Search code examples
nginxproxystreamproxypasskaltura

How to save HTTPS protocol after proxy_pass to HTTP protocol?


I have 3 docker containers in the same network:

  1. Storage (golang) - it provides API for uploading video files.
  2. Streamer (nginx) - it streams uploaded files
  3. Reverse Proxy (let's call it just Proxy)

I have HTTPS protocol between User and Proxy.

Let's assume that there is a file with id=c14de868-3130-426a-a0cc-7ff6590e9a1f and User wants to see it. So User makes a request to https://stream.example.com/hls/master.m3u8?id=c14de868-3130-426a-a0cc-7ff6590e9a1f. Streamer knows video id (from query param), but it doesn't know the path to the video, so it makes a request to the storage and exchanges video id for the video path. Actually it does proxy_pass to http://docker-storage/getpath?id=c14de868-3130-426a-a0cc-7ff6590e9a1f.

docker-storage in an upstream server. And protocol is http, because I have no SSL-connection between docker containers in local network.

After Streamer gets path to the file it starts streaming. But User's browser start throwing Mixed Content Type error, because the first request was throw HTTPS and after proxy_pass it became HTTP.

Here is nginx.conf file (it is a Streamer container):

worker_processes auto;

events {
  use epoll;
}

http {
  error_log stderr debug;

  default_type application/octet-stream;

  sendfile    on;
  tcp_nopush  on;
  tcp_nodelay on;

  vod_mode                           local;
  vod_metadata_cache                 metadata_cache 16m;
  vod_response_cache                 response_cache 512m;
  vod_last_modified_types            *;
  vod_segment_duration               9000;
  vod_align_segments_to_key_frames   on;
  vod_dash_fragment_file_name_prefix "segment";
  vod_hls_segment_file_name_prefix   "segment";

  vod_manifest_segment_durations_mode accurate;

  open_file_cache          max=1000 inactive=5m;
  open_file_cache_valid    2m;
  open_file_cache_min_uses 1;
  open_file_cache_errors   on;

  aio on;

  upstream docker-storage {
    # There is a docker container called storage on the same network
    server storage:9000;
  }

  server {
    listen 9000;
    server_name localhost;
    root /srv/static;

    location = /exchange-id-to-path {
      proxy_pass $auth_request_uri;
      proxy_pass_request_body off;

      proxy_set_header Content-Length "";
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Original-URI $request_uri;

      # I tried to experiment with this header
      proxy_set_header X-Forwarded-Proto https;

      set $filepath $upstream_http_the_file_path;
    }

    location /hls {
      # I use auth_request module just to get the path from response header (The-File-Path)
      set $auth_request_uri "http://docker-storage/getpath?id=$arg_id";
      auth_request /exchange-id-to-path;
      auth_request_set $filepath $upstream_http_the_file_path;

      # Here I provide path to the file I want to stream
      vod hls;
      alias $filepath/$arg_id;
    }
  }
}

Here is a screenshot from browser console: photo

Here is the response from success (200) request:

#EXTM3U
#EXT-X-STREAM-INF:PROGRAM-ID=1,BANDWIDTH=1470038,RESOLUTION=1280x720,FRAME-RATE=25.000,CODECS="avc1.4d401f,mp4a.40.2"
http://stream.example.com/hls/index-v1-a1.m3u8

#EXT-X-I-FRAME-STREAM-INF:BANDWIDTH=171583,RESOLUTION=1280x720,CODECS="avc1.4d401f",URI="http://stream.example.com/hls/iframes-v1-a1.m3u8"

The question is how to save https protocol after proxy_pass to http?

p.s. I use Kaltura nginx-vod-module for streaming video files.


Solution

  • I think proxy_pass isn't the problem here. When the vod module returns the index path it uses an absolute URL with HTTP protocol. A relative URL should be enough since the index file and the chunks are under the same domain (if I understood it correctly).

    Try setting vod_hls_absolute_index_urls off; (and vod_hls_absolute_master_urls off; as well), so your browser should send requests relative to stream.example.com domain using HTTPS.