Moodle with SSL behind Varnish
Ok, after a whole morning working on my moodle server, I finally made it work with SSL while standing behind a Varnish cache server. Things are just as simple as the following steps:
A. Moodle Server Configuration:
1. Moodle's config.php: tell moodle to acknowledge the ssl proxy (the varnish) and provide users access via SSL link
...
$CFG->wwwroot = 'https://mymoodle.com';
$CFG->sslproxy = true;
...
2. Nginx's configuration: one important thing here is that we still have to config the nginx to serve moodle at port 80 (without ssl) despite the moodle's configuration
server {
listen 80;
root /var/www/moodle;
index index.php index.html index.htm;
server_name mymoodle.com;
access_log /var/log/nginx/moodle-access.log;
error_log /var/log/nginx/moodle-error.log;
location / {
try_files $uri $uri/ =404;
}
B. Varnish Server Configuration
1. Varnish's configuration (/etc/varnish/default.vcl):
backend mymoodle {
.host = "<moodle server's ip address>";
.port = "80";
.connect_timeout = 30s;
.between_bytes_timeout = 15s;
.first_byte_timeout = 300s;
}
sub vcl_recv {
if (req.http.X-Forwarded-Proto == "https" ) {
set req.http.X-Forwarded-Port = "443";
} else {
set req.http.X-Forwarded-Port = "80";
set req.http.X-Forwarded-Proto = "http";
}
if (req.http.host ~ "^(www.)?mymoodle.com$") {
set req.http.host = "mymoodle.com";
set req.backend = mymoodle;
}
...
}
2. nginx's configuration: because Varnish doesn't work with SSL (normally) we have to tell nginx to translate any https request to http (or SSL termination)
server {
ssl on;
ssl_certificate /etc/nginx/mycert.crt;
ssl_certificate_key /etc/nginx/mycert.key;
listen 443 default ssl;
access_log /var/log/nginx/secure_server_access.log;
error_log /var/log/nginx/secure_server_error.log;
# Proxy any requests to the local varnish instance
location / {
proxy_set_header "X-Forwarded-For" $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_redirect http:// https://;
proxy_set_header X-Real-IP 127.0.0.1;
proxy_set_header X-Forwarded-Proto https;
proxy_pass http://127.0.0.1:80;
proxy_connect_timeout 5s;
proxy_read_timeout 300s;
}
}
This way, only the connections between the users and varnish server are encrypted, everything else (like between Varnish and Moodle server) is normal.
After everything is setup, I can access my moodle server at: https://mymoodle.com or http://mymoodle.com (then when I click the login screen, I will be redirected to https://newmoodle.ssis.edu.vn/login/index.php).
Pretty neat huh?! \m/\m/\m/
A. Moodle Server Configuration:
1. Moodle's config.php: tell moodle to acknowledge the ssl proxy (the varnish) and provide users access via SSL link
...
$CFG->wwwroot = 'https://mymoodle.com';
$CFG->sslproxy = true;
...
2. Nginx's configuration: one important thing here is that we still have to config the nginx to serve moodle at port 80 (without ssl) despite the moodle's configuration
server {
listen 80;
root /var/www/moodle;
index index.php index.html index.htm;
server_name mymoodle.com;
access_log /var/log/nginx/moodle-access.log;
error_log /var/log/nginx/moodle-error.log;
location / {
try_files $uri $uri/ =404;
}
location ~ [^/]\.php(/|$) {
# NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_index index.php;
fastcgi_pass unix:/var/run/php5-fpm.sock;
include fastcgi_params;
if (!-e $request_filename) {
rewrite ^(.*\.php)(/)(.*)$ $1?file=/$3 last;
}
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
}
B. Varnish Server Configuration
1. Varnish's configuration (/etc/varnish/default.vcl):
backend mymoodle {
.host = "<moodle server's ip address>";
.port = "80";
.connect_timeout = 30s;
.between_bytes_timeout = 15s;
.first_byte_timeout = 300s;
}
sub vcl_recv {
if (req.http.X-Forwarded-Proto == "https" ) {
set req.http.X-Forwarded-Port = "443";
} else {
set req.http.X-Forwarded-Port = "80";
set req.http.X-Forwarded-Proto = "http";
}
set req.http.host = "mymoodle.com";
set req.backend = mymoodle;
}
...
}
2. nginx's configuration: because Varnish doesn't work with SSL (normally) we have to tell nginx to translate any https request to http (or SSL termination)
server {
ssl on;
ssl_certificate /etc/nginx/mycert.crt;
ssl_certificate_key /etc/nginx/mycert.key;
listen 443 default ssl;
access_log /var/log/nginx/secure_server_access.log;
error_log /var/log/nginx/secure_server_error.log;
# Proxy any requests to the local varnish instance
location / {
proxy_set_header "X-Forwarded-For" $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_redirect http:// https://;
proxy_set_header X-Real-IP 127.0.0.1;
proxy_set_header X-Forwarded-Proto https;
proxy_pass http://127.0.0.1:80;
proxy_connect_timeout 5s;
proxy_read_timeout 300s;
}
}
This way, only the connections between the users and varnish server are encrypted, everything else (like between Varnish and Moodle server) is normal.
After everything is setup, I can access my moodle server at: https://mymoodle.com or http://mymoodle.com (then when I click the login screen, I will be redirected to https://newmoodle.ssis.edu.vn/login/index.php).
Pretty neat huh?! \m/\m/\m/