Moodle insists it is accessed using $CFG->wwwroot. It enforces this by checking the request by inspecting $_SERVER[]. In a standard configuration the browser connects directly to the web server (assuming $CFG->wwwroot is "https://moodle.example.com"):
| Browser's request to web server |
$_SERVER['HTTP_HOST'] that Moodle sees |
|---|---|
| GET https://moodle.example.com/ | "moodle.example.com" |
They match so Moodle is happy. But if the web server is behind a reverse proxy (e.g. load balancer):
| Browser's request to reverse proxy |
Reverse proxy's request to web server |
$_SERVER['HTTP_HOST'] that Moodle sees |
|---|---|---|
| GET https://moodle.example.com/ | GET https://webnode1.internal.test/ | "webnode1.internal.test" |
and you get "Incorrect access detected…" because $CFG->wwwroot and the $_SERVER[] values don't match.
Enabling $CFG->reverseproxy turns off this check. With this enabled you now cannot access the web server directly using $CFG->wwwroot, only via the reverse proxy. Direct access results in "Reverse proxy enabled, server can not be accessed directly".