---
layout: default
navsection: installguide
title: Install Keepproxy server
...

The Keepproxy server is a gateway into your Keep storage. Unlike the Keepstore servers, which are only accessible on the local LAN, Keepproxy is designed to provide secure access into Keep from anywhere on the internet.

By convention, we use the following hostname for the Keepproxy:

<div class="offset1">
table(table table-bordered table-condensed).
|_Hostname_|
|keep.@uuid_prefix@.your.domain|
</div>

This hostname should resolve from anywhere on the internet.

h2. Install Keepproxy

On Debian-based systems:

<notextile>
<pre><code>~$ <span class="userinput">sudo apt-get install keepproxy</span>
</code></pre>
</notextile>

On Red Hat-based systems:

<notextile>
<pre><code>~$ <span class="userinput">sudo yum install keepproxy</span>
</code></pre>
</notextile>

Verify that Keepproxy is functional:

<notextile>
<pre><code>~$ <span class="userinput">keepproxy -h</span>
Usage of default:
  -default-replicas=2: Default number of replicas to write if not specified by the client.
  -listen=":25107": Interface on which to listen for requests, in the format ipaddr:port. e.g. -listen=10.0.1.24:8000. Use -listen=:port to listen on all network interfaces.
  -no-get=false: If set, disable GET operations
  -no-put=false: If set, disable PUT operations
  -pid="": Path to write pid file
</code></pre>
</notextile>

It's recommended to run Keepproxy under "runit":http://smarden.org/runit/ or something similar.

h3. Create an API token for the Keepproxy server

The Keepproxy server needs a token to talk to the API server.

On the <strong>API server</strong>, use the following command to create the token:

<notextile>
<pre><code>~/arvados/services/api/script$ <span class="userinput">RAILS_ENV=production ./get_anonymous_user_token.rb</span>
hoShoomoo2bai3Ju1xahg6aeng1siquuaZ1yae2gi2Uhaeng2r
</code></pre></notextile>

The value for the @api_token@ field should be added to Keepproxy's environment as ARVADOS_API_TOKEN. Make sure to also set ARVADOS_API_HOST to @uuid_prefix@.your.domain.

h3. Set up a reverse proxy with SSL support

Because the Keepproxy is intended for access from anywhere on the internet, it is recommended to use SSL for transport encryption.

This is best achieved by putting a reverse proxy with SSL support in front of Keepproxy. Keepproxy itself runs on port 25107 by default; your reverse proxy can run on port 443 and pass requests to Keepproxy on port 25107.

If possible, the proxy should be configured to add CORS headers to its own error responses -- otherwise in-browser applications can't report proxy errors. For example, in nginx >= 1.7.5:

<notextile><pre>
server {
  server_name keep.example.com
  ...
  add_header 'Access-Control-Allow-Methods' 'GET, HEAD, POST, PUT, OPTIONS' always
  add_header 'Access-Control-Allow-Origin' '*' always
  add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Length, Content-Type, X-Keep-Desired-Replicas' always
  add_header 'Access-Control-Max-Age' '86486400' always
}
</pre></notextile>

*Warning:* Make sure you don't inadvertently add CORS headers for services _other than keepproxy_ while you're doing this.

h3. Tell the API server about the Keepproxy server

The API server needs to be informed about the presence of your Keepproxy server. Please execute the following commands on your <strong>shell server</strong>.

<notextile>
<pre><code>~$ <span class="userinput">prefix=`arv --format=uuid user current | cut -d- -f1`</span>
~$ <span class="userinput">echo "Site prefix is '$prefix'"</span>
~$ <span class="userinput">read -rd $'\000' keepservice &lt;&lt;EOF; arv keep_service create --keep-service "$keepservice"</span>
<span class="userinput">{
 "service_host":"keep.$prefix.your.domain",
 "service_port":443,
 "service_ssl_flag":true,
 "service_type":"proxy"
}
EOF</span>
</code></pre></notextile>