annotate Sphinx/source/faq/security.rst @ 805:d8ad5728a179

community
author Sebastien Jodogne <s.jodogne@gmail.com>
date Mon, 24 Jan 2022 13:59:11 +0100
parents 11e536e70b37
children 49ec83c000e9
.. _security:

Securing Orthanc
================

.. contents::

Orthanc is a microservice for medical imaging. Out-of-the-box, it
assumes that it runs on the localhost, within a secured
environment. As a consequence, care must be taken when deploying Orthanc
in an insecure environment, especially if it is run as a public-facing
service on the Internet. This page provides instructions to secure Orthanc
through its :ref:`configuration options <configuration>`.


General configuration
---------------------

As for any service running on a computer, you should:

* Make sure to run the Orthanc service as a separate user. In
  particular, never run Orthanc as the ``root`` user on GNU/Linux, or
  as the ``Administrator`` user on Microsoft Windows.

* Contact your network administrators to set up `Intranet firewalls
  <https://en.wikipedia.org/wiki/Firewall_(computing)>`__, so that
  only trusted computers can contact Orthanc through its REST API
  or through the DICOM protocol.

* Make sure that the :ref:`configuration files <configuration>`
  containing confidential information or private keys (typically
  ``RegisteredUsers``) are only readable by the user that runs
  Orthanc.

Care must also be taken with some configuration options specific to
Orthanc:

* ``LimitFindResults`` and ``LimitFindInstances`` should not be set to
  zero: otherwise, a malicious user making many lookups within Orthanc
  could make it unresponsive on large databases. A value
  of ``100`` should be a good compromise.

* ``HttpsVerifyPeers`` should be set to ``true`` to secure outgoing
  connections to remote HTTPS servers (such as when Orthanc is acting
  as a :ref:`DICOMweb client <dicomweb-client>`).

* Make sure to understand the implications of the
  ``OverwriteInstances`` option.

* You might also be interested in checking the options related to
  :ref:`performance optimization <scalability>`.


.. _security_http:

Securing the HTTP server
------------------------

.. highlight:: lua

Orthanc publishes a :ref:`REST API <rest>` that provides full
programmatic read/write access to its content. This means, for
instance, that a malicious user could delete the entire content of the
server, or could inspect confidential medical data.

By default, the HTTP server is restricted to the localhost to prevent
such attacks from the outside world. However, as soon as external
access is granted by setting the ``RemoteAccessAllowed`` configuration
option to ``true``, you should:

* Set ``AuthenticationEnabled`` to ``true`` to force the users to
  authenticate. The authorized users are listed in the option
  ``RegisteredUsers``.

* Enable :ref:`HTTPS encryption <https>` to prevent the theft of
  medical data or passwords, even on the Intranet.

* If Orthanc is put on a server that can be contacted from the Internet,
  put Orthanc behind a :ref:`reverse proxy <https>`, and let this
  reverse proxy take care of the HTTPS encryption.

* Enable :ref:`Client certificate authentication <https>` between multiple
  Orthanc peers.

* Consider turning off the :ref:`embedded WebDAV server <webdav>` by
  setting configuration option ``WebDavEnabled`` to ``false``.

* Set up rules that define, for each authorized user, which resources
  it can access, and through which HTTP method (GET, POST, DELETE
  and/or PUT). This can be done by defining a :ref:`filter written in
  Lua <lua-filter-rest>`. Here is a sample Lua filter that
  differentiates between an administrator user (``admin``) who has
  full access on the localhost only, and a generic user (``user``)
  that has only read-only access::

    function IncomingHttpRequestFilter(method, uri, ip, username, httpHeaders)
      if method == 'GET' and (username == 'user' or username == 'admin') then
        -- Read-only access (only GET method is allowed)
        return true
      elseif username == 'admin' and ip == '127.0.0.1' then
        -- Read-write access for administrator (any HTTP method is allowed on localhost)
        return true
      else
        -- Access is disallowed by default
        return false
      end
    end

  Very importantly, make sure to protect ``POST`` access to the
  ``/tools/execute-script`` URI. This URI can indeed be used by a
  malicious user to execute any system command on the computer as the
  user that runs Orthanc.

* Consider implementing a :ref:`higher-level application
  <improving-interface>` (e.g. in PHP, Java, Django...) that takes
  care of user authentication/authorization, and that is the only one
  to be allowed to contact the Orthanc REST API. In particular, you
  must create a higher-level application so as to properly deal with
  `CSRF attacks
  <https://en.wikipedia.org/wiki/Cross-site_request_forgery>`__:
  Indeed, as explained in the introduction, Orthanc is a microservice
  that is designed to be used within a secured environment.

* For advanced scenarios, you might be interested in the
  :ref:`advanced authorization plugin <authorization>`. Similarly,
  developers of :ref:`plugins <plugins>` could be interested in the
  ``OrthancPluginRegisterIncomingHttpRequestFilter2()`` function
  provided by the Orthanc plugin SDK.


**Remark:** These parameters also apply to the :ref:`DICOMweb server plugin <dicomweb>`.


Securing the DICOM server
-------------------------

.. highlight:: json

Besides its REST API that is served through its embedded HTTP/HTTPS
server, Orthanc also acts as a :ref:`DICOM server <dicom-protocol>`
(more precisely, as a DICOM SCP).

In general, the DICOM protocol should be disabled if running Orthanc
on a cloud server, except if you use a VPN (cf. `reference
<https://groups.google.com/d/msg/orthanc-users/yvHexxG3dTY/7s3A7EHVBAAJ>`__)
or an SSH tunnel (cf. `reference
<https://www.howtogeek.com/168145/how-to-use-ssh-tunneling/>`__). Favor
HTTPS for transferring medical images across sites (see above). You can
turn off the DICOM protocol by setting the configuration option
``DicomServerEnabled`` to ``false``.

The DICOM modalities that are known to Orthanc are defined by setting
the ``DicomModalities`` configuration option. Out-of-the-box, Orthanc
accepts C-ECHO and C-STORE commands sent by unknown modalities, but
blocks C-FIND and C-MOVE commands issued by unknown modalities.

To fully secure the DICOM protocol, you should:

* Set the ``DicomAlwaysAllowEcho`` configuration option to ``false``
  to disallow C-ECHO commands from unknown modalities.

* Set the ``DicomAlwaysAllowStore`` configuration option to ``false``
  to disallow C-STORE commands from unknown modalities.

* Set the ``DicomCheckModalityHost`` configuration option to ``true``
  to validate the IP address of the remote modalities (note that
  hostnames cannot be used in ``DicomModalities`` when this option is
  enabled: The ``Host`` values should only contain IP addresses).

* For each modality that is defined in ``DicomModalities``,
  selectively specify what DICOM commands are allowed to be issued by
  the SCU of this modality by setting the suboptions ``AllowEcho``,
  ``AllowFind``, ``AllowMove``, ``AllowStore`` and ``AllowGet``. For instance, a
  modality could be allowed to C-STORE images, but be disallowed to
  C-FIND the content of Orthanc. Here is a sample configuration to
  define a single modality that is only allowed to send DICOM
  instances to Orthanc::

    {
      "DicomModalities" : {
        "untrusted" : {
          "AET" : "CT",
          "Port" : 104,
          "Host" : "192.168.0.10",
          "AllowEcho" : false,
          "AllowFind" : false,
          "AllowMove" : false,
          "AllowGet" : false,
          "AllowStore" : true
        }
      }
    }

  **Note:** These configuration suboptions only affect the behavior of
  the DICOM SCP of Orthanc (i.e. for incoming connections). Orthanc
  will always be able to make outgoing DICOM SCU connections to these
  modalities, independently of the value of these suboptions.

* Consider adding a :ref:`filter implemented in Lua
  <lua-filter-rest>` to restrict which modalities can C-STORE images
  within Orthanc, and which kind of images are accepted by Orthanc.

* Consider setting ``DicomCheckCalledAet`` to ``true`` to force proper
  configuration of remote modalities.


Starting with Orthanc 1.9.0, `DICOM TLS encryption
<https://www.dicomstandard.org/using/security/>`__ is supported by
Orthanc. If you need to share DICOM instances between sites, but
you don't want to use DICOMweb or Orthanc peers over HTTPS, you must
enable :ref:`DICOM TLS in Orthanc <dicom-tls>` to ensure secure
exchanges.

As a workaround for the releases <= 1.8.2 of Orthanc that don't
support DICOM TLS, `it has been reported
<https://www.digihunch.com/2020/11/medical-imaging-web-server-deployment-pipeline/>`__
that the "*SSL Termination for TCP Upstream Servers*" feature of nginx
can be used to emulate DICOM TLS. Another option is to use `stunnel
<https://www.stunnel.org/>`__.
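
The following Python script is an added example, not part of the
Orthanc documentation or code base: it audits a parsed configuration
against the options recommended in the three sections above and checks
that a configuration file is private to its owner. It assumes a
comment-free JSON configuration and treats any option that is not set
explicitly as a finding; ``WEAK``, ``HARDENED``, ``audit()``, ``is_ip()``
and ``file_is_private()`` are names chosen here, and both sample
configurations are constructed.

```python
import ipaddress
import json
import os
import stat

# Value recommended on this page for each boolean option.
RECOMMENDED = {
    "HttpsVerifyPeers": True,
    "WebDavEnabled": False,
    "DicomAlwaysAllowEcho": False,
    "DicomAlwaysAllowStore": False,
    "DicomCheckModalityHost": True,
    "DicomCheckCalledAet": True,
}
LIMITS = ("LimitFindResults", "LimitFindInstances")
SUBOPTIONS = ("AllowEcho", "AllowFind", "AllowMove", "AllowStore", "AllowGet")

# Constructed sample, not a real deployment: remote access without hardening.
WEAK = json.loads("""
{"RemoteAccessAllowed": true, "AuthenticationEnabled": false,
 "HttpsVerifyPeers": false, "WebDavEnabled": true,
 "LimitFindResults": 0, "LimitFindInstances": 100,
 "DicomAlwaysAllowEcho": true, "DicomAlwaysAllowStore": true,
 "DicomCheckModalityHost": true,
 "DicomModalities": {
   "untrusted": {"AET": "CT", "Port": 104, "Host": "ct.example.org",
                 "AllowStore": true}}}
""")

# Constructed sample: WEAK with every finding corrected.
HARDENED = dict(WEAK, **json.loads("""
{"AuthenticationEnabled": true,
 "RegisteredUsers": {"admin": "constructed-placeholder"},
 "HttpsVerifyPeers": true, "WebDavEnabled": false, "LimitFindResults": 100,
 "DicomAlwaysAllowEcho": false, "DicomAlwaysAllowStore": false,
 "DicomCheckCalledAet": true,
 "DicomModalities": {
   "untrusted": {"AET": "CT", "Port": 104, "Host": "192.168.0.10",
                 "AllowEcho": false, "AllowFind": false, "AllowMove": false,
                 "AllowGet": false, "AllowStore": true}}}
"""))


def is_ip(host):
    """True if host is a literal IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit(config):
    """Return (option, problem) pairs; an empty list means no finding."""
    findings = []
    dicom_on = config.get("DicomServerEnabled") is not False
    for key, wanted in RECOMMENDED.items():
        if key.startswith("Dicom") and not dicom_on:
            continue  # the DICOM server is turned off
        if config.get(key) is not wanted:
            findings.append((key, "should be explicitly set to " + json.dumps(wanted)))
    for key in LIMITS:
        value = config.get(key)
        if isinstance(value, bool) or not isinstance(value, int) or value <= 0:
            findings.append((key, "must be a non-zero limit, e.g. 100"))
    if config.get("RemoteAccessAllowed") is True:
        if config.get("AuthenticationEnabled") is not True:
            findings.append(("AuthenticationEnabled", "must be true with remote access"))
        if not config.get("RegisteredUsers"):
            findings.append(("RegisteredUsers", "no authorized user is listed"))
    if dicom_on:
        check_host = config.get("DicomCheckModalityHost") is True
        for name, modality in config.get("DicomModalities", {}).items():
            where = "DicomModalities." + name
            if not isinstance(modality, dict):
                findings.append((where, "not in the object form shown here, not checked"))
                continue
            if check_host and not is_ip(str(modality.get("Host", ""))):
                findings.append((where + ".Host", "must be an IP address, not a hostname"))
            for sub in SUBOPTIONS:
                if not isinstance(modality.get(sub), bool):
                    findings.append((where + "." + sub, "should be set explicitly"))
    return findings


def file_is_private(path):
    """True if group and others have no permission on the file (POSIX)."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


if __name__ == "__main__":
    for option, problem in audit(WEAK):
        print("%-36s %s" % (option, problem))
```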


Securing the storage
--------------------

In general, for security, Orthanc should store its database index
(PostgreSQL, SQLite...) and its :ref:`storage area <orthanc-storage>`
for DICOM files on an `on-premises, self-hosted infrastructure
<https://en.wikipedia.org/wiki/On-premises_software>`__ with `disk
encryption
<https://en.wikipedia.org/wiki/Disk_encryption>`__. Similarly, Orthanc
itself should ideally run on your own on-premises infrastructure, and
not on a virtual machine that is managed by a public cloud solution
provider.

Depending on your jurisdiction, it might be possible to move the
storage area to a `cloud-based object storage
<https://en.wikipedia.org/wiki/Object_storage>`__, by using the
:ref:`dedicated storage plugins <object-storage>`. :ref:`Orthanc-side
encryption <client-side-encryption>` should be enabled in such a
situation.

In any case, make sure to get legal advice that is very specific to
the legislation of the countries where you are active (for
illustration, check out the recent debates over the `privacy shield
<https://en.wikipedia.org/wiki/EU%E2%80%93US_Privacy_Shield>`__ in
Europe). Make sure to understand the implications of using cloud-based
object storage, of using virtual machines in the cloud to store health
data, of using managed database servers (even with so-called
"encryption-at-rest" features)...

As a free and open-source project, the Orthanc ecosystem cannot be
held liable for any security breach or data leak in your
deployments, for any misconfiguration, for any bad handling of
personal/health data, for any bypassing of regulatory requirements,
for not being compliant with your local legislation, or for any
similar stuff: Orthanc is just software, security is your
responsibility.