Using apache authentication with etherpad.

Once we started using our shiny new etherpad, we realized it might be handy to have private etherpad pads.  While it's possible to setup etherpad to require authentication, I didn't want ALL our pads to be private, just a subset of them that needed at least a small amount of privacy.

One approach would be to work within the etherpad source and create this new functionality.  This is probably the best approach, and we may do so eventually,  but for now I've instead added apache authentication to a specific subset of pads on our etherpad.

Below is a sample config.

<VirtualHost *:80>


ProxyRequests Off
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
ProxyPreserveHost on
<locationmatch \/p\/bks-.*>
AuthType basic
AuthName "The bks-* namespace is restricted to basekamp users only."
AuthUserFile /var/htpass
Require valid-user
<proxy *>
Options FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
Allow from all
ServerSignature Off

With these changes, all that remains are to create the password file in /var/etherpad. The below command creates the file (assuming the directory exists already) and adds a user to it "BigAdmin".   The "c" param is required the first time htpasswd is run on a particular file, to create the file.  "m" encodes it as md5.  Once the command is run you will be asked for a password.

sudo htpasswd -cm /var/etherpad/htpass BigAdmin

You could extend this config by having multiple LocationMatch sections matching different paths to pads, for different groups with their own passwords, and optionally by using a mysql db for password storage instead of text files.

This configuration allows most pads to remain public, but any pad starting with bks- will require authentication.  It's worth noting that as configured, the passwords will be sent in plaintext, as there is no SSL in this configuration.