Our Moodle 3.2.1 server is behind a load balancer which offers SSL offloading (meaning that the Moodle server never sees SSL/HTTPS requests). In 1.9 this worked perfectly: enabling loginhttps would send users via a secure login page, but drop them back to HTTP when their login completed. It seems that whenever the login form appeared, it would POST to a secure page.
However, in Moodle 2.3.1, we're getting different results:
- loginhttps = false; sslproxy = false: Works, but the login page is sent over an insecure HTTP connection.
- loginhttps = true; sslproxy = false: Fails; visiting the login page causes a cyclic/infinite browser redirect.
- loginhttps = true; sslproxy = true: Fails; visiting Moodle throws up an error that wwwroot isn't https.
Changing wwwroot to include fixes this, but the entire site is then in https (and we hit subsequent issues of mixed http and https content).
It seems that:
- With sslproxy = false, Moodle is expecting to see a $_SERVER['HTTPS'] value, which is never set (due to NLB), and hence causes an infinite loop.
- With sslproxy = true, Moodle is expecting the wwwroot to be a https url, forcing the entire site to be https, and bombs out when it isn't.
Any suggestions? Reintroducing the older behaviour, with a warning that it isn't advised, would be an ideal solution.
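
The three configurations described in the post above, traced through a simplified model of a TLS-offloading balancer in front of the application. This is an added illustration, not Moodle's code and not part of the original post; the function names and the redirect rule are assumptions taken from the poster's description of the behaviour.

```python
"""Constructed model: login redirects behind a TLS-offloading load balancer."""

MAX_HOPS = 5  # stop following redirects after this many and call it a loop


def backend_sees_https(client_scheme, offloading, sslproxy):
    """What the application believes about the scheme of the current request."""
    if sslproxy:
        # Assumed: with sslproxy on, the app takes TLS termination upstream as given.
        return True
    # An offloading balancer forwards plain HTTP, so the backend's own
    # HTTPS indicator is never set, whatever the client actually used.
    return client_scheme == "https" and not offloading


def login_response(backend_https, loginhttps, sslproxy, wwwroot_scheme):
    """Assumed decision rule for the login page, per the post's description."""
    if sslproxy and wwwroot_scheme != "https":
        return ("error", "wwwroot is not https")
    if loginhttps and not backend_https:
        return ("redirect", "https")
    return ("ok", None)


def visit_login(loginhttps, sslproxy, wwwroot_scheme="http", offloading=True):
    """Follow redirects as a browser would; return (outcome, final_scheme, trace)."""
    scheme = wwwroot_scheme  # the user starts from a wwwroot link
    trace = []
    for _ in range(MAX_HOPS):
        seen = backend_sees_https(scheme, offloading, sslproxy)
        kind, arg = login_response(seen, loginhttps, sslproxy, wwwroot_scheme)
        trace.append((scheme, kind))
        if kind != "redirect":
            return kind, scheme, trace
        scheme = arg  # browser retries over the scheme it was sent to
    return "loop", scheme, trace


if __name__ == "__main__":
    for loginhttps, sslproxy, wwwroot in [
        (False, False, "http"),
        (True, False, "http"),
        (True, True, "http"),
        (True, True, "https"),
    ]:
        outcome, scheme, trace = visit_login(loginhttps, sslproxy, wwwroot)
        print(f"loginhttps={loginhttps} sslproxy={sslproxy} wwwroot={wwwroot}: "
              f"{outcome} over {scheme}, hops={trace}")
```

Calling `visit_login(True, False, offloading=False)` gives the baseline without offloading: one redirect, then the login page is served over HTTPS.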