Difference between revisions of "Masquerading"


Note: You are currently viewing documentation for Moodle 1.9. Up-to-date documentation for the latest stable version is available here: Masquerading.

(Running Moodle Behind A Masquerading Firewall)
(See also: issue link)
 
(30 intermediate revisions by 9 users not shown)
Line 1: Line 1:
 
== Running Moodle Behind A Masquerading Firewall ==
 
== Running Moodle Behind A Masquerading Firewall ==
 +
 +
  
 
You may be running Moodle behind a Masquerading Firewall (using Network Address Translation or NAT). In this case your internal Moodle server will most likely be assigned a non-routable (private) IP address in one of the following ranges:
 
You may be running Moodle behind a Masquerading Firewall (using Network Address Translation or NAT). In this case your internal Moodle server will most likely be assigned a non-routable (private) IP address in one of the following ranges:
Line 7: Line 9:
 
* 192.168.0.0 - 192.168.255.255
 
* 192.168.0.0 - 192.168.255.255
  
Moodle can be set up using the standard instructions but will only be accessible within  the local network. To make the Moodle server accessible from outside of the network you will need to address the following points:
+
You can not use internal ip address or internal server name in config.php if you want to access the server from Internet too. If you want to use Moodle server from Internet, use real DNS hostname in $CFG->wwwroot.
 +
 
 +
===HTTPS and HTTP?===
 +
 
 +
Please note that you can not use both https:// and http:// at the same time, and must choose one and use it from both sides. Using both http and https is not supported and fails in many cases.
 +
 
 +
Remember that it is more important to use https:// inside because the potential attackers are your students and it is also much easier to eavesdrop intranet communication.
 +
 
 +
Also note that UK data protection laws indicate that https:// is required for all outside access to internal school servers, so make sure you do more than just enable the loginhttps setting.
 +
 
 +
===First get real DNS hostname===
 +
If you have static IP, your firewall might already have public DNS hostname.
 +
 
 +
If you do not have a DNS hostname, if you do not like it or if you have dynamic IP address you can use several free Dynamic DNS services to obtain DNS hostname that maps to your current IP address. See http://www.dyndns.com/ , http://www.no-ip.com , etc.
 +
 
 +
===Then tweak internal DNS server===
 +
You can either tweak all PCs in your intranet by editing ''hosts'' files which can override the data returned from DNS server.
 +
 
 +
Or you can tweak your DNS server (or forwarder) to return the internal server IP instead of the public one.
 +
 
 +
==Windows DNS==
 +
 
 +
Assuming you already have your NAT firewall performing port forwarding to your moodle.  If running Win200x Server in an AD domain, a domain controller must be running DNS.  This DNS server should be configured with Forwarders to your ISP for resolving names it doesn't have in its own zones.  And your Windows clients should be pointing to this DNS server.  (If you're running AD and your Windows clients do not have DNS pointing to the DNS server running on your DC, that's why it's taking you 5+ minutes to logon to the domain)
 +
 
 +
To accomodate using the same URL for intranet and Internet access to your moodle, you can create a new zone with the domain your moodle is in on your DNS server.  Create an A record for your moodle's internal IP address inside this zone.  Since your internal clients are using this DNS server, they'll get the private IP address; and Internet clients will get your public IP address.
  
* Ideally provide a domain name for your external network.
+
==See also==
* In your firewall or router set up port forwarding to forward HTTP requests (port 80) to your Moodle server
 
* Your moodle config.php will need to be modified so that $CFG->wwwroot is modified according to the IP address of the client.
 
  
Modify config.php by adding the following code snippet around your $CFG->wwwroot setting:
+
* Comments in MDL-27003
  
    $subnet = '192.168';
+
[[Category:Administrator]]
    $client_ip = $_SERVER['REMOTE_ADDR'];
+
[[Category:Installation]]
    if (strpos($client_ip, $subnet)===0) {
 
        $CFG->wwwroot = '...internal URL...';
 
    }
 
    else {
 
        $CFG->wwwroot = '...external URL...';
 
    }
 
  
The $subnet variable is set to the most significant values of your internal IP addresses (most likely '192.168.' or '10.'). The 'internal' URL is the appropriate setting for access from the local network. The 'external' URL that for external access.
+
[[es:masquerading]]
 +
[[ja:マスカレーディング]]
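Review bot: the removed list is the only place that told the administrator to set up port forwarding on the firewall or router ("forward HTTP requests (port 80) to your Moodle server"). The new text only assumes it in passing under "Windows DNS", so a reader following the new steps is never told to do it. Suggest keeping that step as its own item after "First get real DNS hostname", naming the port that matches the chosen scheme since the new HTTPS section steers readers to https://. Two smaller points: "==Windows DNS==" is level 2 while the steps it elaborates ("===Then tweak internal DNS server===") are level 3, so it should be level 3 or 4; and "accomodate" in the added paragraph should read "accommodate".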

Latest revision as of 13:53, 1 April 2011

Running Moodle Behind A Masquerading Firewall

You may be running Moodle behind a Masquerading Firewall (using Network Address Translation or NAT). In this case your internal Moodle server will most likely be assigned a non-routable (private) IP address in one of the following ranges:

  • 10.0.0.0 - 10.255.255.255
  • 172.16.0.0 - 172.31.255.255
  • 192.168.0.0 - 192.168.255.255

You cannot use an internal IP address or internal server name in config.php if you also want to access the server from the Internet. If you want to use the Moodle server from the Internet, use a real DNS hostname in $CFG->wwwroot.

HTTPS and HTTP?

Please note that you cannot use both https:// and http:// at the same time; you must choose one and use it from both sides. Using both http and https is not supported and fails in many cases.

Remember that it is more important to use https:// inside the network, because the potential attackers are your students and it is also much easier to eavesdrop on intranet communication.

Also note that UK data protection laws indicate that https:// is required for all outside access to internal school servers, so make sure you do more than just enable the loginhttps setting.

First get a real DNS hostname

If you have a static IP address, your firewall might already have a public DNS hostname.

If you do not have a DNS hostname, if you do not like the one you have, or if you have a dynamic IP address, you can use one of several free Dynamic DNS services to obtain a DNS hostname that maps to your current IP address. See http://www.dyndns.com/ , http://www.no-ip.com , etc.

Then tweak the internal DNS server

You can either tweak all PCs in your intranet by editing their hosts files, which can override the data returned from the DNS server.

Or you can tweak your DNS server (or forwarder) to return the internal server IP instead of the public one.

Windows DNS

This assumes you already have your NAT firewall performing port forwarding to your Moodle server. If you are running Win200x Server in an AD domain, a domain controller must be running DNS. This DNS server should be configured with Forwarders to your ISP for resolving names it doesn't have in its own zones, and your Windows clients should be pointing to this DNS server. (If you're running AD and your Windows clients do not have DNS pointing to the DNS server running on your DC, that's why it's taking you 5+ minutes to log on to the domain.)

To accommodate using the same URL for intranet and Internet access to your Moodle server, you can create a new zone on your DNS server for the domain your Moodle server is in. Create an A record for the Moodle server's internal IP address inside this zone. Since your internal clients are using this DNS server, they'll get the private IP address, and Internet clients will get your public IP address.
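
A pre-deployment check for the two things this page asks for, the $CFG->wwwroot value and the split internal/public DNS answers, as an added example that is not part of the Moodle documentation. The hostname moodle.example.org, the server name moodlebox and both IP addresses are constructed placeholders, and treating anything other than https:// as a problem follows this page's advice rather than a Moodle requirement.

```python
import ipaddress
from urllib.parse import urlsplit

# The three private (non-routable) ranges listed at the top of this page.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(addr):
    """True if addr (an IP address string) lies in one of those ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)

def check_wwwroot(wwwroot):
    """Return a list of problems with a candidate $CFG->wwwroot value."""
    problems = []
    url = urlsplit(wwwroot)
    host = url.hostname or ""
    if url.scheme != "https":
        problems.append("scheme is not https")
    if not host:
        problems.append("no host in URL")
        return problems
    try:
        ipaddress.ip_address(host)
        problems.append("host is an IP address, not a DNS hostname")
    except ValueError:
        if "." not in host:
            problems.append("host is a bare internal server name")
    return problems

def check_split_dns(internal_answer, external_answer):
    """Compare the A record seen inside the LAN with the one seen outside."""
    problems = []
    if not is_private(internal_answer):
        problems.append("internal clients are not sent to the private address")
    if is_private(external_answer):
        problems.append("public DNS returns a private address")
    return problems

if __name__ == "__main__":
    # Constructed sample values, not taken from any real site.
    for root in ("http://192.168.1.20/moodle", "https://moodlebox",
                 "https://moodle.example.org"):
        print(root, check_wwwroot(root) or "ok")
    print(check_split_dns("192.168.1.20", "203.0.113.10") or "split DNS ok")
```

Feed check_split_dns the address returned when the hostname is looked up from a PC on the intranet and the address returned from a machine outside the firewall.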

See also