Orthanc behind IIS+SSL certificate

[markh...@gmail.com]

Hi folks.

I am having a play with Orthanc 1.0 on Windows Server 2012 R2, and am wanting to ensure that it is set up using SSL from the get-go.

I am a newbie when it comes to DICOM, PACS, or Orthanc and would appreciate some advice/information from those that have gone before me :-)

Does anyone know if there is a guide for using Orthanc for Windows behind IIS?

If not, I assume I will have to use IIS as a reverse proxy bound to an SSL certificate on whatever port I decide on (probably 443) to port 8042 of the Orthanc instance (port 443 would be allowed through the firewall, port 8042 would be blocked).

Am I correct? Has anyone that has already done this got a web.config they would be willing to share?

Cheers,
Mark

[Sébastien Jodogne]

Hello,

The relationship between IIS and Orthanc has been previously discussed in the Cornerstone discussion group:

https://groups.google.com/forum/#!topic/cornerstone-platform/FcxZLU4bL2U

Regarding HTTPS encryption, there is a FAQ entry inside the Orthanc Book:

https://orthanc.chu.ulg.ac.be/book/faq/https.html

HTH,

Sébastien-

[Mark Hodge]

Hi Sébastien, thanks for the reply.

I had read that FAQ and the thread already without feeling any the wiser :-)

I'm hoping someone has gone through setting this up in IIS and has a web.config they can share from their reverse proxy setup (assuming that is required). Having fought through a similar issue with seafile recently I know this is going to be exceptionally painful without help.

Cheers,
Mark

[Sébastien Jodogne]

OK, I unfortunately cannot provide any guidance by myself, as I do not have access to any Windows IIS server.

I hope someone else will be able to answer you.

Cheers,

Sébastien-

[Mark Hodge]

No worries Sébastien.

If they do I'm happy to write up a step-by-step guide :-)

Cheers,
Mark

-- 
__________________________________________________________________________

 NextGen Games                         http://nextgengames.cloudapp.net/
 357 North Road                           Email: markh...@gmail.com
 Dunedin                                Phone: +64 3 473 0391/021 614 134
__________________________________________________________________________
View our sleeveguide at: http://nextgengames.cloudapp.net/sleeveguide.html 
    Check out http://www.mightyape.co.nz/?r=1649874 for everything else.

[tho...@dhollander.info]

Hi,
IIS is not my speciality, but here is a guide on how to use it as a reverse proxy : https://developers.coveo.com/display/public/SearchREST/Configuring+HTTPS+Reverse+Proxy+in+IIS

Tell me if it helped you :-)

Have a nice day !

[Mark Hodge]

Hi Sébastien (and anyone else interested in a how-to).

For your documentation:

The steps to use to hide Orthanc behind IIS in Windows are as below. IIS is also available as a feature you can enable via the Programs and Features in non Server versions of Windows.

Add Application Request Routing 3.0.
Add URL Rewrite module 2.
In IIS Manager bind an SSL certificate to port 443 on the default web site being used for Orthanc.
Add the following web.config at the root of the default website:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <clear />
                <rule name="HTTP to HTTPS redirect" stopProcessing="true">
                    <match url="(.*)" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
                        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
                    </conditions>
                    <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Found" />
                </rule>
                <rule name="ReverseProxyInboundRule1" stopProcessing="true">
                    <match url="(.*)" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
                    <action type="Rewrite" url="http://127.0.0.1:8042/{R:1}" />
                </rule>
            </rules>
        </rewrite>
    </system.webServer>
</configuration>

In IIS Manager Open Application Request Routing Cache click on Server Proxy Settings on the right side of the window, change the Time-out to a much higher value. eg., 3600 = 1 hour to ensure download of DICOMDIR or ZIP's doesn't time out.


To allow user authentication against an Active Directory group add the following directly after <configuration> in the above web.config, grant the appropriate Active Directory group read permission on the wwwroot folder:
 
    <system.web>
        <authentication mode="Windows" />
    </system.web>

You also need to make sure registered users is empty in the Orthanc Configuration.json file:

  "RegisteredUsers" : {  },

I think that is everything.

Cheers,
Mark

Systems Engineer
University of Otago
Dunedin, New Zealand

[Sébastien Jodogne]

Hi Mark,

For your documentation:
The steps to use to hide Orthanc behind IIS in Windows are as below. [...]

Great! Many thanks for sharing such a useful piece of information :)

I have just copied your instructions to the FAQ section of the Orthanc Book:

https://orthanc.chu.ulg.ac.be/book/faq/iis.html

Regards,

Sébastien- 

[Michael Bowers]

Orthanc is a really nice project.  You've done a lot of great work and I would love to use what you have built here.

So I worked on doing this for weeks a few years ago, and having learned about a little more about CORS I thought I would give it another try.  Unfortunately I'm not a networking expert, so I've been struggling with these instructions.  Whatever I've done so far doesn't seem to work, it just seems to hang, but I'm sure I don't have it set up properly.

Can you tell me what I should do if I already have a Web API on port 443?  I tried to put the web.config code above into the existing code and it breaks the site.  I tried to use another port and the calls just hang.