Talk:Server clustering improvements proposal: Difference between revisions

From MoodleDocs
Latest revision as of 07:59, 11 July 2013

$CFG->sslproxy

The problem with this setting is that it requires your whole site to be HTTPS, i.e. wwwroot must begin with "https://". This doesn't allow for having only part of the site under HTTPS, as can be done with the $CFG->loginhttps feature. Moodle can be informed whether a page is HTTPS or not by checking for a header set by the SSL termination device. So, it should be an advanced configuration option to enter an HTTP header which, if present, indicates the page was accessed under HTTPS. This would allow for a mixed HTTP/HTTPS site with an SSL proxy.

  • Can you tell us more about the use case for a mixed environment like this? The more I've worked with $CFG->loginhttps, the more I've come to realise it isn't a great idea and is fraught with peril. Edge cases (some random forgot-password page) and unsecured sessions (see also Firesheep) are the major security downsides. So I'd actually like to see us move away from supporting mixed environments like this (or at least not introduce another place for it). --Dan Poltawski (talk) 00:18, 11 July 2013 (WST)
  • Mixing HTTP and HTTPS makes HTTPS useless from the security standpoint; I do not think we should encourage it. The recommended way is to switch to HTTPS completely and enable the "Secure cookies only" setting. Petr Škoda (škoďák) (talk) 15:59, 11 July 2013 (WST)
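The header-based detection proposed in the opening post has a trap that the replies hint at: a forwarded-protocol header is only meaningful if it comes from the SSL termination device, since any client that can reach the backend directly can send "X-Forwarded-Proto: https" itself and have a plain-HTTP session treated as secure. The example below is added here and is not Moodle code; the header name X-Forwarded-Proto, the trusted-proxy list and the function names are assumptions for illustration, and it assumes the proxy overwrites (rather than appends to) the header. It shows what the proposed advanced option would have to do in addition to reading the header, namely check who sent it.

```php
<?php
// Added example, not part of Moodle: decide whether a request arrived over
// HTTPS when TLS is terminated at a proxy. Header name, trusted-proxy list
// and function names are assumptions, not existing Moodle settings.

declare(strict_types=1);

/**
 * True if IPv4 address $ip lies inside the CIDR block $cidr (e.g. "10.0.0.0/8").
 * A bare address without "/bits" is treated as a /32.
 */
function ip_in_cidr(string $ip, string $cidr): bool {
    [$subnet, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipLong = ip2long($ip);
    $subnetLong = ip2long($subnet);
    if ($ipLong === false || $subnetLong === false) {
        return false;
    }
    $bits = (int)$bits;
    if ($bits <= 0) {
        return true;
    }
    // Network mask with the top $bits bits set.
    $mask = -1 << (32 - $bits);
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

/**
 * Decide whether the request is HTTPS.
 *
 * $server mirrors PHP's $_SERVER. The forwarded-protocol header is honoured
 * only when the immediate peer (REMOTE_ADDR) is one of the trusted proxies.
 * Without that check an attacker who can reach the backend directly can
 * forge the header and get a plain-HTTP session marked as secure.
 */
function request_is_https(array $server, array $trustedProxies,
                          string $header = 'HTTP_X_FORWARDED_PROTO'): bool {
    // Direct TLS to the web server: PHP sets HTTPS to "on" (or "1").
    $https = (string)($server['HTTPS'] ?? '');
    if ($https !== '' && strtolower($https) !== 'off') {
        return true;
    }

    $peer = (string)($server['REMOTE_ADDR'] ?? '');
    foreach ($trustedProxies as $cidr) {
        if (ip_in_cidr($peer, $cidr)) {
            // Assumes the proxy overwrites the header; a proxy that appends
            // to a client-supplied value would leave the client's value in it.
            $value = strtolower(trim((string)($server[$header] ?? '')));
            return $value === 'https';
        }
    }

    // Untrusted peer: ignore whatever it claims about the protocol.
    return false;
}

// Constructed requests for illustration (not captured traffic).
$trusted = ['10.0.0.0/8'];

// Request relayed by the SSL terminator on the internal network: header honoured.
$fromProxy = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_PROTO' => 'https'];

// Same header sent straight to the backend from an outside address: header ignored.
$spoofed = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_PROTO' => 'https'];

var_dump(request_is_https($fromProxy, $trusted));
var_dump(request_is_https($spoofed, $trusted));
```

Even with the peer check in place, the result only tells the application which protocol one request used; it does not make the session cookie safe on the HTTP pages, which is the point of Petr's recommendation to go fully HTTPS and enable "Secure cookies only" instead.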