I have a Kaltura 12.8.0-2 set up on Debian. It’s set up to use http (port 80) and works fine.
In front of this server I have another one using nginx as an SSL-endpoint using LetsEncrypt certs.
Clients connect to the ssl-endpoint which proxies data to the back-side non ssl Kaltura server.
I’ve updated the delivery profiles accordingly and tls, dash etc. can get delivered as expected.
There is however a problem with mixed content that the browser blocks. Having a look at the embed code I notice that the kEmbedCodeGenerator is called with http instead of https as arguments.
Where can I change the variables that are passed to the kEmbedCodeGenerator() ?
var code = new kEmbedCodeGenerator({"host":"host.domain.com","securedHost":"host.domain.com","partnerId":101,"protocol":"http","embedType":"auto","uiConfId":23448186,"width":"740","height":"416","includeKalturaLinks":true,"cacheSt":1484563242,"entryId"…
There are two ways to go about making sure the embed loads resources over HTTPs:
1. In Admin Console->Publishers->your partner->Actions->Configure-> check “Embed Code Default Protocol HTTPS”
2. In KMC->Preview and Embed->Show Advanced Options->check “Support for HTTPS embed code”
I’d recommend the first option since loading over HTTPs will work when the embed is loaded over both HTTPs and HTTP but not the other way around and also, because then you don’t have to remember to check an additional checker.
I’ve tried both options without luck. Still get the blocking of mixed-content.
Is there any server-side cache that needs to be cleared? I’ve tried resetting the APC cache using the Developer -> APC and also restarted Apache on the Kaltura server.
Also, I’m not sure if the error stems from the parameters sent to kEmbedCodeGenerator() or if it also might be the meta-tags, some of which are using http instead of https.
<meta property="og:image" content="**http:**//host.dmain...
and
<meta property="og:url" content="**http**://host.domain...
The problem stems from the fact that asking for https://YOUR_LB redirects to http://YOUR_APACHE_NODE.
Your LB should have the X_FORWARDED_PROTO header set to https when passing the request along to your Apache nodes. In the Apache main config [/opt/kaltura/app/configurations/apache/kaltura.conf], there is this line:
and in turn, all the code looks for the HTTPS header to determine whether or not the protocol should be HTTPs.
Also, in /opt/kaltura/app/configurations/local.ini and /opt/kaltura/app/configurations/admin.ini, you must make sure none of the directives point to a specific node over “http://” but rather, to your LB.
The player reads these directives in its configuration here: /opt/kaltura/web/html5/html5lib/$YOUR_VERSION/LocalSettings.php
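An added example, not part of the reply above or of Kaltura's own configuration: a minimal nginx SSL-offloading server block that passes the forwarded-protocol header to a plain-HTTP back end. The host name kaltura.example.com and the back-end address 10.0.0.10 are placeholders, and the certificate paths assume the default Let's Encrypt layout.

```nginx
# Added example: SSL-terminating proxy in front of a plain-HTTP Kaltura node.
# kaltura.example.com and 10.0.0.10 are placeholders, not values from the thread.
server {
    listen 443 ssl;
    server_name kaltura.example.com;

    # Default Let's Encrypt (certbot) file layout, assumed here.
    ssl_certificate     /etc/letsencrypt/live/kaltura.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/kaltura.example.com/privkey.pem;

    location / {
        # TLS ends here; traffic to the back end is plain HTTP.
        proxy_pass http://10.0.0.10:80;

        # Keep the public host name so URLs generated by the back end
        # point at the proxy rather than at the node itself.
        proxy_set_header Host $host;

        # Tell the back end that the client connection was HTTPS.
        # Setting it unconditionally overwrites any value a client sends.
        proxy_set_header X-Forwarded-Proto https;

        # Preserve the client address for the back-end logs.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Because the back end decides the protocol from this header, its port 80 should be reachable only from the proxy, so that no other client can supply the header directly.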
Thanks for pointing out about the headers. Adding that to the LB links all content in the player with https.
However, neither the thumbnail nor the video itself loads. No errors in console or messages about mixed content.
Also, I’m unable to use the KAC to manage the publisher any more. I can login, change settings etc. but using the actions -> manage tries to log in using the LB’s name as publisher id.
Also, in the validatelivemediaserverslog I get this message Failed to connect to LB port 80:
For the playback issue, please provide a sample URL and I’ll look.
For Admin Console, what did you set in /opt/kaltura/app/configurations/admin.ini for settings.serviceUrl, and what does the request look like when you click on “Manage”?
In addition, make sure
mysql> select url,host_name from delivery_profile where id in (1001,1002,1003);
have the right values. Your LB, if I understand correctly, listens on TCP 443 [HTTPs] and does SSL offloading to the nodes over HTTP, so you need to make sure you set the values in the config INIs and the kaltura.delivery_profile url column accordingly.
Also, when making the requests, in addition to looking at both the “Console” and “Network” tabs in your browser’s dev tools, run:
# source /etc/profile.d/kaltura*base.sh
# kaltlog
from the shell and look for errors.
Then open the log files they appear in and follow the lines leading to the actual error to understand what’s causing them.
Main log files to look at in your case are:
/opt/kaltura/log/kaltura_api_v3.log
/opt/kaltura/log/kaltura_apache_errors.log
/opt/kaltura/log/kaltura_prod.log
And for Admin Console /opt/kaltura/log/kaltura_admin.log
Yes, it’s correct: one LB for SSL-offloading that listens on 443 and forwards traffic to Kaltura:80 and Kaltura-VOD:88, both on the same machine.
Kaltlog shows signs of the unsuccessful login from the admin console as exception ‘KalturaAPIException’ with message ‘Invalid user id’. That error is also visible in /opt/kaltura/log/kaltura_admin.log
The other logs show lots of other information although not relevant for this problem.
This issue can be closed now. I finally managed to get it working. Although I did a complete re-install. The tricky part was to figure out when to use the CDN-url, when to use the back-end machine in the installer config-scripts. I also had to tweak the kaltura-nginx-config to use the local ip as back-end instead of going out through the LB and in again.
It would be a great help if this could be clarified more, either in the installer itself or on the web.
I am in a similar situation as you where I have an LB doing SSL offloading. I too pointed nginx to the Kaltura APIs using local host names instead of the LB address.
However, I’m having a similar intermittent issue with the html5lib not loading properly sometimes, but not all the time. The code is reporting a problem getting a KS from the api, it seems. I think it may have something to do with the front end going back out and through the load balancer again.
I’m wondering what your values were for CDN and SERVICE_URL in your configuration?
My set up is as follows.
CDN and SERVICE_URL = the public facing host name of the Nginx-ssl offloader.
Delivery profiles for dash/hls etc. in kaltura public facing host name AND https, so that the m3u8 links hls/dash -segments using the correct url and protocol.
as well as vod_base_url & vod_segments_base_url in /opt/kaltura/nginx/conf/nginx.conf using public facing host name AND https.