Moodle entirely over SSL?

by Michael Penney -
Number of replies: 49
A question came to me (also posed here) about whether Moodle has any problems running entirely encrypted. I know the default setting for SSL is to have the login page be served via SSL, then revert to standard http after login*.

But how about running the entire Moodle site via https? It seems to me this should be no problem (given enough server horsepower), have folks done this and does everything work? Example sites Lanny can check out?

Earlham, (https://moodle.earlham.edu/) for instance, appears to be entirely encrypted, after I login as guest, the pages all are still delivered via https, is this impression in fact what you get when the entire Moodle directory is encrypted via SSL?

(*loginhttps: Turning this on will make Moodle use a secure https connection just for the login page (providing a secure login), and then afterwards revert back to the normal http URL for general speed.)
In reply to Michael Penney

Re: Moodle entirely over SSL?

by Zbigniew Fiedorowicz -
Yes, we've been running our Moodle site entirely over SSL for over two years now. Our sysadmin estimates a 5-10% performance penalty for this. But we've had no problems running Moodle together with WeBWorK (which is more resource intensive than Moodle) on the same server with up to 3000 simultaneously enrolled students.
In reply to Zbigniew Fiedorowicz

Re: Moodle entirely over SSL?

by shane luffman -

Hi, I'm trying to set up Moodle using SSL on IIS6. Do I set up the website or do I use a virtual directory? Do you know of any how-tos on this? Cheers, Shane

In reply to Zbigniew Fiedorowicz

Re: Moodle entirely over SSL?

by Nathan Porter -

How did your institution go about implementing this? Were changes made to the Moodle installation itself in addition to the server configurations that needed to be done? Any how-to information would be great, thanks!

In reply to Michael Penney

Re: Moodle entirely over SSL?

by Dirk Herr-Hoyman -
There's no reason to expect this not to work. Yes, I know of another site
running at WiscNet that is all under SSL.
We've run WebCT and D2L this way, it all works. Not so hard, just a matter
of doing a few Apache httpd configs.

Now let me say what is wrong with using all SSL. It's not so much the encryption
(which is done on both server and client), that only adds a small amount of load.
No, the bigger issue is that SSL will turn off caching of content. It's in the HTTP
specs to do that. That means any "static" content will no longer be cached and
you'll have to GET it every time. While this can be tolerable, it's still not good to give up this performance improvement. 2 places in particular this would affect,
on your client (web browser) and network web caches.

The better approach is to have selective SSL on parts of the site. The current
login page is one place. Another might be for grades. Typically this is implemented on a per feature basis, and allows for a policy driven approach.
Average of ratings: Useful (1)
In reply to Dirk Herr-Hoyman

Re: Moodle entirely over SSL?

by Martín Langhoff -

No, the bigger issue is that SSL will turn off caching of content.

Absolutely yes :)

In particular, the HTML Editor thingy, which has a couple-dozen little images, takes forever to load, making it quite unusable, which is a shame.

In reply to Martín Langhoff

Re: Moodle entirely over SSL?

by Samuli Karevaara -
We've had this (editor taking forever to load) on a couple of machines with IE, but it was in no relation to SSL/non-SSL.
In reply to Michael Penney

Re: Moodle entirely over SSL?

by Michael Penney -
Thanks all for the comments, we're looking at this issue at HSU now, and I also invited Lanny to come on by with any questions he might have.

So I gather the ideal situation would be to decide on which pages to secure, such as grade/index.php, and set the webserver to just handle those pages via https?

BTW, here's a fun tidbit. Blackboard has put code into Basic which disables BB if you set up the BB server for SSL yourself.

In reply to Michael Penney

Re: Moodle entirely over SSL?

by Ray Jr -

Hi Michael,

I normally run Moodle with SSL for login. However, I just recently tested Moodle 1.5 entirely over SSL and I found the following problems:

1) The Cornflower 2 theme breaks (only theme I have tested). The topic outlines disappear.

2) If SSL login is turned on, an extra "s" is placed in the URL (httpss://). Must turn off SSL login first before switching entire site to SSL.

This was just a quick test of Moodle 1.5 entirely over SSL. I stopped testing after these two problems and went back to just SSL for login.

Ray

In reply to Ray Jr

Re: Moodle entirely over SSL?

by Dave Richford -

Ray said:

2) If SSL login is turned on, an extra "s" is placed in the URL (httpss://). Must turn off SSL login first before switching entire site to SSL.

I also found this problem. Has anyone any thoughts on where the problem lies?
I'm assuming it's a str_replace replacing http with https (as opposed to http:// with https://) thus giving httpss. If I knew which of the many scripts it was in I could easily change it but tracking it down is no easy task!

Dave

In reply to Dave Richford

Re: Moodle entirely over SSL?

by Eloy Lafuente (stronk7) -
In reply to Eloy Lafuente (stronk7)

This forum post has been removed

The content of this forum post has been removed and can no longer be accessed.
In reply to Eloy Lafuente (stronk7)

Re: Moodle entirely over SSL?

by Randy Metzger -

When I click on the Edit profile link in the profile screen (user/view.php), I get the httpss in the URL when the "loginhttps" variable is set to "Yes". When I changed the loginhttps back to "No", the extra 's' does not appear. I viewed bug #3848 and the status is closed. Is this a new bug?

I am using version 1.5.3 (2005060230), PHP 5.1.1, MySQL 5.0.18

In reply to Randy Metzger

Re: Moodle entirely over SSL?

by Iñaki Arenaza -
Have a look at .../moodle/blocks/login/block_login.php, and search around line 27, for a line looking like this:

    $wwwroot = str_replace("http://", "https://", $CFG->wwwroot);
   
If you don't have it like that, and instead you have something like:

    str_replace("http", "https", $CFG->wwwroot);

then the bug has been fixed in a later version of moodle than the one you are using.  Update to 1.5.3+ or change that line manually.

Saludos. Iñaki.
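
The "httpss" behaviour discussed above, reproduced as an added example (not Moodle's code; the function names and sample URLs are constructed here, and only the two `str_replace()` calls come from the post). It goes one step beyond the post by also showing a replacement anchored to the start of the URL.

```php
<?php
// Added illustration. Function names and sample URLs are constructed for this
// example; only the two str_replace() calls come from the post above.

// Buggy form: "http" is also the first four characters of "https", so a
// wwwroot that is already HTTPS turns into "httpss://...".
function to_https_buggy(string $wwwroot): string {
    return str_replace("http", "https", $wwwroot);
}

// Form quoted in the post: "https://" does not contain "http://", so an
// already-secure wwwroot passes through unchanged.
function to_https_fixed(string $wwwroot): string {
    return str_replace("http://", "https://", $wwwroot);
}

// Stricter variant (assumption of this example, not Moodle code): rewrite the
// scheme only at the very start, leaving any URL embedded later untouched.
function to_https_anchored(string $wwwroot): string {
    return preg_replace('#^http://#i', 'https://', $wwwroot, 1);
}

// A conversion is safe to apply repeatedly if a second pass changes nothing.
function is_idempotent(callable $convert, string $url): bool {
    $once = $convert($url);
    return $convert($once) === $once;
}

$samples = [
    'http://moodle.example.edu',              // plain HTTP site
    'https://moodle.example.edu',             // site already entirely on SSL
    'http://http-mirror.example.edu/moodle',  // "http" inside the host name
    'http://moodle.example.edu/r.php?u=http://other.example.org/',
];

foreach ($samples as $url) {
    echo $url, "\n";
    foreach (['to_https_buggy', 'to_https_fixed', 'to_https_anchored'] as $fn) {
        printf("  %-18s %s  (idempotent: %s)\n", $fn, $fn($url),
            is_idempotent($fn, $url) ? 'yes' : 'no');
    }
}
```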
   
In reply to Iñaki Arenaza

Re: Moodle entirely over SSL?

by Randy Ahn -
We're also implementing moodle (1.5.2) entirely over ssl (apache/linux). One small annoyance is that the login block on our index page fails to log in a user; instead, the user is returned to the /login/index.php page. Logging in a second time from that page works. This occurs whether or not the httpslogin variable is on or off.  I fiddled about with hardcoding paths in login_block.php without success. Anyone have an idea about this?

Thanks
In reply to Randy Ahn

Re: Moodle entirely over SSL?

by Ger Tielemans -

If you have your whole website behind https:// you should not say yes to the question on the settings page that asks you if you want your login to be https://

Could that be the problem?

In reply to Ger Tielemans

Re: Moodle entirely over SSL?

by ztechguy Z -
Do you currently have your entire site running behind https:// ?  It appears like there were some glitches involved over the past year, but those bugs have been worked out with current upgrades.  The biggest drawback obviously seems to be server performance with full ssl. 

I'm debating whether it is worth going full ssl or just ssl at the login prompt.  Does the secure forms function provide enough security for the rest of the site?

ztechguy
In reply to ztechguy Z

Re: Moodle entirely over SSL?

by Randy Ahn -
Yes, the problem occurs whether or not I have login via https enabled or not. And yes, due to privacy concerns we are required to run the whole site via ssl. (well probably not the whole site, but I don't want to have to figure out which templates need https or not). I'm hoping that the performance hit isn't too bad, and anyway my boss just approved us to move to a dedicated server (yeah!). We're on a shared server right now with no shell access and running an outdated version of moodle. So, this also means that I can upgrade to 1.6 on the dedicated server and hopefully resolve this issue.
Thanks.
In reply to Randy Ahn

Re: Moodle entirely over SSL?

by Randy Ahn -
The issue was resolved with an upgrade to 1.6 on a dedicated server.
Average of ratings: Useful (1)
In reply to Michael Penney

Re: Moodle entirely over SSL?

by Ashley Sands -
Could someone please tell me how to correctly set up Moodle over SSL?

I have successfully created the key and cer files; Apache successfully starts now, I can't visit my Moodle website anymore.

I don't know what I am missing.

In reply to Ashley Sands

Re: Moodle entirely over SSL?

by Anthony Borrow -
Ashley - If I understand your question, you want all traffic to go across as https. In that case you could simply change the $CFG->wwwroot to be https instead of http. I think that should take care of it for you. If not, let us know. Peace - Anthony
In reply to Ashley Sands

Re: Moodle entirely over SSL?

by Howard Miller -
Don't do it :)

You'll make your site very slow. Running in https disables all caching so all those images get sent down the wire *every* time. Unless you have a particularly compelling reason for doing this I would advise against it.

https for logins is usually good enough.

BTW... Just to add to Anthony's comment. That's fine but it would be a sensible move to add a redirect (all http to https) in the web server configuration too.
Average of ratings: Useful (1)
In reply to Ashley Sands

Re: Moodle entirely over SSL?

by Howard Miller -
I just realised that I misread your post. If SSL is correctly installed then

http://your.moodle.site/ and https://your.moodle.site/ should both work (although where you go next depends on your wwwroot setting in config.php).

If that's completely broken then there's something wrong with your Apache configuration. Did you run apachectl -t (apache2ctl -t on some systems)? Have you carefully checked your Apache error log(s)?
In reply to Howard Miller

Re: Moodle entirely over SSL?

by Jonas Clark -
Hello:

I noticed moodle has a feature to activate https://www.site.com and it seems to work fine. However, when the secure certificate on a site has this url: https://secure.site.com, it doesn't work very well.

I have a site with both but https://secure.site.com doesn't work for moodle. How can I fix this without having to purchase another secure certificate?

Thanks so much,
Brian
In reply to Jonas Clark

Re: Moodle entirely over SSL?

by Tony Dod -

Hi all,

We've been running moodle entirely over SSL for a year or so with no ill effects or noticeable slowdown (server is dual two core 3Ghz xeon with 2Gb RAM, and a max of around 100 concurrent users). 

However, we've recently tried to install some SCORM packages from Pearson Education (Edexcel GCSE English and English Language Core ActiveTeach with BBC Active Clips, AS & A2 Biology and SNAB Biology for Edexcel) and found that not only can we not get them to work, but that Pearson now tell us they do not work over HTTPS - but without any explanation as to why. 

Can anybody help?  As I understand it our government guidelines, from BECTA, recommend that staff access potentially confidential VLE data over SSL so it makes sense that we encrypt the entire system, so I really do not want to switch this off just to get these SCORM packages to work...

Thanks in advance,

Tony

In reply to Tony Dod

Re: Moodle entirely over SSL?

by Jon Witts -
My understanding was always that Becta recommended a secure system. This, in my mind, does not mean the whole system has to be sent over https, but that your authentication must be secure.

Anyhow; do Becta's recommendations really mean that much any more?

http://news.becta.org.uk/display.cfm?resID=42305

Jon
In reply to Jon Witts

Re: Moodle entirely over SSL?

by Howard Miller -
+1

Don't run your whole site over https. It switches off caching completely giving your users a pretty miserable experience.

Average of ratings: Useful (1)
In reply to Howard Miller

Re: Moodle entirely over SSL?

by Dan Trockman -

Is there a good step-by-step for configuring moodle to have logins (only) over SSL? What needs to be put into the secure server folder for this to work properly?

Can this be done by self-signing the certificate or will that throw a security exception in a modern browser? Do I need a 3rd party certificate?

In reply to Dan Trockman

Re: Moodle entirely over SSL?

by Ciara Rogers -

Hi, having trouble getting https to run in logins only. It works, but then redirects users to the course homepage served by https not http. Throws up security exceptions.

In reply to Dan Trockman

Re: Moodle entirely over SSL?

by Josh Mullen -

Did you find a good step-by-step yet?  I'm looking for the same thing...

In reply to Michael Penney

Re: Moodle entirely over SSL?

by Troy Shimkus -

So I'm working with a client that has the moodle behind an ISA. This means that external traffic is assigned https while internal is http. In moodle 1.9, this was an issue because anything uploaded from outside the network would not always be available inside, so we would have to change image URLs and such from https to http, an annoyance, but workable. In 22, the issue is that the file picker doesn't work at all from outside the network behind the ISA. JSON errors.

Sidenote- I have a request with the client to allow internal https, since they will not allow external http, but I have no control over them, and they haven't been the most responsive.

So I tried a little test, I set the config file wwwroot to be https://moodleaddress.com, which then resulted in an error from outside stating that only https connections were allowed. :( That was confusing, I was on an https connection, so why the error?

Wasn't really sure where to post this small issue, but as we begin to transition to moodle 22, I will need to find a solution, so any thoughts are appreciated.

In reply to Troy Shimkus

Re: Moodle entirely over SSL?

by steve maher -

Can someone post how to achieve complete ssl for moodle? My config.php has https and moodle is running on :443 but the lock symbol in the url toolbar reports that some of the code is coming across insecure. The message I have when I click on the lock with the red x on it is:

Your connection to www.mysite.com is encrypted with 128-bit encryption. However, this page includes other resources which are not secure. These resources can be viewed by others while in transit, and can be modified by an attacker to change the behavior of the page.

The connection uses TLS 1.2.

The connection is encrypted and authenticated using AES_128_GCM and uses DHE_RSA as the key exchange mechanism.

In reply to steve maher

Re: Moodle entirely over SSL?

by Murphy Wong -

Please try adding the following to your ~moodle/config.php:

    $CFG->wwwroot      = 'http://mysite.com';
    $CFG->httpswwwroot = 'https://mysite.com';
    $CFG->loginhttps   = true;

It works on my installation.  Thanks.  :)

In reply to Murphy Wong

Re: Moodle entirely over SSL?

by L Passaglia -

As an alternative to having SSL on the entire site, in addition to the login page, is it possible to protect other pages as well (i.e.: the grades page)? If so, how? Thanks!!

In reply to L Passaglia

Re: Moodle entirely over SSL?

by Dan Marsden -

No. If you're concerned about security you should really use full-time SSL. 

SSL for logins may prevent the users password from being obtained but the users session will still be passed unencrypted so could potentially be intercepted (for example on a public wifi point) allowing someone malicious to impersonate the user.

In reply to Dan Marsden

Re: Moodle entirely over SSL?

by L Passaglia -

I agree Dan, but my concern was the slowing down of the site due to ssl that I read about all over the place. Nevertheless, I will test it as you suggest. However, the question now is how to integrate it full-time. Right now, it only kicks in on the login page and kicks out everywhere else! Thanks.

In reply to L Passaglia

Re: Moodle entirely over SSL?

by Visvanath Ratnaweera -
The CPU overhead is passé. The tune today is HTTPS everywhere!

So the decision is between HTTP and "entirely over SSL". If you go for the latter no need to play with the "Use HTTPS for logins" option, rather you configure your webserver for HTTPS by listening at port 443. Additionally you may want to redirect HTTP to HTTPS.

For a professional site, you need to get your SSL certificates signed by a certification authority.

P.S. Just now contributed to the oldest active thread in moodle.org: https://moodle.org/mod/forum/discuss.php?d=25981 - which is over 10 years old! ;)
In reply to Visvanath Ratnaweera

Re: Moodle entirely over SSL?

by L Passaglia -

Thank you Visvanath, I will do as suggested. The oldest thread you say? Well, as it turned out, I was still able to squeeze some use from it!! :)

In reply to Visvanath Ratnaweera

Re: Moodle entirely over SSL?

by Susan Mangan -

Nice! 

HQ should have a just-now-contributed-to-the-oldest-active-thread-in-moodle.org badge!!

In reply to L Passaglia

Re: Moodle entirely over SSL?

by Dan Marsden -

You will need to modify your config.php to use "https:" in the wwwroot instead of "http:"

As Visvanath mentions - the overhead caused by running full-time ssl is very minimal - and in most cases you won't notice a difference - just make sure you have tuned your server well and read the usual performance recommendations.

In reply to Dan Marsden

Re: Moodle entirely over SSL?

by L Passaglia -

Noted Dan! We have some media intensive SCORM lessons. So I'll apply all recommendations and post the results here, in the event that they may be of assistance to someone else.

Thank you both for your help, it is much appreciated!!


In reply to steve maher

Re: Moodle entirely over SSL?

by David Bezemer -

Steve,

This usually means that you have included resources on the page that are not served over SSL. Commonly videos like from vimeo.com and others cannot be served over SSL as Vimeo (and other services) do not support this.

The advice given by Murphy is actually wrong, and will decrease the security of your Moodle site, as it will fall back to HTTP after the user has logged in.

If you are using apache, there are simple rules that force all content to be served over SSL, I have attached one of our example configuration files for true SSL usage.

Regards, David
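
One way to find the resources behind the "not secure" lock warning discussed above, as an added example that is not part of the original post or of Moodle: it lists sub-resources a page would fetch over plain HTTP. It assumes PHP's DOM extension; the function name, the tag list and the sample HTML are constructed for illustration.

```php
<?php
// Added illustration: list sub-resources that an HTTPS page would load over
// plain HTTP. The HTML sample is constructed; host names are placeholders.

function find_insecure_subresources(string $html): array {
    // Elements whose URL attribute makes the browser fetch something.
    // <a href> is deliberately absent: a link is navigation, not a sub-resource.
    $attrs = [
        'img' => 'src', 'script' => 'src', 'iframe' => 'src', 'embed' => 'src',
        'video' => 'src', 'audio' => 'src', 'source' => 'src',
        'link' => 'href', 'object' => 'data',
    ];

    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);   // tolerate HTML5 tags and sloppy markup
    $doc->loadHTML($html);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $found = [];
    foreach ($attrs as $tag => $attr) {
        foreach ($doc->getElementsByTagName($tag) as $el) {
            // Only <link> elements that load a stylesheet or icon are fetched.
            if ($tag === 'link'
                && !preg_match('/\b(stylesheet|icon)\b/i', $el->getAttribute('rel'))) {
                continue;
            }
            $url = trim($el->getAttribute($attr));
            if (stripos($url, 'http://') === 0) {
                $found[] = ['tag' => $tag, 'url' => $url];
            }
        }
    }
    return $found;
}

// Constructed sample: a course page served over HTTPS with two HTTP embeds.
$page = <<<HTML
<html><head>
  <link rel="stylesheet" href="https://moodle.example.edu/theme/styles.css">
  <link rel="canonical" href="http://moodle.example.edu/course/view.php?id=2">
</head><body>
  <img src="http://moodle.example.edu/pix/logo.png">
  <iframe src="http://video.example.com/embed/12345"></iframe>
  <script src="https://moodle.example.edu/lib/javascript.js"></script>
  <a href="http://docs.example.org/">External reading</a>
</body></html>
HTML;

foreach (find_insecure_subresources($page) as $hit) {
    printf("<%s> loads %s\n", $hit['tag'], $hit['url']);
}
```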

In reply to Michael Penney

Re: Moodle entirely over SSL?

by Marc Couture -

I know this is an older thread, but we just switched over our production site to SSL everywhere (using Moodle 2.8.5) and are encountering various issues, including:

  • Problems with restored courses not properly modifying course IDs in some linked documents (especially those pointing to Legacy files);
  • "Connection error" messages that require users to refresh their pages (sometimes resulting in loss of data in submitted forms).

Any ideas on possible solutions?

In reply to Marc Couture

Re: Moodle entirely over SSL?

by Howard Miller -

You'll be better explaining this fully in (probably) the Installation help forum. This forum isn't for solving technical problems. 

In reply to Marc Couture

Re: Moodle entirely over SSL?

by Anthony M -

Hi everyone,

We are planning to change the settings in our site to use https in all pages, but reading the above I am not sure about what is going to stop working if we go for that change.


I see that Marc above has problems with...

  • Restored courses not properly modifying course IDs in some linked documents (especially those pointing to Legacy files);
  • "Connection error" messages that require users to refresh their pages (sometimes resulting in loss of data in submitted forms).


I guess that pasted links in forums, url activities, scorm... will still work as normal as in the first post in this link (in the https://moodle.org/ ) there is an http link and is working right. 


Has anyone made the change to SSL and had problems after the change?


Any help is highly appreciated.

In reply to Anthony M

Re: Moodle entirely over SSL?

by Bret Miller -

You really shouldn't resurrect old threads. Just post your issue as a new one.

That said, https://blahblahblah and http://blahblahblah are different URLs, so you will need to run the search/replace script to fix up your database once you change. See https://docs.moodle.org/en/Moodle_migration for instructions.

Also, the setting in Site administration > Security > HTTP Security that says "Use HTTPS for logins" needs to be unchecked if your entire site is https.

Yes, I have done this and had no issues moving my site from http to https considering the above mentioned process.