Hello,
We are expecting to put all of our moodle's websites with SSL certificate, however, we don't wan't to force https protocol to them instead we want to use SSL Offloading to do that.
Quick explanation about Offloading: SSL offloading relieves a Web server of the processing burden of encrypting and/or decrypting traffic sent via SSL, the security protocol that is implemented in every Web browser. The processing is offloaded to a separate device designed specifically to perform SSL acceleration or SSL termination.
In our case we use an ARR (Aplication Request Routing) that handles with the SSL protocol and route the requests to our Moodle's webservers without SSL (offloading). Our webservers tha handle our Moodle's are based on CentOS 7 with PHP-FPM 5.6 and Apache 2.4.
Why we need to use SSL Offloading? To remove unecessary load from webservers. Imagine the following scenarios:
Forcing SSL:
- Someone access the Moodle website using SSL protocol
- The ARR receives the SSL request, decrypts the contents using the certificate, checks the contents, encrypts the request using the certificate, and sends it to the web server.
- The Web Server receives the SSL request, decrypts the contents using the certificate, checks the contents, encrypts the request using the certificate, and sends it to the ARR.
- The ARR receives the SSL request, decrypts the contents using the certificate, checks the contents, encrypts the request using the certificate, and sends it to the guy that startd the request.
As you can see, theres a big amout of processign here, and to avoid this, we use Offloading.
With Offloading:
- Someone access the Moodle website using SSL protocol
- The ARR receives the SSL request, decrypts the contents using the certificate, checks the contents, and sends a request to the web server using http.
- The Web Server receives the request and return it to the ARR with the content.
- The ARR receives the request, encrypts the request using the certificate, and sends it to the guy that startd the request.
The question is, when we enable Offloading on our Moodle instalation (3.0.2+ (Build: 20160211)) we receive a malformed web page (sometimes broken) and nothing works (login and any links). There is a way for put Moodle to work with SSL Offloading?
Here I found some work around, but I think its not the "good way" https://moodle.org/mod/forum/discuss.php?d=207951