  1. Moodle
  2. MDL-69205

Adding a new Check - test https and directory slash redirects

Details

    • MOODLE_310_STABLE
    • MDL-69205-redirect-checks

      1) Set up your web server to correctly redirect directory links without a trailing slash to the same link with a slash. Most web servers do this out of the box.

      2) Confirm this manually by visiting /mod and checking that it redirects to /mod/

      3) Visit /report/security/index.php?detail=core_publicpaths

      4) Confirm the 'directory-without-slash' test is green / ok

      5) Disable this, e.g. in Apache add DirectorySlash Off to your /etc/apache2/apache2.conf

      <Directory /var/www/>
       DirectorySlash Off
       Options FollowSymLinks
       AllowOverride None
       Require all granted
      </Directory>

      6) Reload and confirm the 'directory-without-slash' test is red / error

      7) You will need a site set up on https. Confirm that visiting the http version of the site redirects you to the https version

      8) Reload the report and confirm 'http-redirect' is green / ok

      9) Disable the http redirect at the web server level and confirm manually it is no longer redirecting

      e.g. in the apache2 virtual hosts file on Ubuntu, located at: /etc/apache2/sites-available/000-default.conf

      <VirtualHost moodle.local:80>
       #Redirect "/" "https://moodle.local/"
       ErrorDocument 403 /var/www/moodle/error/index.php
       DocumentRoot /var/www/moodle
      </VirtualHost>

      10) Reload the report and confirm 'http-redirect' is red / error


    Description

      https://docs.moodle.org/dev/Check_API

      We want to put some new checks in core Moodle to assert that the URL is being rewritten properly. Different server configurations and PHP-level code can affect this, and when it is incorrect it can prevent files from loading or result in 404 errors.

      All of this ONLY applies on https

      Do some low-level curl requests and assert:

      • /my on http redirects to /my on https, OR /my/ on https
      • /my/ on http redirects to /my/ on https OR to the /login on https, but NOT /login on http
      • /dontexist on http redirects to /dontexist on https
      • /pluginfile/xxxxx/.js should not redirect to end in a slash

      If the site is not https (why???) then assert these instead:

      • /my -> /my/
      • /dontexist -> 404
      • /pluginfile/xxxxx/.js should not redirect to end in a slash
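
The assertions listed above, written as a checker over responses fetched without following redirects (for instance the status and Location header from a header-only curl request). This is an added example, not code from the Moodle patch; the function names, the constructed sample responses, and the reading of "/login" as a path prefix are assumptions.

```python
from urllib.parse import urlsplit

# Allowed redirect targets per probe path, taken from the issue description.
# A trailing "*" marks a prefix match (assumption: "/login" means any login URL).
HTTPS_RULES = {"/my": ("/my", "/my/"), "/my/": ("/my/", "/login*"),
               "/dontexist": ("/dontexist",)}
PLAIN_RULES = {"/my": ("/my/",)}  # rules for a site served over plain http only


def _matches(path, allowed):
    return any(path.startswith(a[:-1]) if a.endswith("*") else path == a
               for a in allowed)


def evaluate(probe, status, location, site_is_https=True):
    """Judge one response to an http request for `probe`, fetched WITHOUT
    following redirects. `location` is the Location header value or None.
    Returns (ok, reason)."""
    redirected = 300 <= status < 400 and bool(location)
    target = urlsplit(location) if redirected else None
    if probe.startswith("/pluginfile/"):
        if redirected and target.path.endswith("/"):
            return False, "file URL redirected to a trailing slash"
        return True, "no trailing-slash redirect"
    if not site_is_https:
        if probe == "/dontexist":
            return status == 404, f"expected 404, got {status}"
        if not redirected:
            return False, f"expected a redirect, got {status}"
        ok = _matches(target.path, PLAIN_RULES.get(probe, (probe,)))
        return ok, f"redirected to {target.path}"
    if not redirected:
        return False, f"expected a redirect to https, got {status}"
    if target.scheme != "https":  # relative or http:// Location stays on http
        return False, f"redirect stays on {target.scheme or 'http'}: {location}"
    ok = _matches(target.path, HTTPS_RULES.get(probe, (probe,)))
    return ok, f"redirected to https path {target.path}"


# Constructed sample responses; moodle.local is the host used in the test steps.
SAMPLES = [
    ("/my", 301, "https://moodle.local/my/"),
    ("/my/", 303, "http://moodle.local/login/index.php"),
    ("/dontexist", 301, "https://moodle.local/dontexist"),
    ("/pluginfile/xxxxx/.js", 301, "https://moodle.local/pluginfile/xxxxx/.js/"),
]

if __name__ == "__main__":
    for probe, status, location in SAMPLES:
        print(probe, evaluate(probe, status, location))
```

The second and fourth samples fail: a login redirect that stays on http, and a file URL that gains a trailing slash.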

            People

              brendanheywood Brendan Heywood
              kristianr Kristian Ringer