Moodle comes with a built-in 'security helper', which is what enforces the $CFG->curlsecurityblockedhosts and related settings. This plugin augments the existing security helper and adds features such as reporting on which URLs are being curled, to help inform policy decisions.
This relies on the following tracker issue, which has been in Moodle core since 3.11:
Allow plugins to augment the curl security helper via callback
https://tracker.moodle.org/browse/MDL-70649
The function tool_curlmanager_security_helper is defined in admin/tool/curlmanager/lib.php, and Moodle calls it back.
That function returns a curlmanager_security_helper object, and the object's url_is_blocked method is triggered before each curl request is made.
- Allow curl requests only to the hosts in 'List of allow hosts' specified in the plugin settings, if the 'Allowed hosts' setting is enabled.
- Log all curl requests made by Moodle curl (new curl()) or by functions that use Moodle curl (e.g. download_file_content), irrespective of whether the URL is blocked or not.
- Report on the curl requests - summary report.
- Report on the curl requests - domain aggregation report.
Please note that a URL will be treated as blocked if it is specified in 'List of allow hosts' and also included in $CFG->curlsecurityblockedhosts.
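An added example (not the plugin's own code) that models the decision described above: the blocked-hosts setting overrides the allow list, and every request is logged whether or not it is blocked. The function and parameter names are hypothetical, and hosts are compared by exact match and URLs without a host are refused, both assumptions of this model.

```php
<?php
declare(strict_types=1);

// Simplified model of the allow/block decision. Not the plugin's code.
// Assumption: host matching is exact and case-insensitive.

/** Lower-case and trim a list of host names. */
function example_normalise_hosts(array $hosts): array {
    return array_map(static fn(string $h): string => strtolower(trim($h)), $hosts);
}

/**
 * @param string $url           URL about to be requested
 * @param bool   $allowenabled  models the 'Allowed hosts' setting
 * @param array  $allowhosts    models 'List of allow hosts'
 * @param array  $blockedhosts  models $CFG->curlsecurityblockedhosts
 * @param array  $log           receives one entry per request, blocked or not
 */
function example_url_is_blocked(string $url, bool $allowenabled, array $allowhosts,
        array $blockedhosts, array &$log): bool {
    $host = strtolower((string) parse_url($url, PHP_URL_HOST));
    if ($host === '') {
        $reason = 'no host in URL';        // Fail closed (assumption).
    } else if (in_array($host, example_normalise_hosts($blockedhosts), true)) {
        $reason = 'in blocked hosts';      // Wins even if also allow-listed.
    } else if ($allowenabled && !in_array($host, example_normalise_hosts($allowhosts), true)) {
        $reason = 'not in allow list';
    } else {
        $reason = '';
    }
    $blocked = ($reason !== '');
    $log[] = ['host' => $host, 'blocked' => $blocked, 'reason' => $reason];
    return $blocked;
}

// Constructed sample settings and URLs.
$allow = ['catalyst-au.net', 'internal.example'];
$block = ['internal.example'];
$log = [];
foreach (['https://catalyst-au.net/', 'https://internal.example/api',
          'https://other.example/', 'not a url'] as $url) {
    example_url_is_blocked($url, true, $allow, $block, $log);
}
foreach ($log as $row) {
    printf("%-18s %-8s %s\n", $row['host'] ?: '(none)',
        $row['blocked'] ? 'blocked' : 'allowed', $row['reason']);
}
```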
Not all outgoing traffic will be logged. There are some known edge cases:
- All Moodle code and plugins which use the Moodle curl libraries should use the security helper. However, a plugin can pass in 'ignoresecurity'. In general this should only be done for internal services and not for traffic outbound to the internet.
- Some Moodle plugins do not use the Moodle curl libraries, in particular Guzzle is a very common library in use. These will not use the security helper, but if they are being used for general internet traffic then they should use the Moodle proxy settings.
- Code which uses curl inside a DB transaction which gets rolled back. In this case the security helper will be used, but the logging may not happen.
Moodle version | Branch |
---|---|
4.1+ | MOODLE_401_STABLE |
Check out or download the plugin source code into the folder admin/tool/curlmanager of your Moodle installation.
git clone [email protected]:catalyst/moodle-tool_curlmanager.git admin/tool/curlmanager
Then go to your Moodle admin interface and complete installation and configuration.
Fire off a quick curl through the Moodle curl library (run from the Moodle root directory, where config.php lives):
php -r "define('CLI_SCRIPT', 1); require('config.php'); ((new curl())->get('https://catalyst-au.net'));"
You should now see this appear in the domain report:
/admin/tool/curlmanager/domain_report.php
See also:
Tracker: Allow an alternate curl security helper
https://tracker.moodle.org/browse/MDL-70649
This plugin was developed by Catalyst IT Australia: