httpd-users mailing list archives

From Aman Raheja <arah...@techquotes.com>
Subject Re: [users@httpd] AWStats and security
Date Wed, 29 Sep 2004 15:22:40 GMT
You can configure Apache's VH setting for each host to disallow anything 
in the query string other than config=CustomerA
http://www.customerA.com/awstats/awstats.pl?config=CustomerA

How about if they put 
http://www.customerA.com/awstats/awstats.pl?config=CustomerB - such that 
now the domain name part does not match the config= parameter - you do a 
rewrite (using mod_rewrite) and display an error page. That's easy to do.

RewriteEngine On
# Anything other than exactly "config=CustomerA" is sent to the error page
RewriteCond %{QUERY_STRING} !^config=CustomerA$
RewriteRule ^/awstats/awstats\.pl$ <some-error-page-url>? [R,L]

I have not tried the above - corrections are welcome - though there might 
be some other way of restricting - this is the one I could think of off the 
top of my head.

Btw, don't forget to Load and add the mod_rewrite, if you choose to do this.
Aman Raheja


Mark McCulligh wrote:

> Aman Raheja wrote:
>
>> Mark McCulligh wrote:
>>
>>> I have a question for anyone else using awstats for their website 
>>> stats.
>>>
>>> I have it installed and running ok. But want to protect the stats so 
>>> only valid users can access their stats.  I have created a .htaccess 
>>> file to make sure only valid users can get in but how are people 
>>> protecting valid users from looking at other valid users' website 
>>> stats. I don't want customer A looking at customer B's stats.
>>>
>>> I see that you can have awstats make static web pages using 
>>> "staticlinks" but I want to keep it dynamic.
>>>
>>> How are other people protecting their awstats?
>>>
>>> Thanks,
>>> Mark.
>>>
>> I have used awstats before I switched to webalizer which gives more 
>> useful info for me.
>> Well protecting is no big issue I think - esp if you are enabling 
>> .htaccess control then how can users know each other's user/pass info 
>> to look at someone else's stats!
>>
>> Aman Raheja
>>
> I am doing the opposite from you. I have used webalizer for years but 
> find awstats just looks nicer. Both give about the same information. 
> But customers are into looks. I have even looked at Urchin or 
> WebTrends to do stats but I don't want to spend the money right now on 
> stats when both webalizer and awstats are good enough for most customers.
>
> Now about your .htaccess question. It only makes sure valid customers 
> with username/pwd have access to the cgi-bin folder.  But once a 
> customer is logged in they can change their config file parameter and 
> get another customer's stats.
>
> Example:
> http://www.customerA.com/awstats/awstats.pl?config=CustomerA
> User is asked for username/pwd, then logs in. Then changes their URL to
> http://www.customerA.com/awstats/awstats.pl?config=CustomerB
> They now can see CustomerB's stats. DOH
>
> Mark. 



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
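
A model of the per-virtual-host rule from the message, for checking what it lets through before deploying it. This is an added example, not part of the original message or of Apache/AWStats; the host-to-config mapping, function names and sample query strings are constructed. It compares the anchored pattern with an unanchored one and includes a lowercase variant, since RewriteCond patterns are case-sensitive unless [NC] is set.

```python
import re

# Constructed mapping (assumption): one allowed AWStats config per virtual host.
VHOST_CONFIG = {"www.customerA.com": "CustomerA", "www.customerB.com": "CustomerB"}
STATS_PATH = re.compile(r"^/awstats/awstats\.pl$")

# Constructed query strings, including the URL edit described in the thread.
SAMPLES = [
    "config=CustomerA",
    "config=CustomerB",
    "config=customera",
    "config=CustomerAB",
    "config=CustomerB&x=config=CustomerA",
    "",
]


def is_denied(host, path, query_string, anchored=True):
    """Model RewriteCond %{QUERY_STRING} !<pattern> guarding the RewriteRule.

    True means the request would be sent to the error page.
    """
    if not STATS_PATH.search(path):
        return False  # RewriteRule pattern does not match, rule is skipped
    name = VHOST_CONFIG.get(host)
    if name is None:
        return True  # host without a mapping: deny (choice made in this sketch)
    pattern = "config=" + re.escape(name)
    if anchored:
        pattern = "^" + pattern + "$"
    # Like mod_rewrite, re.search matches anywhere unless the pattern is anchored.
    return re.search(pattern, query_string) is None


def evaluate(host="www.customerA.com", anchored=True):
    """Return {query_string: denied?} for every sample on the given vhost."""
    return {qs: is_denied(host, "/awstats/awstats.pl", qs, anchored) for qs in SAMPLES}


if __name__ == "__main__":
    for anchored in (True, False):
        print("anchored" if anchored else "unanchored")
        for qs, denied in evaluate(anchored=anchored).items():
            print(f"  {qs!r:40} -> {'error page' if denied else 'awstats.pl'}")
```

With the anchors, only the exact string config=CustomerA reaches awstats.pl on customer A's host; without them, any query string that merely contains it does.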

