Moodle / MDL-69205

Adding a new Check - test https and directory slash redirects


    Details

    • Testing Instructions:
      1. Set up a Moodle site served over https
      2. Clone this patch and go to https://moodle.local/report/security/index.php?detail=core_httpwebserver

      There are 6 checks that happen on this page. I've outlined below how to fix/make each of them fail.

      For each check outlined below:

      1. Change your apache/nginx config
      2. Restart the web server to load in the new config
      3. Refresh the check page and check the resulting table. Any errors should show a red background in the results column. Passing tests will have a normal background.
      4. For each failing test, make sure the HTTP code returned does NOT match the expected HTTP code, and that the resulting URL does NOT match the expected URL.
      5. If the test passes, check that the HTTP code and URL do match the expected ones.

      urlthatdoesnotexist
      I don't know how to make this one fail; on http an invalid URL is always giving me a 404. Maybe this test should be removed.

      dashboardnoslash
      To make this fail, add DirectorySlash Off to the <Directory /var/www/> block in /etc/apache2/apache2.conf:

      <Directory /var/www/>
       DirectorySlash Off
       Options FollowSymLinks
       AllowOverride None
       Require all granted
      </Directory>

      directorylisting
      To make this fail, add the Indexes option to the <Directory> block for the directory where your Moodle is, e.g. open the file /etc/apache2/apache2.conf and change

      <Directory /var/www/>
       Options FollowSymLinks
       AllowOverride None
       Require all granted
      </Directory>

      to

      <Directory /var/www/>
       Options Indexes FollowSymLinks
       AllowOverride None
       Require all granted
      </Directory>

      httpdashboardnoslash & httpurlnoredirect & httpurlthatdoesnotexist
      Comment out the redirect in the Apache virtual host file (on Ubuntu this is /etc/apache2/sites-available/000-default.conf):

      <VirtualHost moodle.local:80>
       #Redirect "/" "https://moodle.local/"
       ErrorDocument 403 /var/www/moodle/error/index.php
       DocumentRoot /var/www/moodle
      </VirtualHost>

      These http -> https tests could also be done by disabling the rewrite module, if that is what is doing the rewrites:

       sudo a2dismod rewrite

      For a correctly configured moodle site and server, we should see the check return OK.

    • Affected Branches:
      MOODLE_310_STABLE
      Description

      https://docs.moodle.org/dev/Check_API

      We want to put some new checks into core Moodle to assert that URLs are being rewritten properly. Different server configurations and PHP-level code can affect this, and when it is incorrect it can prevent files from loading or result in 404 errors.

      All of this ONLY applies on https

      Do some low-level curls and assert:

      • /my on http redirects to /my on https, OR /my/ on https
      • /my/ on http redirects to /my/ on https, OR to /login on https, but NOT to /login on http
      • /dontexist on http redirects to /dontexist on https
      • /pluginfile/xxxxx/.js should not redirect to end in a slash

      If the site is not https (why???) then assert these instead:

      • /my -> /my/
      • /dontexist -> 404
      • /pluginfile/xxxxx/.js should not redirect to end in a slash
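The rules above, turned into runnable check logic. This is an added example, not Moodle's core_httpwebserver check or any of its code: the check names are the example's own, `moodle.local` is the host from the testing instructions, and `/pluginfile.php/xxxxx/example.js` is a constructed placeholder for the "/pluginfile/xxxxx/.js" asset. `evaluate()` works on responses captured with redirect-following disabled, so the offline demo runs against constructed responses; `probe()` shows the same logic wired to a live server.

```python
"""Evaluate the MDL-69205 redirect rules against responses captured with
redirects disabled. Added example; not Moodle's own check implementation."""
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed placeholder for the "/pluginfile/xxxxx/.js" asset in the description.
ASSET_PATH = "/pluginfile.php/xxxxx/example.js"


@dataclass(frozen=True)
class Response:
    """What one request returns when redirects are NOT followed."""
    status: int
    location: Optional[str] = None  # raw Location header, if present


@dataclass(frozen=True)
class Result:
    name: str
    ok: bool
    detail: str


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url: str, timeout: float = 5.0) -> Response:
    """Live probe (network required; the offline demo below never calls it)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return Response(resp.status, resp.headers.get("Location"))
    except urllib.error.HTTPError as err:  # 3xx and 4xx both land here
        return Response(err.code, err.headers.get("Location"))


def _is_redirect_to(resp: Response, host: str, scheme: str, paths) -> bool:
    """True when resp redirects to scheme://host/<one of paths>."""
    if resp.status not in REDIRECT_CODES or not resp.location:
        return False
    loc = urlsplit(resp.location)
    return loc.scheme == scheme and loc.netloc == host and loc.path in paths


def _redirects_to_slash(resp: Response) -> bool:
    """The asset failure mode: a redirect that appends a trailing slash."""
    return (resp.status in REDIRECT_CODES and bool(resp.location)
            and urlsplit(resp.location).path.endswith("/"))


def evaluate(host: str, https_site: bool,
             responses: Dict[Tuple[str, str], Response]) -> List[Result]:
    """Apply the description's rules. `responses` maps (scheme, path) -> Response."""
    results: List[Result] = []

    def add(name: str, ok: bool, resp: Response) -> None:
        results.append(Result(name, ok, f"HTTP {resp.status} Location={resp.location!r}"))

    if https_site:
        r = responses[("http", "/my")]
        add("my_http_to_https", _is_redirect_to(r, host, "https", {"/my", "/my/"}), r)

        r = responses[("http", "/my/")]  # /my/ on https or /login on https, never /login on http
        loc = urlsplit(r.location or "")
        ok = (r.status in REDIRECT_CODES and loc.scheme == "https" and loc.netloc == host
              and (loc.path == "/my/" or loc.path.startswith("/login")))
        add("myslash_http_to_https", ok, r)

        r = responses[("http", "/dontexist")]
        add("dontexist_http_to_https", _is_redirect_to(r, host, "https", {"/dontexist"}), r)

        r = responses[("https", ASSET_PATH)]
    else:
        r = responses[("http", "/my")]
        add("my_to_myslash", _is_redirect_to(r, host, "http", {"/my/"}), r)

        r = responses[("http", "/dontexist")]
        add("dontexist_404", r.status == 404, r)

        r = responses[("http", ASSET_PATH)]
    add("asset_no_slash_redirect", not _redirects_to_slash(r), r)
    return results


def probe(host: str, https_site: bool) -> List[Result]:
    """Live version of evaluate() against a real server."""
    schemes = ("http", "https") if https_site else ("http",)
    paths = ["/my", "/my/", "/dontexist", ASSET_PATH]
    responses = {(s, p): fetch(f"{s}://{host}{p}") for s in schemes for p in paths}
    return evaluate(host, https_site, responses)


# Constructed responses for a correctly configured https server ...
GOOD_HTTPS = {
    ("http", "/my"): Response(301, "https://moodle.local/my"),
    ("http", "/my/"): Response(301, "https://moodle.local/my/"),
    ("http", "/dontexist"): Response(301, "https://moodle.local/dontexist"),
    ("https", ASSET_PATH): Response(200),
}
# ... and one whose dashboard lands on a plain-http login page (the "NOT /login on http" case).
BAD_HTTPS = {**GOOD_HTTPS, ("http", "/my/"): Response(302, "http://moodle.local/login/index.php")}

if __name__ == "__main__":
    for r in evaluate("moodle.local", True, BAD_HTTPS):
        print("OK  " if r.ok else "FAIL", r.name, r.detail)
```

Running the block prints one line per rule for the constructed BAD_HTTPS server, with only the `/my/` rule failing; swap in `probe("moodle.local", True)` to run the same rules against a real install.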

            People

            Assignee:
            kristianr Kristian Ringer
            Reporter:
            kristianr Kristian Ringer
            Peer reviewer:
            Brendan Heywood
            Integrator:
            Andrew Nicols
            Component watchers:
            Andrew Nicols, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze