How to add other Virtual Host

jlotito · July 26, 2017, 9:49am

Hi experts,

I would like to configure in all my front servers (i have 3) another virtual host in order to get kaltura servcices from two differents domains each one with their respectives certificates.

I have one ssl domain perfectly working, this is the domian I used to install kaltura. But now I have another domain and I wolud like to access throw ssl using this new domain without deploy a new kaltura enviroment.

I have configured the zzzkaltura.conf by this way.

#########
<IfModule !ssl_module>
LoadModule ssl_module modules/mod_ssl.so

SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
<IfVersion < 2.4>
SSLMutex default

= 2.4>
Mutex sysvsem default

SSLCryptoDevice builtin

<VirtualHost *:443>
ServerName domain.test.1.com
SSLCertificateFile /etc/ssl/certs/CERTIFICATE1.crt
SSLCertificateKeyFile /etc/ssl/certs/PRIVATE-KEY1.pem
SSLCACertificateFile /etc/ssl/certs/INTERMEDIATE1.crt
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

    ErrorLog "/opt/kaltura/log/kaltura_apache_errors_ssl.log"
    CustomLog /opt/kaltura/log/kaltura_apache_access_ssl.log vhost_kalt

    Include "/opt/kaltura/app/configurations/apache/conf.d/enabled.*.conf"

ServerName domain.test.2.com SSLCertificateFile /etc/ssl/certs/CERTIFICATE2.crt SSLCertificateKeyFile /etc/ssl/certs/PRIVATE-KEY2.key SSLCACertificateFile /etc/ssl/certs/INTERMEDIATE2.crt SSLEngine on SSLProtocol all -SSLv2 SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

    ErrorLog "/opt/kaltura/log/kaltura_apache_errors_ssl.log"
    CustomLog /opt/kaltura/log/kaltura_apache_access_ssl.log vhost_kalt

    Include "/opt/kaltura/app/configurations/apache/conf.d/enabled.*.conf"

#### When I restart apache everything seems correct. When I get to the kmc console throw the new domain it works too, but when I tried to get and specific request to a resource like.

https://domain.test.2.com/p/110/sp/11000/embedIframeJs/uiconf_id/23450443/partner_id/110 I get a 400 error.

I have read that this is couase beacuse a conflict between virtual hosts. Please can you explain me the syntax to configure the two domains in the virtual host?. I would like to approach this, without deploy anything or run any config script if this is possible.

Thanks

jess · July 27, 2017, 1:33pm

Hi @jlotito,

This article explains how to configure multiple VHosts with different domains and certs, all attached to one IP using SNI.

Alternatively, you can set SSLStrictSNIVHostCheck off like this:

<IfModule mod_ssl.c>
        SSLStrictSNIVHostCheck off
        <VirtualHost *:443>
                ServerAdmin webmaster@localhost
                ServerName vhost0.example.com
                SSLEngine on

                SSLCertificateFile /etc/ssl/certs/vhost0.crt
                SSLCertificateKeyFile /etc/ssl/certs/vhost0.key
                SSLCertificateChainFile /etc/apache2/ssl.crt/ca-vhost0.crt
                # rest of VHost config goes here 
        </VirtualHost>

        <VirtualHost *:443>
                ServerAdmin webmaster@localhost
                ServerName vhost1.example.com
                SSLEngine on

                SSLCertificateFile /etc/ssl/certs/vhost1.crt
                SSLCertificateKeyFile /etc/ssl/certs/vhost1.key
                SSLCertificateChainFile /etc/apache2/ssl.crt/ca-vhost1.crt
                # rest of VHost config goes here 
        </VirtualHost>
</IfModule>

Based on the template above, you can edit:
/opt/kaltura/app/configurations/apache/kaltura.ssl.conf

However, there are two important things to note here:

Kaltura only supports one endpoint [service URL] per role/application. So, for instance, Admin Console will determine the endpoint based on settings.serviceUrl in /opt/kaltura/app/configurations/admin.ini, the batch daemon will determine the endpoint to talk to based on serviceUrl in /opt/kaltura/app/configurations/batch/batch.ini, etc.
You can configure Apache in the way I described above but the API requests will still go to the one endpoint in the each config file. If you want completely separate ENVs then you will need 3 separate Kaltura instances, if this is an all in one deployment, you will need 3 servers, if it’s a cluster, then you’ll need three clusters.
If you do want to make changes to /opt/kaltura/app/configurations/apache/kaltura.ssl.conf, you need to also edit /opt/kaltura/app/configurations/apache/kaltura.ssl.conf.template, otherwise, your changes will be overridden whenever you rerun the configure scripts. Additionally, you will have to make these changes each time you upgrade the kaltura-base package since /opt/kaltura/app/configurations/apache/kaltura.ssl.conf.template belongs to it.

I’m not sure about your specific use case but perhaps it would make more sense for you to configure these domains at a load balancer level and perform SSL offloading from all of them to the actual Kaltura endpoint.