Hello,
We have a moodle 3.9 with LTI 1.3 activities running.
If we go through a WAF in reverse proxy mode (Checkpoint)
all the LTI 1.3 activities stop working.
Any ideas?
Thank's and regards.
Sorry to hear you're having trouble. It would be great if you could expand on "stop working". Is there a specific error displayed during the launch process, for example?
MDL-73847 could be what you're seeing (without more information it's impossible to know though). Keep in mind that this is only fixed in 4.0+ too.
Cheers
MDL-73847 could be what you're seeing (without more information it's impossible to know though). Keep in mind that this is only fixed in 4.0+ too.
Cheers
Hello,
MatLab Grader does not show anything else in the browser or logs files after the REDIRECT, we think that it remains in the authentication jump.
With Zoom, displays error "Invalid Request Data (2507)."
WAF (checkpoint) is in monitor mode. That is, it does not block any request.
With LTI 1.1 activities we don't have this problem but they are obviously deprecated.
Regards
MatLab Grader does not show anything else in the browser or logs files after the REDIRECT, we think that it remains in the authentication jump.
With Zoom, displays error "Invalid Request Data (2507)."
WAF (checkpoint) is in monitor mode. That is, it does not block any request.
With LTI 1.1 activities we don't have this problem but they are obviously deprecated.
Regards
It might help to look at the network trace for the launch (which includes auth). You can capture that, in Chrome as HAR file (https://support.google.com/admanager/answer/10358597?hl=en). If you could attach that here that may be helpful.
Also, just to clarify: if your issue is with the launch, it won't relate to the tracker issue I linked above, sorry. That issue only deals with proxy awareness in the service calls so just ignore that.
Cheers,
Also, just to clarify: if your issue is with the launch, it won't relate to the tracker issue I linked above, sorry. That issue only deals with proxy awareness in the service calls so just ignore that.
Cheers,
Sorry for taking so long to reply.
Attached the requested HAR file.
Hello again,
I found this thread on this forum https://github.com/Cvmcosta/ltijs/issues/56 which I think is related to what happens to me with a reverse proxy.
I think the request fails because Moodle is not on the same machine as where the validation request (/mod/lti/auth.php) originates.
The lti_state2 cookie is not set in the header of said request.
Can the validation request be forwarded to the reverse proxy instead of locally? and in that case it would be possible to configure a field in the configuration page of the lti tool to adjust the value of the reverse proxy address.
Another option I'm considering is to reconfigure the reverse proxy (nginx) using a redirect for those /mod/lti destinations
Thanks in advance and greetings
I found this thread on this forum https://github.com/Cvmcosta/ltijs/issues/56 which I think is related to what happens to me with a reverse proxy.
I think the request fails because Moodle is not on the same machine as where the validation request (/mod/lti/auth.php) originates.
The lti_state2 cookie is not set in the header of said request.
Can the validation request be forwarded to the reverse proxy instead of locally? and in that case it would be possible to configure a field in the configuration page of the lti tool to adjust the value of the reverse proxy address.
Another option I'm considering is to reconfigure the reverse proxy (nginx) using a redirect for those /mod/lti destinations
Thanks in advance and greetings
Thanks for attaching that HAR file. Unfortunately, it's a bad file and causes errors when imported into Chrome. Can you send another one? You can confirm it's valid by dragging it into the network tab of chrome.
Perhaps you can also explain your setup in more detail. I don't quite follow when you say that Moodle isn't on the same machine as mod/lti/auth.php.
Thanks again,
Jake
Perhaps you can also explain your setup in more detail. I don't quite follow when you say that Moodle isn't on the same machine as mod/lti/auth.php.
Thanks again,
Jake
Hello again,
Basicly the escheme is (al servers has public IPs)
Scenario A ( Matlab Grader, Zoom and LTI activities are running OK )
( Browser User <=> The Moodle site )
Scenario B ( Matlab Grader, Zoom and LTI the same activities are running not ok )
( Browser User <=> reverse proxy (WAF) <=> The same Moodle site, same database )
The redirection to waf is make by DNS.
The HAR file was capture with Firefox, sorry.
We have found that in the Scenario B the 302 redirect request from User's browser has not efect: User view White page or a blank iframe ( the lti_state cookie are ok sorry for older confused post: were tests)
We have found that the failure was in the trust relationship of the server certificates, and now we have all lti 1.3 tools running again passing throw the waf.
Thank you very much,
Hope this can help other with this issue
Regards
Basicly the escheme is (al servers has public IPs)
Scenario A ( Matlab Grader, Zoom and LTI activities are running OK )
( Browser User <=> The Moodle site )
Scenario B ( Matlab Grader, Zoom and LTI the same activities are running not ok )
( Browser User <=> reverse proxy (WAF) <=> The same Moodle site, same database )
The redirection to waf is make by DNS.
The HAR file was capture with Firefox, sorry.
We have found that in the Scenario B the 302 redirect request from User's browser has not efect: User view White page or a blank iframe ( the lti_state cookie are ok sorry for older confused post: were tests)
We have found that the failure was in the trust relationship of the server certificates, and now we have all lti 1.3 tools running again passing throw the waf.
Thank you very much,
Hope this can help other with this issue
Regards
Greetings again
When the provider of the Moodle LTI tool requests the page
mod/lti/certs.php and moodle is configured through a WAF, the request fails showing no errors.
The same request being moodle behind HA proxy works correctly.
Perhaps some request verification check could be set into mod/lti/certs.php code to help administrators.
Thank's and regards
Given the complexity of the setup, unless there's a crystal clear description, and steps to reproduce it, issue like this can be hard to reproduce and it becomes less likely someone will work on it, were a tracker issue to be created (and may just sit there in jira for some time unfortunately). Can a reverse proxy nginx container be used instead to trigger the same problem? That would assist in reproduction of the problem. Can you see the requests hitting the Moodle site? You're of course welcome to create an issue on tracker.moodle.org, but without all the information we can get, it becomes very hard to reproduce and runs the risk of being closed.
I will add that that file (mod/lti/certs.php) is a public file so should always be accessible. I.e. the tool should be able to read it any time. Can you access the file directly? You say it's fails with no errors, but what about the HTTP trace?
Hope that helps and sorry I can't be of more help,
Jake
I will add that that file (mod/lti/certs.php) is a public file so should always be accessible. I.e. the tool should be able to read it any time. Can you access the file directly? You say it's fails with no errors, but what about the HTTP trace?
Hope that helps and sorry I can't be of more help,
Jake