Masquerading: Difference between revisions

From MoodleDocs
No edit summary
Line 17: Line 17:
Also note that UK data protection laws indicate that https:// is required for all outside access to internal school servers, so make sure you do more than just enable the loginhttps setting.  
Also note that UK data protection laws indicate that https:// is required for all outside access to internal school servers, so make sure you do more than just enable the loginhttps setting.  


It is in fact possible to use http internally and https from outside in two ways.
Please do not try to use both http and https at the same time, it is clearly not supported and will break in many cases.
# Using Microsoft ISA server as your gateway, you can set it to perform http-https bridging so that all outside access is done bvia https but the webserver doesn't realise and needs no extra setup
# If the webserver faces the outside with no bridging gateway sever, you can use Apache's mod rewrite to redircet all traffic that is not from an internal IP address to https.


===First get real DNS hostname===
===First get real DNS hostname===

Revision as of 14:51, 25 February 2009

Running Moodle Behind A Masquerading Firewall

You may be running Moodle behind a Masquerading Firewall (using Network Address Translation or NAT). In this case your internal Moodle server will most likely be assigned a non-routable (private) IP address in one of the following ranges:

  • 10.0.0.0 - 10.255.255.255
  • 172.16.0.0 - 172.31.255.255
  • 192.168.0.0 - 192.168.255.255

You can not use internal ip address or internal server name in config.php if you want to access the server from Internet too. If you want to use Moodle server from Internet, use real DNS hostname in $CFG->wwwroot.

HTTPS and HTTP?

Please note that you can sometimes not use both https:// and http:// at the same time, and must choose one and use it from both sides. Remember that it is more important to use https:// inside because the potential attackers are your students and it is also much easier to eavesdrop intranet communication.

Also note that UK data protection laws indicate that https:// is required for all outside access to internal school servers, so make sure you do more than just enable the loginhttps setting.

Please do not try to use both http and https at the same time, it is clearly not supported and will break in many cases.

First get real DNS hostname

If you have static IP, your firewall might already have public DNS hostname.

If you do not have a DNS hostname, if you do not like it or if you have dynamic IP address you can use several free Dynamic DNS services to obtain DNS hostname that maps to your current IP address. See http://www.dyndns.com/ , http://www.no-ip.com , etc.

Then tweak internal DNS server

You can either tweak all PCs in your intranet by editing hosts files which can override the data returned from DNS server.

Or you can tweak your DNS server (or forwarder) to return the internal server IP instead of the public one.

Windows DNS

Assuming you already have your NAT firewall performing port forwarding to your moodle. If running Win200x Server in an AD domain, a domain controller must be running DNS. This DNS server should be configured with Forwarders to your ISP for resolving names it doesn't have in its own zones. And your Windows clients should be pointing to this DNS server. (If you're running AD and your Windows clients do not have DNS pointing to the DNS server running on your DC, that's why it's taking you 5+ minutes to logon to the domain)

To accomodate using the same URL for intranet and Internet access to your moodle, you can create a new zone with the domain your moodle is in on your DNS server. Create an A record for your moodle's internal IP address inside this zone. Since your internal clients are using this DNS server, they'll get the private IP address; and Internet clients will get your public IP address.