
SSL/TLS Offloading


If you have your Engine instances behind a load balancer or proxy that does SSL termination, you can find yourself in the situation where the client's request to the launch URL uses https, but the player ends up loading over http. This happens because Engine must infer the root portion of the player URL from the launch request, which appears to be http due to the SSL offloading.

Fortunately, there are some built-in mechanisms in Engine that try to infer the 'original' URL for the launch, so that this will not happen. It requires certain behavior by the device terminating the SSL connection, though.

Engine tries to determine the original URL via the following steps:

  1. Engine first checks the "Forwarded" HTTP header for RFC 7239-style reverse proxying. If it's present, Engine will check the "host" and "proto" segments in the value of that header to determine the original host and protocol.
  2. Engine then checks for either the "x-forwarded-proto" or "x-forwarded-host" HTTP headers (which were the industry-standard way to solve this problem before RFC 7239 adoption). If either header is present (the relevant one for SSL being x-forwarded-proto), it will use the given host and protocol for the original URL.
  3. Last, Engine checks for the IIS/ARR-specific header "x-arr-ssl", and will set the request to be https if it is found.

In short, one of the "Forwarded", "x-forwarded-proto", or "x-arr-ssl" HTTP headers must be added to the request that Engine finally processes in order for Engine to use https for generated URLs. 
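The lookup order above can be modeled in a few lines to check what root URL a given set of proxy headers would produce. This is an added example, not Engine's own code. The function names are hypothetical, and three behaviors are assumptions: the first element of a multi-hop "Forwarded" value is used, a missing host or protocol falls back to what the backend saw, and a "Forwarded" header with neither "host" nor "proto" falls through to step 2.

```python
# Added illustration: models the three steps above; not Engine's own code.

def parse_forwarded(value):
    """Return the parameters of the first element of an RFC 7239 header."""
    first = value.split(",", 1)[0]  # assumption: first element is the client-facing hop
    params = {}
    for pair in first.split(";"):
        name, sep, val = pair.strip().partition("=")
        if sep:
            params[name.strip().lower()] = val.strip().strip('"')
    return params


def infer_original_root(headers, scheme, host):
    """Return (scheme, host) to use for generated URLs.

    scheme and host are what the backend sees after SSL offloading.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}

    # Step 1: "Forwarded" header, "proto" and "host" segments.
    fwd = parse_forwarded(h.get("forwarded", ""))
    if "proto" in fwd or "host" in fwd:
        return fwd.get("proto", scheme).lower(), fwd.get("host", host)

    # Step 2: either legacy header is present.
    if "x-forwarded-proto" in h or "x-forwarded-host" in h:
        return (h.get("x-forwarded-proto", scheme).lower(),
                h.get("x-forwarded-host", host))

    # Step 3: IIS/ARR marker header; its presence alone means https.
    if "x-arr-ssl" in h:
        return "https", host

    return scheme, host  # no hint: URLs come out as the backend saw them


def root_url(headers, scheme="http", host="10.0.0.5:8080"):
    """Root URL for a request; defaults are a constructed backend address."""
    return "%s://%s" % infer_original_root(headers, scheme, host)


if __name__ == "__main__":
    # Constructed sample header sets, as they might arrive from the SSL terminator.
    for sample in ({"Forwarded": 'proto=https;host="lms.example.com"'},
                   {"X-Forwarded-Host": "lms.example.com"}, {}):
        print(sample, "->", root_url(sample))
```

Because these headers decide the scheme and host of generated URLs, the device terminating SSL should set them itself and overwrite any copy supplied by the client.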
