Security and privacy

 
 
Picture of raghav agarwal
SSL certificate issues
 

Hi all,

Using Moodle 2.3

I want to use https in few pages of my site, But when I use rewrite rules for certain pages, then the rendering of the pages in the browser is not proper.

May be this is the issue because some of the pages which I call through HTTPS there are some links on the page which are calling using HTTP.

So how can I handle this, so that I am able to use HTTPS on selected pages on my site.

Any help will be appreciated.

Thanks.

 
Average of ratings: -
Picture of Andrea Bicciolo
Re: SSL certificate issues
Group DevelopersGroup Particularly helpful MoodlersGroup TestersGroup Translators
Hi,

If pages you want to secure are generated and served by Moodle, there are good chances your issue is related to the config.php setting $CFG->wwwroot = 'http://yourdomain.tld'. Rewriting web server rule does not instruct Moodle to change wwwroot accordingly.

If you need to secure login page, you may want to configure Moodle to handle switching between http and https: http://docs.moodle.org/24/en/HTTP_security
 
Average of ratings: -
Picture of raghav agarwal
Re: SSL certificate issues
 

Hi Andrea,

Thanks for your reply.

But as you say if I make changes in $CFG->wwwroot = http://mydomain.id  to

$CFG->wwwroot = https://mydomain.id , It will turn whole site into https and this really do not fulfill my requirement.

I want to apply HTTPS on selective pages, But Chrome blocked the css and the javascript files for those pages, as these are called through HTTP.

How can I call all the javascript and css files required for the page, in the moodle, seperately using HTTPS.

 

Thanks..

 
Average of ratings: -
Picture of Andrea Bicciolo
Re: SSL certificate issues
Group DevelopersGroup Particularly helpful MoodlersGroup TestersGroup Translators
Hi Raghav,

yes, if you add "https" to $CFG->wwwroot all Moodle pages will be served by https. If you want to serve only certain pages by https, you should make Moodle switch from http to https when those page are requested. At the present time only the login page in Moodle supports switch from http to https when requested and switch back from https to http after login.

Rewriting rules in the web server switching from http to https does not change Moodle's wwwroot, which remains in http, and this is the reason why some page parts are served by http.
 
Average of ratings: -
Picture of Daniel Kaelin
Re: SSL certificate issues
 

I don't think anyone is following what he is saying. I am running into the exact problem with my Moodle installations. 

The affected portals are set to "HTTPS" logins only. 

They are behind a load balancer so $CFG->sslproxy = 1; must be specified in the config file. 

 

As a result of setting sslproxy=1 moodle expects the wwwroot to be https. If you aren't running an entire site as https you cannot do this so you have to apply a hack found by other users to bypass this check. 

To bypass the check you have to comment out ~ lines 822-828 in wwwroot/lib/setuplib.php

// $CFG->sslproxy specifies if external SSL appliance is used
// (That is, the Moodle server uses http, with an external box translating everything to https).
if (empty($CFG->sslproxy)) {
if ($rurl['scheme'] === 'http' and $wwwroot['scheme'] === 'https') {
print_error('sslonlyaccess', 'error');
}
} /*else {
if ($wwwroot['scheme'] !== 'https') {
throw new coding_exception('Must use https address in wwwroot when ssl proxy enabled!');
}
$rurl['scheme'] = 'https'; // make moodle believe it runs on https, squid or something else it doing it
}
*/

If you google around for HTTPS login redirect, or login loop you will find other conversations / issues in the issue tracker. 

The above fix combined with the sslproxy setting fixes the login loop problem for a setup behind a loadbalancer using SSL offloading. 

 

 
Average of ratings: -
Picture of Daniel Kaelin
Re: SSL certificate issues
 

I'm having this exact problem as well. I have fixed the HTTPS login loop issue with sslproxy=1 in the config and commenting out the section in setuplib.php.

 

My login page displays as HTTPS just fine but other random pages within moodle are displayed as HTTPS even though the entire site is set to HTTP. 

 

If you go to site administration -> users -> accounts -> browse list of users and type in any name in the search field. When you hit submit Moodle redirects you to a HTTPS page and breaks the theme on certain browsers (chrome).

 

image

 

Chrome will not display non secure items on a "secure" page resulting in the theme being completely broken down (seen below).

image2'

 

I have yet to find a fix to this problem aside from setting the entire site to HTTPS. 


Has anyone else found a solution or ran into this problem?

 

 
Average of ratings: -
Picture of udagawa mitsuru
Re: SSL certificate issues
 

Do you have purchased valid SSL cetificate?
It seems self signed ceritificate or something...

 
Average of ratings: -
Picture of Daniel Kaelin
Re: SSL certificate issues
 

The certificate is a valid certificate and is not self signed. 

 
Average of ratings: -
Picture of Daniel Kaelin
Re: SSL certificate issues
 

I have found multiple fixes for this issue. We have our Moodle site sitting in a load balanced environment with SSL offloading. 

I was running into the same problem as you with HTTPS logins only and certain pages being rewritten as HTTPS which resulted in broken pages. 

 

Here are the fixes we have implemented in our environment to workaround these issues. I would test them with your environment prior to putting them on a production site. This is with Moodle 2.4.7 but I would imagine it applies to more than one version. 

 

1. Set sslproxy=true in config.php file 

2. Comment out the following section from /lib/setuplib.php.  Approximately line 822 - 828

3. Add the following lines to lib/pagelib.php typically found around line 1352

if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {

                                    $_SERVER['HTTPS'] = 'On';

                                    return;

                        } else {

 

                                    redirect($this->_url);

                        }

 Use the image below as a guide. You will replace out the return; line with the enclosed code. 

4. To prevent form pages from being rewritten as HTTPS you will need to comment out the following lines around line 175 in /lib/formslib.php

            /*if (!empty($CFG->sslproxy)) {

                // return only https links when using SSL proxy

                $action = preg_replace('/^http:/', 'https:', $action, 1);

            }*/

 

 

 
Average of ratings: -