Mercurial > hg > orthanc-book
changeset 929:a7ac8e5edc89
setting up a demo server using nginx
author | Sebastien Jodogne <s.jodogne@gmail.com> |
---|---|
date | Sat, 08 Apr 2023 13:44:32 +0200 |
parents | f8a843621ddd |
children | 9753b3f62695 |
files | Sphinx/source/faq/nginx.rst |
diffstat | 1 files changed, 79 insertions(+), 0 deletions(-) |
--- a/Sphinx/source/faq/nginx.rst Wed Mar 29 11:55:53 2023 +0200 +++ b/Sphinx/source/faq/nginx.rst Sat Apr 08 13:44:32 2023 +0200 
@@ -29,6 +29,85 @@ using the :ref:`REST API <sending-dicom-images>` of Orthanc. +.. _nginx-demo: + +Setting up a demo server using nginx +------------------------------------ + +It is often needed to setup a demo server through which users can +access DICOM images, but cannot modify the content of the Orthanc +database. The easiest solution to this scenario is to place an Orthanc +server behind a nginx proxy, with a :ref:`Lua script +<lua-filter-rest>` that only grants read-only access to external +users. + +.. highlight:: json + +To this end, first define two users ``admin`` and ``public`` in the +:ref:`configuration file <configuration>` of Orthanc:: + + { + "RemoteAccessAllowed" : true, + "AuthenticationEnabled" : true, + "RegisteredUsers" : { + "admin" : "orthanc", + "public" : "hello" + }, + "LuaScripts" : [ "ReadOnly.lua" ] + } + + +.. highlight:: lua + +Next, disallow POST/PUT/DELETE requests to the ``public`` using the +``ReadOnly.lua`` script:: + + function IncomingHttpRequestFilter(method, uri, ip, username, httpHeaders) + if method == 'GET' then + return true + elseif username == 'admin' then + return true + else + return false + end + end + + +.. highlight:: text + +Finally, setup the nginx reverse proxy so that it automatically adds +the `HTTP basic authentication header +<https://en.wikipedia.org/wiki/Basic_access_authentication>`__ that is +expected by Orthanc for the ``public`` user:: + + server { + listen 80 default_server; + ... + location /orthanc/ { + proxy_pass http://127.0.0.1:8042; + proxy_set_header HOST $host; + proxy_set_header X-Real-IP $remote_addr; + rewrite /orthanc(.*) $1 break; + + // Use the "public" user with the "hello" password + proxy_set_header Authorization "Basic cHVibGljOmhlbGxv"; + } + ... 
+ } + +The ``cHVibGljOmhlbGxv`` corresponds to the `Base64 encoding +<https://en.wikipedia.org/wiki/Base64>`__ of the string +``public:hello``, as can be seen using the following bash command +line:: + + $ echo -n 'public:hello' |base64 + cHVibGljOmhlbGxv + +Note that more fine-grained access control can be achieved using +:ref:`Python plugins <python_authorization>` or the :ref:`advanced +authorization plugin <authorization>`. + + .. _nginx-cors: Enabling CORS
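
Review bot: in the nginx `location /orthanc/` block, the added line `// Use the "public" user with the "hello" password` is not a comment in nginx syntax. nginx comments start with `#`, so a reader who pastes the sample as written will get a configuration parse error; change it to `# Use the "public" user with the "hello" password`. Two further points on the same section. The JSON sample sets `"RemoteAccessAllowed" : true` and registers `admin` with the password `orthanc`, while the read-only restriction depends entirely on clients arriving through the proxy as `public`. The text should state that port 8042 must not be reachable from outside the nginx host and that the `admin` password shown is a placeholder to replace. And because `proxy_set_header Authorization` is applied unconditionally under `/orthanc/`, any credentials the client sends are overwritten, so it is worth one sentence saying that `admin` access has to go to Orthanc directly and not through this location.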