Https absolute URLs in HLS chunklists

Hi,

I configured two Wowza Streaming Engines (v. 4.8.5.05) with load balancing for HTTP streaming (HLS, Dash). Both WSEs are located behind an Nginx reverse proxy that can only be reached via https while communication between Nginx and WSE is via http.
I succesfully configured the load balancer to use the server’s https ULRs for redirection (by setting loadbalanceClientForcePort and loadbalanceClientForceScheme).
Then I configured absolute playlist URLs (by setting cupertinoRelativePlaylistPlaylists and cupertinoRelativePlaylistItems to false) as mentioned in the load balancing manual. As expected, the URLs in HLS playlists and chunklists are absolute URLs now, but they use http instead of https.
How can i configure WSE to generate https URLs for these files?

Thanks,

Daniel

I’m not 100% sure if I understand your setup so forgive me it this idea is stupid, but if you’re using Nginx in front of both Wowza Servers, why not ditch the Load Balancer, and instead set up Nginx as a reverse proxy with load balancing (see https://nginx.org/en/docs/http/load_balancing.html). You can terminate SSL on your Nginx and use HTTP between Wowza and Nginx.

Remember configure the Wowza Applications as HTTP Origin Applications to make sure no session IDs are added to the URLs which make it impossible for Nginx and for a CDN to gain from cache. More info; see: (https://www.wowza.com/docs/how-to-configure-a-wowza-server-as-an-http-caching-origin)

Thanks for your response. At the moment each Wowza is behind his own Nginx. But you are right, using a single Nginx in front of both for load balancing seems to be an option and would avoid the problem since I can use relative URLs in playlists/chunklists.
Are you aware of any downsides of this setup? We are going to use SecureToken for some Applications and my assumption was I may run into less issues if I use the load balancing built into Wowza itself.
With Wowza’s load balancer each client is redirected to a single Wowza server while with Nginx’ load balancing a client’s requests may be answered by both servers.

If I understand correctly, the absolute URLs in playlists/chunklists are generated based on the request URL. So I guess my other option would be to configure SSL at the Wowza itself and use https between Nginx and Wowza.

SecureToken won’t work with HTTP Origin applications and a single Nginx reverse proxy. First of all, the token must be unique per user and session, and HTTP Origin applications share a single session for all users so the token can’t be verified.

Secondly, if you’d use session-based (“normal”) Wowza Applications, you would need to make sure that a user is always routed to the same Wowza Server (aka. “sticky”) where the session is. That ruins the concept of Load Balancing.

Instead of using SecureToken it’s better to do the security check in Nginx. You could use LUA script to verify the token and keep a clear, sessionless connection between Nginx and the Wowza Servers (check out OpenResty, it’s basically Nginx with built-in LUA support),

I wouldn’t know why you need to use absolute URLs. Nginx is the endpoint for all clients, no direct connections between clients and Wowza Servers.

Thank you for the clarification. Handling the Token verification in Nginx is a nice idea! I will try my luck with OpenResty.

I came across this in the load-balancing guide and was not sure about the consequences of using relative URLs.

When using a load-balancing system to deliver relative playlists, particularly with Apple HLS, some playback clients may not follow the redirection correctly. Therefore, it is important to configure absolute playlists for all load-balancing edge servers.

But I guess using the reverse proxy makes this unnecessary. Thanks again!