Merge branch '7724-scoped-token' closes #7724

[arvados.git] / doc / install / install-keep-web.html.textile.liquid

---
layout: default
navsection: installguide
title: Install the keep-web server
...

The keep-web server provides read-only HTTP access to files stored in Keep. It serves public data to unauthenticated clients, and serves private data to clients that supply Arvados API tokens. It can be installed anywhere with access to Keep services, typically behind a web proxy that provides SSL support. See the "godoc page":http://godoc.org/github.com/curoverse/arvados/services/keep-web for more detail.

By convention, we use the following hostname for the keep-web service:

<notextile>
<pre><code>collections.<span class="userinput">uuid_prefix</span>.your.domain
</code></pre>
</notextile>

This hostname should resolve from anywhere on the internet.

h2. Install keep-web

On Debian-based systems:

<notextile>
<pre><code>~$ <span class="userinput">sudo apt-get install keep-web</span>
</code></pre>
</notextile>

On Red Hat-based systems:

<notextile>
<pre><code>~$ <span class="userinput">sudo yum install keep-web</span>
</code></pre>
</notextile>

Verify that @keep-web@ is functional:

<notextile>
<pre><code>~$ <span class="userinput">keep-web -h</span>
Usage of keep-web:
  -allow-anonymous
        Serve public data to anonymous clients. Try the token supplied in the ARVADOS_API_TOKEN environment variable when none of the tokens provided in an HTTP request succeed in reading the desired collection. (default false)
  -attachment-only-host string
        Accept credentials, and add "Content-Disposition: attachment" response headers, for requests at this hostname:port. Prohibiting inline display makes it possible to serve untrusted and non-public content from a single origin, i.e., without wildcard DNS or SSL.
  -listen string
        Address to listen on: "host:port", or ":port" to listen on all interfaces. (default ":80")
  -trust-all-content
        Serve non-public content from a single origin. Dangerous: read docs before using!
</code></pre>
</notextile>

If you intend to use Keep-web to serve public data to anonymous clients, configure it with an anonymous token. You can use the same one you used when you set up your Keepproxy server, or use the following command on the <strong>API server</strong> to create another:

<notextile>
<pre><code>/var/www/arvados-api/current/script$ <span class="userinput">RAILS_ENV=production bundle exec ./get_anonymous_user_token.rb</span>
hoShoomoo2bai3Ju1xahg6aeng1siquuaZ1yae2gi2Uhaeng2r
</code></pre></notextile>

We recommend running @keep-web@ under "runit":https://packages.debian.org/search?keywords=runit or a similar supervisor. The basic command to start @keep-web@ is:

<notextile>
<pre><code>export ARVADOS_API_HOST=<span class="userinput">uuid_prefix</span>.your.domain
export ARVADOS_API_TOKEN="<span class="userinput">hoShoomoo2bai3Ju1xahg6aeng1siquuaZ1yae2gi2Uhaeng2r</span>"
exec sudo -u nobody keep-web -listen=<span class="userinput">:9002</span> -allow-anonymous 2&gt;&amp;1
</code></pre>
</notextile>

Omit the @-allow-anonymous@ argument if you do not want to serve public data.

Set @ARVADOS_API_HOST_INSECURE=1@ if your API server's SSL certificate is not signed by a recognized CA.

h3. Set up a reverse proxy with SSL support

The keep-web service will be accessible from anywhere on the internet, so we recommend using SSL for transport encryption.

This is best achieved by putting a reverse proxy with SSL support in front of keep-web, running on port 443 and passing requests to keep-web on port 9002 (or whatever port you chose in your run script).

Note: A wildcard SSL certificate is required in order to proxy keep-web effectively.

For example, using Nginx:

<notextile><pre>
upstream keep-web {
  server                127.0.0.1:<span class="userinput">9002</span>;
}

server {
  listen                <span class="userinput">[your public IP address]</span>:443 ssl;
  server_name           collections.<span class="userinput">uuid_prefix</span>.your.domain *.collections.<span class="userinput">uuid_prefix</span>.your.domain ~.*--collections.<span class="userinput">uuid_prefix</span>.your.domain;

  proxy_connect_timeout 90s;
  proxy_read_timeout    300s;

  ssl                   on;
  ssl_certificate       <span class="userinput"/>YOUR/PATH/TO/cert.pem</span>;
  ssl_certificate_key   <span class="userinput"/>YOUR/PATH/TO/cert.key</span>;

  location / {
    proxy_pass          http://keep-web;
    proxy_set_header    Host            $host;
    proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
  }
}
</pre></notextile>

h3. Configure DNS

Configure your DNS servers so the following names resolve to your Nginx proxy's public IP address.
* @*--collections.uuid_prefix.your.domain@, if your DNS server allows this without interfering with other DNS names; or
* @*.collections.uuid_prefix.your.domain@, if you have a wildcard SSL certificate valid for these names; or
* @collections.uuid_prefix.your.domain@, if neither of the above options is feasible. In this case, only unauthenticated requests will be served, i.e., public data and collection sharing links.

h3. Tell Workbench about the keep-web service

Add *one* of the following entries to your Workbench configuration file (@/etc/arvados/workbench/application.yml@), depending on your DNS setup:

<notextile>
<pre><code>keep_web_url: https://%{uuid_or_pdh}--collections.<span class="userinput">uuid_prefix</span>.your.domain
keep_web_url: https://%{uuid_or_pdh}.collections.<span class="userinput">uuid_prefix</span>.your.domain
keep_web_url: https://collections.<span class="userinput">uuid_prefix</span>.your.domain
</code></pre>
</notextile>