**************************************************************************** Description: The Secure Site module allows site administrators to make a site or part of a site private. You can restrict access to the site by role. This means the site will be invisible to search engines and other crawlers, but you can still allow access to certain people. You can also secure remote access to RSS feeds. You can keep content private and protected, but still allow users to get notification of new content and other actions via RSS with news readers that support user:pass@example.com/node/feed URLs, or have direct support for username and password settings. This is especially useful when paired with the Organic Groups module or other node access systems. As of the Drupal 4.7 release of this module, you can specify which pages of your site to protect. This means that you can configure only the feeds to require browser based authentication, and not your whole site, as before. **************************************************************************** Installation: 1. Place the entire securesite directory into your Drupal modules directory or sites/all/modules. 2. Enable the securesite module by navigating to: administer > build > modules 3. Configure securesite permission. administer > user > access Set the user roles that are allowed to access secursite pages by giving those roles the "access site" permission. 4. Configure securesite module admin > settings > securesite **************************************************************************** Configuration: - Authentication Modes: There are four authentication modes. By default authentication is disabled. Please note that the HTTP-AUTH methods require PHP to be installed as an Apache module and do not work if it is installed as a CGI binary. See Issues for workaround. 1. Disabled The disabled settings will disable the securesite module completely and no pages will be protected. 2. Enabled with web browser HTTP-AUTH security This will use browser-based authentication. When a protected page is accessed the user's web browser will display a username and password log-in form. This is the recommend method for secure feeds. 3. Enabled with web browser HTTP-AUTH security, with browser log-out workaround Some browsers have problems when logging out and the user session does not get destroyed. This is the recommended HTTP-AUTH method. Please see the following issues for details: http://drupal.org/node/21814 http://drupal.org/node/91025 4. Enabled with HTML login form This method uses a themeable HTML log-in form for username and password input. This method is the most reliable as it does not rely on the browser for authentication. This method does not work for secure feeds. - Guest username and password If you require anonymous users to bypass secure pages, you can set a username and password for anonymous users. If left blank, guest user access will be disabled. - Authentication realm You can use this field to name your log-in area. This is primarily used with HTTP-AUTH. - HTML log-in form "Message for HTML log-in form" and "Message for request password reset form" are used in the headings of the HTML boxes displayed. If either of these text boxes are empty, the relevant box will not display. Please note, the username and password box is only displayed when the HTML log-in form authentication mode is used. - Bypass log-in filter This is were you can specify what pages are to be made secure. The default will secure the entire site. This works exactly the same as Block page specific visibility settings. - Only the listed pages Specify the page and paths that are not secure. The rest of the site will be secure. - Every page except the listed pages Specify the pages and paths that are to be made secure. The rest of the site will not be secure. - Session IP check This setting is for very specific scenarios. Use this if you have secure pages that use embedded video players, such as Windows Media player. The reason being that the embedded media player will access the site as an anonymous user and will not have access site permissions. Any anonymous user will still require the appropriate Drupal permissions for the pages being bypassed. If you do not want to use this feature you can instead bypass the video directory path, eg. files/video/* **************************************************************************** Theming: You can theme the HTML output of the Secure Site module using the securesite-dialog.tpl.php found in the securesite directory. Copy the securesite-dialog.tpl.php to your default theme. Now the securesite-dialog.tpl.php will be used as a template for all securesite html output. securesite-dialog.tpl.php works in the same way as the page.tpl.php file does. **************************************************************************** Issues: Authentication on PHP/CGI installations If you are using HTTP-AUTH and unable to log in, it could be that PHP is running as a CGI binary. Please see http://drupal.org/node/28408#comment-339150 for a workaround.