Moodle SSL Offloading

by Daniel Alves -
Number of replies: 5

Hello,

We are expecting to put all of our Moodle websites behind an SSL certificate; however, we don't want to force the https protocol on them. Instead, we want to use SSL Offloading to do that.

Quick explanation about Offloading: SSL offloading relieves a Web server of the processing burden of encrypting and/or decrypting traffic sent via SSL, the security protocol that is implemented in every Web browser. The processing is offloaded to a separate device designed specifically to perform SSL acceleration or SSL termination.

In our case we use an ARR (Application Request Routing) that handles the SSL protocol and routes the requests to our Moodle webservers without SSL (offloading). The webservers that handle our Moodle sites are based on CentOS 7 with PHP-FPM 5.6 and Apache 2.4.

Why do we need to use SSL Offloading? To remove unnecessary load from the webservers. Imagine the following scenarios:

Forcing SSL:

- Someone accesses the Moodle website using the SSL protocol

- The ARR receives the SSL request, decrypts the contents using the certificate, checks the contents, encrypts the request using the certificate, and sends it to the web server.

- The Web Server receives the SSL request, decrypts the contents using the certificate, checks the contents, encrypts the request using the certificate, and sends it to the ARR.

- The ARR receives the SSL request, decrypts the contents using the certificate, checks the contents, encrypts the request using the certificate, and sends it to the guy that started the request.

As you can see, there's a big amount of processing here, and to avoid this, we use Offloading.

With Offloading:

- Someone accesses the Moodle website using the SSL protocol

- The ARR receives the SSL request, decrypts the contents using the certificate, checks the contents, and sends a request to the web server using http.

- The Web Server receives the request and returns it to the ARR with the content.

- The ARR receives the request, encrypts the request using the certificate, and sends it to the guy that started the request.


The question is: when we enable Offloading on our Moodle installation (3.0.2+ (Build: 20160211)) we receive a malformed web page (sometimes broken) and nothing works (login and any links). Is there a way to get Moodle to work with SSL Offloading?


Here I found a workaround, but I think it's not the "good way": https://moodle.org/mod/forum/discuss.php?d=207951

In reply to Daniel Alves

Re: Moodle SSL Offloading

by Matteo Scaramuccia -

Hi Daniel,
about IIS ARR: did you already read https://moodle.org/mod/forum/discuss.php?d=323514 ?
It would be helpful if you could describe here what you mean by "malformed web page".

Besides, how did you set up the Moodle config.php file to support your off-loading configuration? Could you share it, taking care to replace sensitive data like passwords?
You should make use of `$CFG->sslproxy = true;` and `https://` in `$CFG->wwwroot`.

HTH,
Matteo

Average of ratings: Useful (1)
In reply to Matteo Scaramuccia

Re: Moodle SSL Offloading

by Daniel Alves -

Hello Matteo,

Thx for your help. We were struggling with that configuration because we thought that, for offloading, we couldn't add the https header in the $CFG->wwwroot configuration. We applied your suggestion and it worked like a charm.

The malformed webpage is just a broken page; it happens because it's working with a proxy in HTTPS but without the two changes you mentioned in the Moodle website. As a result the website is entirely broken.

In reply to Daniel Alves

Re: Moodle SSL Offloading

by Dave Perry -

We did this once, when moving moodle behind Forefront (reverse proxy, does SSL for most of our other sites) - I think just by setting wwwroot properly. We did set Forefront to also rewrite all http links (built in feature, not sure if any other reverse proxies do it) for anything that didn't use wwwroot though.

But then we put the SSL back into Apache handling, because we point all devices on our internal network to moodle's internal IP address to speed it up, which works better for us.

In reply to Dave Perry

Re: Moodle SSL Offloading

by Tim Hunt -

There are some specific things you need to put in your config.php file to make this work. Look at the comment on sslproxy in the config-dist.php file: https://github.com/moodle/moodle/blob/master/config-dist.php#L314

In reply to Tim Hunt

Re: Moodle SSL Offloading

by Daniel Alves -

Thx both of you.

Worked like a charm when we added the HTTPS header in $CFG->wwwroot and $CFG->sslproxy = true;

[]'s
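
The two settings this thread settles on, turned into a check that can be run over each site's config.php. This is an added example, not part of the original posts and not Moodle code; the function names, verdict strings and sample hostname are assumptions, and it assumes TLS is terminated on the proxy rather than on the web server:

```shell
#!/usr/bin/env bash
# Added example: audit a Moodle config.php for the two settings this thread
# settled on for a site behind an SSL-offloading proxy:
#   $CFG->wwwroot beginning with https://   and   $CFG->sslproxy = true;
# Function names and verdict strings are hypothetical, not Moodle's.

# Print the value of the last uncommented "$CFG->NAME = VALUE;" line.
cfg_value() {   # $1 = path to config.php, $2 = setting name
    sed -n -E "s/^[[:space:]]*\\\$CFG->$2[[:space:]]*=[[:space:]]*([^;]*);.*/\1/p" "$1" \
        | tail -n 1 | tr -d "\"' "
}

# Assumes TLS is terminated on the proxy, not on the web server itself.
check_moodle_offload_config() {
    local file=$1 wwwroot sslproxy proxy_on=no
    wwwroot=$(cfg_value "$file" wwwroot)
    sslproxy=$(cfg_value "$file" sslproxy | tr '[:upper:]' '[:lower:]')
    case $sslproxy in true|1) proxy_on=yes ;; esac
    case $wwwroot in
        https://*)
            if [ "$proxy_on" = yes ]; then echo OK
            else echo MISSING_SSLPROXY; fi ;;
        http://*)
            if [ "$proxy_on" = yes ]; then echo WWWROOT_NOT_HTTPS
            else echo PLAIN_HTTP; fi ;;
        *)  echo NO_WWWROOT ;;
    esac
}

# Constructed sample: the configuration reported as working in the thread.
demo() {
    local tmp
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
<?php
$CFG = new stdClass();
$CFG->wwwroot  = 'https://moodle.example.edu';
// $CFG->sslproxy = false;
$CFG->sslproxy = true;
EOF
    check_moodle_offload_config "$tmp"
    rm -f "$tmp"
}

demo
```

A `MISSING_SSLPROXY` verdict is expected, not a fault, on a server that handles SSL in Apache itself, as in Dave Perry's later setup.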