LLHLS chunklist requests return 401 Unauthorized (“Invalid session_key”) behind Nginx reverse proxy with AdmissionWebhooks

[manish-drake]

Hi folks,

I’m running OvenMediaEngine (v0.12.6) in Docker behind an nginx reverse proxy (with SSL) and using AdmissionWebhooks for access control. My LLHLS streams work for the master playlist but every chunklist request is immediately rejected with 401 Unauthorized / Invalid session_key. I’ve pasted my configuration and logs below—any pointers on what I’m missing would be hugely appreciated!
Here is my Docker Compose service:

version: "3.8" services: ovenmediaengine: image: {our private OME based image on docker hub} ports: - "8081:8081" - "1935:1935" - "3333:3333" # LLHLS HTTP - "3334:3334" # LLHLS HTTPS (TLS) volumes: - ome-media:/opt/ovenmediaengine/bin/dumps - ome-conf:/opt/ovenmediaengine/bin/conf networks: - private environment: - OME_HOST_IP=0.0.0.0 restart: unless-stopped
Here is my OvenMedia Virtual-Host config:

[ { "name": "spip", "crossDomains": { "urls": ["*"] }, "host": { "names": ["{my public domain}"], "tls": { "certPath": "/opt/ovenmediaengine/bin/conf/cert.pem", "chainCertPath": "/opt/ovenmediaengine/bin/conf/chain.pem", "keyPath": "/opt/ovenmediaengine/bin/conf/privkey.pem" } }, "admissionWebhooks": { "controlServerUrl": "http://service-gateway:1437/api/omal/control-server", "enables": { "providers": "rtmp,webrtc,srt", "publishers": "webrtc,llhls" }, "timeout": 3000 }, "publishers": { "llhls": { "originMode": false, // tried both true and false "port": 3333, "tlsPort": 3334, "workerCount": 1 } } } ]
And here is my nginx reverse proxy:

`upstream om_llhls {
server ovenmediaengine:3334;
}

server {
listen 443 ssl;
server_name {my public domain};

ssl_certificate       /opt/ovenmediaengine/bin/conf/fullchain.pem;
ssl_certificate_key   /opt/ovenmediaengine/bin/conf/privkey.pem;
ssl_trusted_certificate /opt/ovenmediaengine/bin/conf/chain.pem;

# block stray socket.io
location /socket.io { return 404; }

location / {
    # handle CORS preflight
    if ($request_method = OPTIONS) {
        add_header Access-Control-Allow-Origin  $http_origin always;
        add_header Access-Control-Allow-Credentials true     always;
        add_header Access-Control-Allow-Methods    "OPTIONS, GET, HEAD" always;
        add_header Access-Control-Allow-Headers    "Content-Type, Range" always;
        add_header Content-Length 0 always;
        return 204;
    }

    # proxy to OME TLS port
    proxy_pass         https://om_llhls/;
    proxy_ssl_server_name on;
    proxy_ssl_verify      off;

    proxy_set_header   Host              $host;
    proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header   X-Forwarded-Proto $scheme;
    proxy_buffering    off;
    proxy_read_timeout 300;
    proxy_send_timeout 300;

    # enforce our own CORS
    proxy_hide_header Access-Control-Allow-Origin;
    proxy_hide_header Access-Control-Allow-Credentials;
    add_header Access-Control-Allow-Origin  $http_origin always;
    add_header Access-Control-Allow-Credentials true     always;
}

}
`
What works and what fails:

• ✅ curl https://{my public domain}/summer/…/llhls.m3u8 returns 200 OK with valid playlist and CORS headers.
• ❌ Browser fetch of any chunklist (chunklist_0_video_…llhls.m3u8?session=…) immediately fails with 401 Unauthorized.
• OME Logs (3334 TLS port)

[SPRtcSig-t3334] LLHLS Publisher | Invalid session_key :
https://{my public domain}:3334/summer/johndoe_katecam_955/chunklist_0_video_…?session=34_xyz
[HTTP.Server] Response 401 Unauthorized

• I’ve toggled "originMode" (true/false) but chunklists still get 401.
• I’ve tried both proxy_pass http:// and https:// (TLS) with/without proxy_ssl_server_name, but OME TLS errors or invalid session_key persist.
  My Questions:

1. AdmissionWebhooks & LLHLS

• Should LLHLS chunklists be validated by the same AdmissionWebhook?
• Does "originMode" need to be true (Origin only) or false (all requests) for chunklist checks?

2. Reverse‑Proxy / SSL

• Are there any required headers or SNI settings needed so that OME can reconstruct the original request URL and validate the session key?
• Is it correct to terminate SSL at nginx and proxy via HTTPS to OME’s tlsPort, or should OME handle TLS directly?

