  1. Moodle
  2. MDL-69205

Adding a new Check - test https and directory slash redirects

    • MOODLE_310_STABLE
    • MDL-69205-redirect-checks

      1) Set up your web server to correctly redirect directory links without a slash to a slash. Most web servers do this out of the box.

      2) Confirm this manually by visiting /mod and see if it redirects to /mod/

      3) Visit /report/security/index.php?detail=core_publicpaths

      4) Confirm the 'directory-without-slash' test is green / ok

      5) Disable this, e.g. in Apache add DirectorySlash Off to your /etc/apache2/apache2.conf

      <Directory /var/www/>
       DirectorySlash Off
       Options FollowSymLinks
       AllowOverride None
       Require all granted
      </Directory>

      6) Reload and confirm the 'directory-without-slash' test is red / error

      7) You will need a site set up on https; confirm that visiting the http version of the site will redirect you to the https version

      8) Reload the report and confirm 'http-redirect' is green / ok

      9) Disable the http redirect at the web server level and confirm manually it is no longer redirecting

      e.g. in the apache2 virtual hosts file on Ubuntu, located at: /etc/apache2/sites-available/000-default.conf

      <VirtualHost moodle.local:80>
       #Redirect "/" "https://moodle.local/"
       ErrorDocument 403 /var/www/moodle/error/index.php
       DocumentRoot /var/www/moodle
      </VirtualHost>

      10) Reload the report and confirm 'http-redirect' is red / error


      https://docs.moodle.org/dev/Check_API

      We want to put some new checks in core Moodle to assert that the URL is being rewritten properly. There are different server configurations and PHP-level code that can affect this, and when it's incorrect it can prevent files from loading or result in 404 errors.

      All of this ONLY applies on https

      Do some low level curls and assert:

      • /my on http redirects to /my on https, OR /my/ on https
      • /my/ on http redirects to /my/ on https OR to the /login on https, but NOT /login on http
      • /dontexist on http redirects to /dontexist on https
      • /pluginfile/xxxxx/.js should not redirect to end in a slash

      If the site is not https (why???) then assert these instead:

      • /my -> /my/
      • /dontexist -> 404
      • /pluginfile/xxxxx/.js should not redirect to end in a slash
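
The two assertion lists above, written as an offline evaluator over already-captured responses (for instance from `curl -sI`). This is an added example, not part of the issue and not Moodle's check code; the function names, the set of redirect status codes and the prefix match on /login are assumptions, and the sample responses are constructed.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}  # assumption: any of these counts as a redirect
# Allowed https target paths for each probed http path, taken from the issue's list.
HTTPS_TARGETS = {"/my": ("/my", "/my/"), "/my/": ("/my/", "/login"),
                 "/dontexist": ("/dontexist",)}

def evaluate(url, status, location, site_is_https):
    """Judge one observed response to a plain-http probe; returns (ok, reason)."""
    path = urlsplit(url).path
    target = None
    if status in REDIRECT_CODES and location:
        target = urlsplit(urljoin(url, location))  # Location may be relative

    # File-serving URLs must never be rewritten to end in a slash (both modes).
    if path.startswith("/pluginfile/"):
        bad = target is not None and target.path.endswith("/")
        return (not bad, "file URL redirected to a trailing slash" if bad else "ok")

    if not site_is_https:
        if path == "/dontexist":
            return (status == 404, "ok" if status == 404 else f"expected 404, got {status}")
        ok = target is not None and target.path == path.rstrip("/") + "/"
        return (ok, "ok" if ok else "no redirect to the slash form")

    if target is None:
        return (False, "http request was not redirected")
    if target.scheme != "https":  # also catches /login served over http
        return (False, f"redirect target is not https: {target.geturl()}")
    allowed = HTTPS_TARGETS.get(path, (path,))
    ok = any(target.path == a or (a == "/login" and target.path.startswith("/login"))
             for a in allowed)
    return (ok, "ok" if ok else f"unexpected target path {target.path}")

def failures(samples):
    """Return (url, reason) for every sample that breaks a rule."""
    results = [(s[0], evaluate(*s)) for s in samples]
    return [(url, reason) for url, (ok, reason) in results if not ok]

# Constructed observations: (probed url, status, Location header, site_is_https)
SAMPLES = [
    ("http://moodle.local/my", 301, "https://moodle.local/my/", True),
    ("http://moodle.local/my/", 303, "http://moodle.local/login/index.php", True),
    ("http://moodle.local/dontexist", 404, None, True),
    ("http://moodle.local/pluginfile/xxxxx/.js", 301,
     "https://moodle.local/pluginfile/xxxxx/.js", True),
]
```
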

            brendanheywood Brendan Heywood
            kristianr Kristian Ringer