Webserver configuration

Webserver timeout

Some long-running actions can cause webserver errors if they take longer than the webserver's timeout setting, particularly generating fluoroscopy skin dose maps. The default setting is 300 seconds, or five minutes. To modify this, change the following two settings:

Edit docker-compose.yml in the Docker OpenREM installation folder and change the timeout setting on the following line:

services:
  openrem:
    container_name: openrem
    command: gunicorn openremproject.wsgi:application --bind 0.0.0.0:8000 --timeout 300

Edit nginx-conf/conf.d/openrem.conf and set the same timeout:

server {
    listen 80;
    location / {
        proxy_pass http://openremproject;
        # ...
        proxy_read_timeout 300s;
    }
}

Reload the containers:

$ docker-compose down
$ docker-compose up -d

Non-Docker install

Change the same settings as for the Docker install above:

$ sudo nano /etc/nginx/sites-available/openrem-server

and

$ sudo nano /etc/systemd/system/openrem-gunicorn.service

Set the timeout on the ExecStart line:

ExecStart=/var/dose/veopenrem3/bin/gunicorn \
    --bind unix:/tmp/openrem-server.socket \
    openremproject.wsgi:application --timeout 300

Adding an SSL certificate

It is advisable to add an SSL certificate to the web server even though it might only be accessible within an institution. There are several reasons for this, but a main one is that over time web browsers will give more and more warnings about entering passwords into non-HTTPS websites.

It is likely that within your institution there will be a corporate trusted root certificate and a mechanism for getting certificates you generate for your servers signed by that root certificate. How to generate a certificate signing request (CSR) and private key is beyond the scope of these documents, but this blog post was helpful when we were learning how to do this at our institution: https://www.endpoint.com/blog/2014/10/30/openssl-csr-with-alternative-names-one

Once you have a signed certificate, place it and the key in nginx-conf/certs, where they will be available in the Nginx container at /etc/ssl/private.

There are two conf files in nginx-conf/conf.d - the default one is openrem.conf. There is an alternative one named openrem-secure.conf.example. Edit the second file as required, then rename them both so the secure version is the only one to have a .conf ending.

Ensure that the following lines are updated for the name of your server and the names of your signed certificate and key:

server {
    listen 443 ssl;
    server_name add_server_name_here;
    ssl_certificate /etc/ssl/private/openrem.cer;
    ssl_certificate_key /etc/ssl/private/openrem.key;

    # ...
}
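
A pre-flight check for the HTTPS steps above, written for this page as an added example (it is not part of OpenREM). It assumes the folder layout described here; the function name `check_openrem_tls` and its messages are this example's own.

```shell
#!/bin/sh
# Added example: pre-flight check for the HTTPS steps above. The function name
# and messages are this example's own; $1 is the Docker OpenREM install folder.
check_openrem_tls() {
    base=${1:-.}
    confd="$base/nginx-conf/conf.d"
    certs="$base/nginx-conf/certs"   # seen by Nginx as /etc/ssl/private
    rc=0 count=0 active=""

    # Only the secure file may end in .conf; openrem.conf must be renamed too.
    for f in "$confd"/*.conf; do
        if [ -f "$f" ]; then count=$((count + 1)); active=$f; fi
    done
    if [ "$count" -ne 1 ]; then
        echo "FAIL: expected exactly one .conf file in $confd, found $count" >&2
        return 1
    fi

    if ! grep -Eq '^[[:space:]]*listen[[:space:]]+443[[:space:]]+ssl' "$active"; then
        echo "FAIL: $active has no 'listen 443 ssl' line" >&2; rc=1
    fi
    if grep -q 'add_server_name_here' "$active"; then
        echo "FAIL: server_name placeholder not replaced in $active" >&2; rc=1
    fi

    # Map each configured container path back to the host folder and check
    # that the file was actually placed there.
    for directive in ssl_certificate ssl_certificate_key; do
        path=$(awk -v d="$directive" '$1 == d { sub(/;.*/, "", $2); print $2; exit }' "$active")
        case $path in
            /etc/ssl/private/?*)
                host="$certs/${path#/etc/ssl/private/}"
                if [ ! -s "$host" ]; then
                    echo "FAIL: $directive file $host is missing or empty" >&2; rc=1
                fi ;;
            *)
                echo "FAIL: $directive is unset or outside /etc/ssl/private" >&2; rc=1 ;;
        esac
    done
    return "$rc"
}

# Typical use from the install folder, before bringing the containers up:
# check_openrem_tls . && echo "HTTPS configuration looks consistent"
```

A non-zero return means the containers would start with the plain-HTTP config still active, a placeholder server name, or a certificate or key path that does not resolve inside the Nginx container.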