You are here

Home » API reference » Secure Site 7.2

README.txt in Secure Site 7.2

Same filename in this branch
  1. 7.2 README.txt
  2. 7.2 digest_md5/README.txt
Same filename and directory in other branches
  1. 8 README.txt
  2. 5 README.txt
  3. 6.2 README.txt
  4. 6 README.txt
The Secure Site module allows site administrators to make a site or part of a
site private. You can restrict access to the site by role. This means the site
will be inaccessible to search engines and other crawlers, but you can still
allow access to certain people.

You can also secure remote access to RSS feeds. You can keep content private and
protected, but still allow users to get notification of new content and other
actions via RSS with news readers that support user:pass@example.com/node/feed
URLs, or have direct support for user name and password settings. This is
especially useful when paired with the Organic Groups module or other node
access systems.


Installation
------------

  1. Place the entire securesite directory into your sites/all/modules
     directory.

  2. Enable the Secure Site module by navigating to:

     Administer >> Site building >> Modules

  3. Configure the Secure Site permissions:

     Administer >> User management >> Permissions

     Set the user roles that are allowed to access secured pages by giving those
     roles the "access secured pages" permission.

  4. Configure the Secure Site module:

     Administer >> Site configuration >> Secure Site


Configuration
-------------

  - Force authentication

    This setting controls whether users will be forced to authenticate before
    viewing pages. By default, authentication is never forced.

    1. Never

       This setting will prevent Secure Site from hiding pages.

    2. Always

       This setting will hide your entire site from unauthenticated users.

    3. During maintenance

       This setting will hide your site during maintenance.

    4. On restricted pages

       This setting will hide only pages that anonymous users cannot access.

  - Authentication type

    Three methods of authentication are available. Please note that HTTP
    authentication requires extra configuration if PHP is not installed as an
    Apache module. See the Known issues section of this file for details.

    1. HTTP digest

       This will enable HTTP digest authentication. The user's browser will
       prompt for the user's name and password before displaying the page.

       Digest authentication protects a user's password from eavesdroppers when
       you are not using SSL to encrypt the connection. However, it can only be
       used when a copy of the password is stored on the server. For security
       reasons, Drupal does not store passwords. You will need to configure
       scripts to securely save passwords and authenticate users. See README.txt
       in the digest_md5 directory for details.

       When digest authentication is enabled, passwords will be saved when users
       log in or set their passwords. If you use digest authentication to
       protect your whole site, you should allow guest access or allow another
       authentication type until users whose passwords are not yet saved have
       logged in. Otherwise, you may lock yourself out of your own site.

    1. HTTP basic

       This will enable HTTP basic authentication. The user's browser will
       prompt for the user's name and password before displaying the page.
       Basic authentication is not secure unless you are using SSL to encrypt
       the connection.

    2. Use HTML log-in form

       This method uses a themeable HTML log-in form for user name and password
       input. This method is the most reliable as it does not rely on the
       browser for authentication. Like HTTP basic, it is insecure unless you
       are using SSL to encrypt the connection.

    HTTP authentication is recommended for secure feeds, because feed readers
    are not likely to be able to handle forms. You can enable all three types of
    authentication at the same time.

  - Digest authentication script

    For security, HTTP digest authentication uses an external script to check
    passwords. Enter the digest authentication script exactly as it would appear
    on the command line.

  - Password storage script

    For security, HTTP digest authentication uses an external script to save
    passwords. Enter the password storage script exactly as it would appear on
    the command line.

  - Authentication realm

    You can use this field to name your login area. This is primarily used with
    HTTP Auth.

  - Guest user name and password

    If you give anonymous users the "access secured pages" permission, you can
    set a user name and password for anonymous users. If not set, guests can use
    any name and password.

  - Customize HTML forms

    "Custom message for login form" and "Custom message for password reset form"
    are used in the HTML forms when they are displayed. If the latter box is
    empty, Secure Site will not offer to reset passwords. Please note, the login
    form is only displayed when the HTML login form authentication mode is used.


Theming
-------

Secure Site's HTML output is controlled by three files:

- securesite-page.tpl.php: Template for Secure Site pages. Works in the same way
  as page.tpl.php.

- securesite-user-login.tpl.php: Template for the user log-in form.

- securesite-user-pass.tpl.php: Template for the password reset form.

You can theme Secure Site's HTML output by copying these files to your theme's
directory. The files in your theme's directory will become the templates for all
Secure Site HTML output.


