X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/102df19458ef2c97d1ef4ba0e571e3204d7073e6..3b321249456939079404973d40ae7e999872c963:/doc/install/install-keep-web.html.textile.liquid?ds=sidebyside diff --git a/doc/install/install-keep-web.html.textile.liquid b/doc/install/install-keep-web.html.textile.liquid index 9f1188831f..0dfcac37e0 100644 --- a/doc/install/install-keep-web.html.textile.liquid +++ b/doc/install/install-keep-web.html.textile.liquid @@ -39,45 +39,61 @@ If blank, serve links to WebDAV with @disposition=attachment@ query param. Unli If @WebDAVDownload@ is blank, and @WebDAV@ has a single origin (not wildcard, see below), then Workbench will show an error page -
- Services: ++ h3. Collections preview URL -Collections will be served using the URL pattern in @Services.WebDAV.ExternalURL@ . If blank, use @Services.WebDAVDownload.ExternalURL@ instead, and disable inline preview. If both are empty, downloading collections from workbench will be impossible. +Collections will be served using the URL pattern in @Services.WebDAV.ExternalURL@ . If blank, use @Services.WebDAVDownload.ExternalURL@ instead, and disable inline preview. If both are empty, downloading collections from workbench will be impossible. When wildcard domains configured, credentials are still required to access non-public data. h4. In their own subdomain Collections can be served from their own subdomain: -+ + ExternalURL: https://download.ClusterID.example.com +Services: WebDAVDownload: - ExternalURL: https://download.ClusterID.example.com -
- Services: ++ h4. Under the main domain Alternately, they can go under the main domain by including @--@: -+ + ExternalURL: https://*.collections.ClusterID.example.com/ +Services: WebDAV: - ExternalURL: https://*.collections.ClusterID.example.com -
- Services: ++ h4. From a single domain -Serve preview links from a single domain, setting uuid or pdh in the path (similar to downloads). This configuration only allows previews of public data or collection-sharing links, because these use the anonymous user token or the token is already embedded in the URL. Authenticated requests will always result in file downloads from @Services.WebDAVDownload.ExternalURL@. +Serve preview links from a single domain, setting uuid or pdh in the path (similar to downloads). This configuration only allows previews of public data (data accessible by the anonymous user) and collection-sharing links (where the token is already embedded in the URL); it will ignore authorization headers, so a request for non-public data may return "404 Not Found" even if normally valid credentials were provided. -+ + ExternalURL: https://*--collections.ClusterID.example.com/ +Services: WebDAV: - ExternalURL: https://*--collections.ClusterID.example.com -
- Services: ++ + +Note the trailing slash. + +h2. Set InternalURLs + ++ + ExternalURL: https://collections.ClusterID.example.com/ +Services: WebDAV: - ExternalURL: https://collections.ClusterID.example.com -
Services:
+ WebDAV:
+ InternalURLs:
+ http://localhost:9002: {}
+
+ Users:
- AnonymousUserToken: "{{railsout}}"
+ AnonymousUserToken: "{{railsout}}"
- Services: - WebDAV: - InternalURL: - "http://collections.ClusterID.example.com:9002": {} -- h3. Update nginx configuration Put a reverse proxy with SSL support in front of keep-web. Keep-web itself runs on the port 25107 (or whatever is specified in @Services.Keepproxy.InternalURL@) the reverse proxy runs on port 443 and forwards requests to Keepproxy. -Use a text editor to create a new file @/etc/nginx/conf.d/keep-web.conf@ with the following configuration. Options that need attention are marked with âTODOâ. +Use a text editor to create a new file @/etc/nginx/conf.d/keep-web.conf@ with the following configuration. Options that need attention are marked in red.
upstream keep-web { @@ -114,18 +121,18 @@ upstream keep-web { } server { - listen [TODO: your public IP address]:443 ssl; - server_name download.ClusterID.example.com - collections.ClusterID.example.com - *.collections.ClusterID.example.com - ~.*--collections.ClusterID.example.com; + listen *:443 ssl; + server_name download.ClusterID.example.com + collections.ClusterID.example.com + *.collections.ClusterID.example.com + ~.*--collections.ClusterID.example.com; proxy_connect_timeout 90s; proxy_read_timeout 300s; ssl on; - ssl_certificate /TODO/YOUR/PATH/TO/cert.pem; - ssl_certificate_key /TODO/YOUR/PATH/TO/cert.key; + ssl_certificate /YOUR/PATH/TO/cert.pem; + ssl_certificate_key /YOUR/PATH/TO/cert.key; location / { proxy_pass http://keep-web; @@ -157,16 +164,18 @@ In such cases -- for example, a site which is not reachable from the internet, w h2(#confirm-working). Confirm working installation -Adjust for your configuration. +
+$ curl -H "Authorization: Bearer $system_root_token" https://download.ClusterID.example.com/c=59389a8f9ee9d399be35462a0f92541c-53/_/hello.txt +
-$ curl -H "Authorization: Bearer $system_root_token" https://download.ClusterID.example.com/c=59389a8f9ee9d399be35462a0f92541c-53/_/hello.txt -+
+$ curl -H "Authorization: Bearer $system_root_token" https://59389a8f9ee9d399be35462a0f92541c-53.collections.ClusterID.example.com/hello.txt
+
-$ curl -H "Authorization: Bearer $system_root_token" https://collections.ClusterID.example.com/c=59389a8f9ee9d399be35462a0f92541c-53/_/hello.txt -+If using a single collections preview domain: -
-$ curl -H "Authorization: Bearer $system_root_token" https://59389a8f9ee9d399be35462a0f92541c-53.collections.ClusterID.example.com/hello.txt -+
+$ curl https://collections.ClusterID.example.com/c=59389a8f9ee9d399be35462a0f92541c-53/t=$system_root_token/_/hello.txt
+
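Review bot: The unchanged nginx paragraph at the end of the first hunk (@@ -39,45 +39,61 @@) still says keep-web "runs on the port 25107 (or whatever is specified in Services.Keepproxy.InternalURL)" and that the proxy "forwards requests to Keepproxy", while the new "Set InternalURLs" section configures Services.WebDAV.InternalURLs with http://localhost:9002. Update that sentence to name Services.WebDAV.InternalURLs and the port used in the example, so the reader points the reverse proxy at the right upstream. Two smaller points in the same hunk: "When wildcard domains configured" is missing "are", and "Note the trailing slash." appears only after the single-domain example although the patch also adds a trailing slash to both wildcard ExternalURL values; say once, near the first example, whether the slash is required and whether the download URL needs it too.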
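Review bot: The regex entry in server_name in the second hunk (@@ -114,18 +121,18 @@), ~.*--collections.ClusterID.example.com, is re-indented but left unanchored and with unescaped dots, so it matches any Host header that merely contains a string of that shape. Suggest ~^.*--collections\.ClusterID\.example\.com$ so only the intended preview hostnames select this server block. In the same hunk, "listen *:443 ssl;" replaces the public-IP placeholder and now binds every interface, which deserves a sentence in the text for multi-homed hosts, and the context line "ssl on;" is redundant with the ssl parameter on listen and could be dropped.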
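Review bot: The added single-domain check in the last hunk (@@ -157,16 +164,18 @@) puts the system root token in the URL path (t=$system_root_token), where it will be recorded in the reverse proxy's access log and in anything else that logs request URLs. The first hunk states that this configuration only serves public data and collection-sharing links, so suggest the example fetch a public collection with no token, or use a collection-sharing token, rather than the cluster's most privileged credential. If the root token has to stay in the example, add a sentence telling the reader that the token ends up in request logs.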