Hi Bob,
You probably have a mixed state of HTTP and HTTPS requests. If you are forcing the site use HTTPS, but some elements either can't load under HTTPS or they try to load under HTTP, then those elements get blocked and will not load.
You can look at blocked elements in Chrome by opening the debugging console (Shift+Ctrl+J). Look for any errors. Additionally, go to the Network tab in the debugger and then press Ctrl+F5 to force the page to reload fully. You can see which elements did not load.
Question: What is in your .htaccess file?
My suggestion is to address this issue in the Apache vhost file to redirect any HTTP traffic to HTTPS. This way, any HTTP traffic automatically goes to HTTP regardless of any setting in Moodle or other places. In essence, all requests on the server will have to use HTTPS even if the HTTP resource is requested.
Here is code Let's Encrypt puts in the <VirtualHost *:80> block (as an example for a specific domain):
RewriteCond %{SERVER_NAME} =www.example.com [OR]
RewriteCond %{SERVER_NAME} =example.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
Or, in general:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI}
There are a number of guides online:
You can test your HTTPS/SSL configurations at:
Kind regards,
Tony
Hi Tony, thanks for the suggestions! I had tried forcing HTTPS using .htaccess and everything works fine except for Moodle. I put .htaccess back to the default version that comes with version 3.0.10, and I can duplicate the problem by calling up Moodle in my browser including https://
Under HTTPS, all the graphics are stripped out, and text is arrayed vertically on the page. I'll check the guides you recommended and see if I can identify blocked elements with Chrome.
Thanks again,
Bob
Hi Bob, I've seen exactly what you talk about. The Moodle site at our university operates only in HTTP, but I use the secure-ish HTTPS login page using the default self-signed certificate. The login page is missing the images and other referenced objects.
It sounds like you have mixed elements and the .htaccess file isn't correctly picking up all references. One thought I have is that the .htaccess files it not all-encompassing. It gets some elements, but might be missing the embedded objects with an HTTP reference, which are still served as HTTP.
I hope this helps!
Thanks Tony, that's exactly what I was hoping to find - an HTTPS conversion tool. But I don't see that option under Site administration - Security. (I'm running version 3.010 until I get my server updated). There is an HTTP Security option, and I have the option checked for using HTTPS for logins.
- Bob
Ahh...yes. You are correct. They introduced it in 3.4: https://docs.moodle.org/34/en/HTTPS_conversion_tool
... AND HTTPS for just the login has been removed too:
In Moodle 3.4 onwards, the setting 'Use HTTPS for logins' (loginhttps) has been removed.
Refs:
HTH,
Matteo
For anyone using PayPal's IPN, starting on March 31st, PayPal is requiring that all postback URLs use HTTPS. I don't know how that will impact the PayPal plugin in Moodle (Moodle docs say that IPN is optional). But I'm hoping to get Moodule running fully under HTTPS - anyone doing this?
Bob
You might look your .conf and .htaccess settings to verify that inheritance is on (or not blocked)
I'll check those out - thanks!
Bob
Thanks!
However, Moodle does not operate that way in practice. For example, our University site will not load the CSS under HTTPS, which is exactly what you see.
index.php:9 Mixed Content: The page at 'https://moodle.aaaa.com/login/index.php' was loaded over HTTPS, but requested an insecure stylesheet 'http://moodle.aaaa.com/theme/yui_combo.php?rollup/3.17.2/yui-moodlesimple-min.css'. This request has been blocked; the content must be served over HTTPS.
No one else at the university forces HTTPS, so we don't worry about it. My real Moodle site functions normally in HTTPS using a RewriteRule in Apache. I don't really care what protocol was requested, but I know Apache will take care of it. Having just checked my site, the source code (not a rewrite by apache) lists the CSS references as HTTPS. I installed it using HTTPS and did not have to deal with the mixed content. So, there must be a switch that one can flip for this in Moodle to enable HTTPS mode.
The actual answer might lie in Sites Administration > Server > HTTP. https://stackoverflow.com/questions/21782203/moodle-not-showing-css-and-theme-with-linux-server
Even so, if you can force HTTPS in the Apache (assuming you have access to the conf file), then Apache will change everything to HTTPS regardless of the request upstream. I figure you can't rely on users to use HTTPS without forcing them to do so.
Hi Tony,
apologize if I misunderstood something here in the thread - got a quick read - but:
Not sure what is the migration plan you chose here: guessing you've missed the point in (1) at the time of using loginhttps - when browsers where not complaining about (& blocking) "mixed content" - , since Moodle is serving CSSes still using HTTP. Call it a bug in these days - I do not have a 3.1 right now and I cannot check by myself if that - mixed content - is the way Moodle adopted on serving the Login page under loginhttps.
Go for a full HTTPS configuration and you'll be fine .
Some useful posts when the discussion about full HTTPS started: https://moodle.org/mod/forum/discuss.php?d=262482
HTH,
Matteo
Thanks, Matteo. My site is fine (it works as expected). Our university site isn't configured for HTTPS (self-signed cert, etc.), which is why the errors are there. I was only listing it for an example.
Robert and Josh are having problems. I forgot about the config portion. They should look at that. I have no idea what guide they used or did not use.
Hi,
So if I started my site in HTTP and want to convert to HTTPS. I ran the conversion tool. That's all I've done. To get rid of the mixed content, what else do I need to do? I have access to Apache, if that helps.
THanks
Thanks Tony. I have done that. I need to know is there is something I can change globally to get all the mix content to switch to https? For example, all the CSS files? They point to HTTP
Thank you
