Securing Your Installation
In its current version, GTD-PHP leaves security features and access restrictions to be administered purely via the configuration of the web-server: the package is just as secure as you make your web-server; no more, and no less.
There are probably a million different scenarios of usage and access, each with its own configuration, so to keep things short this document concentrates on a few common and most useful securing techniques.
If you're installing GTD-PHP in a trusted environment, where either you're the only one who will have access to its pages, or you know everyone who could potentially have access and can tell them to keep their hands off, then you probably don't need much additional security. This type of installation includes the following scenarios:
Consider the situation carefully and if you still feel that your GTD-PHP installation should have a password-protected access, read on.
Limiting access on public servers
Whenever installing GTD-PHP on a publicly accessible server, where possibly anyone can open its pages, you need to use Apache's features (or those of your server of choice) to ensure access is limited to you only. This scenario includes:
Apache has an extensive article on access control, which you can study to find the right scenario for you.
In short, you must create a password file, by executing the command (substituting the path and login you want to use):
htpasswd -c /path/to/file/.htpasswd [login_name]
The path should point to a directory which is readable by Apache but not accessible from the web. If you can't achieve that, i.e. on shared hosting, put it in any directory, create a file in it named .htaccess and put the following lines inside:
Order deny,allow
Deny from all
Running the htpasswd command above will ask you for a password for the given login and then create the file.
With the password file in place, go into the directory where GTD-PHP is installed and create a file there named .htaccess. Inside it put the following lines:
AuthType Basic
AuthName "GTD"
AuthUserFile /path/to/file/.htpasswd
Require valid-user
Save it and try opening your GTD-PHP. It should ask you for a login and password and, after you provide these successfully, let you in.
If, after doing the above, you receive server errors (especially a 500 error), first check your .htaccess syntax. If all appears correct, contact your server administrator, since the cause of the problem may be a limitation on user-access set-up which the administrator can change.
Intranet and extranet access combined
If you happen to be using a private server which you would like to be easily accessible on a local network, while having password-protected access to it from the outside as well, there's an easy tweak to the password-protected access configuration. Open the .htaccess file for the GTD-PHP folder and put a few more lines in:
Order deny,allow
Deny from all
Allow from 192.168.0.
Satisfy Any
Change 192.168.0. to whatever your local network addressing is. The lines above, combined with the password protection from the previous section, will allow access to the system for any computer on the 192.168.0. network, while requiring all other computers to identify themselves with a proper login and password.
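As an added example (not part of GTD-PHP or Apache), the following Python model shows how the directives above decide a request: the host check and the user check are combined with "or" under Satisfy Any, and with "and" under Apache's default Satisfy All, so leaving Satisfy Any out would lock out everyone outside the LAN, password or not. The partial-address form is matched per octet, as Apache does; the CIDR branch is an assumed extension beyond what the page shows.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class AccessRules:
    allow_from: list = field(default_factory=list)  # values of "Allow from"
    deny_all: bool = False           # "Deny from all" present
    satisfy_any: bool = False        # Apache's default is "Satisfy All"
    require_valid_user: bool = False


def parse_htaccess(text: str) -> AccessRules:
    """Pick out the directives this page uses; Order deny,allow is assumed."""
    rules = AccessRules()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive, _, value = line.partition(" ")
        d, v = directive.lower(), value.strip()
        if d == "allow" and v.lower().startswith("from "):
            rules.allow_from.extend(v[5:].split())
        elif d == "deny" and v.lower() == "from all":
            rules.deny_all = True
        elif d == "satisfy":
            rules.satisfy_any = v.lower() == "any"
        elif d == "require":
            rules.require_valid_user = v.lower() == "valid-user"
    return rules


def host_matches(pattern: str, ip: str) -> bool:
    """A partial address such as "192.168.0." matches whole leading octets
    only, so 192.168.10.5 is NOT inside it. CIDR notation is also accepted."""
    if "/" in pattern:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    want = [octet for octet in pattern.split(".") if octet]
    return ip.split(".")[: len(want)] == want


def is_allowed(rules: AccessRules, client_ip: str, authenticated: bool) -> bool:
    """Combine the host-based and user-based checks the way Satisfy does."""
    host_ok = (not rules.deny_all) or any(host_matches(p, client_ip) for p in rules.allow_from)
    user_ok = authenticated or not rules.require_valid_user
    return (host_ok or user_ok) if rules.satisfy_any else (host_ok and user_ok)


# Constructed sample: the password-protected .htaccess plus the LAN exception.
COMBINED = """
AuthType Basic
AuthName "GTD"
AuthUserFile /path/to/file/.htpasswd
Require valid-user
Order deny,allow
Deny from all
Allow from 192.168.0.
Satisfy Any
"""
```

Replacing "Satisfy Any" with "Satisfy All" in the sample and re-running is_allowed shows the lockout: an external client is denied even with valid credentials.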
Since your GTD-PHP may contain sensitive data, you probably wouldn't like anyone to be able to intercept your password when you log in and gain access. To make sure your login details remain safe, it is suggested that you secure your connections to the server hosting GTD-PHP with SSL, especially over the Internet. This section makes the following assumptions:
First make sure anyone accessing GTD-PHP is forced to use it through a secure connection, by permanently redirecting http requests to https (substitute your server's IP), adding the following to your virtual host configuration file:
<VirtualHost [your_server_ip]:80>
    ServerName gtd.example.org
    ServerAlias *.gtd.example.org
    Redirect permanent / https://gtd.example.org/
</VirtualHost>
Next, configure SSL for the https virtual host:
<VirtualHost [your_server_ip]:443>
    [... ServerName, ServerAlias, DocumentRoot etc.]
    SSLEngine on
    SSLCertificateFile /path/to/cert.pem
    SSLCertificateKeyFile /path/to/key.pem
    <Location />
        SSLRequireSSL
    </Location>
</VirtualHost>
Restart Apache and check your access. The browser should indicate that the connection is secured, and you can safely browse GTD-PHP from anywhere in the world.