Transitioning to HTTPS

Jump to: navigation, search

There are numerous benefits to running your moodle site using HTTPS. This increases the level of security especially involving sessions and passwords.


Before you start

Check all the content you use supports https. You will not be able to embed HTTP content over HTTPS. If some content is only available over HTTP, you can convert it from a direct embedding to a link.

Make sure you have a staging environment. You will want to set up HTTPS the first time on a staging environment rather than updating your live site. It will take some time to convert to https and you will need to update content (see below).

Setting up an SSL certificate

The first thing you will need to do is acquire an SSL certificate. You can create these yourself, but this is only helpful for development purposes. Instead you will want to get your SSL certificate from a certificate authority, so that the certificate will be publicly verified.

The cost of certificates has been somewhat prohibitive, they come at various costs from a few dollars to hundreds of dollars per year. For the budget constrained, the "price is right" with a new initiative brought to us by the Internet Security Research Group (ISRG). Free domain-validated certificates can be acquired from Let's Encrypt. Let's Encrypt also tries to make the process of installing and managing certificates as painless as possible and there are numerous methods and clients available.

Setting up your server

Then you will need enable SSL on your web server to add your certificate. This process will vary depending on your web server of choice.

If you are using a proxy or load balancer, depending on your setup you will most likely want to set up the SSL certificate on your proxy server

Setting up your moodle

On a basic moodle site, it will be simple to set up https. Simply edit config.php and change http:// to https:// in $CFG->wwwroot.

However if you are using a proxy or load balancer, depending on your setup you may need to set $CFG->sslproxy to 1, and not use SSL on the moodle server. Then the load balancer or proxy server can communicate directly to your moodle site, but serve to the clients over SSL.

Updating content

You will need to change all embeded content from being requested over http. Links do not matter. But you will need to update images and iframes, scorm modules, and LTI external tools. You can modify external tools to open in a new window instead of in an iframe and they will work fine.

There is plans to work on a new tool to aid in this process. See MDL-46269 on the tracker.