We recently launched our own orthanc-server in our university network behind the university firewall: https://nukit.uib.no
The orthanc server runs in a docker container (using jodogne/orthanc-plugins) behind apache2 httpd as a reverse proxy under CentOS.
Security is provided by the reverse proxy: https/SSL transport layer security, user authentication against the university’s central user administration using ldap, and authorization using an apache group file.
In the orthanc.json we set
“AuthenticationEnabled” : false
since authentication is done via apache httpd.
We also found out that we have to set
“RemoteAccessAllowed” : true,
otherwise the orthanc-server will not allow logins.
When we use a Fiji/PET-CT viewer with the Orthanc Tools plugin, everything is fine.
When a user logs on on the server via a web browser, she will see the ominous warning:
Your Orthanc server is accepting remote connections, but is using the default username and password, or has user authentication explicitly turned off. Please carefully read your logs and review your configuration, especially options
How can we get rid of this warning? Our configuration IS as safe as it gets, only that safety is provided outside the orthanc-server container.
Unless there is some workaround that I have overlooked (I ran multiple searches with the keyword “insecure”) I suggest having a separate parameter i orthanc.json as a new feature:
”InsecureSetupWarning”: true (default)
Setting the parameter to false would override the warning in case of configurations like ours.