3. General Best Practice

• What’s the recommended Nginx + OME config for LLHLS + AdmissionWebhooks when serving via a public domain?
• Any sample configs or tips to avoid this Invalid session_key error?

Thank you in advance for any guidance!

[bchah]

Great timing on this - just the other day I started trying to move my backend from Apache/PHP to NGINX/PHP-FPM and encountered this exact issue (although with the master branch, not 0.12.6). I've tried a bunch of config options and the best I can get back is the same invalid session_key error you are seeing.

Based on this having worked perfectly with Apache for years, I can answer some of your questions anecdotally:

Should LLHLS chunklists be validated by the same AdmissionWebhook?

This was not required in my previous setup. That is, the chunklist calls were direct, no webhook (I imagine that's thanks to use of the session_key)

Does "originMode" need to be true (Origin only) or false (all requests) for chunklist checks?

OriginMode does not need to be set unless you are proxying to Edge servers in which case, I believe the directive is to enable OriginMode.

Reverse‑Proxy / SSL
Are there any required headers or SNI settings needed so that OME can reconstruct the original request URL and validate the session key?

In Apache it was quite simple, literally two lines:

ProxyPass /live/ http://127.0.0.1:$HLS_PORT/live/
ProxyPassReverse /live/ http://127.0.0.1:$HLS_PORT/live/

I suspect that the session key is reaching OME fine (since it is printing out the proper request URL in the logs), but there is some other validation problem.

Is it correct to terminate SSL at nginx and proxy via HTTPS to OME’s tlsPort, or should OME handle TLS directly?

Based on the above you'll also see that SSL was handled at the web server / proxy level and not enabled in OME.

[getroot]

If there is a cache server behind OME, AdmissionWebhooks will not work as expected. In that case, authentication should be done by the cache server.

Specifically,

1. AdmissionWebhooks validates the master playlist request and issues a session key.
2. All subsequent requests for media playlists and segment files must come with the issued session key to pass authentication.
3. If there is a cache server like Nginx behind, AdmissionWebhooks' authentication ability is disabled because nginx does not request files from the origin but responds with its own cached files.
4. If nginx uses the query string as a cache key, all requests will come to the origin, so all caches will miss. Therefore, there is no reason to use nginx in this case.
5. In conclusion, it is recommended to set OriginMode to true and authenticate in nginx, or remove Nginx and serve only with OME.

The reason you are getting a 401 error may be because you are requesting with an expired session key. Unlike a normal player, if nginx requests the master playlist and immediately closes the connection (this causes the session to expire), and then requests chunklist with a new connection, that could happen. Anyway, I don't think too deeply about this. As I said above, when using Nginx as an edge, set OriginMode to true. And authentication should be done at the nginx side. Just like other commercial HLS services leave all authentication functions to CloudFront when using CloudFront as an edge.

0.12.6 is too old. It's too hard to check how OME worked in 0.12.6. Please use the latest version.

[manish-drake]

Thanks for the pointer about session‑binding. We ended up fixing it by:
1. Enabling upstream keep‑alive so that the master playlist and all chunklist requests stay on the same TCP connection—and thus share the same session key.
2. Removing our proxy_set_header Connection "" override, so nginx will actually reuse its HTTP/1.1 connections to OME instead of opening a new one for each request.

With those two changes, our chunklists (chunklist_*.m3u8?session=…) now return 200 OK instead of 401, and playback is good.
Final nginx snippet we tested:

`upstream om_llhls {
server ovenmediaengine:3334;
keepalive 16;
}

server {
listen 443 ssl http2;
server_name {our public domain};

ssl_certificate     /opt/ovenmediaengine/bin/conf/fullchain.pem;
ssl_certificate_key /opt/ovenmediaengine/bin/conf/privkey.pem;

location / {
    # Preflight CORS…
    if ($request_method = OPTIONS) { return 204; }

    proxy_pass          https://om_llhls/;
    proxy_http_version  1.1;
    proxy_cache         off;
    proxy_buffering     off;

    proxy_ssl_server_name on;
    proxy_ssl_verify      off;

    proxy_set_header Host $host;
    proxy_read_timeout 60s;

    # Inject CORS headers…
    proxy_hide_header Access-Control-Allow-Origin;
    add_header Access-Control-Allow-Origin $http_origin always;
    add_header Access-Control-Allow-Credentials true always;
}

}`

With this in place, AdmissionWebhooks issues the session on the playlist request, and all chunklist/segment requests succeed on the same connection.