Mercurial > hg > orthanc-book
comparison Sphinx/source/faq/nginx.rst @ 929:a7ac8e5edc89
setting up a demo server using nginx
| author | Sebastien Jodogne <s.jodogne@gmail.com> |
|---|---|
| date | Sat, 08 Apr 2023 13:44:32 +0200 |
| parents | a49b3f034580 |
| children | 9753b3f62695 |
comparison
equal
deleted
inserted
replaced
| 928:f8a843621ddd | 929:a7ac8e5edc89 |
|---|---|
| 27 <http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size>`__ | 27 <http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size>`__ |
| 28 to allow the uploading of DICOM files larger than the default 1MB if | 28 to allow the uploading of DICOM files larger than the default 1MB if |
| 29 using the :ref:`REST API <sending-dicom-images>` of Orthanc. | 29 using the :ref:`REST API <sending-dicom-images>` of Orthanc. |
| 30 | 30 |
| 31 | 31 |
| 32 .. _nginx-demo: | |
| 33 | |
| 34 Setting up a demo server using nginx | |
| 35 ------------------------------------ | |
| 36 | |
| 37 It is often needed to setup a demo server through which users can | |
| 38 access DICOM images, but cannot modify the content of the Orthanc | |
| 39 database. The easiest solution to this scenario is to place an Orthanc | |
| 40 server behind a nginx proxy, with a :ref:`Lua script | |
| 41 <lua-filter-rest>` that only grants read-only access to external | |
| 42 users. | |
| 43 | |
| 44 .. highlight:: json | |
| 45 | |
| 46 To this end, first define two users ``admin`` and ``public`` in the | |
| 47 :ref:`configuration file <configuration>` of Orthanc:: | |
| 48 | |
| 49 { | |
| 50 "RemoteAccessAllowed" : true, | |
| 51 "AuthenticationEnabled" : true, | |
| 52 "RegisteredUsers" : { | |
| 53 "admin" : "orthanc", | |
| 54 "public" : "hello" | |
| 55 }, | |
| 56 "LuaScripts" : [ "ReadOnly.lua" ] | |
| 57 } | |
| 58 | |
| 59 | |
| 60 .. highlight:: lua | |
| 61 | |
| 62 Next, disallow POST/PUT/DELETE requests to the ``public`` using the | |
| 63 ``ReadOnly.lua`` script:: | |
| 64 | |
| 65 function IncomingHttpRequestFilter(method, uri, ip, username, httpHeaders) | |
| 66 if method == 'GET' then | |
| 67 return true | |
| 68 elseif username == 'admin' then | |
| 69 return true | |
| 70 else | |
| 71 return false | |
| 72 end | |
| 73 end | |
| 74 | |
| 75 | |
| 76 .. highlight:: text | |
| 77 | |
| 78 Finally, setup the nginx reverse proxy so that it automatically adds | |
| 79 the `HTTP basic authentication header | |
| 80 <https://en.wikipedia.org/wiki/Basic_access_authentication>`__ that is | |
| 81 expected by Orthanc for the ``public`` user:: | |
| 82 | |
| 83 server { | |
| 84 listen 80 default_server; | |
| 85 ... | |
| 86 location /orthanc/ { | |
| 87 proxy_pass http://127.0.0.1:8042; | |
| 88 proxy_set_header HOST $host; | |
| 89 proxy_set_header X-Real-IP $remote_addr; | |
| 90 rewrite /orthanc(.*) $1 break; | |
| 91 | |
| 92 // Use the "public" user with the "hello" password | |
| 93 proxy_set_header Authorization "Basic cHVibGljOmhlbGxv"; | |
| 94 } | |
| 95 ... | |
| 96 } | |
| 97 | |
| 98 The ``cHVibGljOmhlbGxv`` corresponds to the `Base64 encoding | |
| 99 <https://en.wikipedia.org/wiki/Base64>`__ of the string | |
| 100 ``public:hello``, as can be seen using the following bash command | |
| 101 line:: | |
| 102 | |
| 103 $ echo -n 'public:hello' |base64 | |
| 104 cHVibGljOmhlbGxv | |
| 105 | |
| 106 Note that more fine-grained access control can be achieved using | |
| 107 :ref:`Python plugins <python_authorization>` or the :ref:`advanced | |
| 108 authorization plugin <authorization>`. | |
| 109 | |
| 110 | |
| 32 .. _nginx-cors: | 111 .. _nginx-cors: |
| 33 | 112 |
| 34 Enabling CORS | 113 Enabling CORS |
| 35 ------------- | 114 ------------- |
| 36 | 115 |