Moodle

Cannot exclude domains or IP ranges from HTTP Proxy

Details

  • Type: Improvement Improvement
  • Status: Closed Closed
  • Priority: Minor Minor
  • Resolution: Fixed
  • Affects Version/s: 1.9, 2.0
  • Fix Version/s: 2.0
  • Component/s: Administration
  • Labels:
    None
  • Affected Branches:
    MOODLE_19_STABLE, MOODLE_20_STABLE
  • Fixed Branches:
    MOODLE_20_STABLE

Description

It would be really useful to be able to exclude ranges of IP addresses and/or domain suffixes from the proxy where a proxy has been set up. It's quite likely that you might want to access sites outside your organisation (needing a proxy) but also to access sites within (not needing the proxy). This would increase performance and reliability.

It would probably just look the same as the similar option in browsers. A small library function could check for proxy use based on the required URL and a match against the values in the list.

Issue Links

This issue blocks:
MDL-14624 mnet can't setup a peer when a proxy is in use. Major Reopened

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Eloy Lafuente (stronk7) added a comment -

Good idea. Assigning this to Petr... thanks!

Show
Eloy Lafuente (stronk7) added a comment - Good idea. Assigning this to Petr... thanks!
Hide
Permalink
Petr Škoda (skodak) added a comment -

sorry, I do not understand this part "from the proxy where a proxy has been set up".
Are you talking about Moodle server behind a proxy? Or people accessing internet server from behind a proxy?

Also I do not understand why any restrictions of this kind would be "really useful"? Do you mean secure?

I always thought that firewalls with DMZs are easier to set up and more secure.

Show
Petr Škoda (skodak) added a comment - sorry, I do not understand this part "from the proxy where a proxy has been set up". Are you talking about Moodle server behind a proxy? Or people accessing internet server from behind a proxy? Also I do not understand why any restrictions of this kind would be "really useful"? Do you mean secure? I always thought that firewalls with DMZs are easier to set up and more secure.
Hide
Permalink
Eloy Lafuente (stronk7) added a comment -

I guess Howard is talking about Moodle (the program) accessing to information stored in other computers (could be other mnet hosts, or webservices or filelib... ) any piece of code currently supporting $CFG->proxyhost.

The key is that not all those outgoing connections must be performed using the proxy (other intranet hosts, for example, need to be accessed without the proxy), and that's what Howard is proposing, if I'm not wrong.

Ciao

Show
Eloy Lafuente (stronk7) added a comment - I guess Howard is talking about Moodle (the program) accessing to information stored in other computers (could be other mnet hosts, or webservices or filelib... ) any piece of code currently supporting $CFG->proxyhost. The key is that not all those outgoing connections must be performed using the proxy (other intranet hosts, for example, need to be accessed without the proxy), and that's what Howard is proposing, if I'm not wrong. Ciao
Hide
Permalink
Howard Miller added a comment -

Yes, Eloy is spot on - sorry if I wasn't clear.

Without being able to make exceptions every HTTP call that Moodle makes out will have to go through the proxy.

PS. Happy to produce some code for this for review. Of course, it means hooks all over the place.

Show
Howard Miller added a comment - Yes, Eloy is spot on - sorry if I wasn't clear. Without being able to make exceptions every HTTP call that Moodle makes out will have to go through the proxy. PS. Happy to produce some code for this for review. Of course, it means hooks all over the place.
Hide
Permalink
Petr Škoda (skodak) added a comment -

Oh I see, now that mnet peers always go through proxy MDL-14624 it is a regression for people that have peers in one net behind the proxy
It might be better to revert MDL-14624 now in STABLE and work on this more in head.

Show
Petr Škoda (skodak) added a comment - Oh I see, now that mnet peers always go through proxy MDL-14624 it is a regression for people that have peers in one net behind the proxy It might be better to revert MDL-14624 now in STABLE and work on this more in head.
Hide
Permalink
Howard Miller added a comment -

Yes - that was my worry too with MDL-14624. I think I agree - I'll back that out of stable, and fix the whole thing properly in HEAD.

Show
Howard Miller added a comment - Yes - that was my worry too with MDL-14624. I think I agree - I'll back that out of stable, and fix the whole thing properly in HEAD.
Hide
Permalink
Howard Miller added a comment -

Changes added to HEAD. AFAIK, this only seems to effect lib/filelib.php and mnet/lib.php. I couldn't see anything else that did outgoing HTTP requests. If anybody knows different, please let me know and I'll add them.

Show
Howard Miller added a comment - Changes added to HEAD. AFAIK, this only seems to effect lib/filelib.php and mnet/lib.php. I couldn't see anything else that did outgoing HTTP requests. If anybody knows different, please let me know and I'll add them.
Hide
Permalink
Howard Miller added a comment -

This functionality is now in HEAD. Please reopen if I missed anything.

Show
Howard Miller added a comment - This functionality is now in HEAD. Please reopen if I missed anything.

People

Vote (0)
Watch (2)

Dates

  • Created:
    Updated:
    Resolved:
Atlassian JIRA (v4.4.3#663-r165197) | Report a problem
Powered by a free Atlassian JIRA open source license for Moodle. Try JIRA - bug tracking software for your team.