WADQC / Security

HTTPS

Presently the WAD-QC uses only standard non-encrypted HTTP for all communications with Orthanc, WAD-Admin, and WAD-Dashboard. Since self-signed certificates are no longer supported by some browsers, or at least result in distracting warnings, there are currently no plans to automatically enable HTTPS.

Manually enable HTTPS

To manually enable HTTPS after installation, you can follow these steps for Ubuntu. Here we assume that the server is named "wadqc.myhospital.org" and that you have the appropriate HTTPS certificate files (wadqc.myhospital.org.crt and wadqc.myhospital.org.key).

First copy the certificate files to a suitable location.

#!bash
sudo mkdir /etc/apache2/ssl
sudo cp wadqc.myhospital.org.crt  /etc/apache2/ssl
sudo cp wadqc.myhospital.org.key  /etc/apache2/ssl

Now edit the Apache conf files for the different web services so that each of them begins and ends with the HTTPS modifications shown below. In place of "...." put the contents of the original conf file that sit between <VirtualHost> and </VirtualHost> (without those tags and without the ServerName line).

/etc/apache2/sites-available/dashboard_wadqc.conf

<IfModule mod_ssl.c>
 <VirtualHost _default_:443>
    ServerName wadqc.myhospital.org

    ....

    SSLEngine on

    SSLCertificateFile      /etc/apache2/ssl/wadqc.myhospital.org.crt
    SSLCertificateKeyFile   /etc/apache2/ssl/wadqc.myhospital.org.key
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>
 </VirtualHost>
</IfModule>

/etc/apache2/sites-available/admin_wadqc.conf

<IfModule mod_ssl.c>
 Listen 12001
 <VirtualHost _default_:12001>
    ServerName wadqc.myhospital.org

    ....

    SSLEngine on

    SSLCertificateFile      /etc/apache2/ssl/wadqc.myhospital.org.crt
    SSLCertificateKeyFile   /etc/apache2/ssl/wadqc.myhospital.org.key
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>
 </VirtualHost>
</IfModule>

/etc/apache2/sites-available/api_wadqc.conf

<IfModule mod_ssl.c>
 Listen 3000
 <VirtualHost _default_:3000>
    ServerName wadqc.myhospital.org

    ....

    SSLEngine on

    SSLCertificateFile      /etc/apache2/ssl/wadqc.myhospital.org.crt
    SSLCertificateKeyFile   /etc/apache2/ssl/wadqc.myhospital.org.key
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>
 </VirtualHost>
</IfModule>

Now enable HTTPS

#!bash
sudo a2enmod ssl
sudo systemctl restart apache2

To redirect all HTTP traffic to HTTPS for the dashboard, modify /etc/apache2/sites-available/000-default and add the following line directly below the line "<VirtualHost *:80>":

Redirect permanent "/" "https://wadqc.myhospital.org/"

Now activate this redirect site

#!bash
sudo a2ensite 000-default
sudo apache2ctl restart
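A quick sanity check for the edited site files, written for this page as an added example (it is not part of WAD-QC and does not replace `apache2ctl configtest`): it parses one conf file's text, confirms that the SSLEngine, certificate, key and ServerName directives are present, that the VirtualHost port matches the service, and that ports other than 443 carry their own Listen line (443 is already opened by /etc/apache2/ports.conf once mod_ssl is enabled). It also flags a copied private key whose mode grants group or world access. File names, ports and the sample text are taken from this page; the sample is constructed and deliberately omits the Listen line.

```python
import re

# Ports of the three site files on this page. Port 443 is opened by
# /etc/apache2/ports.conf when mod_ssl is enabled; 12001 and 3000 must be
# opened by a Listen line in the site file itself.
WADQC_TLS_PORTS = {"dashboard_wadqc.conf": 443, "admin_wadqc.conf": 12001, "api_wadqc.conf": 3000}
VHOST_RE = re.compile(r"<VirtualHost\s+[^:>]*:(\d+)\s*>(.*?)</VirtualHost>", re.S)
DIRECTIVE_RE = re.compile(r"^[ \t]*(\w+)[ \t]+(.+?)[ \t]*$", re.M)

def check_ssl_site(conf_text, expected_port):
    """Return the problems found in one site file (empty list = looks right)."""
    problems = []
    m = VHOST_RE.search(conf_text)
    if not m:
        return ["no <VirtualHost _default_:PORT> block found"]
    port, body = int(m.group(1)), m.group(2)
    if port != expected_port:
        problems.append(f"VirtualHost uses port {port}, expected {expected_port}")
    directives = dict(DIRECTIVE_RE.findall(body))
    if directives.get("SSLEngine", "").lower() != "on":
        problems.append("SSLEngine is not 'on'")
    for key in ("ServerName", "SSLCertificateFile", "SSLCertificateKeyFile"):
        if key not in directives:
            problems.append(f"missing {key}")
    if port != 443 and not re.search(rf"^[ \t]*Listen[ \t]+{port}\b", conf_text, re.M):
        problems.append(f"no 'Listen {port}' line for the non-default port")
    if "<IfModule mod_ssl.c>" not in conf_text:
        problems.append("not wrapped in <IfModule mod_ssl.c>")
    return problems

def key_mode_too_open(mode):
    """True if a private key's st_mode grants group or world access; 'cp'
    gives the copy the source file's mode, so check after copying the .key."""
    return bool(mode & 0o077)

# Constructed sample: the admin site file from this page with its Listen line
# left out, which the check reports.
SAMPLE_ADMIN_CONF = """<IfModule mod_ssl.c>
 <VirtualHost _default_:12001>
    ServerName wadqc.myhospital.org
    SSLEngine on
    SSLCertificateFile      /etc/apache2/ssl/wadqc.myhospital.org.crt
    SSLCertificateKeyFile   /etc/apache2/ssl/wadqc.myhospital.org.key
 </VirtualHost>
</IfModule>
"""

if __name__ == "__main__":
    for p in check_ssl_site(SAMPLE_ADMIN_CONF, WADQC_TLS_PORTS["admin_wadqc.conf"]):
        print("problem:", p)
```

Against a real installation, read each file under /etc/apache2/sites-available into `check_ssl_site` with its port from WADQC_TLS_PORTS, and pass `os.stat('/etc/apache2/ssl/wadqc.myhospital.org.key').st_mode` to `key_mode_too_open`.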

To enable HTTPS for Orthanc, please read http://book.orthanc-server.com/faq/https.html.

Passwords

When installing using wad_setup, some default users with default passwords are created. Also, when starting WAD-Admin and WAD-Dashboard for the first time after installation, a default user is created for access.

changes before running wad_setup

When installing using wad_setup, one can change the initial passwords for the Orthanc REST access and for the databases of Orthanc and WAD-QC by manually editing the installation "recipe" file in a text editor and changing the indicated password fields.

changes in a running WAD-QC installation

In a running WAD-QC installation, all access credentials can be changed.

Orthanc WADQC

The Orthanc REST users are defined in the Orthanc config file, located at <WADROOT>/orthanc/config/orthanc.json. To change the access credentials, edit the file manually. After editing, restart Orthanc, and use WAD-Admin to apply the same changes to the access credentials of Source WADQC in the Data Sources page. This page is found from the WAD-Admin home page, under section "data sources".

[Screenshot: Data Sources page]

WAD-Admin

WAD-Admin has its own user management function. This can be accessed from the WAD-Admin home page under section Resources.

WAD-Dashboard

WAD-Dashboard has its own user management function. This can be accessed from the WAD-Dashboard Admin page under section Resources (the WAD-Dashboard Admin page is found with the "Admin" button on the left in the top bar).

Malware Analysis Modules

By design, WAD-QC and all its databases are installed in the wadqc user's home directory, and all analysis processes are executed as the wadqc user. That means it is not difficult to write a malicious Analysis Module that erases the whole WAD-QC installation or tampers with the access credentials.

To minimize that risk, use only factory modules and modules from sources you trust. Before importing Modules or restoring Selectors, you can always open the zip file and inspect the sources. If you don't trust it, do not install it, but please report it here!
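One way to do that inspection before importing, as an added example that is not part of WAD-QC: it lists every entry of a module or selector zip and warns about entries that would land outside the target directory on extraction, symbolic links, and files with the executable bit set, so the reviewer knows which sources to read first. The sample archive is constructed inline and is not a real WAD-QC module.

```python
import io
import posixpath
import stat
import zipfile

def inspect_module_zip(zip_bytes):
    """Return (entries, findings): every (name, size) in the archive and a
    list of human-readable warnings for entries worth a closer look."""
    entries, findings = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            entries.append((name, info.file_size))
            # Names that would land outside the import directory on a naive extract.
            if name.startswith("/") or posixpath.normpath(name).startswith(".."):
                findings.append(f"{name}: path escapes the extraction directory")
            # Unix mode bits live in the high 16 bits of external_attr.
            mode = (info.external_attr >> 16) & 0xFFFF
            if stat.S_ISLNK(mode):
                findings.append(f"{name}: symbolic link")
            elif not info.is_dir() and mode & 0o111:
                findings.append(f"{name}: executable bit set")
    return entries, findings

def build_sample_zip():
    """Constructed sample archive (not a real WAD-QC module): one plain
    analysis script, one entry that escapes upward, one executable file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mymodule/analysis.py", "print('sample module')\n")
        zf.writestr("../../outside.txt", "lands outside the module folder\n")
        info = zipfile.ZipInfo("mymodule/run.sh")
        info.external_attr = (stat.S_IFREG | 0o755) << 16
        zf.writestr(info, "#!/bin/sh\necho run\n")
    return buf.getvalue()

if __name__ == "__main__":
    entries, findings = inspect_module_zip(build_sample_zip())
    for name, size in entries:
        print(f"{size:8d}  {name}")
    for f in findings:
        print("WARNING:", f)
```

For a real module, pass `open('module.zip', 'rb').read()` to `inspect_module_zip` and read the flagged files before deciding whether to import.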

Restrict privileges of wadqc

For installation, it is necessary that the wadqc user (i.e. the user installing WAD-QC) has superuser privileges in order to install system packages and create startup scripts. After installation, these privileges can be restricted. The only privileged operations that the wadqc user still needs are for controlling the different systemd services (like starting/stopping postgresql) and for enabling/disabling websites (like disabling WAD-api); these operations are all used by the wadservices script, and when updating WAD-QC.

To restrict the privileges of wadqc, after installation run (using wad2env3 and in folder wad_setup):

#!bash
./wad_setup.sh -r recipes/privileges_only.json

and then log out and log in again.

You could also revoke all privileges of wadqc by removing user wadqc from the sudo group. In that case user wadqc can no longer (fully) use the script wadservices, so that you need to find a different method to (re)start the WAD-QC services after upgrading WAD-QC (e.g. reboot the computer).
