How can I run Orthanc behind nginx?

Similarly to Apache, Orthanc can run behind nginx through reverse proxying. Here is the configuration snippet for nginx:

server {
   listen  80  default_server;
   ...
   location  /orthanc/  {
      proxy_pass http://127.0.0.1:8042;
      proxy_set_header HOST $host;
      proxy_set_header X-Real-IP $remote_addr;
      rewrite /orthanc(.*) $1 break;
   }
   ...
}

Note: Thanks to Qaler for submitting this information.

You might also wish to adapt the client_max_body_size configuration option of nginx to allow the uploading of DICOM files larger than the default 1MB if using the REST API of Orthanc.

Setting up a demo server using nginx

It is often needed to setup a demo server through which users can access DICOM images, but cannot modify the content of the Orthanc database. The easiest solution to this scenario is to place an Orthanc server behind a nginx proxy, with a Lua script that only grants read-only access to external users.

To this end, first define two users admin and public in the configuration file of Orthanc:

{
  "RemoteAccessAllowed" : true,
  "AuthenticationEnabled" : true,
  "RegisteredUsers" : {
    "admin" : "orthanc",
    "public" : "hello"
  },
  "LuaScripts" : [ "ReadOnly.lua" ]
}

Next, disallow POST/PUT/DELETE requests to the public using the ReadOnly.lua script:

function IncomingHttpRequestFilter(method, uri, ip, username, httpHeaders)
  if method == 'GET' then
    return true
  elseif username == 'admin' then
    return true
  else
    return false
  end
end

Finally, setup the nginx reverse proxy so that it automatically adds the HTTP basic authentication header that is expected by Orthanc for the public user:

server {
   listen  80  default_server;
   ...
   location  /orthanc/  {
      proxy_pass http://127.0.0.1:8042;
      proxy_set_header HOST $host;
      proxy_set_header X-Real-IP $remote_addr;
      rewrite /orthanc(.*) $1 break;

      // Use the "public" user with the "hello" password
      proxy_set_header Authorization "Basic cHVibGljOmhlbGxv";
   }
   ...
}

The cHVibGljOmhlbGxv string corresponds to the Base64 encoding of the string public:hello, as can be seen using the following bash command line:

$ echo -n 'public:hello' | base64
cHVibGljOmhlbGxv

Note that more fine-grained access control can be achieved using Python plugins or the advanced authorization plugin.

Also, note that the admin user has full access to the REST API, including POST/PUT/DELETE requests.

Enabling CORS

Orthanc does not feature built-in support for cross-origin resource sharing (CORS). It is however possible to enable it with a nginx reverse proxy. Here is a sample configuration for nginx:

server {
   listen  80  default_server;
   ...
   location  /orthanc/  {
      proxy_pass http://127.0.0.1:8042;
      proxy_set_header HOST $host;
      proxy_set_header X-Real-IP $remote_addr;
      rewrite /orthanc(.*) $1 break;
      add_header 'Access-Control-Allow-Credentials' 'true';
      add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
      add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
      add_header 'Access-Control-Allow-Origin' '*';
   }
   ...
}

Note: Thanks to Fernando for submitting this information.