Using nginx reverse proxy with SSL termination

I have a reverse-proxy nginx server set up to direct traffic to a few different servers that I run. Kaltura is one of them. I’ve got a fresh CentOS install of Kaltura 15. I followed the non-SSL instructions because I’m having my nginx rev-proxy terminate the SSL, with HTTP/80 behind the proxy to Kaltura.

The install runs perfectly in HTTP when I bypass the reverse proxy. When I moved the server behind the reverse proxy I changed http to https in local.ini, system.ini, var.ini and admin.ini.
With these changes I can access Kaltura, but some things aren’t working:
  • Admin Console hangs when saving a Publisher’s Configuration
  • KMC will upload video, but won’t encode
  • Dropfolders won’t upload
  • Thumbnails won’t show.

Various other things are broken I’m sure.

I’m wondering if there are other things I need to do to my configurations to get it working. I read something about how I need to point some things to the local url (video.home), while other things I point to my external url (video.thatcherkelley.com).

For reference, here is my server block on my nginx reverse proxy:

# Kaltura Site

server {
    listen 443 ssl;
    server_name encoder.thatcherkelley.com;
    include ssl_common.conf;
    location / {
        proxy_pass http://10.0.1.43;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        client_max_body_size 0;
    }
}

Hello,

You just need to add a proper zzzkaltura.ssl.conf in /etc/httpd/conf.d. It really is a symlink to /opt/kaltura/app/configurations/apache/kaltura.ssl.conf.

Please be careful to pass the correct headers to apache in nginx, so Kaltura will know that the connection is https.
For instance:
proxy_set_header X-Forwarded-Scheme $scheme;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;

Hope this helps,

David

I’m still pretty new at this. So to understand, even though I’m running Kaltura on http non-ssl behind the nginx reverse proxy I still need a zzzkaltura.ssl.conf in my httpd folder? Does this mean that I also need certificate and key stored on my Kaltura server, not just on my reverse proxy? This whole ssl thing confuses me a bit. And I assume I keep the zzzkaltura.conf as well as the zzzkaltura.ssl.conf

I was also trying to run the configuration with SSL, bypassing the reverse proxy and I couldn’t get that to work. I kept getting this error:

Couldn't make an API request to https://encoder.thatcherkelley.com/api_v3/index.php?service=system&action=ping

So that isn’t working for me either.

Today, you almost need everything on https. And yes, you need an https configuration for apache even if you proxy the traffic on http.

This is my kaltura.ssl.conf:

<IfModule !ssl_module>
    LoadModule ssl_module modules/mod_ssl.so
</IfModule>
Listen 443

SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
<IfVersion < 2.4>
    SSLMutex default
</IfVersion>
<IfVersion >= 2.4>
    Mutex sysvsem default
</IfVersion>
SSLCryptoDevice builtin

SSLCertificateFile /etc/ssl/certs/fullchain.pem
SSLCertificateKeyFile /etc/ssl/certs/privkey.pem
SSLCACertificateFile /etc/ssl/certs/ca-bundle.crt
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

    ErrorLog "/opt/kaltura/log/kaltura_apache_errors_ssl.log"
    CustomLog /opt/kaltura/log/kaltura_apache_access_ssl.log vhost_kalt

    Include "/opt/kaltura/app/configurations/apache/conf.d/enabled.*.conf"
</VirtualHost>

One final tip. You don’t need to have a proper ssl cert on apache. Just leave the default autosigned cert.

Regards,

David

So right now I’m bypassing the reverse proxy and trying to just get it to work with SSL.
When I try and configure the first time with SSL it gives me an error:

ERROR: Couldn't make an API request to https://encoder.thatcherkelley.com/api_v3/index.php?service=system&action=ping.

So instead I’m configuring non-SSL at first. It doesn’t give me that error. Then I go in and do just the front config to move to SSL. Along with that I go through all my config files in configurations folder and make sure all http is set to https.

I can get the site basically running after doing all this. But the problem is that my videos won’t transcode. They upload, then just hang and never actually transcode.

Any thoughts on what I’m missing? Are there other config files or files elsewhere that I need to change to make sure it’s going to 443? Or is there a cache I need to flush on the server to get it working correctly?

Hi,
Do you have a proper apache cert configured?
With nginx as a frontend you only need to use the default autosigned cert for apache and proxy_pass on http.

With the proper headers I sent you, kaltura will know that the connection is on https, even though the traffic comes from nginx on http.

David

I have tried both a certbot let’s encrypt cert as well as a self-signed for the apache. And my kaltura.ssl.conf looks like yours.

To be clear, I do need to change all my http:// to https:// within my config files? Is there anything in the database that I need to change to make sure SSL works correctly?

I’m really not sure why I get the ERROR: Couldn't make an API request when I try and do a full config following the SSL instructions, but when I do a non-SSL I don’t get the error. The error seems to have to do with my CA cert not working, but I’ve used both Let’s Encrypt and self-signed to create certs that work. They just don’t seem to work when verifying my API request.

I didn’t change anything on my standard Kaltura conf.

Just added the kaltura.ssl.conf to apache and set the right headers with nginx.

Regards,

David

And you did the config-all using the non-SSL guide, then went in and changed the kaltura.conf to what you pasted above? (Which, correct me if I’m wrong, sets up the kaltura.conf, not kaltura.ssl.conf.) And of course with the nginx rev proxy set up properly as you stated above.

I ignored the SSL conf, as well. That was the trick, maybe.

I just can’t get it working with SSL (with or without the reverse proxy in-line). When I try and config with SSL, it fails. When I try and manually change to SSL things start breaking.

I read someone else on the forum a while back with almost the exact same issue and they just installed on Ubuntu and it worked flawlessly. So I’m going to try that. Unfortunately I ran into an issue where the Ubuntu install fails (for different reasons). I’ve made a separate post for that.

I don’t know how you configured Kaltura but try again kaltura-config-all.sh

Answer NO to the apache and nginx SSL questions. Let it continue and finish.

Then set the kaltura.ssl.conf as I told you and the nginx proxy configuration on your frontend.

Try again and let me know,

David

I’ll try it again and let you know. The only confusing thing is that when I say no and tell it port 80 and all that, it doesn’t put the zzzkaltura.ssl.conf in the httpd folder. It only puts the zzzkaltura.conf. So should I use your suggested conf on the non-SSL kaltura.conf?

You have to put the symlink in /etc/httpd/conf.d pointing to the ssl.conf and restart apache.

I solved a couple issues by removing some of the security related settings I had on my proxy server.

At present:
  • I’ve configured for non-SSL according to the instructions.
  • I’ve changed the http://hostname to https://hostname in admin.ini and local.ini.
  • I’ve configured my publisher settings to force HTTPS on KMC and embed.
My proxy SSL offloader server block is:

server {
    listen 443 ssl;
    server_name encoder.thatcherkelley.com;
    include ssl_common.conf;
    location / {
        proxy_pass http://10.0.1.43;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Scheme $scheme;
        client_max_body_size 0;
    }
}

When I run the server behind my proxy SSL offloader I can upload videos, but they won’t transcode, they just sit in the queue. As soon as I directly forward my Kaltura server ports instead of running through the nginx proxy the videos almost immediately begin transcoding. Once complete I can put Kaltura back behind the proxy and the videos seem to embed and play just fine.

@david.eusse I tried using your kaltura.ssl.conf settings, but it just breaks my nginx proxy. It gives a 502 error.

What am I missing? Is it the VOD server that does the transcoding? Is there some way I need to configure that so it’ll talk to my main Kaltura server when it’s behind the SSL offloading proxy?

@jess I’m wondering if you have any insight.

Hi,
It’s hard to help after the modifications you made, but I will summarize what we do:

  • We perform a clean Kaltura install. When getting to the SSL questions, we answer that we don’t want to have it configured.
  • We copy the kaltura.ssl.conf file in /opt/kaltura/app/configurations/apache and then link it to /etc/httpd/conf.d/zzzkaltura.ssl.conf
  • We add the proxy_headers I sent you to nginx.

To make sure that any local calls (batch, etc) are treated directly by apache instead of going through nginx and back again, we add the kaltura domain name to /etc/hosts.

For instance:
127.0.0.1 web.mykaltura.com

This helps you manage a different name for kaltura from the server’s hostname.

Maybe I forgot to mention the last point.
That’s it and it should work.

David

I’ll try adding to my hosts file.

On your nginx proxy do you proxypass to http or https?

I’m making a little progress. Once I added my url encoder.thatcherkelley.com to my hosts file the transcoding started working. However, it broke my video player.
Here is the error I get displayed over the player thumbnail in a video entry:

Error getting sources from server. Please try again. failed to unserialize server result

If I remove the url from hosts the player is fixed, but the transcoding no longer happens after upload.

Here is what my hosts file looks like:
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 encoder.thatcherkelley.com
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

Also it seems that adding encoder.thatcherkelley.com breaks the admin console and gives me an error code: API:-1 error.

I feel like I’m very close to getting it all sorted out.

Hi,

First things first:

You proxy_pass on http and not https. You need to set an apache SSL configuration, but it doesn’t get traffic. The nginx headers tell Apache the connection’s real scheme.

When configuring kaltura, answer with a FQDN (ie, www.mykaltura.com) even if it is different from the hostname.

Add that exact name to the server’s /etc/hosts:
127.0.0.1 localhost www.mykaltura.com

Point your DNS with that name to your server and add the same name to the nginx server.

What I mean is that everything needs to be consistent everywhere, otherwise you’ll get in trouble.

Regards,

David
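The two points David makes, that the backend learns the real scheme only from the X-Forwarded-* headers nginx adds, and that local batch calls pinned to 127.0.0.1 via /etc/hosts reach Apache directly without those headers, are worth seeing side by side with the check that makes them safe: the backend must believe those headers only on connections that actually come from the proxy, otherwise anyone who can reach port 80 directly can forge `X-Forwarded-Proto: https` and get https-only behaviour or https links for a plaintext request. The following is an added example, not code from the thread or from Kaltura or nginx; the proxy address 10.0.1.1, the sample requests and the peer addresses are constructed, and the hostname is the one used in the thread.

```python
"""Added example (not from the thread, Kaltura or nginx): deciding the
effective scheme and host behind an SSL-terminating proxy, trusting
X-Forwarded-* headers only from the proxy's own address.
"""
import ipaddress

# Addresses allowed to set X-Forwarded-* headers. The proxy IP is an
# assumption for this example; use your real nginx address.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.1.1/32")]


def from_trusted_proxy(peer_ip):
    """True when the TCP peer delivering the request is one of our proxies."""
    peer = ipaddress.ip_address(peer_ip)
    return any(peer in net for net in TRUSTED_PROXIES)


def effective_scheme(headers, peer_ip, listening_scheme="http"):
    """Scheme the end client used.

    headers: request headers as the backend sees them (constructed dicts here)
    peer_ip: address of the socket peer (nginx, or a local batch process)
    listening_scheme: what the backend vhost itself speaks (http on :80)
    """
    if from_trusted_proxy(peer_ip):
        # nginx in the thread sets both headers to $scheme; accept either.
        forwarded = headers.get("X-Forwarded-Proto") or headers.get("X-Forwarded-Scheme")
        if forwarded in ("http", "https"):
            return forwarded
    # Anything else (a batch job that resolved the hostname to 127.0.0.1 via
    # /etc/hosts, or an outside client that sent its own X-Forwarded-Proto)
    # gets the scheme of the socket it actually used.
    return listening_scheme


def effective_host(headers, peer_ip, default_host):
    """Host the client addressed; X-Forwarded-Host is honoured only from the proxy."""
    if from_trusted_proxy(peer_ip):
        forwarded = headers.get("X-Forwarded-Host")
        if forwarded:
            return forwarded
    return headers.get("Host", default_host)


def absolute_url(headers, peer_ip, path, listening_scheme="http",
                 default_host="encoder.thatcherkelley.com"):
    """Absolute URL the backend should emit (thumbnails, API endpoints,
    player source lists) for this request."""
    scheme = effective_scheme(headers, peer_ip, listening_scheme)
    host = effective_host(headers, peer_ip, default_host)
    return f"{scheme}://{host}{path}"


# Constructed sample requests.
PROXIED = {  # browser -> nginx (443) -> backend (80), headers as set in the thread
    "Host": "encoder.thatcherkelley.com",
    "X-Real-IP": "198.51.100.7",
    "X-Forwarded-For": "198.51.100.7",
    "X-Forwarded-Host": "encoder.thatcherkelley.com",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Scheme": "https",
}
LOCAL_BATCH = {  # batch worker on the box, hostname pinned to 127.0.0.1 in /etc/hosts
    "Host": "encoder.thatcherkelley.com",
}
SPOOFED = {  # direct hit on port 80 from outside carrying a forged header
    "Host": "encoder.thatcherkelley.com",
    "X-Forwarded-Proto": "https",
}


def demo():
    """Return the URL the backend would generate in the three situations."""
    return {
        "proxied": absolute_url(PROXIED, "10.0.1.1", "/api_v3/index.php"),
        "local_batch": absolute_url(LOCAL_BATCH, "127.0.0.1", "/api_v3/index.php"),
        "spoofed": absolute_url(SPOOFED, "203.0.113.9", "/api_v3/index.php"),
    }


if __name__ == "__main__":
    for name, url in demo().items():
        print(f"{name:12s} {url}")
```

The proxied request yields an https URL, the local batch call an http one (which is what it wants, since it talks to Apache on port 80 directly), and the forged header from an untrusted address is ignored. The same trust boundary is what Apache's mod_remoteip enforces for X-Forwarded-For with RemoteIPInternalProxy; the scheme headers have to be handled by the application, or by whatever sets the request's scheme for it, in the same way.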

When I installed CentOS I set the hostname to encoder and that’s what appears in /etc/hostname file. The url that I’m using for Kaltura is encoder.thatcherkelley.com. This is the server_name that my nginx proxy server points to.

The following is what I’ve used for my various inputs:

CDN hostname [kalrpm.lcl]: "encoder.thatcherkelley.com"
Apache virtual hostname [kalrpm.lcl]: "encoder.thatcherkelley.com"
Which port will this Vhost listen on [80]?:
DB hostname [127.0.0.1]: "<127.0.0.1>"
DB port [3306]: "<3306>"
Analytics DB hostname [127.0.0.1]: "<127.0.0.1>"
Analytics DB port [3306]: "<3306>"
Sphinx hostname [127.0.0.1]: "<127.0.0.1>"
Secondary Sphinx hostname: [leave empty if none] "<empty>"
VOD packager hostname [kalrpm.lcl]: "encoder.thatcherkelley.com"
VOD packager port to listen on [88]: 
Service URL [http://kalrpm.lcl:80]: "<http://encoder.thatcherkelley.com>"

Is this correct? Or should I be using my local hostname for some of those (or my local IP address)?

This is an all-in-one install by the way.