General developer forum

HTTPS Protocol

 
 
Picture of Cesario Siringoringo
HTTPS Protocol
 

I have moved my moodle from my localhost to another server, the protocol that used HTTPS. I've add 

$CFG->sslproxy = true; in config.php . but the moodle just show blank page

any idea for this problem?

 
Average of ratings: -
Picture of Ken Task
Re: HTTPS Protocol
Group Particularly helpful Moodlers

Unless you are actually using Apache proxy, then remove that line you've added.

You must first make sure your apache server will respond to an ssl request:

https://yourserver:443

If that hits your Moodle the theme will appear to be messed up.   That's ok.

See: http://docs.moodle.org/24/en/Apache#SSL

Then decide ... one can have https (SSL for logins only) or see

http://www.inmotionhosting.com/support/edu/moodle/moodle-site-security/forcing-ssl-sitewide

for running SSL all the time.

Think I've read in these forums that running SSL all the time messes with caching ... something not desired.

'spirit of sharing', Ken

 
Average of ratings: -
Picture of Abhi puri
Re: HTTPS Protocol
 

There can be lots of reasons for a blank page. Were you running moodle on https prior to moving servers? 

Apache logs would be a good starting point to start troubleshooting. On unix they would usually be in /var/log/httpd/

 

You could test if https is working correctly by placing a test.html file with something plaintext in it, like "TEST" or anything.

 

Running SSL the whole time is a good idea, it safeguards you against session hijacking.

 
Average of ratings: -
Picture of Danny Wahl
Re: HTTPS Protocol
Group DevelopersGroup Particularly helpful Moodlers

Ken you are right.  In the past we had run moodle on HTTPS (using the vhost to force https) and now we run https for login only.  As you mention a side-effect of HTTPS is that all caching is disabled.  This isn't a Moodle issue- it's an encryption issue.  There is a HUGE performance gain in not forcing HTTPS everywhere.

 
Average of ratings: -
Picture of Cesario Siringoringo
Re: HTTPS Protocol
 

thank you for your solution, but if I remove that line, the moodle says "For security reasons only https conections are allowed, sorry."

 

or can you explain step by step to move moodle from localhost to https server?

I have read some documentation but I still don't understand

 
Average of ratings: -
Picture of Andrew Nicols
Re: HTTPS Protocol
Group DevelopersGroup Moodle HQGroup Particularly helpful MoodlersGroup Testers

It sounds like you're still trying to access your Moodle installation from the HTTP version - you should consider writing a redirect rule on your web server to redirect anything accessing http://yoursite.com to https://yoursite.com.

Andrew

 
Average of ratings: -
Picture of Andrew Nicols
Re: HTTPS Protocol
Group DevelopersGroup Moodle HQGroup Particularly helpful MoodlersGroup Testers

Hi,

The correct solution after confirming that your SSL is all in place correctly, it simply to update the wwwroot setting to use https instead of https. Others are right in saying that you do not need the sslproxy setting.

However, contrary to other advice, I would not advise using the loginhttps (the setting to make SSL only for login). In fact, I would personally like to see it removed entirely but this is currently not feasible. We removed the equivalent setting from Mahara over two years ago.

It is incredibly easy for someone to steal another user's login when you're dealing with unencrypted connections - even if you encrypt the login itself. There's even a FireFox extension to demonstrate just how easy it is - see http://en.wikipedia.org/wiki/Firesheep for a bit more information.

Although there is a minor performance benefit from not having SSL, it is minor and modern servers can more than cope with that increase in load. When the setting was introduced many years ago (specifically the 19th June 2004 - https://github.com/moodle/moodle/commit/8a33e3717d19e1d2d650634e301d23a82438c136), the servers people used for production were much less capable. We didn't have the benefit of modern multi-core processors and instruction sets which were more suited to SSL encryption and decryption (at least, not at an affordable price).

Again, at the time that this setting was introduced, network bandwidth was a completely different ball-game. Many people were still on slower connections (e.g. dialup) and mobile data was non-existent. Today we're in a very different world and the chance are that your mobile phone has a connection 400 times faster (56K modem vs. a conservative 20MB 4G).

Yes, you do lose the ability to cache between browser restarts. Once you have a browser open, as I understand it, you do have browser caching, though you still cannot benefit from proxy server caching.

That said, there are a number of thing which you can do to reduce the load on your server. One of the easiest to configure is the use of the X-SendFile header (and it's counterparts). I would probably advise this anyway if you are able to do so. See https://github.com/moodle/moodle/blob/master/config-dist.php#L206 for further information. This reduces the load massively for Moodle as it hands off the byte-shift serving of files to the web server, whose primary design is to serve files. Moodle serves a lot of files using byte-shifting (that's where it reads the files off disk, and then serves them rather than the web server serving the files directly) - it does to to prevent unauthorised access. The X-SendFile changes keep the authentication in place, but then add a new header (X-SendFile: /path/to/file/on/server) which the server then intercepts and uses to read the file - therefore keeping the authentication but moving the file serving back to the web server.

