1 // Keep-web provides read-only HTTP access to files stored in Keep. It
2 // serves public data to anonymous and unauthenticated clients, and
3 // serves private data to clients that supply Arvados API tokens. It
4 // can be installed anywhere with access to Keep services, typically
5 // behind a web proxy that supports TLS.
7 // See http://doc.arvados.org/install/install-keep-web.html.
9 // Run "keep-web -help" to show all supported options.
11 // Starting the server
13 // Serve HTTP requests at port 1234 on all interfaces:
15 // keep-web -listen=:1234
17 // Serve HTTP requests at port 1234 on the interface with IP address 1.2.3.4:
19 // keep-web -listen=1.2.3.4:1234
21 // Proxy configuration
23 // Keep-web does not support SSL natively. Typically, it is installed
24 // behind a proxy like nginx.
26 // Here is an example nginx configuration.
29 // upstream keep-web {
30 // server localhost:1234;
34 // server_name collections.example.com *.collections.example.com ~.*--collections.example.com;
35 // ssl_certificate /root/wildcard.example.com.crt;
36 // ssl_certificate_key /root/wildcard.example.com.key;
38 // proxy_pass http://keep-web;
39 // proxy_set_header Host $host;
40 // proxy_set_header X-Forwarded-For $remote_addr;
45 // It is not necessary to run keep-web on the same host as the nginx
46 // proxy. However, TLS is not used between nginx and keep-web, so
47 // intervening networks must be secured by other means.
49 // Anonymous downloads
51 // Use the -allow-anonymous flag with an ARVADOS_API_TOKEN environment
52 // variable to specify a token to use when clients try to retrieve
53 // files without providing their own Arvados API token.
55 // export ARVADOS_API_TOKEN=zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
56 // keep-web [...] -allow-anonymous
58 // See http://doc.arvados.org/install/install-keep-web.html for examples.
62 // The following "same origin" URL patterns are supported for public
63 // collections and collections shared anonymously via secret links
64 // (i.e., collections which can be served by keep-web without making
65 // use of any implicit credentials like cookies). See "Same-origin
68 // http://collections.example.com/c=uuid_or_pdh/path/file.txt
69 // http://collections.example.com/c=uuid_or_pdh/t=TOKEN/path/file.txt
71 // The following "multiple origin" URL patterns are supported for all
74 // http://uuid_or_pdh--collections.example.com/path/file.txt
75 // http://uuid_or_pdh--collections.example.com/t=TOKEN/path/file.txt
77 // In the "multiple origin" form, the string "--" can be replaced with
78 // "." with identical results (assuming the downstream proxy is
79 // configured accordingly). These two are equivalent:
81 // http://uuid_or_pdh--collections.example.com/path/file.txt
82 // http://uuid_or_pdh.collections.example.com/path/file.txt
84 // The first form (with "--" instead of ".") avoids the cost and
85 // effort of deploying a wildcard TLS certificate for
86 // *.collections.example.com at sites that already have a wildcard
87 // certificate for *.example.com. The second form is likely to be
88 // easier to configure, and more efficient to run, on a downstream
91 // In all of the above forms, the "collections.example.com" part can
92 // be anything at all: keep-web itself ignores everything after the
93 // first "." or "--". (Of course, in order for clients to connect at
94 // all, DNS and any relevant proxies must be configured accordingly.)
96 // In all of the above forms, the "uuid_or_pdh" part can be either a
97 // collection UUID or a portable data hash with the "+" character
98 // optionally replaced by "-". (When "uuid_or_pdh" appears in the
99 // domain name, replacing "+" with "-" is mandatory, because "+" is
100 // not a valid character in a domain name.)
102 // In all of the above forms, a top level directory called "_" is
103 // skipped. In cases where the "path/file.txt" part might start with
104 // "t=" or "c=" or "_/", links should be constructed with a leading
105 // "_/" to ensure the top level directory is not interpreted as a
106 // token or collection ID.
