 'America/Chicago']);

To give your application a speed boost, you should cache all of your configuration files into a single file using the config:cache Artisan command. This will combine all of the configuration options for your application into a single file which will be loaded quickly by the framework.

You should typically run the php artisan config:cache command as part of your production deployment routine. The command should not be run during local development as configuration options will frequently need to be changed during the course of your application’s development.

When your application is in maintenance mode, a custom view will be displayed for all requests into your application. This makes it easy to “disable” your application while it is updating or when you are performing maintenance. A maintenance mode check is included in the default middleware stack for your application. If the application is in maintenance mode, a MaintenanceModeException will be thrown with a status code of 503.

To enable maintenance mode, execute the down Artisan command:

Terminal window
php artisan down

You may also provide message and retry options to the down command. The message value may be used to display or log a custom message, while the retry value will be set as the Retry-After HTTP header’s value:

Terminal window
php artisan down --message="Upgrading Database" --retry=60

Even while in maintenance mode, specific IP addresses or networks may be allowed to access the application using the command’s allow option:

Terminal window
php artisan down --allow=127.0.0.1 --allow=192.168.0.0/16

To disable maintenance mode, use the up command:

Terminal window
php artisan up