Lua script to give write-read access only to local network


Dkorthosurgery

Apr 1, 2021, 2:38:30 PM
to Orthanc Users
I want to give read-write access only to my local network (IP range) and read access to other IPs, but I do not know how to do it or whether it is possible.

I want to modify this Lua script, which I use to give access to one IP.

function IncomingHttpRequestFilter(method, uri, ip, username, httpHeaders)
  if method == 'GET' then
    -- Read-only access (only GET method is allowed)
    return true
  elseif username == 'admin' and ip == 'add-your-ip-address-here' then  -- (I want to give my local IP range here)
    -- Read-write access for administrator (any HTTP method is allowed on localhost)
    return true
  else
    -- Access is disallowed by default
    return false
  end
end

many thanks,

kyriacos

Dkorthosurgery

Apr 1, 2021, 3:23:41 PM
to Orthanc Users
I can use an OR statement as a workaround, but some PCs in my network get an automatic IP from the DHCP server.

Sébastien Jodogne

Apr 2, 2021, 2:29:23 AM
to Orthanc Users
We can't provide much guidance, as this entirely relies on the way IP ranges are attributed by your DHCP server.

The "OR" statement is *not* a workaround, but the proper solution to your scenario.

If you want more flexibility regarding string parsing than offered by Lua, or if you need to gather information from other systems in your network (such as from your DHCP server), you might have an interest in using a Python plugin:

Sébastien-
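
An added example (not part of the original thread and not Orthanc project code): one way to write the "OR" over a whole local range in the Lua callback, by matching the client's IPv4 address against CIDR blocks. The helper names and the 192.168.1.0/24 and 10.0.0.0/8 ranges are assumptions; replace them with the ranges your DHCP server hands out.

```lua
-- Added example: helper names and address ranges are assumptions.
-- Pure arithmetic, so it needs no bit library whatever Lua version Orthanc embeds.

-- Convert dotted-quad IPv4 text to a number; returns nil for anything else.
local function Ipv4ToNumber(text)
  local a, b, c, d = string.match(text or '', '^(%d+)%.(%d+)%.(%d+)%.(%d+)$')
  if not a then return nil end
  local value = 0
  for _, part in ipairs({ a, b, c, d }) do
    local octet = tonumber(part)
    if octet > 255 then return nil end
    value = value * 256 + octet
  end
  return value
end

-- True if "ip" lies inside "cidr" (for instance '192.168.1.0/24').
local function InCidr(ip, cidr)
  local base, bits = string.match(cidr, '^(.-)/(%d+)$')
  if not base then return false end
  local address, network = Ipv4ToNumber(ip), Ipv4ToNumber(base)
  bits = tonumber(bits)
  if not (address and network) or bits > 32 then return false end
  local block = 2 ^ (32 - bits)   -- number of addresses in the range
  return math.floor(address / block) == math.floor(network / block)
end

-- Constructed sample ranges allowed to use every HTTP method.
local READ_WRITE_RANGES = { '192.168.1.0/24', '10.0.0.0/8' }

function IncomingHttpRequestFilter(method, uri, ip, username, httpHeaders)
  if method == 'GET' then
    return true                   -- read-only access for everybody
  end
  if username == 'admin' then
    for _, cidr in ipairs(READ_WRITE_RANGES) do
      if InCidr(ip, cidr) then return true end   -- read-write from the local network
    end
  end
  return false                    -- everything else, including unparsable or IPv6 addresses
end
```

When Orthanc sits behind a reverse proxy, `ip` is the proxy's address rather than the client's, so this check only distinguishes clients that connect to Orthanc directly.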

Dkorthosurgery

Apr 8, 2021, 5:20:34 PM
to Orthanc Users
Is it possible with a Lua script to restrict access on a specific port of an IP and give access to another port of the same IP?

Sébastien Jodogne

Apr 9, 2021, 6:29:24 AM
to Orthanc Users
Your question doesn't make sense, as Orthanc only listens on 1 TCP port for HTTP/REST, and on 1 other TCP port for the DICOM protocol.

A Lua script can determine the TCP ports that are used by Orthanc by querying the "/system" URI. For instance:

{
   "ApiVersion" : 11,
   "DatabaseBackendPlugin" : null,
   "DatabaseVersion" : 6,
   "DicomAet" : "ORTHANC",
   "DicomPort" : 4242,
   "HttpPort" : 8042,
   "IsHttpServerSecure" : false,
   "Name" : "Orthanc Demo",
   "PluginsEnabled" : true,
   "StorageAreaPlugin" : null,
   "Version" : "1.9.1"
}

If you have a reverse HTTP proxy that maps 2 different ports onto the same instance of Orthanc, you can configure this proxy to add an HTTP header that reflects the used port number, then use the "httpHeaders" information that is provided to the Lua callback "IncomingHttpRequestFilter()".

Dkorthosurgery

Apr 9, 2021, 7:32:00 AM
to Orthanc Users
I use two different reverse proxies on the same machine.
I want one to be fully secure and accept only GET requests.
The other one is to be used for maintenance only and have read-write access.
The workaround I use is to have the reverse proxies on different machines.
Unfortunately, using the custom header X-Real-IP $remote_addr in the nginx proxy doesn't seem to work.
We are trying to build a non-commercial frontend in order to give restricted access to patient studies using an iframe, through an authentication system based on passwords, patient ID number and patient date of birth.
many thanks,
Kyriakos

Dkorthosurgery

Apr 10, 2021, 3:11:50 PM
to Orthanc Users
My workaround for my scenario, to give full access to local users and restricted access to users through the internet (as an additional layer of security),

is to use a secure local reverse proxy server and the Lua script below

function IncomingHttpRequestFilter(method, uri, ip, username, httpHeaders)
  -- Only allow access to explorer and DELETE requests for local users:
  -- requests that arrive through the reverse proxy carry the proxy's IP and are refused
  if (uri == '/app/explorer.html' or method == 'DELETE') and ip == 'local reverse proxy server ip' then
    return false
  else
    return true
  end
end