****************************************************************************
Description:

The Secure Site module allows site administrators to make a site or part of
a site private. You can restrict access to the site by role. This means the
site will be inaccessible to search engines and other crawlers, but you can
still allow access to certain people.

You can also secure remote access to RSS feeds. You can keep content private
and protected, but still allow users to get notification of new content and
other actions via RSS with news readers that support
user:pass@example.com/node/feed URLs, or have direct support for username
and password settings. This is especially useful when paired with the
Organic Groups module or other node access systems.

****************************************************************************
Installation:

1. Place the entire securesite directory into your sites/all/modules
   directory.

2. Enable the Secure Site module by navigating to:

     Administer > Site building > Modules

3. Configure the Secure Site permission:

     Administer > User management > Access control

   Set the user roles that are allowed to access secured pages by giving
   those roles the "access secured pages" permission.

4. Configure the Secure Site module:

     Administer > Site configuration > Secure Site

****************************************************************************
Configuration:

- Authentication modes

  There are three authentication modes. By default, authentication is
  disabled. Please note that the HTTP Auth method requires extra
  configuration if PHP is not installed as an Apache module. See the Known
  Issues section of this file for a workaround.

  1. Disabled

     The Disabled setting turns the Secure Site module off completely and
     no pages will be protected.

  2. Use HTTP Auth

     This will use browser-based authentication. When a protected page is
     accessed, the user's web browser will display a username and password
     login form. This is the recommended method for secure feeds.

  3. Use HTML login form

     This method uses a themeable HTML login form for username and password
     input. This method is the most reliable as it does not rely on the
     browser for authentication. This method does not work for secure
     feeds.

- Guest username and password

  If you want to allow anonymous users to access secure pages, you can set
  a username and password for anonymous users. If left blank, guest user
  access will be disabled.

- Authentication realm

  You can use this field to name your login area. This is primarily used
  with HTTP Auth.

- Customize HTML forms

  "Custom message for login form" and "Custom message for password reset
  form" are used in the HTML forms when they are displayed. If the latter
  box is empty, Secure Site will not offer to reset passwords. Please note
  that the login form is only displayed when the HTML login form
  authentication mode is used.

- Bypass login

  This is where you can specify which pages should be secured. The default
  ("On every page except the listed pages") will secure the entire site.

  - On every page except the listed pages

    Specify the pages and paths that are not secure. The rest of the site
    will be secure.

  - Only on the listed pages

    Specify the pages and paths that are to be made secure. The rest of the
    site will not be secure.

****************************************************************************
Theming:

You can theme the HTML output of the Secure Site module using the
securesite-dialog.tpl.php file found in the securesite directory. Copy
securesite-dialog.tpl.php to your default theme. It will then be used as the
template for all Secure Site HTML output. securesite-dialog.tpl.php works in
the same way as page.tpl.php.

****************************************************************************
Known Issues:

- Authentication on PHP/CGI installations

  If you are using HTTP Auth and are unable to log in, PHP could be running
  in CGI mode.
  When run in CGI mode, the normal HTTP Auth login variables are not
  available to PHP. To work around this issue, add the following rewrite
  rule at the end of the .htaccess file in Drupal's root installation
  directory:

    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]

  After making the suggested change in Drupal 5.7, the rewrite rules would
  look like this:

    # Rewrite current-style URLs of the form 'index.php?q=x'.
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]

- Authentication when running Drupal via IIS

  If you are using HTTP Auth and are unable to log in when Drupal is running
  on an IIS server, make sure that the PHP directive cgi.rfc2616_headers is
  set to 0 (the default value).
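
The following is an added example, not Secure Site's own code, showing what
the PHP/CGI workaround above makes possible: once the rewrite rule copies the
Authorization header into the environment, PHP can decode the Basic
credentials itself. The function name example_basic_credentials() and the
sample values are hypothetical; the REDIRECT_ prefix is the one Apache adds to
environment variables after an internal redirect.

```php
<?php
// Added example, not Secure Site's own code. The function name is hypothetical.

/**
 * Recover HTTP Basic credentials from a $_SERVER-style array.
 * Returns array(user, pass), or NULL when no usable credentials are present.
 */
function example_basic_credentials(array $server) {
  // mod_php fills these in itself; nothing else is needed.
  if (isset($server['PHP_AUTH_USER'])) {
    $pass = isset($server['PHP_AUTH_PW']) ? $server['PHP_AUTH_PW'] : '';
    return array($server['PHP_AUTH_USER'], $pass);
  }
  // Under CGI, the rewrite rule copies the header into the environment.
  // Apache prefixes the name with REDIRECT_ after an internal redirect.
  $header = NULL;
  foreach (array('HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION') as $key) {
    if (!empty($server[$key])) {
      $header = $server[$key];
      break;
    }
  }
  if ($header === NULL || !preg_match('/^Basic\s+(\S+)$/i', trim($header), $m)) {
    return NULL; // No header, or a scheme other than Basic.
  }
  // Strict mode rejects characters outside the base64 alphabet.
  $decoded = base64_decode($m[1], TRUE);
  if ($decoded === FALSE || strpos($decoded, ':') === FALSE) {
    return NULL; // Malformed token: treat the request as unauthenticated.
  }
  // Split on the first colon only; passwords may contain colons.
  return explode(':', $decoded, 2);
}

// Constructed sample environments (not captured from a real server).
$token = base64_encode('alice:s3cr3t:with:colons');
$samples = array(
  'mod_php'        => array('PHP_AUTH_USER' => 'alice', 'PHP_AUTH_PW' => 'pw'),
  'cgi + rewrite'  => array('HTTP_AUTHORIZATION' => "Basic $token"),
  'cgi redirected' => array('REDIRECT_HTTP_AUTHORIZATION' => "Basic $token"),
  'cgi, no rule'   => array(),
  'malformed'      => array('HTTP_AUTHORIZATION' => 'Basic !!!not-base64'),
);
foreach ($samples as $label => $server) {
  $creds = example_basic_credentials($server);
  echo str_pad($label, 16), $creds ? "user={$creds[0]}" : 'no credentials', "\n";
}
```

The "cgi, no rule" case is the failure described above: without the rewrite
rule, a CGI-mode PHP sees no credentials at all and every login attempt is
rejected.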