Hosting Moodle behind Apache2 ReverseProxy (from Gemini)
Hosting Moodle behind an Apache2 reverse proxy is a common and recommended practice for several reasons, including enhanced security (SSL termination), improved performance (caching), and better organization of your web services. Here's a comprehensive guide on how to set this up:
Assumptions:
You have a working Moodle installation on a server (let's call it moodle_server with IP 192.168.1.100 and running on port 80 or 443 internally).
You have an Apache2 web server installed and running on a separate server (let's call it proxy_server with IP your_public_ip) that will act as the reverse proxy.
You have a domain name (e.g., moodle.example.com) pointing to the public IP address of your proxy_server.
You have mod_proxy, mod_proxy_http, and mod_ssl (if you're using HTTPS) enabled on your proxy_server. You can enable them using sudo a2enmod proxy proxy_http ssl.
Steps on the Proxy Server (Apache2):
Create a Virtual Host Configuration:
Create a new virtual host configuration file for your Moodle site on the proxy_server. You can usually find the Apache configuration directory in /etc/apache2/sites-available/. Create a file named something like moodle.example.com.conf.
Configure the Virtual Host (HTTP):
If your internal Moodle instance is running on HTTP (port 80), your virtual host configuration might look like this:
Apache
<VirtualHost *:80>
    ServerName moodle.example.com
    ServerAdmin webmaster@example.com

    ProxyRequests Off
    ProxyPreserveHost On

    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    ProxyPass / http://192.168.1.100/
    ProxyPassReverse / http://192.168.1.100/

    ErrorLog ${APACHE_LOG_DIR}/moodle.example.com-error.log
    CustomLog ${APACHE_LOG_DIR}/moodle.example.com-access.log combined
</VirtualHost>
ServerName moodle.example.com: Your domain name.
ProxyRequests Off: Disables the forward proxy functionality.
ProxyPreserveHost On: Passes the original Host header to the backend Moodle server. This is important for Moodle to generate correct URLs.
<Proxy *>: Defines access control for the proxy. Allow from all allows all clients to access the proxied site.
ProxyPass / http://192.168.1.100/: Directs all requests to the root (/) of moodle.example.com to the root of the Moodle server at http://192.168.1.100/.
ProxyPassReverse / http://192.168.1.100/: Modifies the HTTP response headers from the backend Moodle server to ensure redirects and URLs generated by Moodle use the correct public domain (moodle.example.com).
Configure the Virtual Host (HTTPS):
If you want to serve Moodle over HTTPS (recommended), you'll need to enable SSL on your proxy_server.
Apache
<VirtualHost *:443>
    ServerName moodle.example.com
    ServerAdmin webmaster@example.com

    SSLEngine on
    SSLCertificateFile /path/to/your/ssl/certificate.crt
    SSLCertificateKeyFile /path/to/your/ssl/private.key
    # Optional: intermediate certificate chain
    SSLCertificateChainFile /path/to/your/ssl/intermediate.crt

    ProxyRequests Off
    ProxyPreserveHost On

    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    ProxyPass / http://192.168.1.100/
    ProxyPassReverse / http://192.168.1.100/

    ErrorLog ${APACHE_LOG_DIR}/moodle.example.com-ssl-error.log
    CustomLog ${APACHE_LOG_DIR}/moodle.example.com-ssl-access.log combined
</VirtualHost>

<VirtualHost *:80>
    ServerName moodle.example.com
    Redirect permanent / https://moodle.example.com/
</VirtualHost>
SSLEngine on: Enables SSL for this virtual host.
SSLCertificateFile, SSLCertificateKeyFile, SSLCertificateChainFile: Paths to your SSL certificate files. You'll need to obtain an SSL certificate (e.g., from Let's Encrypt or a commercial CA).
The rest of the ProxyPass and ProxyPassReverse directives remain the same (pointing to the internal HTTP address of Moodle if that's how it's configured internally).
The second VirtualHost block redirects all HTTP traffic to the HTTPS version.
Enable the Virtual Host:
Enable the newly created virtual host configuration:
Bash
sudo a2ensite moodle.example.com.conf
Disable the Default Site (Optional):
If you don't need the default Apache site, you can disable it:
Bash
sudo a2dissite 000-default.conf
Apply the Configuration:
Restart or reload the Apache2 service to apply the changes:
Bash
sudo systemctl restart apache2
# or
sudo systemctl reload apache2
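The directives explained above can be checked mechanically before a reload. The following Python audit is an added example, not part of the original guide; its checks are this example's own heuristics, and the sample is constructed from this page's HTTPS virtual host with ProxyRequests deliberately flipped to On.

```python
import re

# Constructed sample: this page's HTTPS setup with one deliberate mistake.
SAMPLE = """\
<VirtualHost *:443>
    ServerName moodle.example.com
    ProxyRequests On
    ProxyPreserveHost On
    ProxyPass / http://192.168.1.100/
    ProxyPassReverse / http://192.168.1.100/
</VirtualHost>
<VirtualHost *:80>
    ServerName moodle.example.com
    Redirect permanent / https://moodle.example.com/
</VirtualHost>
"""

def parse_vhosts(text):
    """Return [(port, [(directive, args), ...])] for each <VirtualHost> block."""
    vhosts = []
    pattern = r"<VirtualHost\s+[^:>]*:(\d+)>(.*?)</VirtualHost>"
    for m in re.finditer(pattern, text, re.S | re.I):
        directives = []
        for line in m.group(2).splitlines():
            line = line.strip()
            if line and not line.startswith(("#", "<")):
                name, *rest = line.split(None, 1)
                directives.append((name.lower(), rest[0] if rest else ""))
        vhosts.append((int(m.group(1)), directives))
    return vhosts

def audit(text):
    findings = []
    for port, directives in parse_vhosts(text):
        get = lambda name: [a for n, a in directives if n == name]
        # Compare only "<path> <backend-url>", ignoring extra ProxyPass parameters.
        passes = [a.split()[:2] for a in get("proxypass")]
        reverses = [a.split()[:2] for a in get("proxypassreverse")]
        if any(a.lower() == "on" for a in get("proxyrequests")):
            findings.append((port, "ProxyRequests On: vhost also acts as a forward proxy"))
        if passes and not any(a.lower() == "on" for a in get("proxypreservehost")):
            findings.append((port, "ProxyPreserveHost not On: backend sees its own address as Host"))
        for target in passes:
            if target not in reverses:
                findings.append((port, "ProxyPass %s has no matching ProxyPassReverse" % " ".join(target)))
        if port == 80 and passes and not get("redirect"):
            findings.append((port, "port 80 proxies content instead of redirecting to HTTPS"))
    return findings
```

Running `audit()` on the contents of the file in /etc/apache2/sites-available/ returns a list of (port, message) pairs; an empty list means none of these checks fired.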
Steps on the Moodle Server:
Configure $CFG->wwwroot:
Edit your Moodle configuration file (config.php) and set the $CFG->wwwroot variable to the publicly accessible URL of your Moodle site (the URL of your reverse proxy):
PHP
$CFG->wwwroot = 'https://moodle.example.com'; // If using HTTPS
// or, if only using HTTP:
// $CFG->wwwroot = 'http://moodle.example.com';
Configure $CFG->reverseproxy:
Add the following line to your config.php file to inform Moodle that it's behind a reverse proxy:
PHP
$CFG->reverseproxy = true;
(Optional but Recommended for HTTPS) Configure $CFG->httpswwwroot:
If you are using HTTPS on the proxy but your internal Moodle is running on HTTP, explicitly set the HTTPS URL:
PHP
$CFG->httpswwwroot = 'https://moodle.example.com';
(Optional but Recommended for Security) Configure Trusted Proxies:
To prevent potential security issues like IP address spoofing, you can configure Moodle to trust the IP address(es) of your reverse proxy server(s). Add the following to your config.php, replacing your_proxy_server_ip with the actual IP address of your proxy_server:
PHP
$CFG->trustedproxies = array('your_proxy_server_ip');
If you have multiple proxy servers, list their IP addresses in the array.
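Why a trusted-proxy list stops IP spoofing, as an added example that is not part of the original guide and is not Moodle's implementation: the X-Forwarded-For header is honoured only when the TCP peer is one of your own proxies, and the chain is read right to left. The function name and all addresses are constructed for illustration.

```python
import ipaddress

def client_ip(peer_addr, xff_header, trusted_proxies):
    """Return the address to log or rate-limit on.

    peer_addr:       source IP of the TCP connection reaching the backend
    xff_header:      raw X-Forwarded-For value, or None
    trusted_proxies: IPs or CIDRs of your own reverse proxies
    """
    trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]
    is_trusted = lambda ip: any(ip in net for net in trusted)

    peer = ipaddress.ip_address(peer_addr)
    if not is_trusted(peer) or not xff_header:
        # Not via our proxy: the header is client-controlled, so ignore it.
        return str(peer)

    # Each proxy appends the address it received the request from, so walk
    # right to left and stop at the first hop that is not one of ours.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # malformed entry: fall back to the TCP peer
        if not is_trusted(ip):
            return str(ip)
    return str(peer)  # every listed hop was a trusted proxy

PROXIES = ["192.168.1.10"]  # constructed proxy_server address

# Normal request through the proxy.
via_proxy = client_ip("192.168.1.10", "203.0.113.7", PROXIES)
# Client pre-set a fake header; the proxy appended the real address after it.
spoof_via_proxy = client_ip("192.168.1.10", "10.0.0.1, 198.51.100.23", PROXIES)
# Client bypassed the proxy and sent its own header straight to the backend.
spoof_direct = client_ip("203.0.113.50", "127.0.0.1", PROXIES)
```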
Important Considerations:
SSL Termination: In the HTTPS setup, the SSL encryption and decryption happen on the proxy_server. The traffic between the proxy_server and the moodle_server will be in plain HTTP unless you configure SSL internally as well.
Firewall: Ensure that your firewall on the proxy_server allows incoming traffic on ports 80 and 443. Also, ensure that the proxy_server can communicate with the moodle_server on the relevant HTTP/HTTPS port.
Internal Moodle URL: If your internal Moodle instance is accessible directly (e.g., via its internal IP address), consider restricting access to it to only the proxy_server's IP address for security reasons.
Load Balancing: If you have multiple Moodle servers, you can configure your Apache reverse proxy as a basic load balancer using modules like mod_proxy_balancer.
Troubleshooting: If you encounter issues, check the Apache error logs on both the proxy and Moodle servers, as well as the Moodle debugging settings. Ensure that DNS is correctly resolving your domain name to the proxy_server's IP address.
Performance: Reverse proxies can improve performance through caching and compression. You can further optimize your Apache configuration with modules like mod_cache and mod_deflate.
By following these steps, you should be able to successfully host your Moodle instance behind an Apache2 reverse proxy. Remember to adjust the configuration details (IP addresses, domain names, file paths) to match your specific environment.