KMC cannot be used anymore in HAproxy offloading/terminating SSL as port is attached to Host in http request

[guillemlc]

• [x ] I've read the guidelines for Contributing to Kaltura Projects
• [ x] I've read the installation guides and troubleshooting FAQ
• This is not a support request or question that should be posted on the Kaltura forum

Bug report

Please provide steps to reproduce, including errors from /opt/kaltura/log/kaltura_api_v3.log, /opt/kaltura/log/kaltura_apache_errors*log and /opt/kaltura/log/kaltura_prod.log:

1. Install using this guidelines: https://github.com/kaltura/platform-install-packages/blob/Propus-16.15.0/doc/rpm-cluster-deployment-instructions.md
2. Use the https://github.com/kaltura/platform-install-packages/blob/Propus-16.15.0/doc/haproxy.cfg HAproxy config and chaneg values accordingly.
3. Install a SSL certificate in HAproxy
4. (Try to) Log in to KMC via https

Issue explain in detail here: https://forum.kaltura.org/t/distributed-kaltura-ce-installation-works-but-cant-log-in-lots-of-questions/10960/2

You see a request like this being generated:

OPTIONS /api_v3/service/multirequest?format=1&clientTag=kmcng undefined
**Host: media.xxxxx.com:80**
User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: */*
Accept-Language: en,en-US;q=0.5
Accept-Encoding: gzip, deflate, br
Access-Control-Request-Method: POST
Access-Control-Request-Headers: content-type
Referer: https://media.xxxxxxx.com/
Origin: https://media.xxxxxx.com
DNT: 1
Connection: keep-alive
Sec-GPC: 1

Basically, what web browser sees is Host: whateverhostname:NN when api calls are used. This is OK for internal network traffic in plain http, but a modern browser does not fear well with a protocol and port mismatch ( it is truing to do http over port 80 ) and it interprets the error as a CORS issue.

Altering the request manually in the browser and changing the 80 for a 443 leads to a 200 code( although the process does not change).

This all works fine if https is dropped and plain http is used. So it is entirely an issue of protocol and port mismatch.

Possible solution ( although I am not sure): make sure that the application does not attach the port to the Host portion of the request.

Maybe that is useful in some scenarios, but it currently breaks KMC login over https.

Linux distribution name and version:

CentOS Linux release 7.9.2009 (Core)

Are you using the RPM or deb packages?

• [x ] RPM
• deb

When using RPM, paste the output for:

# rpm -qa "kaltura-*"
kaltura-monit-5.25.3-1.x86_64
kaltura-a52dec-0.7.4-11.x86_64
kaltura-release-16.14.0-1.noarch
kaltura-kupload-v1.2.16-2.noarch
kaltura-kdp3-v3.9.9-2.noarch
kaltura-flexwrapper-v1.2-1.noarch
kaltura-html5lib-v2.85-2.noarch
kaltura-widgets-1.0.0-9.noarch
kaltura-mediainfo-0.7.61-9.x86_64
kaltura-x264-0.140-2.20140104.x86_64
kaltura-lame-3.99.5-3.x86_64
kaltura-libopencore-amr-0.1.3-1.x86_64
kaltura-ffmpeg-4.0.2-1.x86_64
kaltura-sphinx-2.2.1-21.x86_64
kaltura-base-16.14.0-2.noarch
kaltura-kmc-v5.43.13-137.noarch
kaltura-kdp-v2.7.0-1.noarch
kaltura-kdp3wrapper-v37.0-1.noarch
kaltura-kmcng-v5.17.0-1.noarch
kaltura-kclip-v1.1.2.1-2.noarch
kaltura-kcw-1.0.0-6.noarch
kaltura-html5lib3-1.2.1-4.noarch
kaltura-clipapp-1.3-2.noarch
kaltura-front-16.14.0-1.noarch
kaltura-html5-studio-v2.2.3-1.noarch
kaltura-libmediainfo-0.7.61-9.x86_64
kaltura-html5-studio3-v3.8.0-1.noarch
kaltura-sshpass-1.05-1.x86_64
kaltura-libvpx-1.7.0-1.x86_64
kaltura-postinst-1.0.33-109.noarch
kaltura-krecord-1.0.0-1.noarch
kaltura-live-analytics-front-v2.7.3-2.noarch
kaltura-kdpwrapper-v11.0-1.noarch
kaltura-playkit-bundler-1.2.0-14.noarch
kaltura-html5-analytics-v0.3-2.noarch

For deb based systems:

# dpkg -l "kaltura-*"

Is this an all in one instance [single server] or a cluster?

• All in one
• [x ] Cluster

If applicable, please provide the MySQL version

mysql Ver 15.1 Distrib 5.5.68-MariaDB, for Linux (x86_64) using readline 5.1

If you're having an issue with a specific media asset, please provide a link from which it can be downloaded/played:

[guillemlc]

Is there any update or supported workaround for this issue?