--- layout: default navsection: installguide title: Install Keepproxy server ... This installation guide assumes you are on a 64 bit Debian or Ubuntu system. The Keepproxy server is a gateway into your Keep storage. Unlike the Keepstore servers, which are only accessible on the local LAN, Keepproxy is designed to provide secure access into Keep from anywhere on the internet. By convention, we use the following hostname for the Keepproxy:

table(table table-bordered table-condensed). |_Hostname_| |keep.@uuid_prefix@.your.domain|

This hostname should resolve from anywhere on the internet. h2. Install Keepproxy First add the Arvados apt repository, and then install the Keepproxy package.

~$ echo "deb http://apt.arvados.org/ wheezy main" | sudo tee /etc/apt/sources.list.d/apt.arvados.org.list
~$ sudo /usr/bin/apt-key adv --keyserver pool.sks-keyservers.net --recv 1078ECD7
~$ sudo /usr/bin/apt-get update
~$ sudo /usr/bin/apt-get install keepproxy

Verify that Keepproxy is functional:

~$ keepproxy -h
Usage of default:
  -default-replicas=2: Default number of replicas to write if not specified by the client.
  -listen=":25107": Interface on which to listen for requests, in the format ipaddr:port. e.g. -listen=10.0.1.24:8000. Use -listen=:port to listen on all network interfaces.
  -no-get=false: If set, disable GET operations
  -no-put=false: If set, disable PUT operations
  -pid="": Path to write pid file

It's recommended to run Keepproxy under "runit":https://packages.debian.org/search?keywords=runit or something similar. h3. Create an API token for the Keepproxy server The Keepproxy server needs a token to talk to the API server. On the API server, use the following command to create the token:

~/arvados/services/api/script$ RAILS_ENV=production ./get_anonymous_user_token.rb
hoShoomoo2bai3Ju1xahg6aeng1siquuaZ1yae2gi2Uhaeng2r

The value for the @api_token@ field should be added to Keepproxy's environment as ARVADOS_API_TOKEN. Make sure to also set ARVADOS_API_HOST to @uuid_prefix@.your.domain. h3. Set up a reverse proxy with SSL support Because the Keepproxy is intended for access from anywhere on the internet, it is recommended to use SSL for transport encryption. This is best achieved by putting a reverse proxy with SSL support in front of Keepproxy. Keepproxy itself runs on port 25107 by default; your reverse proxy can run on port 443 and pass requests to Keepproxy on port 25107. If possible, the proxy should be configured to add CORS headers to its own error responses -- otherwise in-browser applications can't report proxy errors. For example, in nginx >= 1.7.5:

server {
  server_name keep.example.com
  ...
  add_header 'Access-Control-Allow-Methods' 'GET, HEAD, POST, PUT, OPTIONS' always
  add_header 'Access-Control-Allow-Origin' '*' always
  add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Length, Content-Type, X-Keep-Desired-Replicas' always
  add_header 'Access-Control-Max-Age' '86486400' always
}

*Warning:* Make sure you don't inadvertently add CORS headers for services _other than keepproxy_ while you're doing this. h3. Tell the API server about the Keepproxy server The API server needs to be informed about the presence of your Keepproxy server. Please execute the following commands on your shell server.

~$ prefix=`arv --format=uuid user current | cut -d- -f1`
~$ echo "Site prefix is '$prefix'"
~$ read -rd $'\000' keepservice <<EOF; arv keep_service create --keep-service "$keepservice"
{
 "service_host":"keep.$prefix.your.domain",
 "service_port":443,
 "service_ssl_flag":true,
 "service_type":"proxy"
}
EOF