10.18 release and nginx ssl offloading


Is someone able to put a nginx listening on 443 in front of a kaltura server and proxying requests to a kaltura server listening on 80? I works fine for the the admin_console but when i try to access kmc flash is not loading. It’s even more weird. When i try https://domain/kmc the page complains about a not installed flash plugin.

any hints are really appreciated.


I would suggest starting a sniffer to see which request is failing as well as looking at the access log on the Nginx and the Apache. Also, when balancing between nodes, remember the session has to be sticky as well.

There is no reason for such a setup not to work, we do have examples of doing the same with Apache’s mod_proxy and with HA proxy over here:

Hi Jess.

Thanks for your answer. It seems kaltura generates http links. Therefore connection fails. I even tried to configure kaltura to serve via https. Double encryption so to speak. But that fails too. For now i stick to http. That works. Any further hints would be appreciated though.


I debugged a litte bit further. When accessing via https this part of the response header is missing:


How can this happen?


Nevermind. I had:

proxy_hide_header x-powered-by

in my nginx.conf.

Firebug shows me that two javascript files are not loaded when accessing /kmc via https.

  1. jqeury-1.8.3.min.js
  2. swobject_v2.2.js

I think that leads to a not working login page.

What can lead to such a behaviour?



What is the exact URL it is trying to load from?
Does it work with curl -I -v from the shell? if not, does it work correctly if you use the Kaltura node instead of the Nginx host? also, I suggest you check the access/error logs on both sides.


What is the exact URL it is trying to load from?


Which givs me the “You must have flash installed. click here to download” page. Just to say it again, http is working fine.

Here the curl output (https)

* Hostname was NOT found in DNS cache
*   Trying nice ip...
* Connected to my-domain.tld (nice ip) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / DHE-RSA-AES256-GCM-SHA384
* Server certificate:
*        subject: OU=Domain Control Validated; OU=PositiveSSL Trial; CN=my-domain.tld
*        start date: 2015-08-29 00:00:00 GMT
*        expire date: 2015-09-28 23:59:59 GMT
*        subjectAltName: my-domain.tld matched
*        issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO RSA Domain Validation Secure Server CA
*        SSL certificate verify ok.
> GET /kmc HTTP/1.1
> User-Agent: curl/7.39.0
> Host: my-domain.tld
> Accept: */*
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: nginx/1.9.3
Server: nginx/1.9.3
< Date: Mon, 31 Aug 2015 17:16:55 GMT
Date: Mon, 31 Aug 2015 17:16:55 GMT
< Content-Type: text/html; charset=utf-8
Content-Type: text/html; charset=utf-8
< Content-Length: 3212
Content-Length: 3212
< Connection: keep-alive
Connection: keep-alive
< Keep-Alive: timeout=20
Keep-Alive: timeout=20
< X-Powered-By: PHP/5.5.9-1ubuntu4.11
X-Powered-By: PHP/5.5.9-1ubuntu4.11
< X-Kaltura-Session: 1054313788
X-Kaltura-Session: 1054313788
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
Pragma: no-cache
< X-Frame-Options: DENY
X-Frame-Options: DENY
< Vary: Accept-Encoding
Vary: Accept-Encoding
< X-Me: my-domain.tld:80
X-Me: my-domain.tld:80

<!DOCTYPE html>
<!--[if IE 7]>         <html class="no-js lt-ie10 lt-ie9 lt-ie8"> <![endif]-->
<!--[if IE 8]>         <html class="no-js lt-ie10 lt-ie9"> <![endif]-->
<!--[if lt IE 10]>     <html class="no-js lt-ie10"> <![endif]-->
<!--[if gt IE 8]><!--> <html class="no-js"> <!--<![endif]-->
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="title" content="Kaltura - Open Source Video Platform" />
<meta name="robots" content="index, follow" />
<meta name="description" content="Kaltura Management Console. Media Asset Management System. Video solutions for video streaming and video management. Kaltura - The Open Source Video Platform." />
<meta name="keywords" content="production, shows, talent, discover, contribute, share, enhance, first open source video platform, video editing, media collaboration, online video, movie, wikimentaries, wiki" />
<meta name="language" content="en" />
<meta name="verify-v1" content="JIjZEB+ZCdDyAw49II0fIpcLfFc40M9EzXEY5/Tva68=" />

<title>Kaltura - Open Source Video Platform</title>

<script type="text/javascript" src="http://my-domain.tld/lib/js/jquery-1.8.3.min.js"></script>
<script type="text/javascript" src="http://my-domain.tld/lib/js/swfobject_v2.2.js"></script>

