Adds more detail about fine tuning access, and improves apache setup instructions.

examples/secure-terminals.txt

@@ -78,8 +78,12 @@ II.  cp device.key /etc/ssl/private/ssl-cert-snakeoil.key
      cp mysite.com.csr /etc/ssl/certs/ssl-cert-snakeoil.pem
 
 III. a2enmod ssl;
-     a2ensite default-ssl.conf; (standard on debian-based distributions .. add <Directory> stanza above)
+     a2ensite default-ssl.conf; (standard on debian-based distributions) 
+     add certs to the SSLCertificateFile and SSLCertificateKeyFile directives in default-ssl.conf
+                SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
+                SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key        
      a2dissite 000-default.conf;
+     service apache2 restart
 
 In the Chromium broswer: chrome://settings/certificates
   Choose IMPORT in AUTHORITIES
@@ -102,7 +106,7 @@ Firefox (IceWeasel); note that Chrome below, provides the most recent instructio
 6. mv KeePass.config.xml KeePass.config.enforced.xml
 7. sudo chown root:root KeePass.config.enforced.xml (and database/key file)
 8. sudo chmod 0400 KeePass.config.enforced.xml
-9.	See Chrome for KeePass.config.enforced.xml policy changes.
+9. See Chrome for KeePass.config.enforced.xml policy changes.
 10. In Debian/Ubuntu:  apt-get install mono-runtime mono-devel
 11. Install KeeFox extension from https://addons.mozilla.org/en-us/firefox/addon/keefox/
 12. KeeFox will tell you where to copy KeePassRPC.plgx from into the plugins directory
@@ -230,6 +234,38 @@ SPECIAL NOTES
  including transaction_log.php, perhaps with the exclusion of certain reports that should only be available 
  to the volunteer coordinator.
  
+ https://wiki.apache.org/httpd/BypassAuthenticationOrAuthorizationRequirements provides good details how this is done:
+ 
+ E.g., we want paid_members.php to be accessible via a completely different password under Apache for our paid members team:
+ 
+                <FilesMatch "\.(php|paid_members\.php)$">
+                                SSLOptions +StdEnvVars
+                </FilesMatch>
+                <Directory /var/www/html/js>
+                        Order allow,deny
+                        Allow from all
+                        Satisfy any
+                </Directory>
+                <Directory /var/www/html/css>
+                        Order allow,deny
+                        Allow from all
+                        Satisfy any
+                </Directory>
+                <Directory /var/www/html>
+                        Authtype        Basic
+                        Authname        "Amazing Community Bike Shop Login"
+                        Require         user someuser
+                        AuthUserFile    /var/htpasswd
+                </Directory>
+                <Files "paid_members.php">
+                        Authtype        Basic
+                        Authname        "Paid Members Login"
+                        Require         user paid_members_team
+                        AuthUserFile    /var/htpasswd
+                </Files>
+                
+How to get that working with keepass2 should be obvious.
+
 SUSPENDING COMPUTER
 
 Example commands that bring up the gui setting tool:
@@ -244,7 +280,7 @@ it is not always straight-forward, e.g., resetting the CMOS.
 
 GRUB2 PASSWORD PROTECT (mandatory)
 
-You don't want individuals casually booting into single mode or a shell, therefore,
+In order to prevent individuals from casually booting into single mode or a shell,
 password protecting GRUB with an encrypted password is mandatory.
 
 https://help.ubuntu.com/community/Grub2/Passwords gives good instructions
@@ -270,7 +306,7 @@ https://help.ubuntu.com/community/Grub2/Passwords gives good instructions
 
 5. update-grub2     
 
-SSD or HD Encryption (optional)
+SSD or HD ENCRYPTION (optional)
 
 If a sign-in computers unencrypted drive goes missing (or is stolen), it should (in most cases) 
 be pretty obvious, and you would want to change YBDB's htpasswd and root password. However, if you