annotate Sphinx/source/faq/security.rst @ 940:dec770139554

typo
author Sebastien Jodogne <s.jodogne@gmail.com>
date Fri, 21 Apr 2023 09:19:40 +0200
parents 84a6892495f6
children 4a2b55b602fe
.. _security:

Securing Orthanc
================

.. contents::

Orthanc is a microservice for medical imaging. Out-of-the-box, it
makes the assumption that it runs on the localhost, within a secured
environment. As a consequence, care must be taken if deploying Orthanc
in an insecure environment, especially if it is run as a public-facing
service on the Internet. This page provides instructions to secure Orthanc
through its :ref:`configuration options <configuration>`.


General configuration
---------------------

As for any service running on a computer, you should:

* Make sure to run the Orthanc service as a separate user. In
  particular, never run Orthanc as the ``root`` user on GNU/Linux, or
  as the ``Administrator`` user on Microsoft Windows.

* Contact your network administrators to set up `Intranet firewalls
  <https://en.wikipedia.org/wiki/Firewall_(computing)>`__, so that
  only trusted computers can contact Orthanc through its REST API
  or through the DICOM protocol.

* Make sure that the :ref:`configuration files <configuration>`
  containing confidential information or private keys (typically
  ``RegisteredUsers``) are only readable by the user that runs
  Orthanc.

Care must also be taken about some configuration options specific to
Orthanc:

* ``LimitFindResults`` and ``LimitFindInstances`` should not be set to
  zero, to avoid making Orthanc unresponsive on large databases by a
  malicious user who makes many lookups within Orthanc. A value
  of ``100`` should be a good compromise.

* ``HttpsVerifyPeers`` should be set to ``true`` to secure outgoing
  connections to remote HTTPS servers (such as when Orthanc is acting
  as a :ref:`DICOMweb client <dicomweb-client>`).

* Make sure to understand the implications of the
  ``OverwriteInstances`` option.

* You might also be interested in checking the options related to
  :ref:`performance optimization <scalability>`.


.. _security_http:

Securing the HTTP server
------------------------

.. highlight:: lua

Orthanc publishes a :ref:`REST API <rest>` that provides full
programmatic access to its content, in read/write. This means for
instance that a malicious user could delete the entire content of the
server, or could inspect confidential medical data.

By default, the HTTP server is restricted to the localhost to prevent
such attacks from the outside world. However, as soon as external
access is granted by setting the ``RemoteAccessAllowed`` configuration
option to ``true``, you should:

* Set ``AuthenticationEnabled`` to ``true`` to force the users to
  authenticate. The authorized users are listed in the option
  ``RegisteredUsers``.

* Enable :ref:`HTTPS encryption <https>` to prevent the stealing of
  medical data or passwords, even on the Intranet.

* If Orthanc is put on a server that can be contacted from the Internet,
  put Orthanc behind a :ref:`reverse proxy <https>`, and let this
  reverse proxy take care of the HTTPS encryption.

* Enable :ref:`Client certificate authentication <https>` between multiple
  Orthanc peers.

* Consider turning off the :ref:`embedded WebDAV server <webdav>` by
  setting the configuration option ``WebDavEnabled`` to ``false``.

* Ensure that ``/tools/execute-script`` is disabled by leaving the configuration
  option ``ExecuteLuaEnabled`` at its default ``false`` value.

* Ensure that the REST API cannot write to the filesystem (e.g. in the
  ``/instances/../export`` route) by leaving the configuration option
  ``RestApiWriteToFileSystemEnabled`` at its default ``false`` value.

* Set up rules that define, for each authorized user, which resources
  it can access, and through which HTTP method (GET, POST, DELETE
  and/or PUT). This can be done by defining a :ref:`filter written in
  Lua <lua-filter-rest>`. Here is a sample Lua filter that
  differentiates between an administrator user (``admin``) who has
  full access on the localhost only, and a generic user (``user``)
  that has only read-only access::

    function IncomingHttpRequestFilter(method, uri, ip, username, httpHeaders)
      if method == 'GET' and (username == 'user' or username == 'admin') then
        -- Read-only access (only GET method is allowed)
        return true
      elseif username == 'admin' and ip == '127.0.0.1' then
        -- Read-write access for administrator (any HTTP method is allowed on localhost)
        return true
      else
        -- Access is disallowed by default
        return false
      end
    end

  Very importantly, make sure to protect ``POST`` access to the
  ``/tools/execute-script`` URI. This URI can indeed be used by a
  malicious user to execute any system command on the computer as the
  user that runs Orthanc.

* Consider implementing a :ref:`higher-level application
  <improving-interface>` (e.g. in PHP, Java, Django...) that takes
  care of user authentication/authorization, and that is the only one
  to be allowed to contact the Orthanc REST API. In particular, you
  must create a higher-level application so as to properly deal with
  `CSRF attacks
  <https://en.wikipedia.org/wiki/Cross-site_request_forgery>`__:
  Indeed, as explained in the introduction, Orthanc is a microservice
  that is designed to be used within a secured environment.

* The configuration option ``OrthancExplorerEnabled`` should be set to
  ``false`` in Internet-facing deployments.

* For advanced scenarios, you might be interested in the
  :ref:`advanced authorization plugin <authorization>`. Similarly,
  developers of :ref:`plugins <plugins>` could be interested in the
  ``OrthancPluginRegisterIncomingHttpRequestFilter2()`` function
  provided by the Orthanc plugin SDK.
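
As an added example (not code from the Orthanc documentation), the following stricter version of the ``IncomingHttpRequestFilter`` above keeps its user and method rules and adds URI rules for the two routes named on this page (``/tools/execute-script`` and the per-instance ``export`` route), so that they stay unreachable even for the administrator connected from the localhost; the ``^/instances/[^/]+/export$`` pattern is an assumption about the layout of the export route.

```lua
-- Added example, not code from the Orthanc documentation: a stricter
-- IncomingHttpRequestFilter that keeps the user/method rules of the
-- filter above and adds URI rules for the dangerous routes this page
-- names. The pattern for the export route is an assumption.

-- Routes that no REST user may reach, whatever the HTTP method:
-- Lua execution (/tools/execute-script) and filesystem export
-- (/instances/<id>/export). This is defence in depth on top of
-- ExecuteLuaEnabled and RestApiWriteToFileSystemEnabled being false.
local function IsForbiddenUri(uri)
   if uri == '/tools/execute-script' then
      return true
   end
   -- Assumed layout of the export route: /instances/<instance id>/export
   return string.match(uri, '^/instances/[^/]+/export$') ~= nil
end

-- print() goes to the Orthanc log, which gives a trace of denied requests
local function LogDenied(method, uri, ip, username)
   print('Denied ' .. method .. ' ' .. uri .. ' for user "' ..
         tostring(username) .. '" from ' .. tostring(ip))
end

function IncomingHttpRequestFilter(method, uri, ip, username, httpHeaders)
   -- 1. Forbidden routes are denied for everybody, administrator included
   if IsForbiddenUri(uri) then
      LogDenied(method, uri, ip, username)
      return false
   end

   -- 2. Read-only access: both users may only use GET
   if method == 'GET' and (username == 'user' or username == 'admin') then
      return true
   end

   -- 3. Read-write access for the administrator, from the localhost only
   if username == 'admin' and ip == '127.0.0.1' then
      return true
   end

   -- 4. Everything else (unknown user, write from a remote host, ...) is denied
   LogDenied(method, uri, ip, username)
   return false
end
```

The script is loaded through the ``LuaScripts`` configuration option; the "Denied" log lines give a simple signal to alert on repeated attempts against the forbidden routes.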

**Remark:** These parameters also apply to the :ref:`DICOMweb server plugin <dicomweb>`.


Securing the DICOM server
-------------------------

.. highlight:: json

Besides its REST API that is served through its embedded HTTP/HTTPS
server, Orthanc also acts as a :ref:`DICOM server <dicom-protocol>`
(more precisely, as a DICOM SCP).

In general, the DICOM protocol should be disabled if running Orthanc
on a cloud server, except if you use a VPN (cf. `reference
<https://groups.google.com/d/msg/orthanc-users/yvHexxG3dTY/7s3A7EHVBAAJ>`__)
or an SSH tunnel (cf. `reference
<https://www.howtogeek.com/168145/how-to-use-ssh-tunneling/>`__). Favor
HTTPS for transferring medical images across sites (see above). You can
turn off the DICOM protocol by setting the configuration option
``DicomServerEnabled`` to ``false``.

The DICOM modalities that are known to Orthanc are defined by setting
the ``DicomModalities`` configuration option. Out-of-the-box, Orthanc
accepts C-ECHO and C-STORE commands sent by unknown modalities, but
blocks C-FIND and C-MOVE commands issued by unknown modalities.

To fully secure the DICOM protocol, you should:

* Set the ``DicomAlwaysAllowEcho`` configuration option to ``false``
  to disallow C-ECHO commands from unknown modalities.

* Set the ``DicomAlwaysAllowStore`` configuration option to ``false``
  to disallow C-STORE commands from unknown modalities.

* Set the ``DicomCheckModalityHost`` configuration option to ``true``
  to validate the IP address of the remote modalities (note that
  hostnames cannot be used in ``DicomModalities`` when this option is
  enabled: the ``Host`` values should only contain IP addresses).

* For each modality that is defined in ``DicomModalities``,
  selectively specify what DICOM commands are allowed to be issued by
  the SCU of this modality by setting the suboptions ``AllowEcho``,
  ``AllowFind``, ``AllowMove``, ``AllowStore`` and ``AllowGet``. For instance, a
  modality could be allowed to C-STORE images, but be disallowed to
  C-FIND the content of Orthanc. Here is a sample configuration to
  define a single modality that is only allowed to send DICOM
  instances to Orthanc::

    {
      "DicomModalities" : {
        "untrusted" : {
          "AET" : "CT",
          "Port" : 104,
          "Host" : "192.168.0.10",
          "AllowEcho" : false,
          "AllowFind" : false,
          "AllowMove" : false,
          "AllowGet" : false,
          "AllowStore" : true
        }
      }
    }

  **Note:** These configuration suboptions only affect the behavior of
  the DICOM SCP of Orthanc (i.e. for incoming connections). Orthanc
  will always be able to make outgoing DICOM SCU connections to these
  modalities, independently of the value of these suboptions.

* Consider implementing a :ref:`filter implemented in Lua
  <lua-filter-rest>` to restrict which modalities can C-STORE images
  within Orthanc, and which kind of images are accepted by Orthanc.

* Consider setting ``DicomCheckCalledAet`` to ``true`` to force proper
  configuration of remote modalities.
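
As an added example (not code from the Orthanc documentation) of the C-STORE filter suggested above, here is a ``ReceivedInstanceFilter`` that only keeps instances sent over the DICOM protocol by the modality of the sample ``DicomModalities`` configuration (AET ``CT`` at ``192.168.0.10``), and only CT images, whatever the origin. The ``ReceivedInstanceFilter(dicom, origin, info)`` signature and the ``origin.RequestOrigin``, ``origin.RemoteAet`` and ``origin.RemoteIp`` fields are assumed from the Orthanc Lua documentation; the allow-lists are constructed for the example.

```lua
-- Added example, not code from the Orthanc documentation. Assumed API:
-- ReceivedInstanceFilter(dicom, origin, info) is called before an
-- instance is stored; dicom holds the DICOM tags by name (dicom.Modality),
-- origin.RequestOrigin is 'DicomProtocol' for C-STORE, and origin.RemoteAet
-- and origin.RemoteIp identify the calling SCU. Returning false rejects
-- the instance.

-- Constructed allow-list: AET -> IP address expected for that AET.
-- Mirrors the sample DicomModalities entry of this page; the IP check is
-- a second line of defence next to DicomCheckModalityHost.
local TRUSTED_STORE_SCU = {
   CT = '192.168.0.10',
}

-- Constructed list of modalities (tag 0008,0060) this archive accepts
local ACCEPTED_MODALITIES = {
   CT = true,
}

function ReceivedInstanceFilter(dicom, origin, info)
   -- Instances pushed through the REST API are already governed by
   -- RegisteredUsers and the HTTP filter; the SCU check below is only
   -- meaningful for the DICOM protocol
   if origin.RequestOrigin == 'DicomProtocol' then
      -- Reading a table with a nil key yields nil, so a missing AET is rejected
      local expectedIp = TRUSTED_STORE_SCU[origin.RemoteAet]
      if expectedIp == nil or expectedIp ~= origin.RemoteIp then
         print('Rejected C-STORE from AET "' .. tostring(origin.RemoteAet) ..
               '" at ' .. tostring(origin.RemoteIp))
         return false
      end
   end

   -- Reject any instance whose Modality is absent or not in the allow-list
   if not ACCEPTED_MODALITIES[dicom.Modality] then
      print('Rejected instance with modality "' .. tostring(dicom.Modality) ..
            '" (origin: ' .. tostring(origin.RequestOrigin) .. ')')
      return false
   end

   -- info (transfer syntax, pixel data presence, ...) is not used here
   return true
end
```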


Starting with Orthanc 1.9.0, `DICOM TLS encryption
<https://www.dicomstandard.org/using/security/>`__ is supported by
Orthanc. If you need to share DICOM instances between sites, but do
not want to use DICOMweb or Orthanc peers over HTTPS, you must
enable :ref:`DICOM TLS in Orthanc <dicom-tls>` to ensure secure
exchanges.

As a workaround for the releases <= 1.8.2 of Orthanc that don't
support DICOM TLS, `it has been reported
<https://www.digihunch.com/2020/11/medical-imaging-web-server-deployment-pipeline/>`__
that the "*SSL Termination for TCP Upstream Servers*" feature of nginx
can be used to emulate DICOM TLS. Another option is to use `stunnel
<https://www.stunnel.org/>`__.


Securing the storage
--------------------

In general, for security, Orthanc should store its database index
(PostgreSQL, SQLite...) and its :ref:`storage area <orthanc-storage>`
for DICOM files on an `on-premises, self-hosted infrastructure
<https://en.wikipedia.org/wiki/On-premises_software>`__ with `disk
encryption
<https://en.wikipedia.org/wiki/Disk_encryption>`__. Similarly, Orthanc
itself should ideally run on your own on-premises infrastructure, and
not on a virtual machine that is managed by a public cloud solution
provider.

Depending on your jurisdiction, it might be possible to move the
storage area to a `cloud-based object storage
<https://en.wikipedia.org/wiki/Object_storage>`__, by using the
:ref:`dedicated storage plugins <object-storage>`. :ref:`Orthanc-side
encryption <client-side-encryption>` should be enabled in such a
parents: 587
diff changeset
250 situation.
586
5f5519f1491a securing the storage
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 568
diff changeset
251
5f5519f1491a securing the storage
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 568
diff changeset
252 In any case, make sure to get legal advice that is very specific to
5f5519f1491a securing the storage
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 568
diff changeset
253 the legislation of the countries where you are active (for
5f5519f1491a securing the storage
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 568
diff changeset
254 illustration, check out the recent debates over the `privacy shield
5f5519f1491a securing the storage
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 568
diff changeset
255 <https://en.wikipedia.org/wiki/EU%E2%80%93US_Privacy_Shield>`__ in
5f5519f1491a securing the storage
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 568
diff changeset
256 Europe). Make sure to understand the implications of using cloud-based
5f5519f1491a securing the storage
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 568
diff changeset
257 object storage, of using virtual machines in the cloud to store health
588
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 587
diff changeset
258 data, of using managed database servers (even with so-called
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 587
diff changeset
259 "encryption-at-rest" features)...
586
5f5519f1491a securing the storage
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 568
diff changeset
260
5f5519f1491a securing the storage
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 568
diff changeset
261 As a free and open-source project, the Orthanc ecosystem cannot be
5f5519f1491a securing the storage
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 568
diff changeset
262 taken as liable for any security breach or data leak in your
5f5519f1491a securing the storage
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 568
diff changeset
263 deployments, for any misconfiguration, for any bad handling of
5f5519f1491a securing the storage
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 568
diff changeset
264 personal/health data, for any bypassing of regulatory requirements,
5f5519f1491a securing the storage
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 568
diff changeset
265 for not being compliant with your local legislation, or for any
5f5519f1491a securing the storage
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 568
diff changeset
266 similar stuff: Orthanc is just software, security is your
5f5519f1491a securing the storage
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 568
diff changeset
267 responsibility.