Security and privacy

 
 
Picture of Daniel Kaelin
Re: SSL certificate issues
 

I'm having this exact problem as well. I have fixed the HTTPS login loop issue with sslproxy=1 in the config and commenting out the section in setuplib.php.

 

My login page displays as HTTPS just fine but other random pages within moodle are displayed as HTTPS even though the entire site is set to HTTP. 

 

If you go to site administration -> users -> accounts -> browse list of users and type in any name in the search field. When you hit submit Moodle redirects you to a HTTPS page and breaks the theme on certain browsers (chrome).

 

image

 

Chrome will not display non secure items on a "secure" page resulting in the theme being completely broken down (seen below).

image2'

 

I have yet to find a fix to this problem aside from setting the entire site to HTTPS. 


Has anyone else found a solution or ran into this problem?

 

 
Average of ratings: -
Picture of udagawa mitsuru
Re: SSL certificate issues
 

Do you have purchased valid SSL cetificate?
It seems self signed ceritificate or something...

 
Average of ratings: -
Picture of Daniel Kaelin
Re: SSL certificate issues
 

The certificate is a valid certificate and is not self signed. 

 
Average of ratings: -
Picture of Daniel Kaelin
Re: SSL certificate issues
 

I have found multiple fixes for this issue. We have our Moodle site sitting in a load balanced environment with SSL offloading. 

I was running into the same problem as you with HTTPS logins only and certain pages being rewritten as HTTPS which resulted in broken pages. 

 

Here are the fixes we have implemented in our environment to workaround these issues. I would test them with your environment prior to putting them on a production site. This is with Moodle 2.4.7 but I would imagine it applies to more than one version. 

 

1. Set sslproxy=true in config.php file 

2. Comment out the following section from /lib/setuplib.php.  Approximately line 822 - 828

3. Add the following lines to lib/pagelib.php typically found around line 1352

if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {

                                    $_SERVER['HTTPS'] = 'On';

                                    return;

                        } else {

 

                                    redirect($this->_url);

                        }

 Use the image below as a guide. You will replace out the return; line with the enclosed code. 

4. To prevent form pages from being rewritten as HTTPS you will need to comment out the following lines around line 175 in /lib/formslib.php

            /*if (!empty($CFG->sslproxy)) {

                // return only https links when using SSL proxy

                $action = preg_replace('/^http:/', 'https:', $action, 1);

            }*/

 

 

 
Average of ratings: -