X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/102df19458ef2c97d1ef4ba0e571e3204d7073e6..3b321249456939079404973d40ae7e999872c963:/doc/install/install-keep-web.html.textile.liquid?ds=sidebyside
diff --git a/doc/install/install-keep-web.html.textile.liquid b/doc/install/install-keep-web.html.textile.liquid
index 9f1188831f..0dfcac37e0 100644
--- a/doc/install/install-keep-web.html.textile.liquid
+++ b/doc/install/install-keep-web.html.textile.liquid
@@ -39,45 +39,61 @@ If blank, serve links to WebDAV with @disposition=attachment@ query param. Unli
If @WebDAVDownload@ is blank, and @WebDAV@ has a single origin (not wildcard, see below), then Workbench will show an error page
-
- Services:
+
+ Services:
WebDAVDownload:
- ExternalURL: https://download.ClusterID.example.com
-
+ ExternalURL: https://download.ClusterID.example.com
+
+
h3. Collections preview URL
-Collections will be served using the URL pattern in @Services.WebDAV.ExternalURL@ . If blank, use @Services.WebDAVDownload.ExternalURL@ instead, and disable inline preview. If both are empty, downloading collections from workbench will be impossible.
+Collections will be served using the URL pattern in @Services.WebDAV.ExternalURL@ . If blank, use @Services.WebDAVDownload.ExternalURL@ instead, and disable inline preview. If both are empty, downloading collections from workbench will be impossible. When wildcard domains configured, credentials are still required to access non-public data.
h4. In their own subdomain
Collections can be served from their own subdomain:
-
- Services:
+
+ Services:
WebDAV:
- ExternalURL: https://*.collections.ClusterID.example.com
-
+ ExternalURL: https://*.collections.ClusterID.example.com/
+
+
h4. Under the main domain
Alternately, they can go under the main domain by including @--@:
-
- Services:
+
+ Services:
WebDAV:
- ExternalURL: https://*--collections.ClusterID.example.com
-
+ ExternalURL: https://*--collections.ClusterID.example.com/
+
+
h4. From a single domain
-Serve preview links from a single domain, setting uuid or pdh in the path (similar to downloads). This configuration only allows previews of public data or collection-sharing links, because these use the anonymous user token or the token is already embedded in the URL. Authenticated requests will always result in file downloads from @Services.WebDAVDownload.ExternalURL@.
+Serve preview links from a single domain, setting uuid or pdh in the path (similar to downloads). This configuration only allows previews of public data (data accessible by the anonymous user) and collection-sharing links (where the token is already embedded in the URL); it will ignore authorization headers, so a request for non-public data may return "404 Not Found" even if normally valid credentials were provided.
-
- Services:
+
+ Services:
WebDAV:
- ExternalURL: https://collections.ClusterID.example.com
-
+ ExternalURL: https://collections.ClusterID.example.com/
+
+
+
+Note the trailing slash.
+
+h2. Set InternalURLs
+
+
+ Services:
+ WebDAV:
+ InternalURLs:
+ http://localhost:9002: {}
+
+
h2(#update-config). Configure anonymous user token
@@ -87,26 +103,17 @@ If you intend to use Keep-web to serve public data to anonymous clients, configu
Users:
- AnonymousUserToken: "{{railsout}}"
+ AnonymousUserToken: "{{railsout}}"
Set @Users.AnonymousUserToken: ""@ (empty string) or leave it out if you do not want to serve public data.
-h2. Set InternalURL
-
-
- Services:
- WebDAV:
- InternalURL:
- "http://collections.ClusterID.example.com:9002": {}
-
-
h3. Update nginx configuration
Put a reverse proxy with SSL support in front of keep-web. Keep-web itself runs on the port 25107 (or whatever is specified in @Services.Keepproxy.InternalURL@) the reverse proxy runs on port 443 and forwards requests to Keepproxy.
-Use a text editor to create a new file @/etc/nginx/conf.d/keep-web.conf@ with the following configuration. Options that need attention are marked with âTODOâ.
+Use a text editor to create a new file @/etc/nginx/conf.d/keep-web.conf@ with the following configuration. Options that need attention are marked in red.
upstream keep-web {
@@ -114,18 +121,18 @@ upstream keep-web {
}
server {
- listen [TODO: your public IP address]:443 ssl;
- server_name download.ClusterID.example.com
- collections.ClusterID.example.com
- *.collections.ClusterID.example.com
- ~.*--collections.ClusterID.example.com;
+ listen *:443 ssl;
+ server_name download.ClusterID.example.com
+ collections.ClusterID.example.com
+ *.collections.ClusterID.example.com
+ ~.*--collections.ClusterID.example.com;
proxy_connect_timeout 90s;
proxy_read_timeout 300s;
ssl on;
- ssl_certificate /TODO/YOUR/PATH/TO/cert.pem;
- ssl_certificate_key /TODO/YOUR/PATH/TO/cert.key;
+ ssl_certificate /YOUR/PATH/TO/cert.pem;
+ ssl_certificate_key /YOUR/PATH/TO/cert.key;
location / {
proxy_pass http://keep-web;
@@ -157,16 +164,18 @@ In such cases -- for example, a site which is not reachable from the internet, w
h2(#confirm-working). Confirm working installation
-Adjust for your configuration.
+
+$ curl -H "Authorization: Bearer $system_root_token" https://download.ClusterID.example.com/c=59389a8f9ee9d399be35462a0f92541c-53/_/hello.txt
+
+
+If wildcard collections domains are configured:
-
-$ curl -H "Authorization: Bearer $system_root_token" https://download.ClusterID.example.com/c=59389a8f9ee9d399be35462a0f92541c-53/_/hello.txt
-
+
+$ curl -H "Authorization: Bearer $system_root_token" https://59389a8f9ee9d399be35462a0f92541c-53.collections.ClusterID.example.com/hello.txt
+
-$ curl -H "Authorization: Bearer $system_root_token" https://collections.ClusterID.example.com/c=59389a8f9ee9d399be35462a0f92541c-53/_/hello.txt
-
+If using a single collections preview domain:
-
-$ curl -H "Authorization: Bearer $system_root_token" https://59389a8f9ee9d399be35462a0f92541c-53.collections.ClusterID.example.com/hello.txt
-
+
+$ curl https://collections.ClusterID.example.com/c=59389a8f9ee9d399be35462a0f92541c-53/t=$system_root_token/_/hello.txt
+