projects / arvados.git / blobdiff
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Merge branch '16749-arvbox-users' refs #16749
[arvados.git] / doc / install / install-keep-web.html.textile.liquid
diff --git a/doc/install/install-keep-web.html.textile.liquid b/doc/install/install-keep-web.html.textile.liquid
index 9f1188831f90051258a636c7dc002a9dcf826931..24f37bfb4f8ee25b3b32b691624e06586f9b42d1 100644 (file)
--- a/doc/install/install-keep-web.html.textile.liquid
+++ b/doc/install/install-keep-web.html.textile.liquid
@@ -39,45 +39,61 @@ If blank, serve links to WebDAV with @disposition=attachment@ query param.  Unli
 
 If @WebDAVDownload@ is blank, and @WebDAV@ has a single origin (not wildcard, see below), then Workbench will show an error page
 
-<pre>
-    Services:
+<notextile>
+<pre><code>    Services:
       WebDAVDownload:
-        ExternalURL: https://download.ClusterID.example.com
-</pre>
+        ExternalURL: https://<span class="userinput">download.ClusterID.example.com</span>
+</code></pre>
+</notextile>
 
 h3. Collections preview URL
 
-Collections will be served using the URL pattern in @Services.WebDAV.ExternalURL@ .  If blank, use @Services.WebDAVDownload.ExternalURL@ instead, and disable inline preview.  If both are empty, downloading collections from workbench will be impossible.
+Collections will be served using the URL pattern in @Services.WebDAV.ExternalURL@ .  If blank, use @Services.WebDAVDownload.ExternalURL@ instead, and disable inline preview.  If both are empty, downloading collections from workbench will be impossible.  When wildcard domains configured, credentials are still required to access non-public data.
 
 h4. In their own subdomain
 
 Collections can be served from their own subdomain:
 
-<pre>
-    Services:
+<notextile>
+<pre><code>    Services:
       WebDAV:
-        ExternalURL: https://*.collections.ClusterID.example.com
-</pre>
+        ExternalURL: https://<span class="userinput">*.collections.ClusterID.example.com/</span>
+</code></pre>
+</notextile>
 
 h4. Under the main domain
 
 Alternately, they can go under the main domain by including @--@:
 
-<pre>
-    Services:
+<notextile>
+<pre><code>    Services:
       WebDAV:
-        ExternalURL: https://*--collections.ClusterID.example.com
-</pre>
+        ExternalURL: https://<span class="userinput">*--collections.ClusterID.example.com/</span>
+</code></pre>
+</notextile>
 
 h4. From a single domain
 
-Serve preview links from a single domain, setting uuid or pdh in the path (similar to downloads).  This configuration only allows previews of public data or collection-sharing links, because these use the anonymous user token or the token is already embedded in the URL.  Authenticated requests will always result in file downloads from @Services.WebDAVDownload.ExternalURL@.
+Serve preview links from a single domain, setting uuid or pdh in the path (similar to downloads).  This configuration only allows previews of public data (data accessible by the anonymous user) and collection-sharing links (where the token is already embedded in the URL); it will ignore authorization headers, so a request for non-public data may return "404 Not Found" even if normally valid credentials were provided.
 
-<pre>
-    Services:
+<notextile>
+<pre><code>    Services:
       WebDAV:
-        ExternalURL: https://collections.ClusterID.example.com
-</pre>
+        ExternalURL: https://<span class="userinput">collections.ClusterID.example.com/</span>
+</code></pre>
+</notextile>
+
+Note the trailing slash.
+
+h2. Set InternalURLs
+
+<notextile>
+<pre><code>    Services:
+      WebDAV:
+        InternalURLs:
+          http://<span class="userinput">localhost:9002</span>: {}
+</code></pre>
+</notextile>
 
 h2(#update-config). Configure anonymous user token
 
@@ -87,26 +103,17 @@ If you intend to use Keep-web to serve public data to anonymous clients, configu
 
 <notextile>
 <pre><code>    Users:
-      AnonymousUserToken: "{{railsout}}"
+      AnonymousUserToken: <span class="userinput">"{{railsout}}"</span>
 </code></pre>
 </notextile>
 
 Set @Users.AnonymousUserToken: ""@ (empty string) or leave it out if you do not want to serve public data.
 