Configuring cron jobs
---------------------

If HTTP authentication is forced, cron jobs will need to authenticate
themselves. See http://drupal.org/cron for more details on configuring cron
jobs. These examples show how to add a user name and password (note: Lynx does
not support digest authentication):

45 * * * * /usr/bin/lynx -auth=username:password -source http://example.com/cron.php
45 * * * * /usr/bin/wget --user=username --password=password -O - -q http://example.com/cron.php
45 * * * * /usr/bin/curl --anyauth --user username:password --silent --compressed http://example.com/cron.php


Known issues
------------

  - Authentication on PHP/CGI installations

    If you are using HTTP Auth and are unable to login, PHP could be running in
    CGI mode. When run in CGI mode, the normal HTTP Auth login variables are not
    available to PHP. To work-around this issue, add the following rewrite rule
    at the end of the .htaccess file in Drupal's root installation directory:

    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]

    After making the suggested change in Drupal 6, the rewrite rules would
    look like this:

    # Rewrite URLs of the form 'x' to the form 'index.php?q=x'.
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_URI} !=/favicon.ico
    RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]

  - Authentication when running Drupal via IIS

    If you are using HTTP Auth and are unable to login when Drupal is running on
    an IIS server, make sure that the PHP directive cgi.rfc2616_headers is set
    to 0 (the default value).

File

README.txt
View source 
  1. The Secure Site module allows site administrators to make a site or part of a

  2. site private. You can restrict access to the site by role. This means the site

  3. will be inaccessible to search engines and other crawlers, but you can still

  4. allow access to certain people.

  5. 

  6. You can also secure remote access to RSS feeds. You can keep content private and

  7. protected, but still allow users to get notification of new content and other

  8. actions via RSS with news readers that support user:pass@example.com/node/feed

  9. URLs, or have direct support for user name and password settings. This is

  10. especially useful when paired with the Organic Groups module or other node

  11. access systems.

  12. 

  13. 

  14. Installation

  15. ------------

  16. 

  17.   1. Place the entire securesite directory into your sites/all/modules

  18.      directory.

  19. 

  20.   2. Enable the Secure Site module by navigating to:

  21. 

  22.      Administer >> Site building >> Modules

  23. 

  24.   3. Configure the Secure Site permissions:

  25. 

  26.      Administer >> User management >> Permissions

  27. 

  28.      Set the user roles that are allowed to access secured pages by giving those

  29.      roles the "access secured pages" permission.

  30. 

  31.   4. Configure the Secure Site module:

  32. 

  33.      Administer >> Site configuration >> Secure Site

  34. 

  35. 

  36. Configuration

  37. -------------

  38. 

  39.   - Force authentication

  40. 

  41.     This setting controls whether users will be forced to authenticate before

  42.     viewing pages. By default, authentication is never forced.

  43. 

  44.     1. Never

  45. 

  46.        This setting will prevent Secure Site from hiding pages.

  47. 

  48.     2. Always

  49. 

  50.        This setting will hide your entire site from unauthenticated users.

  51. 

  52.     3. During maintenance

  53. 

  54.        This setting will hide your site during maintenance.

  55. 

  56.     4. On restricted pages

  57. 

  58.        This setting will hide only pages that anonymous users cannot access.

  59. 

  60.   - Authentication type

  61. 

  62.     Three methods of authentication are available. Please note that HTTP

  63.     authentication requires extra configuration if PHP is not installed as an

  64.     Apache module. See the Known issues section of this file for details.

  65. 

  66.     1. HTTP digest

  67. 

  68.        This will enable HTTP digest authentication. The user's browser will

  69.        prompt for the user's name and password before displaying the page.

  70. 

  71.        Digest authentication protects a user's password from eavesdroppers when

  72.        you are not using SSL to encrypt the connection. However, it can only be

  73.        used when a copy of the password is stored on the server. For security

  74.        reasons, Drupal does not store passwords. You will need to configure

  75.        scripts to securely save passwords and authenticate users. See README.txt

  76.        in the digest_md5 directory for details.

  77. 

  78.        When digest authentication is enabled, passwords will be saved when users

  79.        log in or set their passwords. If you use digest authentication to

  80.        protect your whole site, you should allow guest access or allow another

  81.        authentication type until users whose passwords are not yet saved have

  82.        logged in. Otherwise, you may lock yourself out of your own site.

