--- layout: default navsection: installguide title: Install Keepproxy server ... The Keepproxy server is a gateway into your Keep storage. Unlike the Keepstore servers, which are only accessible on the local LAN, Keepproxy is designed to provide secure access into Keep from anywhere on the internet. By convention, we use the following hostname for the Keepproxy:
table(table table-bordered table-condensed). |_Hostname_| |keep.@uuid_prefix@.your.domain|
This hostname should resolve from anywhere on the internet. h2. Install Keepproxy On Debian-based systems:
~$ sudo apt-get install keepproxy
On Red Hat-based systems:
~$ sudo yum install keepproxy
Verify that Keepproxy is functional:
~$ keepproxy -h
Usage of default:
  -default-replicas=2: Default number of replicas to write if not specified by the client.
  -listen=":25107": Interface on which to listen for requests, in the format ipaddr:port. e.g. -listen=10.0.1.24:8000. Use -listen=:port to listen on all network interfaces.
  -no-get=false: If set, disable GET operations
  -no-put=false: If set, disable PUT operations
  -pid="": Path to write pid file
h3. Create an API token for the Keepproxy server The Keepproxy server needs a token to talk to the API server. On the API server, use the following command to create the token:
~/arvados/services/api/script$ RAILS_ENV=production bundle exec ./get_anonymous_user_token.rb
hoShoomoo2bai3Ju1xahg6aeng1siquuaZ1yae2gi2Uhaeng2r
h3. Set up the Keepproxy service We recommend you run Keepproxy under "runit":http://smarden.org/runit/ or a similar supervisor. Make sure the launcher sets the envirnoment variables @ARVADOS_API_TOKEN@ (with the token you just generated), @ARVADOS_API_HOST@, and, if needed, @ARVADOS_API_HOST_INSECURE@. The core keepproxy command to run is:
ARVADOS_API_TOKEN=[generated token] ARVADOS_API_HOST=uuid_prefix.your.domain exec keepproxy
h3. Set up a reverse proxy with SSL support Because the Keepproxy is intended for access from anywhere on the internet, it is recommended to use SSL for transport encryption. This is best achieved by putting a reverse proxy with SSL support in front of Keepproxy. Keepproxy itself runs on port 25107 by default; your reverse proxy can run on port 443 and pass requests to Keepproxy on port 25107.
upstream keepproxy {
  server                127.0.0.1:25107;
}

server {
  listen                [your public IP address]:443 ssl;
  server_name           keep.uuid_prefix.your.domain

  proxy_connect_timeout 90s;
  proxy_read_timeout    300s;
  proxy_set_header      X-Real-IP $remote_addr;

  ssl                   on;
  ssl_certificate       /etc/nginx/keep.uuid_prefix.your.domain-ssl.crt;
  ssl_certificate_key   /etc/nginx/keep.uuid_prefix.your.domain-ssl.key;

  # Clients need to be able to upload blocks of data up to 64MiB in size.
  client_max_body_size  64m;

  location / {
    proxy_pass          http://keepproxy;
  }
}
Note: if the Web uploader is failing to upload data and there are no logs from keepproxy, be sure to check the nginx proxy logs. In addition to "GET" and "PUT", The nginx proxy must pass "OPTIONS" requests to keepproxy, which should respond with appropriate Cross-origin resource sharing headers. If the CORS headers are not present, brower security policy will cause the upload request to silently fail. The CORS headers are generated by keepproxy and should not be set in nginx. h3. Tell the API server about the Keepproxy server The API server needs to be informed about the presence of your Keepproxy server. Please execute the following commands on your shell server.
~$ uuid_prefix=`arv --format=uuid user current | cut -d- -f1`
~$ echo "Site prefix is '$uuid_prefix'"
~$ read -rd $'\000' keepservice <<EOF; arv keep_service create --keep-service "$keepservice"
{
 "service_host":"keep.$uuid_prefix.your.domain",
 "service_port":443,
 "service_ssl_flag":true,
 "service_type":"proxy"
}
EOF