<link rel="stylesheet" type="text/css" media="screen" href="/lib/css/modal.css" />
<link rel="stylesheet" type="text/css" media="screen" href="/lib/css/kmc.css" />
<body id="ng-app" ng-app="kmcApp">
 <div id="wrap">
body { background-color:#272929 !important; background-image:none !important;}
div#login { width:500px; margin: 0 auto; text-align:center;}
<link rel="stylesheet" type="text/css" media="screen" href="/lib/css/kmc5.css" />
<div id="kmcHeader">
                <img src="/lib/images/kmc/logo_kmc.png" alt="Kaltura CMS" />
                <div id="langIcon" style="display: none"></div>
        <div id="user_links" style="right: 36px">
        <a href="/content/docs/pdf/KMC_User_Manual.pdf" target="_blank">User Manual</a>
</div><!-- end kmcHeader -->

<div id="langMenu"></div>

<div id="login">
        <div id="notSupported">Thank you for your logging into the Kaltura Management Console.<br />The KMC is no longer supported in Internet Explorer 7.<br />Please upgrade your Internet Explorer to a higher version or browse to the KMC from another browser.</div>
    <div id="login_swf"><img src="/lib/images/kmc/flash.jpg" alt="Install Flash Player" /><span>You must have flash installed. <a href="http://get.adobe.com/flashplayer/" target="_blank">click here to download</a></span></div>

<script type="text/javascript">
// Prevent the page to be framed
if(top != window) { top.location = window.location; }
// Options
var options = {
        secureLogin: false,
        enableLanguageMenu: "true",
        swfUrl: "http://my-domain.tld:80/flash/kmc/login/v1.2.8/login.swf",
        flashVars: {
                host: "my-domain.tld:80",
                displayErrorFromServer: "false",
                visibleSignup: "false",
                hashKey: "",
                errorCode: ""
<script src="/lib/js/kmc/6.0.10/langMenu.min.js"></script>
<script type="text/javascript" src="/lib/js/kmc.login.js"></script> </div>
* Connection #0 to host my-domain.tld left intact

Well and regarding the logs. There are many of them in /opt/kaltura/logs but non of them shows an error. I could tar them and give them to you if needed.

thanks again and cheers


Please run:
# kaltlog
From the shell of the kaltura node while making the request and take a look at the output for errors.
Also, does your nginx know the hostname you used as service URL for kaltura?
When you say it all works over HTTP, do you mean when directly requesting the node or when requesting the Nginx host which then offloads the request to the Kaltura node?

Hi Jess.

This is all i get from kaltlog when accessing https://my-domain.tld/kmc

2015-08-31 20:00:03 [0.001044] [ip] [1448265799] [12] [PS2] [sfView->initialize] INFO: {sfView} initialize view for "kmc/kmc"
2015-08-31 20:00:03 [0.001862] [ip] [1448265799] [13] [PS2] [sfPHPView->renderFile] INFO: {sfView} render "/opt/kaltura/app/alpha/apps/kaltura/modules/kmc/templates/kmcSuccess.php"
2015-08-31 20:00:03 [0.000760] [ip] [1448265799] [14] [PS2] [sfPHPView->decorate] INFO: {sfView} decorate content with "/opt/kaltura/app/alpha/apps/kaltura/templates/kmclayout.php"
2015-08-31 20:00:03 [0.000116] [ip] [1448265799] [15] [PS2] [sfPHPView->renderFile] INFO: {sfView} render "/opt/kaltura/app/alpha/apps/kaltura/templates/kmclayout.php"
2015-08-31 20:00:03 [0.000546] [ip] [1448265799] [16] [PS2] [sfRenderingFilter->execute] INFO: {sfFilter} render to client

Regarding your http question what works is.

nginx (http) —> kaltura server (http)
nginx (https) —> kaltura server (http) /admin_console

Not working is:

nginx (https) —> kaltura server (http) /kmc

Also, does your nginx know the hostname you used as service URL for kaltura?

I’m not entirely sure i understand your question. ServerName in Nginx and the KalturaBackend Server are the same.

thanks and cheers

Hi Jess.

Do you have a working nginx config for ssl offloading? Maybe i can look for differences then.

thanks and cheers

Hi @himbeere,

Sorry, but I don’t have such an example.
You can send me your configuration to jess.portnoy kaltura.com if you’d like and I’ll be happy to take a look.
Also, can I access your deployment over HTTPs from www? I can take a look and see if I fine something interesting using a simple sniffer…

To summarize this issue for the benefit of other people hitting this page:
The problem was the browser blocked the loading of the KMC files due to mixed content. This happens because if you use HTTPs [Nginx end] to load the page, but then make request to the Apache [which is what the Kaltura code runs on] over HTTP, the content will be blocked. This can be seen when using the browser’s dev tools and looking at the ‘console’ tab.
The solution is to use HTTPs as the service URL when configuring Kaltura. Note, of course, the since the Kaltura solution is based entirely on making RESTful API calls to the service URL [AKA endpoint], that service URL cannot have a user and passwd htaccess protection because that would mean the requests will result in HTTP 401.