Install Keep-web server

The Keep-web server provides read/write HTTP (WebDAV) access to files stored in Keep. It serves public data to unauthenticated clients, and serves private data to clients that supply Arvados API tokens. It can be installed anywhere with access to Keep services, typically behind a web proxy that provides TLS support. See the godoc page for more detail.

By convention, we use the following hostnames for the Keep-web service:


The above hostnames should resolve from anywhere on the internet.

Install Keep-web

Typically Keep-web runs on the same host as Keepproxy.

On Debian-based systems:

~$ sudo apt-get install keep-web

On Red Hat-based systems:

~$ sudo yum install keep-web

Verify that Keep-web is functional:

~$ keep-web -h
Usage of keep-web:
        Serve public data to anonymous clients. Try the token supplied in the ARVADOS_API_TOKEN environment variable when none of the tokens provided in an HTTP request succeed in reading the desired collection. (default false)
  -attachment-only-host string
        Accept credentials, and add "Content-Disposition: attachment" response headers, for requests at this hostname:port. Prohibiting inline display makes it possible to serve untrusted and non-public content from a single origin, i.e., without wildcard DNS or TLS.
  -listen string
        Address to listen on: "host:port", or ":port" to listen on all interfaces. (default ":80")
        Serve non-public content from a single origin. Dangerous: read docs before using!

If you intend to use Keep-web to serve public data to anonymous clients, configure it with an anonymous token. You can use the same one you used when you set up your Keepproxy server, or use the following command on the API server to create another.

Change webserver-user to the user that runs your web server process. If you install Phusion Passenger as we recommend, this is www-data on Debian-based systems, and nginx on Red Hat-based systems.

Using RVM:

apiserver:~$ cd /var/www/arvados-api/current
apiserver:/var/www/arvados-api/current$ sudo -u webserver-user RAILS_ENV=production `which rvm-exec` default bundle exec ./script/get_anonymous_user_token.rb --get

Not using RVM:

apiserver:~$ cd /var/www/arvados-api/current
apiserver:/var/www/arvados-api/current$ sudo -u webserver-user RAILS_ENV=production bundle exec ./script/get_anonymous_user_token.rb --get

Install runit to supervise the Keep-web daemon.

On Debian-based systems:

~$ sudo apt-get install runit

On Red Hat-based systems:

~$ sudo yum install runit

The basic command to start Keep-web in the service run script is:

export ARVADOS_API_HOST=uuid_prefix.your.domain
export ARVADOS_API_TOKEN="zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz"
exec sudo -u nobody keep-web \
 -listen=:9002 \
 -attachment-only-host=download.uuid_prefix.your.domain \
 -allow-anonymous \

Omit the -allow-anonymous argument if you do not want to serve public data.

Set ARVADOS_API_HOST_INSECURE=1 if your API server’s TLS certificate is not signed by a recognized CA.

Set up a reverse proxy with TLS support

The Keep-web service will be accessible from anywhere on the internet, so we recommend using TLS for transport encryption.

This is best achieved by putting a reverse proxy with TLS support in front of Keep-web, running on port 443 and passing requests to Keep-web on port 9002 (or whatever port you chose in your run script).

Note: A wildcard TLS certificate is required in order to support a full-featured secure Keep-web service. Without it, Keep-web can offer file downloads for all Keep data; however, in order to avoid cross-site scripting vulnerabilities, Keep-web refuses to serve private data as web content except when it is accessed using a “secret link” share. With a wildcard TLS certificate and DNS configured appropriately, all data can be served as web content.

For example, using Nginx:

upstream keep-web {
  server      ;

server {
  listen                [your public IP address]:443 ssl;
  server_name           download.uuid_prefix.your.domain

  proxy_connect_timeout 90s;
  proxy_read_timeout    300s;

  ssl                   on;
  ssl_certificate       YOUR/PATH/TO/cert.pem;
  ssl_certificate_key   YOUR/PATH/TO/cert.key;

  location / {
    proxy_pass          http://keep-web;
    proxy_set_header    Host            $host;
    proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;

    client_max_body_size    0;
    proxy_http_version      1.1;
    proxy_request_buffering off;


If you restrict access to your Arvados services based on network topology — for example, your proxy server is not reachable from the public internet — additional proxy configuration might be needed to thwart cross-site scripting attacks that would circumvent your restrictions. Read the ‘Intranet mode’ section of the Keep-web documentation now.

Configure DNS

Configure your DNS servers so the following names resolve to your Nginx proxy’s public IP address.

  • download.uuid_prefix.your.domain
  • collections.uuid_prefix.your.domain
  • *--collections.uuid_prefix.your.domain, if you have a wildcard TLS certificate valid for *.uuid_prefix.your.domain and your DNS server allows this without interfering with other DNS names.
  • *.collections.uuid_prefix.your.domain, if you have a wildcard TLS certificate valid for these names.

If neither of the above wildcard options is feasible, you have two choices:

  1. Serve web content at collections.uuid_prefix.your.domain, but only for unauthenticated requests (public data and collection sharing links). Authenticated requests will always result in file downloads, using the download name. For example, the Workbench “preview” button and the “view entire log file” link will invoke file downloads instead of displaying content in the browser window.
  2. In the special case where you know you are immune to XSS exploits, you can enable the “trust all content” mode in Keep-web (with the -trust-all-content command line flag) and Workbench (with the trust_all_content item in application.yml). With both of these enabled, inline web content can be served from a single collections host name; no wildcard DNS or certificate is needed. Do not do this without understanding the security implications described in the Keep-web documentation.

Tell Workbench about the Keep-web service

Workbench has features like “download file from collection” and “show image” which work better if the content is served by Keep-web rather than Workbench itself. We recommend using the two different hostnames (“download” and “collections” above) for file downloads and inline content respectively.

Add the following entry to your Workbench configuration file (/etc/arvados/workbench/application.yml). This URL will be used for file downloads.

keep_web_download_url: https://download.uuid_prefix.your.domain/c=%{uuid_or_pdh}

Additionally, add one of the following entries to your Workbench configuration file, depending on your DNS setup. This URL will be used to serve user content that can be displayed in the browser, like image previews and static HTML pages.

keep_web_url: https://%{uuid_or_pdh}--collections.uuid_prefix.your.domain
keep_web_url: https://%{uuid_or_pdh}.collections.uuid_prefix.your.domain
keep_web_url: https://collections.uuid_prefix.your.domain/c=%{uuid_or_pdh}

Previous: Install Keepproxy server Next: Install Keep-balance

The content of this documentation is licensed under the Creative Commons Attribution-Share Alike 3.0 United States licence.
Code samples in this documentation are licensed under the Apache License, Version 2.0.