108 // Assuming there is a collection with UUID
109 // zzzzz-4zz18-znfnqtbbv4spc3w and portable data hash
110 // 1f4b0bc7583c2a7f9102c395f4ffc5e3+45, the following URLs are
113 // http://zzzzz-4zz18-znfnqtbbv4spc3w.collections.example.com/foo/bar.txt
114 // http://zzzzz-4zz18-znfnqtbbv4spc3w.collections.example.com/_/foo/bar.txt
115 // http://zzzzz-4zz18-znfnqtbbv4spc3w--collections.example.com/_/foo/bar.txt
116 // http://1f4b0bc7583c2a7f9102c395f4ffc5e3-45--foo.example.com/foo/bar.txt
117 // http://1f4b0bc7583c2a7f9102c395f4ffc5e3-45--.invalid/foo/bar.txt
119 // An additional form is supported specifically to make it more
120 // convenient to maintain support for existing Workbench download
123 // http://collections.example.com/collections/download/uuid_or_pdh/TOKEN/foo/bar.txt
125 // A regular Workbench "download" link is also accepted, but
126 // credentials passed via cookie, header, etc. are ignored. Only
127 // public data can be served this way:
129 // http://collections.example.com/collections/uuid_or_pdh/foo/bar.txt
131 // Authorization mechanisms
133 // A token can be provided in an Authorization header:
135 // Authorization: OAuth2 o07j4px7RlJK4CuMYp7C0LDT4CzR1J1qBE5Avo7eCcUjOTikxK
137 // A base64-encoded token can be provided in a cookie named "api_token":
139 // Cookie: api_token=bzA3ajRweDdSbEpLNEN1TVlwN0MwTERUNEN6UjFKMXFCRTVBdm83ZUNjVWpPVGlreEs=
141 // A token can be provided in an URL-encoded query string:
143 // GET /foo/bar.txt?api_token=o07j4px7RlJK4CuMYp7C0LDT4CzR1J1qBE5Avo7eCcUjOTikxK
145 // A suitably encoded token can be provided in a POST body if the
146 // request has a content type of application/x-www-form-urlencoded or
147 // multipart/form-data:
150 // Content-Type: application/x-www-form-urlencoded
152 // api_token=o07j4px7RlJK4CuMYp7C0LDT4CzR1J1qBE5Avo7eCcUjOTikxK
154 // If a token is provided in a query string or in a POST request, the
155 // response is an HTTP 303 redirect to an equivalent GET request, with
156 // the token stripped from the query string and added to a cookie
161 // Currently, keep-web does not generate HTML index listings, nor does
162 // it serve a default file like "index.html" when a directory is
163 // requested. These features are likely to be added in future
164 // versions. Until then, keep-web responds with 404 if a directory
165 // name (or any path ending with "/") is requested.
169 // Client-provided authorization tokens are ignored if the client does
170 // not provide a Host header.
172 // In order to use the query string or a POST form authorization
173 // mechanisms, the client must follow 303 redirects; the client must
174 // accept cookies with a 303 response and send those cookies when
175 // performing the redirect; and either the client or an intervening
176 // proxy must resolve a relative URL ("//host/path") if given in a
177 // response Location header.
181 // Normally, Keep-web accepts requests for multiple collections using
182 // the same host name, provided the client's credentials are not being
183 // used. This provides insufficient XSS protection in an installation
184 // where the "anonymously accessible" data is not truly public, but
185 // merely protected by network topology.
187 // In such cases -- for example, a site which is not reachable from
188 // the internet, where some data is world-readable from Arvados's
189 // perspective but is intended to be available only to users within
190 // the local network -- the downstream proxy should configured to
191 // return 401 for all paths beginning with "/c=".
195 // Without the same-origin protection outlined above, a web page
196 // stored in collection X could execute JavaScript code that uses the
197 // current viewer's credentials to download additional data from
198 // collection Y -- data which is accessible to the current viewer, but
199 // not to the author of collection X -- from the same origin
200 // (``https://collections.example.com/'') and upload it to some other
201 // site chosen by the author of collection X.
203 // Attachment-Only host
205 // It is possible to serve untrusted content and accept user
206 // credentials at the same origin as long as the content is only
207 // downloaded, never executed by browsers. A single origin (hostname
208 // and port) can be designated as an "attachment-only" origin: cookies
209 // will be accepted and all responses will have a
210 // "Content-Disposition: attachment" header. This behavior is invoked
211 // only when the designated origin matches exactly the Host header
212 // provided by the client or downstream proxy.
214 // keep-web -listen :9999 -attachment-only-host domain.example:9999
216 // Trust All Content mode
218 // In "trust all content" mode, Keep-web will accept credentials (API
219 // tokens) and serve any collection X at
220 // "https://collections.example.com/collections/X/path/file.ext".
221 // This is UNSAFE except in the special case where everyone who is
222 // able write ANY data to Keep, and every JavaScript and HTML file
223 // written to Keep, is also trusted to read ALL of the data in Keep.
225 // In such cases you can enable trust-all-content mode.
227 // keep-web -listen :9999 -trust-all-content
229 // When using trust-all-content mode, the only effect of the
230 // -attachment-only-host option is to add a "Content-Disposition:
231 // attachment" header.
233 // keep-web -listen :9999 -attachment-only-host domain.example:9999 -trust-all-content