Skip to main content

FlexView-Orthanc Integration via Nginx as a proxy

Updated

Overview:

Using Nginx as a reverse proxy for Orthanc provides a reliable endpoint that can be integrated into the FlexView platform as a datasource to view DICOM studies. Additionally, this configuration resolves any CORS (Cross-Origin Resource Sharing) issues that may arise when accessing the Orthanc server from different origins, like the FlexView domain.

Prerequisites:

  • An installed and running Orthanc server
  • An Nginx installation on the same or a different server
  • SSL certificate and private key for HTTPS connections

Configuration Steps:

  1. Edit Nginx Configuration: Open the Nginx configuration file for editing: sudo nano /etc/nginx/nginx.conf
  2. Paste the Configuration: Copy the provided configuration from above and paste it into the opened Nginx configuration file.
  3. Update SSL Paths: If you have your SSL certificate and private key in a different location, make sure to update the following lines in the configuration: ssl_certificate "/etc/pki/nginx/server.crt"; and ssl_certificate_key "/etc/pki/nginx/private/server.key"; Replace the paths with the appropriate paths to your certificate and private key.
  4. Save and Close: After editing, save the configuration file and close the editor.
  5. Test the Configuration: Before restarting the Nginx server, it's good practice to test the configuration for any syntax errors. Run the following to test: sudo nginx -t If everything is okay, you should see a message indicating that the configuration test is successful.
  6. Restart Nginx: To apply the changes, restart the Nginx server: sudo systemctl restart nginx

Notes:

  • This setup assumes that Orthanc is running on the same server as Nginx and listens on port 8042 over HTTPS. If your Orthanc server is on a different machine or port, adjust the proxy_pass directive accordingly.
  • The CORS headers added in the configuration allow any origin (*) to access the resources. Depending on your security requirements, you may want to restrict this to specific origins.

Nginx Config:

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request"'
                    '$status $body_bytes_sent "$http_referer"'
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    include /etc/nginx/conf.d/*.conf;

    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        root /usr/share/nginx/html;

        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
        location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }

    server {
        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 default_server;
        server_name _;
        root /usr/share/nginx/html;

        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow_Credentials' 'true';
        add_header 'Access-Control-Allow-Headers' 'Authorization,Accept,Origin,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
        add_header 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS,PUT,DELETE,PATCH';

        add_header 'Cross-Origin-Opener-Policy' 'same-origin' 'always';
        add_header 'Cross-Origin-Embedder-Policy' 'require-corp' 'always';
        add_header 'Cross-Origin-Resource-Policy' 'cross-origin' 'always';

        ssl_certificate "/etc/pki/nginx/server.crt";
        ssl_certificate_key "/etc/pki/nginx/private/server.key";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 10m;
        ssl_ciphers PROFILE=SYSTEM;
        ssl_prefer_server_ciphers on;

        include /etc/nginx/default.d/*.conf;

        location ^~ / {
            proxy_pass https://127.0.0.1:8042;

            if ($request_method = 'OPTIONS') {
                add_header 'Access-Control-Allow-Origin' '*';
                add_header 'Access-Control-Allow_Credentials' 'true';
                add_header 'Access-Control-Allow-Headers' 'Authorization,Accept,Origin,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
                add_header 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS,PUT,DELETE,PATCH';
                add_header 'Access-Control-Max-Age' 1728000;
                add_header 'Content-Type' 'text/plain charset=UTF-8';
                add_header 'Content-Length' 0;
                return 204;
            }

            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Host $server_name;

            rewrite (.*) $1 break;
        }

        error_page 404 /404.html;
        location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }
}

Related articles