Another thing you can do is to introduce caching between Moodle and the SSL encryption stage. This is pretty easy with things like Varnish, and there's some functionality built into most modern web servers (I know there is for Nginx, and I think that there is for Apache2). You have to be very careful with this one, but it's generally safe to cache all of the theme directory and not much else. This is less of a benefit than X-SendFile.

There are other caveats to forcing HTTPS at all times (notably that using content from insecure sites will display warnings to this effect), but in my opinion the increased security is a better solution and educating staff as to what these warnings mean, and how they can write their content to be future-proof is something that will probably be required longer-term anyway. Moodle also does try and replace some of these links itself - e.g. if you are using SSL, I think I'm right in saying that pasting a non-SSL YouTube link it will replace it with the SSL equivalent by the Media filter.

Although Moodle is only carrying your virtual learning content, for many institutions this will include grades and will consequentially degree implications, and for some (e.g. research-based Universities) an attack of this type could potentially reveal sensitive research data which is not yet public and/or subject to appropriate copyright (so is a major concern in terms of Intellectual Property).

Of course, it's entirely up you and you must weigh up the various options but please do your research and consider your own requirements before making a decision.

Note, the opinions above are my own, and other developers at HQ may disagree. Prior to working at HQ, I did work for a University and was responsible for the development, running, and security of various sytems - we felt that SSL was an important requirement for our Moodle implementation (and many of our other systems too).

Best wishes,

Andrew

 
Average of ratings:Useful (1)
Picture of Danny Wahl
Re: HTTPS Protocol
Group DevelopersGroup Particularly helpful Moodlers

Andrew, thanks for the detailed write-up.  I couldn't agree more that https IS more secure.  One thing you said that I'd like to clarify:

It is incredibly easy for someone to steal another user's login when you're dealing with unencrypted connections - even if you encrypt the login itself.

If the login itself is encrypted then it is incredibly difficult (mostly) to steal another user's login credentials.  If you're dealing with unencrypted connections it is possible to have the current session hijacked, but not the credentials, though passwords can be reset after hijacking.

 
Average of ratings:Useful (1)
Picture of Andrew Nicols
Re: HTTPS Protocol
Group DevelopersGroup Moodle HQGroup Particularly helpful MoodlersGroup Testers

Apologies Danny,

Yes - that is what I meant and what I was referring to. I shouldn't write so much prose at 1am!

To clarify, when HTTPS is forced on login only, it should not be possible to steal the session credentials (public key revelation excluded), but the login session itself can still be stolen even if the login phase itself is encrypted.

Thank you for the clarification,

Andrew

 
Average of ratings: -
.?.
Re: HTTPS Protocol
 

Where should I send following for a fix:

The current login over HTTPS feature has a major security flaw:

it doesn't include Encrypton of the front page when it contains a login block and forced login isn't set, so it allows login without SSL...

---

I had to change back from HTTPS to HTTPS login only, due to embedded Links to external sources which do not support HTTPS aswell as Problems with SCORM packets.

Unfortunately most or more like all browsers do not offer a sitebased permanent "trust content" option so Supportwise managing a HTTPS Site with HTTP content = impossible, especially if the content is say an older or more like a couple of older SCORM packages.

Then again login aswell as transmitting sensitive Data over SSL should be a de facto standard nowadays and it should run smooth, also in future releases.

So Login trough HTTPS but other parts of the site served via Http remains important for many big sites with lots of contents.

We are far from having a general Https support for ressources and probably that's something we'll never have. So why not make a Content based concept for encryption?

Also it's probably a very bad Idea to pack the protocoll to use in the wwwroot parameter, why not have 2, one for the protocoll part and one for the domain/url.

So you could check if the site request comes via HTTP or HTTPS and depending on a setting like "force SSL" generate the site and it's content, like AJAX requests that contain the full url incl. protocoll (lib/outputrequirementslib.php for example) depending on force SSL either also for a HTTP version or have the site redirect to https and generate all the link to https?

something like:

if((!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
    || $_SERVER['SERVER_PORT'] == 443 ){
    $CFG->wwwroot = 'https://mymoodle.url';
}
else if( $CFG->forceSSL){

//Do a sitereload with https

}

else{
   $CFG->wwwroot = 'http://mymoodle.url';
}

say in the config, so people can choose how they want their sites to be available.


 
Average of ratings: -