httpd-users mailing list archives

From Aman Raheja <>
Subject Re: [users@httpd] AWStats and security
Date Wed, 29 Sep 2004 15:22:40 GMT
You can configure apache's VH setting for each host to disallow anything 
in the query string other than config=CustomerA

How about if they put - such that 
now the domain name part does not match the config= parameter - you do a 
rewrite (using mod_rewrite) and display an error page. That's easy to do.

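RewriteEngine On
# Match any query string that is not exactly config=customerA
RewriteCond %{QUERY_STRING} !^config=customerA$
# Redirect those requests to an error page; the trailing ? drops the query string
RewriteRule /awstats/ <some-error-page-url>? [R,L]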

I have not tried the above - corrections are welcome - though there might 
be some other way of restricting - this is the one I could think of off the 
top of my head.

Btw, don't forget to Load and add the mod_rewrite, if you choose to do this.
Aman Raheja

Mark McCulligh wrote:

> Aman Raheja wrote:
>> Mark McCulligh wrote:
>>> I have a question for anyone else using awstats for their website 
>>> stats.
>>> I have it installed and running ok. But want to protect the stats so 
>>> only valid users can access their stats.  I have created a .htaccess 
>>> file to make sure only valid users can get in but how are people 
>>> protecting valid users from looking at other valid users' website 
>>> stats. I don't want customer A looking at customer B's stats.
>>> I see that you can have awstats make static web pages using 
>>> "staticlinks" but I want to keep it dynamic.
>>> How are other people protecting their awstats?
>>> Thanks,
>>> Mark.
>> I have used awstats before I switched to webalizer which gives more 
>> useful info for me.
>> Well protecting is no big issue I think - esp if you are enabling 
>> .htaccess control then how can users know each other's user/pass info 
>> to look at someone else's stats!
>> Aman Raheja
> I am doing the opposite from you. I have used webalizer for years but 
> find awstats just looks nicer. Both give about the same information. 
> But customers are into looks. I have even looked at Urchin or 
> WebTrends to do stats but I don't want to spend the money right now on 
> stats when both webalizer and awstats are good enough for most customers.
> Now about your .htaccess question. It only makes sure valid customers 
> with username/pwd have access to the cgi-bin folder.  But once a 
> customer is logged in they can change their config file parameter and 
> get another customer's stats.
> Example:
> User asked for username/pwd, then log in. Then change their URL to
> Their how can see CustomerB stats. DOH
> Mark. 
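
A parameter-aware variant of the per-virtual-host check discussed in this message, as an added example that is not part of the original post: it accepts additional query parameters alongside config= but refuses any request whose config value is not the host's own. The host name stats.customera.example, the config name customerA and the /awstats/ path are assumptions.

```apache
# Added example (not from the original message). Assumed names: the host
# stats.customera.example, the config name customerA, the /awstats/ CGI path.
<VirtualHost *:80>
    ServerName stats.customera.example

    RewriteEngine On

    # Refuse when no parameter is exactly config=customerA
    # (config=customerAB or config=customerB do not satisfy this) ...
    RewriteCond %{QUERY_STRING} !(^|&)config=customerA(&|$) [OR]
    # ... or when any config= parameter carries a different value, which
    # also covers a second config= appended after the valid one.
    # (?!...) is a PCRE negative lookahead, so this needs Apache 2.x.
    RewriteCond %{QUERY_STRING} (^|&)config=(?!customerA(&|$))
    # "-" means no substitution; [F] answers 403 Forbidden.
    RewriteRule ^/awstats/ - [F]
</VirtualHost>
```

Each customer's virtual host needs its own copy with its own config name, and the check only helps if the per-customer authentication is also scoped to that virtual host.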
