Kaltura Core and SSL Questions

Hello,

I have a few questions about SSL offload and NGINX over SSL.

  1. In order to enable SSL offload on Kaltura, it looked like all I needed to do was pass info to the FE web servers that it was previously offloaded at the NLB, done in zzzkaltura.conf, like so:

    # for SSL offloading support, if LB has X_FORWARDED_PROTO set to ‘https’, set HTTPS to ‘on’
    SetEnvIf X-Forwarded-Proto https HTTPS=on

Is this correct?

  2. When I originally deployed, it said the NGINX module was not able to be integrated into Kaltura over SSL, reference:
    https://github.com/kaltura/platform-install-packages/blob/master/doc/rpm-cluster-deployment-instructions.md#nginx-vod-server

Note: Currently, the Nginx VOD module does not support integration with Kaltura over HTTPs, only HTTP is supported.

However, I saw in 11.06, there was added support for NGINX and OpenSSL. Is this fully working now? And in order to enable it, does OpenSSL just need to be installed on the NGINX server?

Thanks for any additional info you can provide.

Hello,

RE #1: yes, correct.
LBs typically set the X-Forwarded-Proto header when forwarding the requests.
The Kaltura code looks for the HTTPS header to determine whether or not the request should be made over HTTPs.
and so:

    SetEnvIf X-Forwarded-Proto https HTTPS=on

Which says: if we have a header called X-Forwarded-Proto, set HTTPS to “on”

RE #2: no longer true since we are now using the standard nginx proxy_pass directive to do the http requests.
It should work correctly if you set:

        upstream kalapi {
                server https://$SERVICE_URL;
        }

in the Nginx config. Can you please try and let me know? If all is well, I’ll also update the doc.

Thanks,

Thanks Jess for the reply,

For a bit more clarification on 1, (I’ve never done SSL Offload before)

I don’t need to install certs, or tell my apache Vhost to listen on 443, as the load balancer should be sending all traffic via http. So, if I were to diagram it the flow would look like:

    client -> SSL -> LB -> http -> Server Pool
    client <- SSL <- LB <- http <- Server Pool

And I shouldn’t need to reconfigure my FE servers, as far as they are concerned everything is still coming in via 80.

Is this correct? I’m seeing some HTTPS://mykmc requests in my Apache logs, and some pages are responding back on 80, I am assuming my config somewhere isn’t quite right.

As for NGINX, I will be trying it in the near future – I should have a window coming up soon. Just need to nail down this offloading first.

OK,

So I have verified that my LB is passing along the “X-Forwarded-Proto” request to the Web servers. I added in %{X-FORWARDED-PROTO} to the logging section on /app/configurations/conf.d/kaltura.enabled.conf. In the apache access logs, I am seeing the value “https” in the header of the GET requests.

And certain parts of the site are working, like the landing page and all of the Administration Console.
The problem seems to be the KMC, which is trying to grab things over https, on port 80. For example, when logging in to the KMC:
https://mykaltura.com:80/api_v3/index.php?service=multirequest&action=null&kalsig=81a40dd9a3ff56b3eace73eed3138233

Will continue looking.

Hi Nick,

My guess is you have “:80” in /opt/kaltura/app/configurations/local.ini and possibly in other files under /opt/kaltura/app/configurations/. Please make sure to get rid of them.

In addition, check the same in the kaltura.delivery_profiles table.

Should fix it.
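
Added example, not part of the original thread and not Kaltura's code: a Python check for the hard-coded `:80` host values described above, plus a simplified model of how such a value combines with `HTTPS=on` to give the `https://mykaltura.com:80/...` request reported earlier. The sample ini content and its key names are constructed, and `client_url` is an assumption about the symptom, not Kaltura's URL builder.

```python
import re
from pathlib import Path

# An explicit ":80" after a host name, e.g. "mykaltura.com:80"; ":8080" does not match.
PORT80 = re.compile(r"[A-Za-z0-9.-]+:80(?![0-9])")

def find_pinned_port80(ini_text, filename="<ini>"):
    """Return (filename, line_no, section, key, value) for each value that pins port 80."""
    findings, section = [], ""
    for line_no, raw in enumerate(ini_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in ";#":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if sep and PORT80.search(value):
            findings.append((filename, line_no, section, key.strip(),
                             value.strip().strip("\"'")))
    return findings

def client_url(host_value, forwarded_proto):
    """Simplified model (assumption): scheme from the offload header, host as configured."""
    scheme = "https" if forwarded_proto.lower() == "https" else "http"
    return f"{scheme}://{re.sub(r'^[a-z]+://', '', host_value)}/api_v3/index.php"

def scan_dir(config_dir):
    """Scan every *.ini below config_dir, e.g. /opt/kaltura/app/configurations."""
    hits = []
    for path in sorted(Path(config_dir).rglob("*.ini")):
        hits += find_pinned_port80(path.read_text(errors="replace"), str(path))
    return hits

# Constructed sample; key names are illustrative, not copied from a real local.ini.
SAMPLE_INI = """\
; constructed example
[global]
www_host = mykaltura.com:80
cdn_host = "mykaltura.com:80"
stats_host = mykaltura.com
proxy = 10.0.0.5:8080
"""

if __name__ == "__main__":
    for finding in find_pinned_port80(SAMPLE_INI, "local.ini"):
        print("%s:%d [%s] %s = %s" % finding)
    print(client_url("mykaltura.com:80", "https"))
```

The scan covers ini files only; the `kaltura.delivery_profiles` table mentioned above has to be checked separately in the database.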

Jess,

Thanks for the heads up, checked and cleared the hard-coded :80 on the ini’s, so far so good.
Thanks for the help 🙂

So,

Most of the testing has gone smoothly. SSL is working on all aspects, but I am still at times getting redirected back to the HTTP version of the site at different times. (I.e., logging into the KMC via its https: URL sends you in via HTTP.)

Are most of these redirects handled in the Apache rewrite rules, or should I be looking somewhere else?

Hi @siactive,

If you go to Admin Console->Publishers->your partner->Actions->configure, you will see it has a checkbox called:
"Force KMC HTTPS"
If you check this one, all interactions with KMC should be over HTTPs only.

That’ll do it. Thanks Jess. Once I get my window to upgrade to the next version of Kaltura, I’ll make a new topic about the Kaltura / NGINX SSL integration if I have any issues.