X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/e333aa8b481c3347a3543eb108a622dfef5b30b6..6a8d940762f1b9be1a3a273e13b070d1f75ef8f1:/doc/install/install-keep-web.html.textile.liquid diff --git a/doc/install/install-keep-web.html.textile.liquid b/doc/install/install-keep-web.html.textile.liquid index 9282a8ee26..11a425d347 100644 --- a/doc/install/install-keep-web.html.textile.liquid +++ b/doc/install/install-keep-web.html.textile.liquid @@ -1,15 +1,15 @@ --- layout: default navsection: installguide -title: Install the download server +title: Install the keep-web server ... The keep-web server provides read-only HTTP access to files stored in Keep. It serves public data to unauthenticated clients, and serves private data to clients that supply Arvados API tokens. It can be installed anywhere with access to Keep services, typically behind a web proxy that provides SSL support. See the "godoc page":http://godoc.org/github.com/curoverse/arvados/services/keep-web for more detail. -By convention, we use the following hostname for the download service: +By convention, we use the following hostname for the keep-web service: -
dl.uuid_prefix.your.domain
+
collections.uuid_prefix.your.domain
 
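Review bot: the conventional hostname changes from dl.uuid_prefix.your.domain to collections.uuid_prefix.your.domain, but the intro gives no guidance for existing installations. Add a sentence saying whether existing dl names, certificates and collection sharing links keep working or must be migrated.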
@@ -36,10 +36,14 @@ Verify that @keep-web@ is functional:
~$ keep-web -h
 Usage of keep-web:
-  -address string
+  -allow-anonymous
+        Serve public data to anonymous clients. Try the token supplied in the ARVADOS_API_TOKEN environment variable when none of the tokens provided in an HTTP request succeed in reading the desired collection. (default false)
+  -attachment-only-host string
+        Accept credentials, and add "Content-Disposition: attachment" response headers, for requests at this hostname:port. Prohibiting inline display makes it possible to serve untrusted and non-public content from a single origin, i.e., without wildcard DNS or SSL.
+  -listen string
         Address to listen on: "host:port", or ":port" to listen on all interfaces. (default ":80")
-  -anonymous-token value
-        API token to try when none of the tokens provided in an HTTP request succeed in reading the desired collection. If this flag is used more than once, each token will be attempted in turn until one works. (default [])
+  -trust-all-content
+        Serve non-public content from a single origin. Dangerous: read docs before using!
 
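Review bot: -trust-all-content is described only as "Dangerous: read docs before using!", and this install page neither links those docs nor states the risk. Add a sentence after the help output saying that the flag serves non-public content inline from a single origin, and point to the godoc page already linked at the top of the page. In the -attachment-only-host text, "without wildcard DNS or SSL" can be read as "without SSL"; if the intent is a wildcard certificate, "without wildcard DNS or a wildcard SSL certificate" would be unambiguous.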
@@ -54,11 +58,12 @@ We recommend running @keep-web@ under "runit":https://packages.debian.org/search
export ARVADOS_API_HOST=uuid_prefix.your.domain
-exec sudo -u nobody keep-web -address=:9002 -anonymous-token=hoShoomoo2bai3Ju1xahg6aeng1siquuaZ1yae2gi2Uhaeng2r 2>&1
+export ARVADOS_API_TOKEN="hoShoomoo2bai3Ju1xahg6aeng1siquuaZ1yae2gi2Uhaeng2r"
+exec sudo -u nobody keep-web -listen=:9002 -allow-anonymous 2>&1
 
-Omit the @-anonymous-token@ arguments if you do not want to serve public data. +Omit the @-allow-anonymous@ argument if you do not want to serve public data. Set @ARVADOS_API_HOST_INSECURE=1@ if your API server's SSL certificate is not signed by a recognized CA. @@ -79,7 +84,7 @@ upstream keep-web { server { listen [your public IP address]:443 ssl; - server_name dl.uuid_prefix.your.domain *.dl.uuid_prefix.your.domain ~.*--dl.uuid_prefix.your.domain; + server_name collections.uuid_prefix.your.domain *.collections.uuid_prefix.your.domain ~.*--collections.uuid_prefix.your.domain; proxy_connect_timeout 90s; proxy_read_timeout 300s; @@ -90,6 +95,7 @@ server { location / { proxy_pass http://keep-web; + proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } } 
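Review bot: with "proxy_set_header Host $host;" added in the location block, keep-web receives the client's hostname without a port (nginx's $host carries no port), while the -attachment-only-host help text describes matching requests "at this hostname:port". The page should show the exact value to pass to -attachment-only-host in this proxied setup, since the -listen=:9002 port in the run script is not the one clients use.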
@@ -98,17 +104,17 @@ server { h3. Configure DNS Configure your DNS servers so the following names resolve to your Nginx proxy's public IP address. -* @*--dl.uuid_prefix.your.domain@, if your DNS server allows this without interfering with other DNS names; or -* @*.dl.uuid_prefix.your.domain@, if you have a wildcard SSL certificate valid for these names; or -* @dl.uuid_prefix.your.domain@, if neither of the above options is feasible. In this case, only unauthenticated requests will be served, i.e., public data and collection sharing links. +* @*--collections.uuid_prefix.your.domain@, if your DNS server allows this without interfering with other DNS names; or +* @*.collections.uuid_prefix.your.domain@, if you have a wildcard SSL certificate valid for these names; or +* @collections.uuid_prefix.your.domain@, if neither of the above options is feasible. In this case, only unauthenticated requests will be served, i.e., public data and collection sharing links. -h3. Tell the API server about the keep-web service +h3. Tell Workbench about the keep-web service -Add *one* of the following entries to your API server's @config/application.yml@ file, depending on your DNS setup: +Add *one* of the following entries to your Workbench configuration file (@/etc/arvados/workbench/application.yml@), depending on your DNS setup: -
keep-web: https://%{uuid_or_pdh}--dl.uuid_prefix.your.domain
-keep-web: https://%{uuid_or_pdh}.dl.uuid_prefix.your.domain
-keep-web: https://dl.uuid_prefix.your.domain
+
keep_web_url: https://%{uuid_or_pdh}--collections.uuid_prefix.your.domain
+keep_web_url: https://%{uuid_or_pdh}.collections.uuid_prefix.your.domain
+keep_web_url: https://collections.uuid_prefix.your.domain
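Review bot: the run script hunk (@@ -54,11 +58,12 @@) does not say what privileges the exported ARVADOS_API_TOKEN may carry. Per the new help text, -allow-anonymous tries that token whenever none of the tokens in a request can read the collection, so the page should state that it must be a token limited to reading public data. The "Omit the @-allow-anonymous@ argument" sentence should also tell readers to drop the export line when they do not serve public data.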
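Review bot: in the server_name line of the nginx hunk (@@ -79,7 +84,7 @@), the regex ~.*--collections.uuid_prefix.your.domain is unanchored and its dots are unescaped, so it also matches hostnames that merely contain that string. Suggest ~^.*--collections\.uuid_prefix\.your\.domain$ so that only names ending in the intended suffix select this server block. This matters more now that the Host header is forwarded to keep-web.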
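Review bot: in the last hunk (@@ -98,17 +104,17 @@), the third DNS bullet still says that with the single name collections.uuid_prefix.your.domain "only unauthenticated requests will be served". That no longer matches the -attachment-only-host and -trust-all-content flags this patch documents for serving non-public content from a single origin. Qualify the bullet or cross-reference those flags. The setting also moves from the API server's config/application.yml (keep-web:) to Workbench's keep_web_url with no instruction to remove the old entry.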