X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/44c95f99098fa6c6acbfa82d4b6cbc6015eb6e39..6da6b846097364da3abed2abad272e9607b15ca8:/doc/install/install-keep-web.html.textile.liquid?ds=sidebyside
diff --git a/doc/install/install-keep-web.html.textile.liquid b/doc/install/install-keep-web.html.textile.liquid
index ea2ebd161b..9f1188831f 100644
--- a/doc/install/install-keep-web.html.textile.liquid
+++ b/doc/install/install-keep-web.html.textile.liquid
@@ -9,85 +9,104 @@ Copyright (C) The Arvados Authors. All rights reserved.
SPDX-License-Identifier: CC-BY-SA-3.0
{% endcomment %}
-The Keep-web server provides read-only HTTP access to files stored in Keep. It serves public data to unauthenticated clients, and serves private data to clients that supply Arvados API tokens. It can be installed anywhere with access to Keep services, typically behind a web proxy that provides SSL support. See the "godoc page":http://godoc.org/github.com/curoverse/arvados/services/keep-web for more detail.
+# "Introduction":#introduction
+# "Configure DNS":#introduction
+# "Configure anonymous user token.yml":#update-config
+# "Update nginx configuration":#update-nginx
+# "Install keep-web package":#install-packages
+# "Start the service":#start-service
+# "Restart the API server and controller":#restart-api
+# "Confirm working installation":#confirm-working
-By convention, we use the following hostnames for the Keep-web service:
+h2(#introduction). Introduction
-
-download.uuid_prefix.your.domain
-collections.uuid_prefix.your.domain
-*.collections.uuid_prefix.your.domain
-
-~$ sudo apt-get install keep-web
-
-~$ sudo yum install keep-web
-
-~$ keep-web -h
-Usage of keep-web:
- -allow-anonymous
- Serve public data to anonymous clients. Try the token supplied in the ARVADOS_API_TOKEN environment variable when none of the tokens provided in an HTTP request succeed in reading the desired collection. (default false)
- -attachment-only-host string
- Accept credentials, and add "Content-Disposition: attachment" response headers, for requests at this hostname:port. Prohibiting inline display makes it possible to serve untrusted and non-public content from a single origin, i.e., without wildcard DNS or SSL.
- -listen string
- Address to listen on: "host:port", or ":port" to listen on all interfaces. (default ":80")
- -trust-all-content
- Serve non-public content from a single origin. Dangerous: read docs before using!
-
+ Services: + WebDAVDownload: + ExternalURL: https://download.ClusterID.example.com +-{% assign railscmd = "bundle exec ./script/get_anonymous_user_token.rb --get" %} -{% assign railsout = "zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz" %} -If you intend to use Keep-web to serve public data to anonymous clients, configure it with an anonymous token. You can use the same one you used when you set up your Keepproxy server, or use the following command on the API server to create another. {% include 'install_rails_command' %} +h3. Collections preview URL + +Collections will be served using the URL pattern in @Services.WebDAV.ExternalURL@ . If blank, use @Services.WebDAVDownload.ExternalURL@ instead, and disable inline preview. If both are empty, downloading collections from workbench will be impossible. + +h4. In their own subdomain + +Collections can be served from their own subdomain: + +
+ Services: + WebDAV: + ExternalURL: https://*.collections.ClusterID.example.com +-Install runit to supervise the Keep-web daemon. {% include 'install_runit' %} +h4. Under the main domain -The basic command to start Keep-web in the service run script is: +Alternately, they can go under the main domain by including @--@: + +
+ Services: + WebDAV: + ExternalURL: https://*--collections.ClusterID.example.com ++ +h4. From a single domain + +Serve preview links from a single domain, setting uuid or pdh in the path (similar to downloads). This configuration only allows previews of public data or collection-sharing links, because these use the anonymous user token or the token is already embedded in the URL. Authenticated requests will always result in file downloads from @Services.WebDAVDownload.ExternalURL@. + +
+ Services: + WebDAV: + ExternalURL: https://collections.ClusterID.example.com ++ +h2(#update-config). Configure anonymous user token + +{% assign railscmd = "bundle exec ./script/get_anonymous_user_token.rb --get" %} +{% assign railsout = "zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz" %} +If you intend to use Keep-web to serve public data to anonymous clients, configure it with an anonymous token. Use the following command on the API server to create an anonymous user token. {% include 'install_rails_command' %}
export ARVADOS_API_HOST=uuid_prefix.your.domain
-export ARVADOS_API_TOKEN="{{railsout}}"
-exec sudo -u nobody keep-web \
- -listen=:9002 \
- -attachment-only-host=download.uuid_prefix.your.domain \
- -allow-anonymous \
- 2>&1
+ Users:
+ AnonymousUserToken: "{{railsout}}"
+ Services: + WebDAV: + InternalURL: + "http://collections.ClusterID.example.com:9002": {} +-This is best achieved by putting a reverse proxy with SSL support in front of Keep-web, running on port 443 and passing requests to Keep-web on port 9002 (or whatever port you chose in your run script). +h3. Update nginx configuration -Note: A wildcard SSL certificate is required in order to support a full-featured secure Keep-web service. Without it, Keep-web can offer file downloads for all Keep data; however, in order to avoid cross-site scripting vulnerabilities, Keep-web refuses to serve private data as web content except when it is accessed using a "secret link" share. With a wildcard SSL certificate and DNS configured appropriately, all data can be served as web content. +Put a reverse proxy with SSL support in front of keep-web. Keep-web itself runs on the port 25107 (or whatever is specified in @Services.Keepproxy.InternalURL@) the reverse proxy runs on port 443 and forwards requests to Keepproxy. -For example, using Nginx: +Use a text editor to create a new file @/etc/nginx/conf.d/keep-web.conf@ with the following configuration. Options that need attention are marked with âTODOâ.
upstream keep-web { @@ -95,59 +114,59 @@ upstream keep-web { } server { - listen [your public IP address]:443 ssl; - server_name download.uuid_prefix.your.domain - collections.uuid_prefix.your.domain - *.collections.uuid_prefix.your.domain - ~.*--collections.uuid_prefix.your.domain; + listen [TODO: your public IP address]:443 ssl; + server_name download.ClusterID.example.com + collections.ClusterID.example.com + *.collections.ClusterID.example.com + ~.*--collections.ClusterID.example.com; proxy_connect_timeout 90s; proxy_read_timeout 300s; ssl on; - ssl_certificate YOUR/PATH/TO/cert.pem; - ssl_certificate_key YOUR/PATH/TO/cert.key; + ssl_certificate /TODO/YOUR/PATH/TO/cert.pem; + ssl_certificate_key /TODO/YOUR/PATH/TO/cert.key; location / { proxy_pass http://keep-web; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + client_max_body_size 0; + proxy_http_version 1.1; + proxy_request_buffering off; } }
keep_web_download_url: https://download.uuid_prefix.your.domain/c=%{uuid_or_pdh}
-
-+$ curl -H "Authorization: Bearer $system_root_token" https://download.ClusterID.example.com/c=59389a8f9ee9d399be35462a0f92541c-53/_/hello.txt +-Additionally, add *one* of the following entries to your Workbench configuration file, depending on your DNS setup. This URL will be used to serve user content that can be displayed in the browser, like image previews and static HTML pages. +
+$ curl -H "Authorization: Bearer $system_root_token" https://collections.ClusterID.example.com/c=59389a8f9ee9d399be35462a0f92541c-53/_/hello.txt +-
keep_web_url: https://%{uuid_or_pdh}--collections.uuid_prefix.your.domain
-keep_web_url: https://%{uuid_or_pdh}.collections.uuid_prefix.your.domain
-keep_web_url: https://collections.uuid_prefix.your.domain/c=%{uuid_or_pdh}
-
-+$ curl -H "Authorization: Bearer $system_root_token" https://59389a8f9ee9d399be35462a0f92541c-53.collections.ClusterID.example.com/hello.txt +
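Review bot: the "Update nginx configuration" paragraph in the first hunk contradicts the configuration it accompanies: it says keep-web "runs on the port 25107 (or whatever is specified in @Services.Keepproxy.InternalURL@)" and that the reverse proxy "forwards requests to Keepproxy", while the same hunk's own example is `Services: WebDAV: InternalURL: "http://collections.ClusterID.example.com:9002": {}`. The paragraph reads as copied from the Keepproxy page; it should refer to `Services.WebDAV.InternalURL`, port 9002, and forwarding to keep-web. Two smaller points in the same hunk: the table of contents entry `# "Configure DNS":#introduction` reuses the Introduction anchor, and `# "Update nginx configuration":#update-nginx` points at an anchor that `h3. Update nginx configuration` never declares (compare `h2(#update-config). Configure anonymous user token`), so that link will not resolve. Finally, the removed note explaining that a wildcard SSL certificate and matching DNS are required for the per-collection subdomains, and that without them keep-web refuses to serve private data as web content in order to avoid cross-site scripting, has no replacement; the new "In their own subdomain" and "From a single domain" subsections would be clearer with that rationale retained, because it is the reason the single-domain layout can only preview public data or collection-sharing links.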
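Review bot: the nginx server block in the second hunk keeps `ssl on;` next to `listen [TODO: your public IP address]:443 ssl;`; `ssl on;` is deprecated in current nginx releases and redundant once `ssl` appears on the `listen` line, so it should be dropped rather than carried into the updated example. The newly added `client_max_body_size 0;` together with `proxy_request_buffering off;` removes the request body limit for every request to this host; if that is needed for WebDAV uploads through keep-web, the surrounding text should say so, since the page otherwise describes keep-web in terms of downloads and previews. In the confirmation step, all three `curl -H "Authorization: Bearer $system_root_token"` checks use the cluster's most privileged token; the text should say where `$system_root_token` comes from, note that any token with read access to the collection also works, and name the hostname each check exercises (the download host, the `collections` host, and the per-collection subdomain) so an operator knows which DNS and certificate setup each one validates. The context lines `keep_web_download_url: https://download.uuid_prefix.your.domain/c=%{uuid_or_pdh}` and `keep_web_url: https://%{uuid_or_pdh}--collections.uuid_prefix.your.domain` survive with the old `uuid_prefix.your.domain` naming after the prose introducing them has been removed; either remove them too or update them to the `ClusterID.example.com` convention used elsewhere in this change.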