kaltura / platform-install-packages

Official deployment packages to install the Kaltura platform on a server or cluster environments using native OS package managers
GNU Affero General Public License v3.0
520 stars 241 forks source link

KMC cannot be used anymore in HAproxy offloading/terminating SSL as port is attached to Host in http request #699

Open guillemlc opened 3 years ago

guillemlc commented 3 years ago

Bug report

*Please provide steps to reproduce, including errors from /opt/kaltura/log/kaltura_api_v3.log, /opt/kaltura/log/kaltura_apache_errorslog and /opt/kaltura/log/kaltura_prod.log:**

  1. Install using this guidelines: https://github.com/kaltura/platform-install-packages/blob/Propus-16.15.0/doc/rpm-cluster-deployment-instructions.md
  2. Use the https://github.com/kaltura/platform-install-packages/blob/Propus-16.15.0/doc/haproxy.cfg HAproxy config and chaneg values accordingly.
  3. Install a SSL certificate in HAproxy
  4. (Try to) Log in to KMC via https

Issue explain in detail here: https://forum.kaltura.org/t/distributed-kaltura-ce-installation-works-but-cant-log-in-lots-of-questions/10960/2

You see a request like this being generated:

OPTIONS /api_v3/service/multirequest?format=1&clientTag=kmcng undefined
**Host: media.xxxxx.com:80**
User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: */*
Accept-Language: en,en-US;q=0.5
Accept-Encoding: gzip, deflate, br
Access-Control-Request-Method: POST
Access-Control-Request-Headers: content-type
Referer: https://media.xxxxxxx.com/
Origin: https://media.xxxxxx.com
DNT: 1
Connection: keep-alive
Sec-GPC: 1

Basically, what web browser sees is Host: whateverhostname:NN when api calls are used. This is OK for internal network traffic in plain http, but a modern browser does not fear well with a protocol and port mismatch ( it is truing to do http over port 80 ) and it interprets the error as a CORS issue.

Altering the request manually in the browser and changing the 80 for a 443 leads to a 200 code( although the process does not change).

This all works fine if https is dropped and plain http is used. So it is entirely an issue of protocol and port mismatch.

Possible solution ( although I am not sure): make sure that the application does not attach the port to the Host portion of the request.

Maybe that is useful in some scenarios, but it currently breaks KMC login over https.

Linux distribution name and version:

CentOS Linux release 7.9.2009 (Core)

Are you using the RPM or deb packages?

When using RPM, paste the output for:

# rpm -qa "kaltura-*"
kaltura-monit-5.25.3-1.x86_64
kaltura-a52dec-0.7.4-11.x86_64
kaltura-release-16.14.0-1.noarch
kaltura-kupload-v1.2.16-2.noarch
kaltura-kdp3-v3.9.9-2.noarch
kaltura-flexwrapper-v1.2-1.noarch
kaltura-html5lib-v2.85-2.noarch
kaltura-widgets-1.0.0-9.noarch
kaltura-mediainfo-0.7.61-9.x86_64
kaltura-x264-0.140-2.20140104.x86_64
kaltura-lame-3.99.5-3.x86_64
kaltura-libopencore-amr-0.1.3-1.x86_64
kaltura-ffmpeg-4.0.2-1.x86_64
kaltura-sphinx-2.2.1-21.x86_64
kaltura-base-16.14.0-2.noarch
kaltura-kmc-v5.43.13-137.noarch
kaltura-kdp-v2.7.0-1.noarch
kaltura-kdp3wrapper-v37.0-1.noarch
kaltura-kmcng-v5.17.0-1.noarch
kaltura-kclip-v1.1.2.1-2.noarch
kaltura-kcw-1.0.0-6.noarch
kaltura-html5lib3-1.2.1-4.noarch
kaltura-clipapp-1.3-2.noarch
kaltura-front-16.14.0-1.noarch
kaltura-html5-studio-v2.2.3-1.noarch
kaltura-libmediainfo-0.7.61-9.x86_64
kaltura-html5-studio3-v3.8.0-1.noarch
kaltura-sshpass-1.05-1.x86_64
kaltura-libvpx-1.7.0-1.x86_64
kaltura-postinst-1.0.33-109.noarch
kaltura-krecord-1.0.0-1.noarch
kaltura-live-analytics-front-v2.7.3-2.noarch
kaltura-kdpwrapper-v11.0-1.noarch
kaltura-playkit-bundler-1.2.0-14.noarch
kaltura-html5-analytics-v0.3-2.noarch

For deb based systems:

# dpkg -l "kaltura-*"

Is this an all in one instance [single server] or a cluster?

If applicable, please provide the MySQL version

mysql Ver 15.1 Distrib 5.5.68-MariaDB, for Linux (x86_64) using readline 5.1

If you're having an issue with a specific media asset, please provide a link from which it can be downloaded/played:

guillemlc commented 3 years ago

Is there any update or supported workaround for this issue?