Installing and upgrading help

Moodle entirely over SSL?

 
steve maher
Re: Moodle entirely over SSL?
 

Can someone post how to achieve complete SSL for Moodle? My config.php has https and Moodle is running on :443, but the lock symbol in the URL toolbar reports that some of the code is coming across insecure. The message I have when I click on the lock with the red x on it is:

 

Your connection to www.mysite.com is encrypted with 128-bit encryption. However, this page includes other resources which are not secure. These resources can be viewed by others while in transit, and can be modified by an attacker to change the behavior of the page.

The connection uses TLS 1.2.

The connection is encrypted and authenticated using AES_128_GCM and uses DHE_RSA as the key exchange mechanism.

 
Murphy Wong
Re: Moodle entirely over SSL?
 


Please try adding the following to your ~moodle/config.php:

$CFG->wwwroot   = 'http://mysite.com';

$CFG->httpswwwroot   = 'https://mysite.com';

$CFG->loginhttps=true;


It works on my installation. Thanks. :)

 
L Passaglia
Re: Moodle entirely over SSL?
 

As an alternative to having SSL on the entire site, in addition to the login page, is it possible to protect other pages as well (i.e.: the grades page)? If so, how? Thanks!!

 
Dan Marsden
Re: Moodle entirely over SSL?

No. If you're concerned about security you should really use full-time SSL. 

SSL for logins may prevent the user's password from being obtained, but the user's session will still be passed unencrypted, so it could potentially be intercepted (for example on a public wifi point), allowing someone malicious to impersonate the user.

 
L Passaglia
Re: Moodle entirely over SSL?
 

I agree Dan, but my concern was the slowing down of the site due to ssl that I read about all over the place. Nevertheless, I will test it as you suggest. However, the question now is how to integrate it full-time. Right now, it only kicks in on the login page and kicks out everywhere else! Thanks.

 
Visvanath Ratnaweera
Re: Moodle entirely over SSL?
The CPU overhead is passé. The tune today is HTTPS everywhere!

So the decision is between HTTP and "entirely over SSL". If you go for the latter no need to play with the "Use HTTPS for logins" option, rather you configure your webserver for HTTPS by listening at port 443. Additionally you may want to redirect HTTP to HTTPS.

For a professional site, you need to get your SSL certificates signed by a certification authority.

P.S. Just now contributed to the oldest active thread in moodle.org: https://moodle.org/mod/forum/discuss.php?d=25981 - which is over 10 years old! ;)
 
L Passaglia
Re: Moodle entirely over SSL?
 

Thank you Visvanath, I will do as suggested. The oldest thread you say? Well, as it turned out, I was still able to squeeze some use from it!! :)

 
Susan Mangan
Re: Moodle entirely over SSL?
 

Nice! 

HQ should have a just-now-contributed-to-the-oldest-active-thread-in-moodle.org badge!!

 
Visvanath Ratnaweera
Re: Moodle entirely over SSL?
Currently discussed, yes, again, in the Moodle community sites forum: https://moodle.org/mod/forum/discuss.php?d=336415#p1355812.
 
Dan Marsden
Re: Moodle entirely over SSL?

You will need to modify your config.php to use "https:" in the wwwroot instead of "http:".

As Visvanath mentions, the overhead caused by running full-time SSL is very minimal, and in most cases you won't notice a difference. Just make sure you have tuned your server well and read the usual performance recommendations.

 
L Passaglia
Re: Moodle entirely over SSL?
 

Noted Dan! We have some media intensive SCORM lessons. So I'll apply all recommendations and post the results here, in the event that they may be of assistance to someone else.

Thank you both for your help, it is much appreciated!!


 
David
Re: Moodle entirely over SSL?
 

Steve,

This usually means that you have included resources on the page that are not served over SSL. Commonly videos like from vimeo.com and others cannot be served over SSL as Vimeo (and other services) do not support this.

The advice given by Murphy is actually wrong, and will decrease the security of your Moodle site, as it will fall back to HTTP after the user has logged in.

If you are using Apache, there are simple rules that force all content to be served over SSL; I have attached one of our example configuration files for true SSL usage.

Regards, David
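
An added example, not part of the original thread and not Moodle code: the browser warning quoted in the first post, which David attributes to resources not served over SSL, can be traced by listing every subresource a page fetches over plain http://. The page URL, the sample HTML and the third-party host names are constructed, and the active/passive tag split is a simplification of how browsers classify mixed content.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that make a browser fetch a subresource.
FETCHING = {("script", "src"), ("iframe", "src"), ("embed", "src"),
            ("object", "data"), ("link", "href"), ("img", "src"),
            ("video", "src"), ("audio", "src"), ("source", "src")}
# Simplified split: active content can change the page, passive is displayed.
ACTIVE = {"script", "iframe", "embed", "object", "link"}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute URL) in document order

    def handle_starttag(self, tag, attrs):
        rel = (dict(attrs).get("rel") or "").lower()
        if tag == "link" and "stylesheet" not in rel:
            return  # only stylesheet links are treated as subresources here
        for name, value in attrs:
            if (tag, name) not in FETCHING or not value:
                continue
            # Resolve relative and protocol-relative URLs against the page.
            url = urljoin(self.page_url, value.strip())
            if urlsplit(url).scheme == "http":
                kind = "active" if tag in ACTIVE else "passive"
                self.findings.append((kind, tag, url))

def find_mixed_content(page_url, html):
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample: a course page served from https://www.mysite.com.
SAMPLE_URL = "https://www.mysite.com/course/view.php?id=2"
SAMPLE_HTML = """
<link rel="stylesheet" href="/theme/styles.css">
<script src="//cdn.example.org/lib.js"></script>
<img src="http://www.mysite.com/pluginfile.php/12/logo.png" />
<iframe src="http://player.example.net/video/1"></iframe>
<a href="http://example.org/">plain link, not a subresource</a>
"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(SAMPLE_URL, SAMPLE_HTML):
        print(f"{kind:7} <{tag}> {url}")
```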

 