Tuesday 22 March 2016

Running the entire Moodle site via HTTPS

If you are concerned about security in your Moodle installation and want to avoid session hijacking, you can activate HTTPS for the whole site.

First of all, you will need to find a low-traffic time in your organization to switch the whole site to redirect to HTTPS, as logged-in users will be automatically logged out at the moment of the change.

To see your current settings, go to Administration--Site administration--Security--HTTP security



As you see in yellow in the above screenshot, under HTTP security you will find the option 'Use HTTPS for logins'. You might already have this option checked; if not, checking it will make Moodle use a secure HTTPS connection just for the login page. As the help text below the option reads:

Turning this on will make Moodle use a secure https connection just for the login page (providing a secure login), and then afterwards revert back to the normal http URL for general speed. CAUTION: this setting REQUIRES https to be specifically enabled on the web server - if it is not then YOU COULD LOCK YOURSELF OUT OF YOUR SITE.

To activate HTTPS for the whole site you do not need to play with the above options under "HTTP security" in Moodle; instead, you can follow these steps:


  1. Configure your webserver for HTTPS by listening at port 443.
  2. Run a migration script to change every mention of http URLs to https.
  3. For a professional site, you need to get your SSL certificates signed by a certification authority.

There is a post in the Moodle community where someone doing the above is finding some problems (last post here)...


Re: Moodle entirely over SSL?
Marc Couture, Saturday, September 12, 2015, 3:24 AM

I know this is an older thread, but we just switched over our production site to SSL everywhere (using Moodle 2.8.5) and are encountering various issues, including:

  - Problems with restored courses not properly modifying course IDs in some linked documents (especially those pointing to Legacy files);
  - "Connection error" messages that require users to refresh their pages (sometimes resulting in loss of data in submitted forms).

Any ideas on possible solutions?

update and run migration script to change every mention of http urls to https


Also, in the same thread, I found 2 other helpful posts dealing with that task...

1.
Re: Moodle entirely over SSL?
Visvanath Ratnaweera, Tuesday, November 17, 2015, 5:44 AM

The CPU overhead is passé. The tune today is HTTPS everywhere!
So the decision is between HTTP and "entirely over SSL". If you go for the latter no need to play with the "Use HTTPS for logins" option, rather you configure your webserver for HTTPS by listening at port 443. Additionally you may want to redirect HTTP to HTTPS.
For a professional site, you need to get your SSL certificates signed by a certification authority.

2.
Dan Marsden, Tuesday, November 17, 2015, 6:17 AM

You will need to modify your config.php to use "https:" in the wwwroot instead of "http:"
As Visvanath mentions - the overhead caused by running full-time ssl is very minimal - and in most cases you won't notice a difference - just make sure you have tuned your server well and read the usual performance recommendations (https://docs.moodle.org/30/en/Performance_recommendations)

Apart from taking the above posts into consideration, it would be good to run a performance test on the site before and after switching to HTTPS, so you can see the performance impact on the site.

You might want to do a test in a Moodle installation with few or no users before going ahead on your production site.
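
Step 2 above (changing every stored http URL to https) should only touch links to your own site. The following is an added illustration of that rule, not Moodle's migration script and not code from the posts quoted here; the host name moodle.example.org, the function names and the sample rows are assumptions constructed for the example.

```python
import re

SITE_HOST = "moodle.example.org"  # assumption: placeholder for your wwwroot host

# http://<host>, optionally with the default port :80, but only when the host
# ends there, so "moodle.example.org.other.test" or ":8080" are not touched.
OWN_URL = re.compile(
    r"http://" + re.escape(SITE_HOST) + r"(?::80)?(?=[/?#\"'\s<>)]|$)",
    re.IGNORECASE,
)
ANY_HTTP = re.compile(r"http://[^\s\"'<>)]+", re.IGNORECASE)


def upgrade_links(text):
    """Return (new_text, rewritten_count, leftover_http_urls)."""
    new_text, count = OWN_URL.subn("https://" + SITE_HOST, text)
    # Anything still on http:// is external or ambiguous: list it for review.
    leftovers = ANY_HTTP.findall(new_text)
    return new_text, count, leftovers


def migrate(rows):
    """Apply upgrade_links to {row_id: html}; report instead of guessing."""
    migrated, report = {}, {}
    for row_id, html in rows.items():
        new_html, count, leftovers = upgrade_links(html)
        migrated[row_id] = new_html
        report[row_id] = {"rewritten": count, "left_for_review": leftovers}
    return migrated, report


# Constructed sample content, standing in for text fields in the database.
SAMPLE_ROWS = {
    "label_1": '<a href="http://moodle.example.org/mod/page/view.php?id=7">Notes</a>',
    "label_2": '<img src="http://MOODLE.example.org:80/pluginfile.php/12/pic.png">',
    "label_3": '<a href="http://moodle.example.org.other.test/login">Log in</a>',
    "label_4": "Old mirror: http://moodle.example.org:8080/ and http://example.com/a",
}

if __name__ == "__main__":
    migrated, report = migrate(SAMPLE_ROWS)
    for row_id in SAMPLE_ROWS:
        print(row_id, report[row_id], migrated[row_id], sep="\n  ")
```

The "left_for_review" list is what to check by hand after the switch: those links were deliberately not rewritten.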
