Following the discussion here, I have set up an Orthanc behind an Apache proxy.
On the Apache side, Apache handles authentication prior to passing through to the Orthanc.
On the Orthanc side, I have remote access and authentication turned ON and have registered a single user. The Apache passes along base64-encoded credentials for the internal Orthanc using RequestHeader to set the Authorization header.
Both the Apache and Orthanc have registered SSL certificates and are employing SSL proxying.
All of that works great except when the explorer is the first link visited, whether the home lookup page or a specific patient, study, instance, etc.
https://our.apache.server/OrthancLocation/app/explorer.html#study?uuid=hexadecimal
If the user is clicking the link for the first time, the process completes the Apache side authentication and passes through to the Orthanc. The Orthanc presents an empty study page with a warning that this is an insecure setup. The page has all the elements of a study page (banner, buttons, etc.). It is simply empty of any study-related information.
If I manually edit the URL in the browser to briefly point to one of the more basic REST API URLs:
https://our.apache.server/OrthancLocation/statistics
and THEN go back to the original direct explorer address, everything works as expected and the study is presented to the user.
At that point, direct links to studies via the explorer work as expected. Only one call to “statistics” or something similar is required.
I am assuming that some aspect of the internal Orthanc authentication with the internal Orthanc registered user is not taking place when invoking the explorer the first time, but DOES take place when invoking a more atomistic command like “patients” or “statistics” or “system”.
This does not appear to be a problem of sending the wrong base64-encoded Authorization from the Apache proxy. The behavior is quite different if I get the registered Orthanc credentials wrong on the Apache side. In that scenario, I get the “denied access” error when Orthanc rejects the incorrect credentials.
So, in my current setup, during that first interaction, Apache DOES seem to send the correct credentials such that the Orthanc does not reject the request outright, but the Orthanc then throws the “insecure setup” warning and presents the blank study page.
Thanks in advance for any suggestions as to what I might be getting incorrect!
John.