Install kaltura Nginx VOD module

Hi @eemirtekinn,

No. Kaltura can and should work just fine over SSL. Ideally, you’ll want a cluster with an LB doing SSL offloading to two or more front nodes for redundancy purposes.
Nginx does not have to work over SSL but can do so and the installation scripts prompt about that as well. If I were you though, I’d set 2 or more Nginx instances behind an LB doing SSL offloading, same as with the front servers.

When I click play video, I get an SSL error.
It did work before.

Did you configure Nginx with SSL? Seems from the console errors that you did not.
You can re-run kaltura-nginx-config.sh and when prompted with:
"Would you like to configure Nginx with SSL?"
Select ‘Y’ and input your cert and key.

Yes, I configured Nginx with SSL and I have tried again now.
The problem still continues.

[root@cdn ~]# kaltura-nginx-config.sh
kaltura-nginx-1.8.1-9.x86_64
Kaltura API host [cdn.yasar.edu.tr]:

Nginx server name [cdn.yasar.edu.tr]:

Nginx port to listen on [88]:
Would you like to configure Nginx with SSL?[Y/n]Y
Nginx SSL port to listen on [8443]:
Nginx SSL cert:  /etc/ssl/certs/yasar.pem
Nginx SSL key:  /etc/ssl/certs/yasar.key
Note: Forwarding request to 'systemctl enable kaltura-nginx.service'.
Redirecting to /bin/systemctl reload  kaltura-nginx.service

First of all, does this work for you?
# curl -I -v https://cdn.yasar.edu.tr:8443
It does not work for me but that may be because cdn.yasar.edu.tr on port 8443 [Nginx SSL] is only available from your internal network. If it does work, then you just need to update kaltura.delivery_profile accordingly so that all records that have cdn.yasar.edu.tr:88 become cdn.yasar.edu.tr:8443.

If it does NOT work then you need to understand why… start by looking at the curl output and then the Nginx error log.

Hi @jess

It doesn’t work in the internal network.
How can I edit “kaltura.delivery_profile accordingly”?
Is it in MySQL?

Thanks in advance

 [root@cdn ~]# curl -I -v https://cdn.yasar.edu.tr:8443
* About to connect() to cdn.yasar.edu.tr port 8443 (#0)
*   Trying 195.142.121.231...
* Connected to cdn.yasar.edu.tr (195.142.121.231) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
* 	subject: CN=*.yasar.edu.tr,OU=PositiveSSL Wildcard,OU=Hosted by Comodo Yazılım San. ve Tic. A.S,OU=Domain Control Validated
* 	start date: Dec 03 00:00:00 2015 GMT
* 	expire date: Dec 02 23:59:59 2016 GMT
* 	common name: *.yasar.edu.tr
* 	issuer: CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
> HEAD / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: cdn.yasar.edu.tr:8443
> Accept: */*
>
< HTTP/1.1 400 Bad Request
HTTP/1.1 400 Bad Request
< Server: nginx/1.8.1
Server: nginx/1.8.1
< Date: Wed, 19 Oct 2016 13:32:01 GMT
Date: Wed, 19 Oct 2016 13:32:01 GMT
< Content-Type: text/html; charset=iso-8859-1
Content-Type: text/html; charset=iso-8859-1
< Content-Length: 362
Content-Length: 362
< Connection: keep-alive
Connection: keep-alive

<
* Connection #0 to host cdn.yasar.edu.tr left intact

my delivery_profiles profile are below

[root@cdn ~]# mysql -h$DB1_HOST -u$DB1_USER -p$DB1_PASS $DB1_NAME
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 9993
Server version: 5.5.50-MariaDB MariaDB Server

Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [kaltura]>  select id,name,url,host_name from delivery_profile;
+------+------------------------------------------------+---------------------------------+------------------+
| id   | name                                           | url                             | host_name        |
+------+------------------------------------------------+---------------------------------+------------------+
|    1 | Default HTTP Delivery Profile                  | http://cdn.yasar.edu.tr         | cdn.yasar.edu.tr |
|    2 | Default HTTP Delivery Profile                  | http://cdn.yasar.edu.tr         | cdn.yasar.edu.tr |
|    3 | Default HLS Live Delivery Profile              | NULL                            | NULL             |
|    4 | Default HLS Network Live Delivery Profile      | NULL                            | NULL             |
|    5 | Default HLS To Multicast Live Delivery Profile | NULL                            | NULL             |
|  301 | Default MPEG-DASH Live Delivery Profile        | NULL                            | NULL             |
|  302 | Default HD Network Live Delivery Profile       | NULL                            | NULL             |
|  303 | Default HDS Live Delivery Profile              | NULL                            | NULL             |
|  304 | Default RTMP Live Delivery Profile             | NULL                            | NULL             |
| 1001 | Kaltura HLS segmentation                       | http://cdn.yasar.edu.tr:88/hls  | cdn.yasar.edu.tr |
| 1002 | Kaltura HDS segmentation                       | http://cdn.yasar.edu.tr:88/hds  | cdn.yasar.edu.tr |
| 1003 | Kaltura DASH segmentation                      | http://cdn.yasar.edu.tr:88/dash | cdn.yasar.edu.tr |
+------+------------------------------------------------+---------------------------------+------------------+
12 rows in set (0.00 sec)

Before you update any DB records, this needs to work correctly.
Make sure you have /etc/nginx/conf.d/ssl.conf and that it looks correct and try commenting:

        server {
                listen 88;
                server_name cdn.yasar.edu.tr;
                include /etc/nginx/conf.d/kaltura.conf;
        
        }

in /etc/nginx/nginx.conf
and make sure you have:

include /etc/nginx/conf.d/ssl.conf; 

then reload kaltura-nginx with:
# service kaltura-nginx reload
and make sure you’re getting HTTP 200 when making the request to https://cdn.yasar.edu.tr:8443
then you can log in to MySQL with the kaltura user and update the records in the delivery_profile table.

Jess,

Is it correct below?

nginx.conf

user  kaltura;
worker_processes  auto;

error_log  /opt/kaltura/log/kaltura_nginx_errors.log;

pid             /var/run/nginx.pid;

events {
        worker_connections  1024;
        multi_accept on;
        use epoll;
}

http {
      	upstream kalapi {
                server cdn.yasar.edu.tr;
        }

	include    mime.types;
        default_type  application/octet-stream;

        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                '$status $bytes_sent $request_time "$http_referer" "$http_user_agent" "-" - '
                '"$sent_http_x_kaltura" "$http_host" $pid $sent_http_x_kaltura_session - '
                '$request_length "$sent_http_content_range" "$http_x_forwarded_for" '
                '"$http_x_forwarded_server" "$http_x_forwarded_host" "$sent_http_cache_control" '
                '$connection ';

        access_log /opt/kaltura/log/kaltura_nginx_access.log main;

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;

        keepalive_timeout 60;
        keepalive_requests 1000;
        client_header_timeout 20;
        client_body_timeout 20;
        reset_timedout_connection on;
        send_timeout 20;

        gzip  on;
        gzip_types application/vnd.apple.mpegurl video/f4m application/dash+xml text/xml;
        # common vod settings
        vod_mode mapped;
        vod_upstream_location /kalapi_proxy;
        vod_upstream_extra_args "pathOnly=1";

        # shared memory zones
        vod_metadata_cache metadata_cache 512m;
        vod_mapping_cache mapping_cache 64m;
        vod_response_cache response_cache 64m;
        vod_performance_counters perf_counters;

        # common file caching / aio
        open_file_cache max=1000 inactive=5m;
        open_file_cache_valid 2m;
        open_file_cache_min_uses 1;
        open_file_cache_errors on;
        aio on;

        server {
                listen 88;
                server_name cdn.yasar.edu.tr;
                include /etc/nginx/conf.d/kaltura.conf;

	}

        include /etc/nginx/conf.d/ssl.conf;
}

ssl.conf

# HTTPS server
#
server {
    listen     8443   ssl;
    server_name cdn.yasar.edu.tr;

    ssl_certificate	 /etc/ssl/certs/yasar.pem;
    ssl_certificate_key  /etc/ssl/certs/yasar.key;

    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout  5m;

    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers   on;

    include /etc/nginx/conf.d/kaltura.conf;
}

Right. So try commenting out:

        server {
                listen 88;
                server_name cdn.yasar.edu.tr;
                include /etc/nginx/conf.d/kaltura.conf;

	}

reload the server and see if a request to https://cdn.yasar.edu.tr:8443 returns correctly.

I have a new error

GET https://cdn.yasar.edu.tr:8443/hls/p/101/sp/10100/serveFlavor/entryId/0_uz2n53en/v/22/flavorId/0_0i126w5y/name/a.mp4/index.m3u8 value @ load.php?debug=false&lang=en&modules=Hlsjs%2CacCheck%2CacPreview%2Cbase64_decode%2Cbase64_encode%2C…:1
auto?&flashvars[streamerType]=auto:1 XMLHttpRequest cannot load https://cdn.yasar.edu.tr:8443/hls/p/101/sp/10100/serveFlavor/entryId/0_uz2n53en/v/22/flavorId/0_0i126w5y/name/a.mp4/index.m3u8. No ‘Access-Control-Allow-Origin’ header is present on the requested resource. Origin ‘https://cdn.yasar.edu.tr’ is therefore not allowed access. The response had HTTP status code 404.
2load.php?debug=false&lang=en&modules=Hlsjs%2CacCheck%2CacPreview%2Cbase64_decode%2Cbase64_encode%2C…:1 GET https://cdn.yasar.edu.tr:8443/hls/p/101/sp/10100/serveFlavor/entryId/0_uz2n53en/v/22/flavorId/0_0i126w5y/name/a.mp4/index.m3u8 value @ load.php?debug=false&lang=en&modules=Hlsjs%2CacCheck%2CacPreview%2Cbase64_decode%2Cbase64_encode%2C…:1
auto?&flashvars[streamerType]=auto:1 XMLHttpRequest cannot load https://cdn.yasar.edu.tr:8443/hls/p/101/sp/10100/serveFlavor/entryId/0_uz2n53en/v/22/flavorId/0_0i126w5y/name/a.mp4/index.m3u8. No ‘Access-Control-Allow-Origin’ header is present on the requested resource. Origin ‘https://cdn.yasar.edu.tr’ is therefore not allowed access. The response had HTTP status code 404.

Good, that’s progress.
Edit /etc/nginx/conf.d/ssl.conf and add:
add_header Access-Control-Allow-Origin cdn.yasar.edu.tr;
inside the ‘server’ block, then reload kaltura-nginx and try again.

I added, but it doesn’t work

[root@cdn ~]# cat /etc/nginx/conf.d/ssl.conf
# HTTPS server
#
server {
    listen     8443   ssl;
    server_name cdn.yasar.edu.tr;

	add_header Access-Control-Allow-Origin cdn.yasar.edu.tr;

    ssl_certificate      /etc/ssl/certs/yasar.pem;
    ssl_certificate_key  /etc/ssl/certs/yasar.key;

    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout  5m;

    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers   on;

    include /etc/nginx/conf.d/kaltura.conf;
}
[root@cdn ~]#

Make sure you restarted Nginx and also, in
/opt/kaltura/app/configurations/apache/kaltura.conf, add:

Header set Access-Control-Allow-Origin "*"

Right after SetEnvIf X-Forwarded-Proto https HTTPS=on and reload Apache as well.
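
How a browser evaluates the Access-Control-Allow-Origin values suggested above, as an added example (not part of the thread and not Kaltura or nginx code). It models two documented behaviours: nginx's add_header without `always` is emitted only for a fixed set of success and redirect codes, and the browser compares the header with the serialized page origin (scheme, host, non-default port). The shortened URLs and all function names are constructed for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
# Codes for which nginx add_header emits the header without "always"
# (nginx docs; 308 joined the list only in 1.13.0, the thread runs 1.8.1).
ADD_HEADER_CODES = {200, 201, 204, 206, 301, 302, 303, 304, 307}

# Constructed sample values, shortened from the URLs in the thread.
PAGE = "https://cdn.yasar.edu.tr/index.php/extwidget/preview"
MANIFEST = "https://cdn.yasar.edu.tr:8443/hls/index.m3u8"


def serialize_origin(url):
    """Return scheme://host[:port] the way a browser serializes an origin."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None  # e.g. "cdn.yasar.edu.tr" has no scheme, so no origin
    origin = f"{parts.scheme}://{parts.hostname}"
    if parts.port and parts.port != DEFAULT_PORTS[parts.scheme]:
        origin += f":{parts.port}"
    return origin


def header_sent(status, always=False):
    """Model of nginx: is an add_header line emitted for this status code?"""
    return always or status in ADD_HEADER_CODES


def cors_allows(page_url, acao, credentials=False):
    """Browser-side test of Access-Control-Allow-Origin for a page's request."""
    if acao is None:
        return False  # "No 'Access-Control-Allow-Origin' header is present"
    if acao == "*":
        return not credentials  # wildcard is refused for credentialed requests
    return acao == serialize_origin(page_url)


def cors_check_passes(status, configured_value, always=False):
    """Combine both steps for the player page fetching the HLS manifest."""
    acao = configured_value if header_sent(status, always) else None
    return cors_allows(PAGE, acao)


if __name__ == "__main__":
    print("cross-origin:", serialize_origin(PAGE) != serialize_origin(MANIFEST))
    for status, value, always in [(404, "cdn.yasar.edu.tr", False),
                                  (200, "https://cdn.yasar.edu.tr", False),
                                  (404, "https://cdn.yasar.edu.tr", True)]:
        print(status, value, always, cors_check_passes(status, value, always))
```

In nginx terms the passing cases correspond to a header value of `https://cdn.yasar.edu.tr` and, for error responses, the `always` parameter of add_header (available since nginx 1.7.5). A server-level add_header is also not inherited by any location that declares its own add_header, which is worth checking in the included kaltura.conf.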

Still it doesn’t work.

[root@cdn conf.d]# cat /opt/kaltura/app/configurations/apache/kaltura.conf
<VirtualHost *:443>
	# for SSL offloading support, if LB has X_FORWARDED_PROTO set to 'https', set HTTPS to 'on'
	SetEnvIf X-Forwarded-Proto https HTTPS=on
	Header set Access-Control-Allow-Origin "*"
	ErrorLog "/opt/kaltura/log/kaltura_apache_errors.log"
	CustomLog /opt/kaltura/log/kaltura_apache_access.log vhost_kalt

	Include "/opt/kaltura/app/configurations/apache/conf.d/enabled.*.conf"
</VirtualHost>
[root@cdn conf.d]#

nginx error log

2016/10/19 17:37:34 [error] 15895#15895: *1 ngx_child_request_wev_handler: upstream returned a bad status 400 while sending to client, client: 10.1.241.240, server: cdn.yasar.edu.tr, request: "GET /hls/p/101/sp/10100/serveFlavor/entryId/0_uz2n53en/v/22/flavorId/0_0i126w5y/name/a.mp4/index.m3u8 HTTP/1.1", host: "cdn.yasar.edu.tr:8443", referrer: "https://cdn.yasar.edu.tr/index.php/extwidget/preview/partner_id/101/uiconf_id/23448423/entry_id/0_uz2n53en/embed/auto?&flashvars[streamerType]=auto"
2016/10/19 17:37:34 [error] 15895#15895: *1 open() "/etc/nginx/html/50x.html" failed (2: No such file or directory), client: 10.1.241.240, server: cdn.yasar.edu.tr, request: "GET /hls/p/101/sp/10100/serveFlavor/entryId/0_uz2n53en/v/22/flavorId/0_0i126w5y/name/a.mp4/index.m3u8 HTTP/1.1", host: "cdn.yasar.edu.tr:8443", referrer: "https://cdn.yasar.edu.tr/index.php/extwidget/preview/partner_id/101/uiconf_id/23448423/entry_id/0_uz2n53en/embed/auto?&flashvars[streamerType]=auto"
2016/10/19 17:37:36 [error] 15895#15895: *1 ngx_child_request_wev_handler: upstream returned a bad status 400 while sending to client, client: 10.1.241.240, server: cdn.yasar.edu.tr, request: "GET /hls/p/101/sp/10100/serveFlavor/entryId/0_uz2n53en/v/22/flavorId/0_0i126w5y/name/a.mp4/index.m3u8 HTTP/1.1", host: "cdn.yasar.edu.tr:8443", referrer: "https://cdn.yasar.edu.tr/index.php/extwidget/preview/partner_id/101/uiconf_id/23448423/entry_id/0_uz2n53en/embed/auto?&flashvars[streamerType]=auto"
2016/10/19 17:37:36 [error] 15895#15895: *1 open() "/etc/nginx/html/50x.html" failed (2: No such file or directory), client: 10.1.241.240, server: cdn.yasar.edu.tr, request: "GET /hls/p/101/sp/10100/serveFlavor/entryId/0_uz2n53en/v/22/flavorId/0_0i126w5y/name/a.mp4/index.m3u8 HTTP/1.1", host: "cdn.yasar.edu.tr:8443", referrer: "https://cdn.yasar.edu.tr/index.php/extwidget/preview/partner_id/101/uiconf_id/23448423/entry_id/0_uz2n53en/embed/auto?&flashvars[streamerType]=auto"

What’s the error you’re currently seeing in the console tab?

And also, again, does:
https://cdn.yasar.edu.tr:8443/
return correctly?

Jess

Our IT department opened port 8443 internally and externally; you can see the console.

Jess

/etc/nginx/static: this directory doesn’t exist on my server. Must I create it?

[root@cdn nginx]# pwd
/etc/nginx
[root@cdn nginx]# ll
total 36
drwxr-xr-x 2 root root  128 Oct 19 20:09 conf.d
-rw-r--r-- 1 root root  964 Sep  9 17:52 fastcgi_params
-rw-r--r-- 1 root root 2837 Sep  9 17:52 koi-utf
-rw-r--r-- 1 root root 2223 Sep  9 17:52 koi-win
-rw-r--r-- 1 root root 3957 Sep  9 17:52 mime.types
-rw-r--r-- 1 root root 1689 Oct 19 17:20 nginx.conf
-rw-r--r-- 1 root root 1681 Oct 19 15:39 nginx.conf.old
-rw-r--r-- 1 root root  596 Sep  9 17:52 scgi_params
-rw-r--r-- 1 root root  623 Sep  9 17:52 uwsgi_params
-rw-r--r-- 1 root root 3610 Sep  9 17:52 win-utf
[root@cdn nginx]#

Hi @jess

This does not work with 8443:
https://cdn.yasar.edu.tr:8443/hls/p/101/sp/10100/serveFlavor/entryId/0_5u72aefd/v/2/flavorId/0_paronbmo/name/a.mp4/index.m3u8

This works on Chrome, Firefox:
https://cdn.yasar.edu.tr:8443/hls/p/101/sp/10100/serveFlavor/entryId/0_5u72aefd/v/2/flavorId/0_paronbmo/name/a.mp4/index.m3u8