****************************************************************************
Description:

  The Secure Site module allows site administrators to make a site or part of
  a site private. You can restrict access to the site by role. This means the
  site will be inaccessible to search engines and other crawlers, but you can
  still allow access to certain people.

  You can also secure remote access to RSS feeds. You can keep content private
  and protected, but still allow users to get notification of new content and
  other actions via RSS with news readers that support
  user:pass@example.com/node/feed URLs, or have direct support for username
  and password settings. This is especially useful when paired with the
  Organic Groups module or other node access systems.

****************************************************************************
Installation:

1. Place the entire securesite directory into your sites/all/modules
   directory.

2. Enable the Secure Site module by navigating to:

   Administer > Site building > Modules

3. Configure the Secure Site permission:

   Administer > User management > Permissions

   Set the user roles that are allowed to access secured pages by giving
   those roles the "access secured pages" permission.

4. Configure the Secure Site module:

   Administer > Site configuration > Secure Site

****************************************************************************
Configuration:

  - Authentication modes

    There are three authentication modes. By default authentication is
    disabled. Please note that the HTTP Auth method requires extra
    configuration if PHP is not installed as an Apache module. See the
    Known Issues section of this file for a work-around.

      1. Disabled

         The disabled settings will disable the securesite module completely
         and no pages will be protected.

      2. Use HTTP Auth

         This will use browser-based authentication. When a protected page
         is accessed the user's web browser will display a username and
         password login form. This is the recommend method for secure
         feeds.

      3. Use HTML login form

         This method uses a themeable HTML login form for username and
         password input. This method is the most reliable as it does not
         rely on the browser for authentication. This method does not work
         for secure feeds.

  - Guest username and password

    If you want to allow anonymous users to access secure pages, you can
    set a username and password for anonymous users. If left blank, guest
    user access will be disabled.

  - Authentication realm

    You can use this field to name your login area. This is primarily used
    with HTTP Auth.

  - Customize HTML forms

    "Custom message for login form" and "Custom message for password reset
    form" are used in the HTML forms when they are displayed. If the
    latter box is empty, Secure Site will not offer to reset passwords.
    Please note, the login form is only displayed when the HTML login form
    authentication mode is used.

  - Bypass login

    This is were you can specify which pages should be secured. The default
    ("On every page except the listed pages") will secure the entire site.

      - On every page except the listed pages
        Specify the page and paths that are not secure. The rest of the site
        will be secure.

      - Only on the listed pages
        Specify the pages and paths that are to be made secure. The rest of
        the site will not be secure.

****************************************************************************
Theming:

  You can theme the HTML output of the Secure Site module using the
  securesite-dialog.tpl.php found in the securesite directory.

  Copy the securesite-dialog.tpl.php to your default theme. Now the
  securesite-dialog.tpl.php will be used as a template for all Secure Site HTML
  output. securesite-dialog.tpl.php works in the same way as page.tpl.php.

****************************************************************************
Known Issues:

  - Authentication on PHP/CGI installations

    If you are using HTTP Auth and are unable to login, PHP could be running in
    CGI mode.  When run in CGI mode, the normal HTTP Auth login variables are
    not available to PHP.  To work-around this issue, add the following rewrite
    rule at the end of the .htaccess file in Drupal's root installation
    directory:

    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]

    After making the suggested change in Drupal 5.7, the rewrite rules would
    look like this:

  # Rewrite current-style URLs of the form 'index.php?q=x'.
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]
  RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
</IfModule>

  - Authentication when running Drupal via IIS

    If you are using HTTP Auth and are unable to login when Drupal is running on
    an IIS server, make sure that the PHP directive cgi.rfc2616_headers is set to
    0 (the default value).