Note: You are currently viewing documentation for Moodle 3.11. Up-to-date documentation for the latest stable version of Moodle may be available here: HTTP security.

HTTP security: Difference between revisions

From MoodleDocs
(rewording, category edit)
No edit summary
 
(11 intermediate revisions by 4 users not shown)
Line 1: Line 1:
{{Security}}
{{Security}}
HTTPS for logins can be enabled by an administrator in ''Settings > Site administration > Security > HTTP security''.
*In Moodle 3.4 onwards, the setting 'Use HTTPS for logins' (loginhttps) has been removed.
* There is a [[HTTPS conversion tool]] for converting embedded content to HTTPS.


==Use HTTPS for logins==
==Secure cookies only==
HTTPS encrypts the user's login data, so it's difficult to sniff out a user's username and password on the network. You will need to enable HTTPS on your server before you turn on this setting, or else you will be locked out of your site. Every web server has a different method for enabling HTTPS, so you should check the documentation for your web server.
 
It is recommended to use secure cookies only when serving over [https://en.wikipedia.org/wiki/Transport_Layer_Security SSL]. When not serving over SSL, the setting is ignored. In Moodle 3.1.2 onwards, the 'Secure cookies only' default setting is on.
 
==cURL blocked hosts list==
 
This allows you to block Moodle's cURL implementation from accessing the specified hosts, wherever it is used to fetch content (such as by the URL downloader in the file picker). Generally it is recommended that as a minimum this is configured to prevent access to any internal network resources. The following is an example list of hosts which can be configured, which prevents access to various versions of "localhost", as well as an address commonly used by AWS and some other cloud providers to provide meta data about the server instance (169.254.169.254):
 
<code php>
127.0.0.1
192.168.0.0/16
10.0.0.0/8
172.16.0.0/12
0.0.0.0
localhost
169.254.169.254
0000::1
</code>
 
In future, some logical default values such as those above will be configured automatically for new Moodle sites. See MDL-56873 for more details.
 
'''Note:''' In addition to configuring this at the application level via this setting, it is also recommended that sufficient firewall/network security measures are in place, including restricting access to internal network endpoints to those users/services that require them.
 
==cURL allowed ports list==
 
This allows you to restrict Moodle's cURL implementation to only access the specified list of port numbers, wherever it is used to fetch content (such as by the URL downloader in the file picker). Generally it is recommended that this is configured to only allow standard web ports, as follows:
 
<code php>
80
443
</code>
 
In future, some logical default values such as those above will be configured automatically for new Moodle sites. See MDL-56873 for more details.
 
'''Note:''' In addition to configuring this at the application level via this setting, it is also recommended that sufficient firewall/network security measures are in place, including restricting access to open ports on the internal network to those users/services that require them.


==See also==
==See also==


*Using Moodle [http://moodle.org/mod/forum/discuss.php?d=79110 Locked out] forum discussion
* MDL-55662 for removing the secure cookies only setting


[[Category:Site administration]]
[[Category:Site administration]]


[[de:HTTP-Sicherheit]]
[[de:HTTP-Sicherheit]]
[[es:Seguridad HTTP]]

Latest revision as of 06:01, 13 April 2021

  • In Moodle 3.4 onwards, the setting 'Use HTTPS for logins' (loginhttps) has been removed.
  • There is a HTTPS conversion tool for converting embedded content to HTTPS.

Secure cookies only

It is recommended to use secure cookies only when serving over SSL. When not serving over SSL, the setting is ignored. In Moodle 3.1.2 onwards, the 'Secure cookies only' default setting is on.

cURL blocked hosts list

This allows you to block Moodle's cURL implementation from accessing the specified hosts, wherever it is used to fetch content (such as by the URL downloader in the file picker). Generally it is recommended that as a minimum this is configured to prevent access to any internal network resources. The following is an example list of hosts which can be configured, which prevents access to various versions of "localhost", as well as an address commonly used by AWS and some other cloud providers to provide meta data about the server instance (169.254.169.254):

127.0.0.1 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12 0.0.0.0 localhost 169.254.169.254 0000::1

In future, some logical default values such as those above will be configured automatically for new Moodle sites. See MDL-56873 for more details.

Note: In addition to configuring this at the application level via this setting, it is also recommended that sufficient firewall/network security measures are in place, including restricting access to internal network endpoints to those users/services that require them.

cURL allowed ports list

This allows you to restrict Moodle's cURL implementation to only access the specified list of port numbers, wherever it is used to fetch content (such as by the URL downloader in the file picker). Generally it is recommended that this is configured to only allow standard web ports, as follows:

80 443

In future, some logical default values such as those above will be configured automatically for new Moodle sites. See MDL-56873 for more details.

Note: In addition to configuring this at the application level via this setting, it is also recommended that sufficient firewall/network security measures are in place, including restricting access to open ports on the internal network to those users/services that require them.

See also

  • MDL-55662 for removing the secure cookies only setting