Orthanc server secure access trough REST APIs

Google Groups archive
1

Dear All,

I have installed ORTHANC in an Ubuntu 16.04 server environment as Dicom Store engine, on top I put a web application which communicates with ORTHANC trough rest API. I want to keep ORTHANC secure and maintain these configurations:

“RemoteAccessAllowed” : true**,**

“AuthenticationEnabled” : true**,**

“RegisteredUsers” : {

“Administrator” : “StrongPwd”

},

so I would like to know if there is a way to pass username and password through REST API in order to securely access to ORTHANC APIs?

Thanks in advance

All the bests

Paolo

2

Hi,

I have installed ORTHANC in an Ubuntu 16.04 server environment as Dicom Store engine, on top I put a web application which communicates with ORTHANC trough rest API. I want to keep ORTHANC secure and maintain these configurations:

"RemoteAccessAllowed" : true,
  "AuthenticationEnabled" : true,
  "RegisteredUsers" : {
    "Administrator" : "StrongPwd"
  },

so I would like to know if there is a way to pass username and password through REST API in order to securely access to ORTHANC APIs?

Yes. Orthanc uses HTTP Basic Authentication. (https://en.wikipedia.org/wiki/Basic_access_authentication)

You can put username/password into the URL directly like so: "http://username:password@orthanc-host.example/"\.

(Most tools have other dedicated ways to specify authentication. In curl, for example, you can also say `curl --user username:password http://orthanc-host.example`)

Be aware that Basic Authentication, while simple, isn't really secure against eavesdropping. Because the password is sent over the network in (base64-encoded-) plaintext for every request, everyone that can see your traffic on the network can access your server. You should use HTTPS instead of HTTP to mitigate that.

If you need a more full-featured authentication setup you can put Orthanc behind some other web server that does authentication and only proxies authenticated requests to Orthanc. Something like https://github.com/bitly/oauth2_proxy would probably work (I have not used this yet though)

The Orthanc book has a section about how to configure nginx or Apache to act as a reverse proxt for Orthanc as well: https://orthanc.chu.ulg.ac.be/book/faq/nginx.html

--Levin Alexander

3

Hello,

As a complement to Levin’s answer, please check out the following FAQ in the Orthanc Book:
https://orthanc.chu.ulg.ac.be/book/faq/https.html

Regards,
Sébastien-

4

Dear All,

thanks for both complete replies. I have my application running HTTPS behind Tomcat 8 web server. I will try to configure Orthanc behind it and let you know. Any experiences with this scenario? maybe I can directly install nginx to serve Orthanc, but following Orthanc book explanation I’m missing a point:

server {
listen 80 default_server;

location /orthanc/ {
proxy_pass http://localhost:8042;
proxy_set_header HOST $host;
proxy_set_header X-Real-IP $remote_addr;
rewrite /orthanc(.*) $1 break;
}

}

What the “location /orthanc/” means?
Thanks

All the bests

Paolo

5

I have my application running HTTPS behind Tomcat 8 web server. I will try to configure Orthanc behind it and let you know. Any experiences with this scenario?

As far as I’m concerned, I’ve not heard about someone experimenting the Orthanc+Tomcat combination yet. We would of course love to hear your feedback.

maybe I can directly install nginx to serve Orthanc, but following Orthanc book explanation I’m missing a point:

server {
listen 80 default_server;

location /orthanc/ {
proxy_pass http://localhost:8042;
proxy_set_header HOST $host;
proxy_set_header X-Real-IP $remote_addr;
rewrite /orthanc(.*) $1 break;
}

}

What the “location /orthanc/” means?

It means that the following URL of Orthanc: http://localhost:8042/instances

Would be mapped as: http:///orthanc/instance

You can of course replace the “/orthanc/” URI by anything you wish (don’t forget to adapt the “rewrite” directive accordingly). You can as well branch several instances of Orthanc running on different ports, under several distinct URIs.

HTH,
Sébastien-