Moodle 3.2.2+ - on Centos/httpd behind NGINX proxy

by Piot r -

Hi

I am trying to set up a Moodle behind an NGINX reverse proxy and I cannot get it working right. Below are my config files. Basically, site formatting is gone and I cannot log on to the app. I cannot see anything helpful in the logs, and the web server's conf seems to be fine, as it is serving files (e.g. css, upgrade.txt).


I would appreciate any hint where to look for the source of the issue.

*****************

NGINX Vhost conf - proxy

*****************

server {
    listen         80;
    server_name    moodle.example.eu;
    return         301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;

    server_name  moodle.example.eu;
    ssl_certificate /etc/letsencrypt/live/example.eu/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.eu/privkey.pem;
    ssl_protocols      TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers        HIGH:!aNULL:!MD5:!kEDH;
    ssl_prefer_server_ciphers on;

    #charset koi8-r;
    access_log  /var/log/nginx/moodle.access.log  main;
    error_log  /var/log/nginx/moodle.error.log;
    include /etc/nginx/default.d/*.conf;

    location / {
        add_header      Front-End-Https    on;
        # Send traffic to the backend
        proxy_pass http://192.168.1.46/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-for $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $remote_addr;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_redirect off;
    }

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
}



***************************

httpd conf on the host with app

***************************

<VirtualHost *:80>
    ServerAdmin admin@moodle
    DocumentRoot /var/www/html/moodle/
    ServerName moodle.example.eu
    <Directory /var/www/html/moodle/>
        Options FollowSymLinks
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
    LogLevel info
    ErrorLog /var/log/httpd/moodle.error_log
    CustomLog /var/log/httpd/moodle.access_log common
</VirtualHost>

****************

moodle config.php

****************

<?php  // Moodle configuration file

unset($CFG);
global $CFG;
$CFG = new stdClass();

$CFG->dbtype    = 'mariadb';
$CFG->dblibrary = 'native';
$CFG->dbhost    = 'localhost';
$CFG->dbname    = 'moodle';
$CFG->dbuser    = 'moodleuser';
$CFG->dbpass    = 'password';
$CFG->prefix    = 'mdl_';
$CFG->dboptions = array (
  'dbpersist' => 0,
  'dbport' => '',
  'dbsocket' => '',
  'dbcollation' => 'utf8_unicode_ci',
);

$CFG->wwwroot   = 'http://moodle.example.eu';
$CFG->dirroot    =   '/var/www/html/moodle';
$CFG->dataroot  = '/var/www/moodledata';
$CFG->admin     = 'admin';

$CFG->directorypermissions = 02777;

require_once(__DIR__ . '/lib/setup.php');

$CFG->reverseproxy = true;

// There is no php closing tag in this file,
// it is intentional because it prevents trailing whitespace problems!


Moodle has been installed following steps from the link below

https://www.vultr.com/docs/how-to-install-moodle-on-centos-7

In reply to Piot r

Re: Moodle 3.2.2+ - on Centos/httpd behind NGINX proxy

by Ken Task -

While the page you followed looks pretty good, do see it didn't get into https and certs + no mention of SELinux ... which always seems to come into play if set to enforcing.

So first thing I'd check is: sestatus

Set to enforcing?   Read somewhere that one could execute an SELinux command to put it into permissive on a temp basis.

In looking at config-dist.php does this section apply?

// Enable when using external SSL appliance for performance reasons.
// Please note that site may be accessible via http: or https:, but not both!
//      $CFG->sslproxy = true;

And I see that in the config.php of Moodle using http:// rather than https://

As far as the certs part for config of https for site and how that works/doesn't work with Moodle.

Was the server responding to any test page via port :443 prior to installation of moodle or certs ... self-signed certs?

See config using .pem files ... which I guess one could ... but in configuring ssl for servers the certificate of authorities don't always follow/use/etc. info they tell their Linux/Apache customers.   All that to say, if you have a valid crt for the server ... one from a CA ... what do they say to use .... .pem files (which as I understand them have to be created from .key and .crt that reside on the server ... the .crt file actually acquired from the CA).  Have a valid .crt file from a CA?

How did you install?   http:// or https://

Moodle doesn't use relative addressing ... the $CFG->wwwroot   = 'http://example.com/moodle'; variable is used in the creation of every internal link in Moodle.

Might copy that line in your config and make one of them https:// - comment out the http:// to see the diff.

While one could get 'creative' with those lines, think it might be easiest to maintain Moodle if it uses https if that's how the server is configured to run ... just one or the other http:// or https://   Moodle, BTW, will complain about access if user visits via http:// and site was installed with https://

'spirit of sharing', Ken
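
The mismatches discussed in the question and in the reply above (an http:// wwwroot behind a TLS front end, `$CFG->sslproxy`, the forwarded-protocol header) can be checked mechanically. The following Python lint is an added example, not part of the original thread or of Moodle: the inputs are constructed excerpts of the posted files, the finding names are hypothetical, and it assumes that `$CFG` settings placed after the `require_once` of lib/setup.php are not seen by Moodle's setup code.

```python
import re

# Constructed excerpts of the two files posted in the question (not the full files).
NGINX_CONF = """
listen 443 ssl;
ssl_protocols      TLSv1 TLSv1.1 TLSv1.2;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto $remote_addr;
"""
MOODLE_CONFIG = """
$CFG->wwwroot   = 'http://moodle.example.eu';
require_once(__DIR__ . '/lib/setup.php');
$CFG->reverseproxy = true;
"""

def directives(text):
    """Yield (name, args) for each nginx directive line, ignoring comments."""
    for line in text.splitlines():
        parts = line.split("#", 1)[0].strip().rstrip(";").split()
        if len(parts) >= 2:
            yield parts[0], parts[1:]

def lint(nginx_text, config_php):
    """Return hypothetical finding names for proxy/Moodle scheme mismatches."""
    found = []
    nginx = list(directives(nginx_text))
    tls_front = any(n == "listen" and "ssl" in a for n, a in nginx)
    # Moodle builds every internal link from wwwroot, so it must match the public scheme.
    wwwroot = re.search(r"^\s*\$CFG->wwwroot\s*=\s*'([^']*)'", config_php, re.M)
    if tls_front and wwwroot and not wwwroot.group(1).startswith("https://"):
        found.append("wwwroot-not-https")
    if tls_front and not re.search(r"^\s*\$CFG->sslproxy\s*=\s*true", config_php, re.M):
        found.append("sslproxy-not-enabled")
    # Assumption: settings after the setup.php include are not seen by Moodle's setup code.
    setup_at = config_php.find("lib/setup.php")
    for m in re.finditer(r"^\s*\$CFG->(\w+)\s*=", config_php, re.M):
        if setup_at != -1 and m.start(1) > setup_at:
            found.append("set-after-setup:" + m.group(1))
    for name, args in nginx:
        # X-Forwarded-Proto should carry the scheme, not a client address.
        if name == "proxy_set_header" and args[0].lower() == "x-forwarded-proto":
            if args[1:] != ["$scheme"]:
                found.append("x-forwarded-proto-not-scheme")
        if name == "ssl_protocols":  # TLS 1.0 and 1.1 are deprecated (RFC 8996)
            found += ["legacy-tls:" + p for p in args if p in ("TLSv1", "TLSv1.1")]
    return found

if __name__ == "__main__":
    print("\n".join(lint(NGINX_CONF, MOODLE_CONFIG)))
```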


In reply to Ken Task

Re: Moodle 3.2.2+ - on Centos/httpd behind NGINX proxy

by Ken Task -

Follow up and more on .pem files ... at least from one CA:

https://www.namecheap.com/support/knowledgebase/article.aspx/9474/69/how-do-i-create-a-pem-file-from-the-certificates-i-received-from-you

says one has to choose Nginx to get a PEM-encoded SSL certificate.

That might not be the same with other CA's - other CA's might provide something different.

Working with an entity right now on getting a CentOS 7 system running a Moodle under https and because the .crt file does not match the .key file, Apache won't restart.   Error Apache reports states with no uncertainty that fact.  So converting .crt and .key to .pem coded files won't result in any fix either - should report same .pem for key and .pem for .crt do not match.

'spirit of sharing', Ken


In reply to Piot r

Re: Moodle 3.2.2+ - on Centos/httpd behind NGINX proxy

by AL Rachels -

One other thing to check, since you say that, "Basically site formatting is gone and I cannot logon to the app." do you have any third party plugins installed? I have run into a situation with one whereby, just having the plugin installed, the Boost theme loses all formatting. Seems to work fine with any non-boost theme, such as Clean.

Also, I've never tried anything similar to what you are doing but on one of my servers with NGINX my problem was the "location" entry. I had initially been trying to use location ~ \.php$ { and eventually figured out that I needed to use the 'slash' arguments version, location ~ [^/]\.php(/|$) { instead.