3 navsection: installguide
4 title: Install Keep-web server
7 Copyright (C) The Arvados Authors. All rights reserved.
9 SPDX-License-Identifier: CC-BY-SA-3.0
12 The Keep-web server provides read/write HTTP (WebDAV) access to files stored in Keep. It serves public data to unauthenticated clients, and serves private data to clients that supply Arvados API tokens. It can be installed anywhere with access to Keep services, typically behind a web proxy that provides TLS support. See the "godoc page":http://godoc.org/github.com/curoverse/arvados/services/keep-web for more detail.
14 By convention, we use the following hostnames for the Keep-web service:
17 <pre><code>download.<span class="userinput">uuid_prefix</span>.your.domain
18 collections.<span class="userinput">uuid_prefix</span>.your.domain
19 *.collections.<span class="userinput">uuid_prefix</span>.your.domain
23 The above hostnames should resolve from anywhere on the internet.
27 Typically Keep-web runs on the same host as Keepproxy.
29 On Debian-based systems:
32 <pre><code>~$ <span class="userinput">sudo apt-get install keep-web</span>
36 On Red Hat-based systems:
39 <pre><code>~$ <span class="userinput">sudo yum install keep-web</span>
43 Verify that @Keep-web@ is functional:
46 <pre><code>~$ <span class="userinput">keep-web -h</span>
49 Site configuration file (default may be overridden by setting an ARVADOS_CONFIG environment variable) (default "/etc/arvados/config.yml")
51 write current configuration to stdout and exit
52 -legacy-crunch-dispatch-slurm-config file
53 Legacy crunch-dispatch-slurm configuration file (default "/etc/arvados/crunch-dispatch-slurm/crunch-dispatch-slurm.yml")
54 -legacy-keepstore-config file
55 Legacy keepstore configuration file (default "/etc/arvados/keepstore/keepstore.yml")
56 -legacy-keepweb-config file
57 Legacy keep-web configuration file (default "/etc/arvados/keep-web/keep-web.yml")
58 -legacy-ws-config file
59 Legacy arvados-ws configuration file (default "/etc/arvados/ws/ws.yml")
61 Don't load legacy config files
63 print version information and exit.
67 {% assign railscmd = "bundle exec ./script/get_anonymous_user_token.rb --get" %}
68 {% assign railsout = "zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz" %}
69 If you intend to use Keep-web to serve public data to anonymous clients, configure it with an anonymous token. You can use the same one you used when you set up your Keepproxy server, or use the following command on the <strong>API server</strong> to create another. {% include 'install_rails_command' %}
71 Install runit to supervise the Keep-web daemon. {% include 'install_runit' %}
73 Set the cluster config file like the following:
77 <span class="userinput">uuid_prefix</span>:
78 SystemRootToken: "{{railsout}}"
81 ExternalURL: "https://<span class="userinput">uuid_prefix</span>.your.domain"
85 "http://keep_web_hostname_goes_here:9002/": {}
88 "http://keep_web_hostname_goes_here:9002/": {}
89 ExternalURL: "https://download.<span class="userinput">uuid_prefix</span>.your.domain/"
91 AnonymousUserToken: "xxxxxxxxxxxxxxxxxxxx"
93 TrustAllContent: false
97 The basic command to start Keep-web in the service run script is:
100 <pre><code>exec sudo -u nobody keep-web
104 {% include 'notebox_begin' %}
105 Please take into consideration that the config file should be world-readable.
106 {% include 'notebox_end' %}
108 Set @Users.AnonymousUserToken: ""@ (empty string) if you do not want to serve public data.
110 Set @TLS.Insecure: true@ if your API server's TLS certificate is not signed by a recognized CA.
112 h3. Set up a reverse proxy with TLS support
114 The Keep-web service will be accessible from anywhere on the internet, so we recommend using TLS for transport encryption.
116 This is best achieved by putting a reverse proxy with TLS support in front of Keep-web, running on port 443 and passing requests to Keep-web on port 9002 (or whatever port you chose in your run script).