  83. 

  84.     1. HTTP basic

  85. 

  86.        This will enable HTTP basic authentication. The user's browser will

  87.        prompt for the user's name and password before displaying the page.

  88.        Basic authentication is not secure unless you are using SSL to encrypt

  89.        the connection.

  90. 

  91.     2. Use HTML log-in form

  92. 

  93.        This method uses a themeable HTML log-in form for user name and password

  94.        input. This method is the most reliable as it does not rely on the

  95.        browser for authentication. Like HTTP basic, it is insecure unless you

  96.        are using SSL to encrypt the connection.

  97. 

  98.     HTTP authentication is recommended for secure feeds, because feed readers

  99.     are not likely to be able to handle forms. You can enable all three types of

  100.     authentication at the same time.

  101. 

  102.   - Digest authentication script

  103. 

  104.     For security, HTTP digest authentication uses an external script to check

  105.     passwords. Enter the digest authentication script exactly as it would appear

  106.     on the command line.

  107. 

  108.   - Password storage script

  109. 

  110.     For security, HTTP digest authentication uses an external script to save

  111.     passwords. Enter the password storage script exactly as it would appear on

  112.     the command line.

  113. 

  114.   - Authentication realm

  115. 

  116.     You can use this field to name your login area. This is primarily used with

  117.     HTTP Auth.

  118. 

  119.   - Guest user name and password

  120. 

  121.     If you give anonymous users the "access secured pages" permission, you can

  122.     set a user name and password for anonymous users. If not set, guests can use

  123.     any name and password.

  124. 

  125.   - Customize HTML forms

  126. 

  127.     "Custom message for login form" and "Custom message for password reset form"

  128.     are used in the HTML forms when they are displayed. If the latter box is

  129.     empty, Secure Site will not offer to reset passwords. Please note, the login

  130.     form is only displayed when the HTML login form authentication mode is used.

  131. 

  132. 

  133. Theming

  134. -------

  135. 

  136. Secure Site's HTML output is controlled by three files:

  137. 

  138. - securesite-page.tpl.php: Template for Secure Site pages. Works in the same way

  139.   as page.tpl.php.

  140. 

  141. - securesite-user-login.tpl.php: Template for the user log-in form.

  142. 

  143. - securesite-user-pass.tpl.php: Template for the password reset form.

  144. 

  145. You can theme Secure Site's HTML output by copying these files to your theme's

  146. directory. The files in your theme's directory will become the templates for all

  147. Secure Site HTML output.

  148. 

  149. 

  150. Configuring cron jobs

  151. ---------------------

  152. 

  153. If HTTP authentication is forced, cron jobs will need to authenticate

  154. themselves. See http://drupal.org/cron for more details on configuring cron

  155. jobs. These examples show how to add a user name and password (note: Lynx does

  156. not support digest authentication):

  157. 

  158. 45 * * * * /usr/bin/lynx -auth=username:password -source http://example.com/cron.php

  159. 45 * * * * /usr/bin/wget --user=username --password=password -O - -q http://example.com/cron.php

  160. 45 * * * * /usr/bin/curl --anyauth --user username:password --silent --compressed http://example.com/cron.php

  161. 

  162. 

  163. Known issues

  164. ------------

  165. 

  166.   - Authentication on PHP/CGI installations

  167. 

  168.     If you are using HTTP Auth and are unable to login, PHP could be running in

  169.     CGI mode. When run in CGI mode, the normal HTTP Auth login variables are not

  170.     available to PHP. To work-around this issue, add the following rewrite rule

  171.     at the end of the .htaccess file in Drupal's root installation directory:

  172. 

  173.     RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]

  174. 

  175.     After making the suggested change in Drupal 6, the rewrite rules would

  176.     look like this:

  177. 

  178.     # Rewrite URLs of the form 'x' to the form 'index.php?q=x'.

  179.     RewriteCond %{REQUEST_FILENAME} !-f

  180.     RewriteCond %{REQUEST_FILENAME} !-d

  181.     RewriteCond %{REQUEST_URI} !=/favicon.ico

  182.     RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]

  183.     RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]

  184. 

  185.   - Authentication when running Drupal via IIS

  186. 

  187.     If you are using HTTP Auth and are unable to login when Drupal is running on

  188.     an IIS server, make sure that the PHP directive cgi.rfc2616_headers is set

  189.     to 0 (the default value).