comparison Sphinx/source/faq/nginx.rst @ 929:a7ac8e5edc89
setting up a demo server using nginx
author | Sebastien Jodogne <s.jodogne@gmail.com> |
---|---|
date | Sat, 08 Apr 2023 13:44:32 +0200 |
parents | a49b3f034580 |
children | 9753b3f62695 |
928:f8a843621ddd | 929:a7ac8e5edc89 |
---|---|
27 <http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size>`__ | 27 <http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size>`__ |
28 to allow the uploading of DICOM files larger than the default 1MB if | 28 to allow the uploading of DICOM files larger than the default 1MB if |
29 using the :ref:`REST API <sending-dicom-images>` of Orthanc. | 29 using the :ref:`REST API <sending-dicom-images>` of Orthanc. |
30 | 30 |
31 | 31 |
32 .. _nginx-demo: | |
33 | |
34 Setting up a demo server using nginx | |
35 ------------------------------------ | |
36 | |
37 It is often needed to setup a demo server through which users can | |
38 access DICOM images, but cannot modify the content of the Orthanc | |
39 database. The easiest solution to this scenario is to place an Orthanc | |
40 server behind a nginx proxy, with a :ref:`Lua script | |
41 <lua-filter-rest>` that only grants read-only access to external | |
42 users. | |
43 | |
44 .. highlight:: json | |
45 | |
46 To this end, first define two users ``admin`` and ``public`` in the | |
47 :ref:`configuration file <configuration>` of Orthanc:: | |
48 | |
49 { | |
50 "RemoteAccessAllowed" : true, | |
51 "AuthenticationEnabled" : true, | |
52 "RegisteredUsers" : { | |
53 "admin" : "orthanc", | |
54 "public" : "hello" | |
55 }, | |
56 "LuaScripts" : [ "ReadOnly.lua" ] | |
57 } | |
58 | |
59 | |
60 .. highlight:: lua | |
61 | |
62 Next, disallow POST/PUT/DELETE requests to the ``public`` using the | |
63 ``ReadOnly.lua`` script:: | |
64 | |
65 function IncomingHttpRequestFilter(method, uri, ip, username, httpHeaders) | |
66 if method == 'GET' then | |
67 return true | |
68 elseif username == 'admin' then | |
69 return true | |
70 else | |
71 return false | |
72 end | |
73 end | |
74 | |
75 | |
76 .. highlight:: text | |
77 | |
78 Finally, setup the nginx reverse proxy so that it automatically adds | |
79 the `HTTP basic authentication header | |
80 <https://en.wikipedia.org/wiki/Basic_access_authentication>`__ that is | |
81 expected by Orthanc for the ``public`` user:: | |
82 | |
83 server { | |
84 listen 80 default_server; | |
85 ... | |
86 location /orthanc/ { | |
87 proxy_pass http://127.0.0.1:8042; | |
88 proxy_set_header HOST $host; | |
89 proxy_set_header X-Real-IP $remote_addr; | |
90 rewrite /orthanc(.*) $1 break; | |
91 | |
92 // Use the "public" user with the "hello" password | |
93 proxy_set_header Authorization "Basic cHVibGljOmhlbGxv"; | |
94 } | |
95 ... | |
96 } | |
97 | |
98 The ``cHVibGljOmhlbGxv`` corresponds to the `Base64 encoding | |
99 <https://en.wikipedia.org/wiki/Base64>`__ of the string | |
100 ``public:hello``, as can be seen using the following bash command | |
101 line:: | |
102 | |
103 $ echo -n 'public:hello' |base64 | |
104 cHVibGljOmhlbGxv | |
105 | |
106 Note that more fine-grained access control can be achieved using | |
107 :ref:`Python plugins <python_authorization>` or the :ref:`advanced | |
108 authorization plugin <authorization>`. | |
109 | |
110 | |
32 .. _nginx-cors: | 111 .. _nginx-cors: |
33 | 112 |
34 Enabling CORS | 113 Enabling CORS |
35 ------------- | 114 ------------- |
36 | 115 |
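Review bot: In the nginx ``server`` block, the line ``// Use the "public" user with the "hello" password`` is not a comment in nginx syntax. nginx comments start with ``#``, so a reader who pastes this example gets a configuration that nginx rejects; please change it to ``# Use the "public" user with the "hello" password``. Three smaller documentation points in the same section. First, ``proxy_set_header Authorization "Basic cHVibGljOmhlbGxv";`` replaces whatever credentials the client sends, so ``admin`` can never write through ``/orthanc/``; the text should say how the administrator is expected to reach Orthanc. Second, the example sets ``"RemoteAccessAllowed" : true`` while nginx proxies to ``127.0.0.1:8042``, so a sentence telling readers to keep port 8042 unreachable from outside, and to replace the sample ``orthanc`` and ``hello`` passwords, would help. Third, the prose says the script disallows POST/PUT/DELETE for ``public``, but the Lua code rejects every non-GET method for every user other than ``admin``; wording the sentence that way would match the code.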