---
layout: default
navsection: installguide
title: Install the download server
...
The keep-web server provides read-only HTTP access to files stored in Keep. It serves public data to unauthenticated clients, and serves private data to clients that supply Arvados API tokens. It can be installed anywhere with access to Keep services, typically behind a web proxy that provides SSL support. See the "godoc page":http://godoc.org/github.com/curoverse/arvados/services/keep-web for more detail.
By convention, we use the following hostname for the download service:
dl.uuid_prefix.your.domain
This hostname should resolve from anywhere on the internet.
h2. Install keep-web
On Debian-based systems:
~$ sudo apt-get install keep-web
On Red Hat-based systems:
~$ sudo yum install keep-web
Verify that @keep-web@ is functional:
~$ keep-web -h
Usage of keep-web:
-address string
Address to listen on: "host:port", or ":port" to listen on all interfaces. (default ":80")
-anonymous-token value
API token to try when none of the tokens provided in an HTTP request succeed in reading the desired collection. If this flag is used more than once, each token will be attempted in turn until one works. (default [])
If you intend to use Keep-web to serve public data to anonymous clients, configure it with an anonymous token. You can use the same one you used when you set up your Keepproxy server, or use the following command on the API server to create another:
/var/www/arvados-api/current/script$ RAILS_ENV=production bundle exec ./get_anonymous_user_token.rb
hoShoomoo2bai3Ju1xahg6aeng1siquuaZ1yae2gi2Uhaeng2r
We recommend running @keep-web@ under "runit":https://packages.debian.org/search?keywords=runit or a similar supervisor. The basic command to start @keep-web@ is:
export ARVADOS_API_HOST=uuid_prefix.your.domain
exec sudo -u nobody keep-web -address=:9002 -anonymous-token=hoShoomoo2bai3Ju1xahg6aeng1siquuaZ1yae2gi2Uhaeng2r 2>&1
Omit the @-anonymous-token@ arguments if you do not want to serve public data.
Set @ARVADOS_API_HOST_INSECURE=1@ if your API server's SSL certificate is not signed by a recognized CA.
h3. Set up a reverse proxy with SSL support
The keep-web service will be accessible from anywhere on the internet, so we recommend using SSL for transport encryption.
This is best achieved by putting a reverse proxy with SSL support in front of keep-web, running on port 443 and passing requests to keep-web on port 9002 (or whatever port you chose in your run script).
Note: A wildcard SSL certificate is required in order to proxy keep-web effectively.
For example, using Nginx:
upstream keep-web {
server 127.0.0.1:9002;
}
server {
listen [your public IP address]:443 ssl;
server_name dl.uuid_prefix.your.domain *.dl.uuid_prefix.your.domain ~.*--dl.uuid_prefix.your.domain;
proxy_connect_timeout 90s;
proxy_read_timeout 300s;
ssl on;
ssl_certificate YOUR/PATH/TO/cert.pem;
ssl_certificate_key YOUR/PATH/TO/cert.key;
location / {
proxy_pass http://keep-web;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
h3. Tell the API server about the keep-web service
If your wildcard certificate is valid for *.dl.uuid_prefix.your.domain, add the following entry to your API server's @config/application.yml@ file:
keep-web: https://%{uuid_or_pdh}.dl.uuid_prefix.your.domain
If your wildcard certificate is valid for *.uuid_prefix.your.domain, add the following entry to your API server's @config/application.yml@ file. This approach requires a wildcard DNS entry covering *--dl.uuid_prefix.your.domain, which might be difficult to do without affecting other services, depending on your DNS server software.
keep-web: https://%{uuid_or_pdh}--dl.uuid_prefix.your.domain
h3. Configure DNS
Configure your DNS servers so *--dl.uuid_prefix.your.domain or *.dl.uuid_prefix.your.domain (according to the way you configured Workbench), as well as dl.uuid_prefix.your.domain, resolve to your Nginx proxy's public IP address.