118 Note: A wildcard TLS certificate is required in order to support a full-featured secure Keep-web service. Without it, Keep-web can offer file downloads for all Keep data; however, in order to avoid cross-site scripting vulnerabilities, Keep-web refuses to serve private data as web content except when it is accessed using a "secret link" share. With a wildcard TLS certificate and DNS configured appropriately, all data can be served as web content.
120 For example, using Nginx:
124 server 127.0.0.1:<span class="userinput">9002</span>;
128 listen <span class="userinput">[your public IP address]</span>:443 ssl;
129 server_name download.<span class="userinput">uuid_prefix</span>.your.domain
130 collections.<span class="userinput">uuid_prefix</span>.your.domain
131 *.collections.<span class="userinput">uuid_prefix</span>.your.domain
132 ~.*--collections.<span class="userinput">uuid_prefix</span>.your.domain;
134 proxy_connect_timeout 90s;
135 proxy_read_timeout 300s;
138 ssl_certificate <span class="userinput"/>YOUR/PATH/TO/cert.pem</span>;
139 ssl_certificate_key <span class="userinput"/>YOUR/PATH/TO/cert.key</span>;
142 proxy_pass http://keep-web;
143 proxy_set_header Host $host;
144 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
146 client_max_body_size 0;
147 proxy_http_version 1.1;
148 proxy_request_buffering off;
153 {% include 'notebox_begin' %}
154 If you restrict access to your Arvados services based on network topology -- for example, your proxy server is not reachable from the public internet -- additional proxy configuration might be needed to thwart cross-site scripting attacks that would circumvent your restrictions. Read the "'Intranet mode' section of the Keep-web documentation":https://godoc.org/github.com/curoverse/arvados/services/keep-web#hdr-Intranet_mode now.
155 {% include 'notebox_end' %}
159 Configure your DNS servers so the following names resolve to your Nginx proxy's public IP address.
160 * @download.uuid_prefix.your.domain@
161 * @collections.uuid_prefix.your.domain@
162 * @*--collections.uuid_prefix.your.domain@, if you have a wildcard TLS certificate valid for @*.uuid_prefix.your.domain@ and your DNS server allows this without interfering with other DNS names.
163 * @*.collections.uuid_prefix.your.domain@, if you have a wildcard TLS certificate valid for these names.
165 If neither of the above wildcard options is feasible, you have two choices:
166 # Serve web content at @collections.uuid_prefix.your.domain@, but only for unauthenticated requests (public data and collection sharing links). Authenticated requests will always result in file downloads, using the @download@ name. For example, the Workbench "preview" button and the "view entire log file" link will invoke file downloads instead of displaying content in the browser window.
167 # In the special case where you know you are immune to XSS exploits, you can enable the "trust all content" mode in Keep-web and Workbench (setting @Collections.TrustAllContent: true@ on the config file). With this enabled, inline web content can be served from a single @collections@ host name; no wildcard DNS or certificate is needed. Do not do this without understanding the security implications described in the "Keep-web documentation":http://godoc.org/github.com/curoverse/arvados/services/keep-web.
169 h3. Tell Workbench about the Keep-web service
171 Workbench has features like "download file from collection" and "show image" which work better if the content is served by Keep-web rather than Workbench itself. We recommend using the two different hostnames ("download" and "collections" above) for file downloads and inline content respectively.
173 Add the following entry to your cluster configuration file (@/etc/arvados/config.yml@). This URL will be used for file downloads.
180 ExternalURL: "https://download.<span class="userinput">uuid_prefix</span>.your.domain/"
184 Additionally, add *one* of the following entries to your Workbench cluster configuration file, depending on your DNS setup. This URL will be used to serve user content that can be displayed in the browser, like image previews and static HTML pages.
191 ExternalURL: "https://*--collections.<span class="userinput">uuid_prefix</span>.your.domain"
192 ExternalURL: "https://*.collections.<span class="userinput">uuid_prefix</span>.your.domain"
193 ExternalURL: "https://collections.<span class="userinput">uuid_prefix</span>.your.domain"