Different wwwroot internal/external

by Mihir J -
Number of replies: 8

Hi,

I am also doing similar set up.

Could somebody help me in doing the below thing please? I tried various Google articles but was not able to understand them.

IIS8.5, Moodle3.2

Basically what I want is -

in LAN - wwwroot should be like HTTP://xyz.abcd.com 

in Internet wwwroot should be like HTTPS://xyz.abcd.com

The SSL is installed at the domain level.

It seems there is something like a reverse proxy that should be done at the IIS end. If anybody knows, could you please help?

thanks!

In reply to Mihir J

Re: Different wwwroot internal/external

by Howard Miller -

I split your post as it really wasn't related to the discussion you had attached it to in any way I can see. 

I don't think you can do that. You can only have one wwwroot setting in Moodle. I can't think why you wouldn't run the whole thing https both internally and externally. 

Average of ratings: Useful (1)
In reply to Howard Miller

Re: Different wwwroot internal/external

by Mihir J -

Hi Howard


Thank you so much.

Let me rephrase my question - basically the wwwroot will be always ..http:/...

But I think there is a concept of reverse proxy/ARR in IIS (I am not sure about it) which can make it work like that - like if somebody is accessing inside LAN, it will open http://....

and from internet it will open automatically like https:// ....

thanks!

In reply to Mihir J

Re: Different wwwroot internal/external

by Howard Miller -

Ok... I don't know anything about IIS unfortunately. I am not a Windows person.

I still don't understand why you just don't make Moodle https. It's recommended anyway. 

In reply to Mihir J

Re: Different wwwroot internal/external

by Mihir J -

Why they want to run this way is that inside LAN there is no internet connection, and inside LAN they don't want to run on HTTPS.

thanks!

In reply to Mihir J

Re: Different wwwroot internal/external

by Matt T -

"inside LAN they don't want to run on HTTPS"

This is bad thinking on the decision-makers' part. There is no reason not to run internally over HTTPS just as you do externally.

We also have Moodle running both internally and externally. Our DNS is examplemoodle.org. Internally, it resolves to a local 10.xx.xx.xx IP and the SSL cert is served by a webserver. Externally, it resolves to our reverse proxy/firewall appliance, which forwards the inbound requests and also has the SSL certificate installed on it. This is known as "split" or "split brain" DNS.

If you could provide me with a really, really good reason why you would not run HTTPS internally (I'm very much struggling to think of one, particularly because caching is less important on an intranet) I could help you think; otherwise, I don't really want to provide advice that weakens security. While it's true that if you have switches (cf. hubs) there's not a great chance the network could be tapped if your network infrastructure is secure, that possibility still exists.

The other reason this is bad thinking is that the browser (when used externally) may cache the redirect from http to https when the device comes inside. Also means you can't use HSTS. Just can't see the reasoning, sorry.

Average of ratings: Useful (2)
In reply to Matt T

Re: Different wwwroot internal/external

by Howard Miller -

I can only think that there used to be a performance hit with https but not these days. Apart from spending money on a certificate and the extra half hour of hassle to set it up, I can see no valid reason at all not to run https.

Well, perhaps one... if you have been running http it might be a bit awkward to change due to ending up with mixed http/https content on the pages (e.g. external links). In this case, the OP will have that problem anyway with his external site. 

Average of ratings: Useful (1)
In reply to Howard Miller

Re: Different wwwroot internal/external

by Matt T -

Indeed. I remember finance used to be picky when certs were licenced per server, now eliminated as I'm not aware of any CA that still uses that absurd practice. And the https performance hit (which is, as said, negligible) was another problem.

OP, I very rarely touch Windows server boxes, but last time I did I used this tool to add the cert; it works with any CA. Better than dealing with certmgr.exe, which I find annoying. It doesn't need .PFX files:

https://www.digicert.com/util/

Then you just add the binding in IIS.

Average of ratings: Useful (2)
In reply to Matt T

Re: Different wwwroot internal/external

by Mihir J -

Hi All

Thank you for your help.

I was able to convince them to use HTTPS always even within LAN.

Thank you again!

Mihir