-h2. Set InternalURL
-
-<pre>
-    Services:
-      WebDAV:
-        InternalURL:
-         "http://collections.ClusterID.example.com:9002": {}
-</pre>
-
 h3. Update nginx configuration
 
 Put a reverse proxy with SSL support in front of keep-web.  Keep-web itself runs on the port 25107 (or whatever is specified in @Services.Keepproxy.InternalURL@) the reverse proxy runs on port 443 and forwards requests to Keepproxy.
 
-Use a text editor to create a new file @/etc/nginx/conf.d/keep-web.conf@ with the following configuration. Options that need attention are marked with “TODO”.
+Use a text editor to create a new file @/etc/nginx/conf.d/keep-web.conf@ with the following configuration. Options that need attention are marked in <span class="userinput">red</span>.
 
 <notextile><pre>
 upstream keep-web {
@@ -114,18 +121,18 @@ upstream keep-web {
 }
 
 server {
-  listen                <span class="userinput">[TODO: your public IP address]</span>:443 ssl;
-  server_name           download.<span class="userinput">ClusterID</span>.example.com
-                        collections.<span class="userinput">ClusterID</span>.example.com
-                        *.collections.<span class="userinput">ClusterID</span>.example.com
-                        ~.*--collections.<span class="userinput">ClusterID</span>.example.com;
+  listen                443 ssl;
+  server_name           <span class="userinput">download.ClusterID.example.com</span>
+                        <span class="userinput">collections.ClusterID.example.com</span>
+                        <span class="userinput">*.collections.ClusterID.example.com</span>
+                        <span class="userinput">~.*--collections.ClusterID.example.com</span>;
 
   proxy_connect_timeout 90s;
   proxy_read_timeout    300s;
 
   ssl                   on;
-  ssl_certificate       <span class="userinput">/TODO/YOUR/PATH/TO/cert.pem</span>;
-  ssl_certificate_key   <span class="userinput">/TODO/YOUR/PATH/TO/cert.key</span>;
+  ssl_certificate       <span class="userinput">/YOUR/PATH/TO/cert.pem</span>;
+  ssl_certificate_key   <span class="userinput">/YOUR/PATH/TO/cert.key</span>;
 
   location / {
     proxy_pass          http://keep-web;
@@ -135,6 +142,7 @@ server {
     client_max_body_size    0;
     proxy_http_version      1.1;
     proxy_request_buffering off;
+    proxy_max_temp_file_size 0;
   }
 }
 </pre></notextile>
@@ -157,16 +165,18 @@ In such cases -- for example, a site which is not reachable from the internet, w
 
 h2(#confirm-working). Confirm working installation
 
-Adjust for your configuration.
+<notextile><code><pre>
+$ curl -H "Authorization: Bearer $system_root_token" https://<span class="userinput">download.ClusterID.example.com</span>/c=59389a8f9ee9d399be35462a0f92541c-53/_/hello.txt
+</code></pre></notextile>
+
+If wildcard collections domains are configured:
 
-<pre>
-$ curl -H "Authorization: Bearer $system_root_token" https://download.ClusterID.example.com/c=59389a8f9ee9d399be35462a0f92541c-53/_/hello.txt
-</pre>
+<notextile><code><pre>
+$ curl -H "Authorization: Bearer $system_root_token" https://<span class="userinput">59389a8f9ee9d399be35462a0f92541c-53.collections.ClusterID.example.com</span>/hello.txt
+</code></pre></notextile>
 
-<pre>
-$ curl -H "Authorization: Bearer $system_root_token" https://collections.ClusterID.example.com/c=59389a8f9ee9d399be35462a0f92541c-53/_/hello.txt
-</pre>
+If using a single collections preview domain:
 
-<pre>
-$ curl -H "Authorization: Bearer $system_root_token" https://59389a8f9ee9d399be35462a0f92541c-53.collections.ClusterID.example.com/hello.txt
-</pre>
+<notextile><code><pre>
+$ curl https://<span class="userinput">collections.ClusterID.example.com</span>/c=59389a8f9ee9d399be35462a0f92541c-53/t=$system_root_token/_/hello.txt
+</code></pre></notextile>