HTTP security: Difference between revisions

From MoodleDocs
m (Recommend against loginhttps)
m (Changed <code php> to indented <pre>)
 
(7 intermediate revisions by 5 users not shown)
Line 1: Line 1:
{{Security}}
{{Security}}
HTTPS for logins can be enabled by an administrator in ''Settings > Site administration > Security > HTTP security''.
*In Moodle 3.4 onwards, the setting 'Use HTTPS for logins' (loginhttps) has been removed.
* There is a [[HTTPS conversion tool]] for converting embedded content to HTTPS.


==Use HTTPS for logins==
==Secure cookies only==
HTTPS encrypts the user's login data, so it's difficult to sniff out a user's username and password on the network. You will need to enable HTTPS on your server before you turn on this setting, or else you will be locked out of your site. Every web server has a different method for enabling HTTPS, so you should check the documentation for your web server.


It is not recommended that you use this setting as it's not secure despite using HTTPS for logins.
It is recommended to use secure cookies only when serving over [https://en.wikipedia.org/wiki/Transport_Layer_Security SSL]. When not serving over SSL, the setting is ignored. In Moodle 3.1.2 onwards, the 'Secure cookies only' default setting is on.


You are also unable to use the SSL proxy setting at the same time
==cURL blocked hosts list==


==Secure cookies only==
This allows you to block Moodle's cURL implementation from accessing the specified hosts, wherever it is used to fetch content (such as by the URL downloader in the file picker). Generally it is recommended that as a minimum this is configured to prevent access to any internal network resources. The following is an example list of hosts which can be configured, which prevents access to various versions of "localhost", as well as an address commonly used by AWS and some other cloud providers to provide meta data about the server instance (169.254.169.254):
 
127.0.0.1
192.168.0.0/16
10.0.0.0/8
172.16.0.0/12
0.0.0.0
localhost
169.254.169.254
0000::1
 
In future, some logical default values such as those above will be configured automatically for new Moodle sites. See MDL-56873 for more details.
 
'''Note:''' In addition to configuring this at the application level via this setting, it is also recommended that sufficient firewall/network security measures are in place, including restricting access to internal network endpoints to those users/services that require them.
 
==cURL allowed ports list==
 
This allows you to restrict Moodle's cURL implementation to only access the specified list of port numbers, wherever it is used to fetch content (such as by the URL downloader in the file picker). Generally it is recommended that this is configured to only allow standard web ports, as follows:
 
80
443
 
In future, some logical default values such as those above will be configured automatically for new Moodle sites. See MDL-56873 for more details.


It is recommended to use secure cookies only when serving over SSL. When not serving over SSL, the setting is ignored. In Moodle 3.1.2 onwards, the 'Secure cookies only' default setting is on. (It is likely that the setting will be removed in 3.2 onwards - see MDL-55662.)
'''Note:''' In addition to configuring this at the application level via this setting, it is also recommended that sufficient firewall/network security measures are in place, including restricting access to open ports on the internal network to those users/services that require them.


==See also==
==See also==


Forum discussions:
* MDL-55662 for removing the secure cookies only setting
*[http://moodle.org/mod/forum/discuss.php?d=79110 Locked out]
*[https://moodle.org/mod/forum/discuss.php?d=339129 Secure Cookies]


[[Category:Site administration]]
[[Category:Site administration]]

Latest revision as of 16:06, 5 July 2022

  • In Moodle 3.4 onwards, the setting 'Use HTTPS for logins' (loginhttps) has been removed.
  • There is a HTTPS conversion tool for converting embedded content to HTTPS.

Secure cookies only

It is recommended to use secure cookies only when serving over SSL. When not serving over SSL, the setting is ignored. In Moodle 3.1.2 onwards, the 'Secure cookies only' default setting is on.

cURL blocked hosts list

This allows you to block Moodle's cURL implementation from accessing the specified hosts, wherever it is used to fetch content (such as by the URL downloader in the file picker). Generally it is recommended that as a minimum this is configured to prevent access to any internal network resources. The following is an example list of hosts which can be configured, which prevents access to various versions of "localhost", as well as an address commonly used by AWS and some other cloud providers to provide meta data about the server instance (169.254.169.254):

127.0.0.1
192.168.0.0/16
10.0.0.0/8
172.16.0.0/12
0.0.0.0
localhost
169.254.169.254
0000::1

In future, some logical default values such as those above will be configured automatically for new Moodle sites. See MDL-56873 for more details.

Note: In addition to configuring this at the application level via this setting, it is also recommended that sufficient firewall/network security measures are in place, including restricting access to internal network endpoints to those users/services that require them.

cURL allowed ports list

This allows you to restrict Moodle's cURL implementation to only access the specified list of port numbers, wherever it is used to fetch content (such as by the URL downloader in the file picker). Generally it is recommended that this is configured to only allow standard web ports, as follows:

80
443

In future, some logical default values such as those above will be configured automatically for new Moodle sites. See MDL-56873 for more details.

Note: In addition to configuring this at the application level via this setting, it is also recommended that sufficient firewall/network security measures are in place, including restricting access to open ports on the internal network to those users/services that require them.

See also

  • MDL-55662 for removing the secure cookies only setting