Comparisons and advocacy

Moodle entirely over SSL?

 
 
steve maher
Re: Moodle entirely over SSL?
 

Can someone post how to achieve complete SSL for Moodle? My config.php has https and Moodle is running on :443, but the lock symbol in the URL toolbar reports that some of the code is coming across insecure. The message I have when I click on the lock with the red x on it is:

 

Your connection to www.mysite.com is encrypted with 128-bit encryption. However, this page includes other resources which are not secure. These resources can be viewed by others while in transit, and can be modified by an attacker to change the behavior of the page.

The connection uses TLS 1.2.

The connection is encrypted and authenticated using AES_128_GCM and uses DHE_RSA as the key exchange mechanism.

 
Murphy Wong
Re: Moodle entirely over SSL?
 


Please try adding the following to your ~moodle/config.php:

$CFG->wwwroot = 'http://mysite.com';
$CFG->httpswwwroot = 'https://mysite.com';
$CFG->loginhttps = true;


It works on my installation. Thanks. :)

 
Average of ratings:Useful (1)
David
Re: Moodle entirely over SSL?
 

Steve,

this usually means that you have included resources on the page that are not served over SSL. Commonly, videos like those from vimeo.com and others cannot be served over SSL, as Vimeo (and other services) do not support this.

The advice given by Murphy is actually wrong, and will decrease the security of your Moodle site, as it will fall back to HTTP after the user has logged in.

If you are using Apache, there are simple rules that force all content to be served over SSL; I have attached one of our example configuration files for true SSL usage.

Regards, David

 
Average of ratings:Useful (2)
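
The browser warning quoted in the first post is caused by sub-resources that the page references with http:// URLs. As an added example (not part of any post in this thread), this Python script scans a page's HTML for such references and labels each one active or passive. The sample page, the host names other than www.mysite.com and the simplified active/passive split are assumptions made for the illustration.

```python
from html.parser import HTMLParser

# Tag -> attribute that makes the browser fetch a sub-resource.
# <a href> is navigation, not a sub-resource, so it is deliberately absent.
FETCH_ATTRS = {"script": "src", "iframe": "src", "embed": "src", "object": "data",
               "link": "href", "img": "src", "video": "src", "audio": "src",
               "source": "src"}
# "Active" content can change the behaviour of the page; browsers usually block it.
# Everything else is "passive" and only degrades the lock icon.
ACTIVE = {"script", "iframe", "embed", "object"}


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, kind, url)

    def handle_starttag(self, tag, attrs):
        if tag not in FETCH_ATTRS:
            return
        attrs = dict(attrs)
        kind = "active" if tag in ACTIVE else "passive"
        if tag == "link":
            rel = (attrs.get("rel") or "").lower()
            if "stylesheet" in rel:
                kind = "active"
            elif "icon" not in rel:
                return  # canonical/alternate links are never fetched
        url = (attrs.get(FETCH_ATTRS[tag]) or "").strip()
        # Protocol-relative ("//host/x") and relative URLs inherit https.
        if url.lower().startswith("http://"):
            self.findings.append((self.getpos()[0], tag, kind, url))


def find_mixed_content(html):
    """Return (line, tag, kind, url) for every http:// sub-resource in html."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page; host names other than www.mysite.com are made up.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="https://www.mysite.com/theme/styles.css">
<link rel="canonical" href="http://www.mysite.com/course/view.php?id=2">
<script src="http://cdn.example.com/player.js"></script>
</head><body>
<a href="http://www.example.org/">external link</a>
<img src="HTTP://www.mysite.com/pix/logo.png">
<img src="//cdn.example.com/banner.png">
<iframe src="http://video.example.com/embed/12345"></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, tag, kind, url in find_mixed_content(SAMPLE_PAGE):
        print(f"line {line}: <{tag}> {kind} mixed content -> {url}")
```

Run it against the saved HTML of the page that shows the broken lock; every reported URL has to be changed to https or removed before the warning goes away.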