3 navsection: installguide
4 title: Install Keepproxy server
7 The Keepproxy server is a gateway into your Keep storage. Unlike the Keepstore servers, which are only accessible on the local LAN, Keepproxy is designed to provide secure access into Keep from anywhere on the internet.
9 By convention, we use the following hostname for the Keepproxy:
12 table(table table-bordered table-condensed).
14 |keep.@uuid_prefix@.your.domain|
17 This hostname should resolve from anywhere on the internet.
21 On Debian-based systems:
24 <pre><code>~$ <span class="userinput">sudo apt-get install keepproxy</span>
28 On Red Hat-based systems:
31 <pre><code>~$ <span class="userinput">sudo yum install keepproxy</span>
35 Verify that Keepproxy is functional:
38 <pre><code>~$ <span class="userinput">keepproxy -h</span>
40 -default-replicas=2: Default number of replicas to write if not specified by the client.
41 -listen=":25107": Interface on which to listen for requests, in the format ipaddr:port. e.g. -listen=10.0.1.24:8000. Use -listen=:port to listen on all network interfaces.
42 -no-get=false: If set, disable GET operations
43 -no-put=false: If set, disable PUT operations
44 -pid="": Path to write pid file
48 It's recommended to run Keepproxy under "runit":http://smarden.org/runit/ or something similar.
50 h3. Create an API token for the Keepproxy server
52 The Keepproxy server needs a token to talk to the API server.
54 On the <strong>API server</strong>, use the following command to create the token:
57 <pre><code>~/arvados/services/api/script$ <span class="userinput">RAILS_ENV=production bundle exec ./get_anonymous_user_token.rb</span>
58 hoShoomoo2bai3Ju1xahg6aeng1siquuaZ1yae2gi2Uhaeng2r
59 </code></pre></notextile>
61 The value for the @api_token@ field should be added to Keepproxy's environment as ARVADOS_API_TOKEN. Make sure to also set ARVADOS_API_HOST to @uuid_prefix@.your.domain.
63 h3. Set up a reverse proxy with SSL support
65 Because the Keepproxy is intended for access from anywhere on the internet, it is recommended to use SSL for transport encryption.
67 This is best achieved by putting a reverse proxy with SSL support in front of Keepproxy. Keepproxy itself runs on port 25107 by default; your reverse proxy can run on port 443 and pass requests to Keepproxy on port 25107.
69 If possible, the proxy should be configured to add CORS headers to its own error responses -- otherwise in-browser applications can't report proxy errors. For example, in nginx >= 1.7.5:
73 server_name keep.example.com
75 add_header 'Access-Control-Allow-Methods' 'GET, HEAD, POST, PUT, OPTIONS' always
76 add_header 'Access-Control-Allow-Origin' '*' always
77 add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Length, Content-Type, X-Keep-Desired-Replicas' always
78 add_header 'Access-Control-Max-Age' '86486400' always
82 *Warning:* Make sure you don't inadvertently add CORS headers for services _other than keepproxy_ while you're doing this.
84 h3. Tell the API server about the Keepproxy server
86 The API server needs to be informed about the presence of your Keepproxy server. Please execute the following commands on your <strong>shell server</strong>.
89 <pre><code>~$ <span class="userinput">prefix=`arv --format=uuid user current | cut -d- -f1`</span>
90 ~$ <span class="userinput">echo "Site prefix is '$prefix'"</span>
91 ~$ <span class="userinput">read -rd $'\000' keepservice <<EOF; arv keep_service create --keep-service "$keepservice"</span>
92 <span class="userinput">{
93 "service_host":"<strong>keep.$prefix.your.domain</strong>",
95 "service_ssl_flag":true,
96 "service_type":"proxy"
99 </code></pre></notextile>
projects / arvados.git / blob