Secure Orthanc as a database

Hi there,

I have a real technical question; I will try to explain my goal to get some advice from the community.

Long story short, I have a web server running PHP that is made to drive Orthanc using its REST API.

The global goal is to get incoming data from web users that will land on a secured Orthanc server that will not be exposed to the internet (and will respond only to PHP localhost requests).

For now I use one Orthanc server that receives DICOM from external users with the Orthanc Peer protocol (each user has a local instance of Orthanc with my central server declared as a Peer to push DICOM).

This leads to a critical security issue: as I need to give out my Orthanc server credentials, the user can directly connect to the central Orthanc and potentially erase or copy data.

So I thought about a second solution: run 2 Orthanc instances, one exposed to the internet and the second only responding to localhost requests (PHP).
The Orthanc-Exposed server will have the Orthanc-LAN as a peer and my PHP server will ask Orthanc-Exposed to push the received foreign study to Orthanc-LAN.

But this still has a problem: since the user will get the credentials of the Orthanc-Exposed, he will be able to connect to it and push unwanted data to the Orthanc-LAN. He won’t be able to access the Orthanc-LAN directly but will still be able to make a peer push from Exposed to LAN (like my PHP server).

So to completely isolate my Orthanc-LAN I would need 3 Orthanc sessions and DICOM jumping from one to another until reaching a secured Orthanc session (which is transfer time consuming).

In short, my question is: what would be the best architecture to make a secured localhost-Orthanc to receive foreign data using Orthanc peers?

Should I consider the Authorization plugin or Lua scripts to make some authorization based on user logins in Orthanc?
For the Orthanc peer protocol, is it possible to differentiate Peer reception and Peer send in authorization? For example, it would be perfect if I could give an Orthanc login for Orthanc-Exposed that will only accept incoming peer and block outgoing peer (maybe I can have access to this in a Lua script? This way PHP will have a special login in which Peer Push will be granted)

Best regards,

Salim

Hi Salim,

I did not analyse all your proposals in detail but here’s one option that might work:
you may filter the incoming HTTP requests in Lua based on method (GET/POST), URI and user name. (http://book.orthanc-server.com/users/lua.html#filtering-incoming-rest-requests)

Therefore, your PHP app might have its dedicated user and have access to the full API while your remote peers will have access only to POST requests on /instances to allow them to upload data but not query anything.

Br

Alain


Dear Alain,

Thanks for your interesting answer.

So I understand that when Orthanc receives incoming DICOM from an Orthanc Peer protocol, this triggers the /Instance Post RestAPI of the receiving Orthanc?

If this is correct, then yes, your solution sounds good: 2 Orthanc sessions, 1 exposed to the internet and the second not exposed. The exposed server with 2 logins, one with access only to Orthanc Instance Post to receive DICOM from Orthanc Peers protocols and one with full access for PHP to transfer from the exposed server to the non-exposed server.

Best regards,

Salim

So I understand that when Orthanc receives incoming DICOM from an Orthanc Peer protocol, this triggers the /Instance Post RestAPI of the receiving Orthanc?

Indeed, sending DICOM instances to an Orthanc Peer only triggers HTTP POST calls to URI “/instances”.

Perfect, that’s really good news, I think I now have a good server design!

Many thanks!

Hi Salim,

Once you have a lua script which does what Alain suggests, would you mind sharing it? I do more or less exactly what you are after today but instead of using a second internet facing orthanc, I have a WAF which filters the incoming web traffic. Web application firewalls are easy to configure, log and monitor how they allow and block traffic in different scenarios. Maybe even more so than a lua script.

Best of luck,
Pär
www.cmrad.com

Sure I will; when I write the Lua script I will post it here as a solution.

Hi there,

Problem solved, here is my script: I first check the user; if it is not php I allow only instances and the POST method, and if the user is php all URIs are granted.

function IncomingHttpRequestFilter(method, uri, ip, username, httpHeaders)
  -- Only allow POST Instance requests for non-php users
  if (username ~= 'php') then
    if (method == 'POST' and uri == '/instances') then
      return true
    else
      return false
    end
  else
    return true
  end
end

Thanks for your help!

Note that the security could be even better by adding an IP condition:
if the requests coming from php are correctly logged as from localhost (127.0.0.1), then we will be able to grant access only to localhost IPs (this way it is still secure even if the php password is compromised).
So I would refactor my script this way:
if user==php and ip=localhost => return true
else {
    if URI="instances" return true
    else return false
}

Salim
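
The localhost refinement sketched in the last post, written out as an Orthanc Lua filter; this is an added example, not Salim's script, and it keeps the POST check from his first version. The user name `php` comes from the thread; the `::1` loopback entry, the peer names `peer1` and `lan`, and the sample requests are assumptions constructed for the self-check.

```lua
-- Added example: full API for 'php' from loopback only, upload-only for
-- everyone else. Assumption: PHP reaches Orthanc directly over loopback.
local LOOPBACK = { ['127.0.0.1'] = true, ['::1'] = true }

function IncomingHttpRequestFilter(method, uri, ip, username, httpHeaders)
  -- A leaked 'php' password is not enough on its own: the request must
  -- also originate from the local machine.
  if username == 'php' and LOOPBACK[ip] then
    return true
  end
  -- Everyone else, including 'php' from a remote address, may only
  -- upload: a peer push is an HTTP POST to /instances.
  return method == 'POST' and uri == '/instances'
end

-- Self-check over constructed requests (not captured traffic).
-- Columns: method, uri, ip, username, expected decision.
local function SelfCheck()
  local cases = {
    { 'GET',    '/studies',         '127.0.0.1',   'php',   true  },
    { 'DELETE', '/studies/abc',     '127.0.0.1',   'php',   true  },
    { 'GET',    '/studies',         '203.0.113.7', 'php',   false },
    { 'POST',   '/instances',       '203.0.113.7', 'peer1', true  },
    { 'GET',    '/instances',       '203.0.113.7', 'peer1', false },
    -- A remote user asking Orthanc-Exposed to push to Orthanc-LAN:
    { 'POST',   '/peers/lan/store', '203.0.113.7', 'peer1', false },
    { 'DELETE', '/instances',       '127.0.0.1',   'peer1', false },
  }
  for i, c in ipairs(cases) do
    local got = IncomingHttpRequestFilter(c[1], c[2], c[3], c[4], {})
    assert(got == c[5], 'case ' .. i .. ' failed')
  end
  return #cases
end

print('filter self-check passed: ' .. SelfCheck() .. ' cases')
```

The `ip` argument is the address of whatever opened the connection to Orthanc, so if a reverse proxy or WAF on the same host forwards traffic to Orthanc-Exposed, every request appears to come from 127.0.0.1 and the loopback test no longer separates PHP from remote users.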