httpd-users mailing list archives

From Mark McCulligh <>
Subject Re: [users@httpd] AWStats and security
Date Wed, 29 Sep 2004 15:33:15 GMT
Yes your way will work, but you will have a fairly long Vhost setup for 
each customer now. 

You can also use "SetEnv AWSTATS_FORCE_CONFIG customerA" in your 
Vhost to make it so customers can't override the config filename in 
the URL.

I have been just reading the security doc on awstats website:

To me you have 2 different options that will work.
Method 1:
One common .htaccess for all your customers, then in each awstats config 
file you use AllowAccessFromWebToAuthenticatedUsersOnly = 1 and 
AllowAccessFromWebToFollowingAuthenticatedUsers = customerA to protect 
the config file from other customers.
Method 2:
In each vhost you have their own .htaccess and use SetEnv 
AWSTATS_FORCE_CONFIG customerA OR your method of mod_rewrite.

I have not tested this out but both look like they will get the job 
done. It is up to the webmaster what method they like better. I think 
Method 1 for me would work better, only one .htaccess file to manage and 
set the customer config file right the first time you make it.
Just my two cents.

Aman Raheja wrote:

> You can configure apache's VH setting for each host to disallow 
> anything in the query string other than config=CustomerA
> How about if they put 
> - such 
> that now the domain name part does not match the config= parameter - 
> you do a rewrite (using mod_rewrite) and display an error page. That's 
> easy to do.
> # mod_rewrite's query string variable is QUERY_STRING (underscore)
> RewriteEngine On
> RewriteCond %{QUERY_STRING} !^config=customerA$
> # trailing "?" drops the original query string from the redirect target
> RewriteRule /awstats/ <some-error-page-url>? [R,L]
> I have not tried the above - corrections are welcome - though there 
> might be some other way of restricting - this is the one I could think 
> of off the top of my head.
> Btw, don't forget to Load and add the mod_rewrite, if you choose to do 
> this.
> Aman Raheja
> Mark McCulligh wrote:
>> Aman Raheja wrote:
>>> Mark McCulligh wrote:
>>>> I have a question for anyone else using awstats for their website 
>>>> stats.
>>>> I have it installed and running ok. But want to protect the stats 
>>>> so only valid users can access their stats.  I have created a 
>>>> .htaccess file to make sure only valid users can get in but how are 
>>>> people protecting valid users from looking at other valid users 
>>>> website stats. I don't want customer A looking at customers B stats.
>>>> I see that you can have awstats make static web pages using 
>>>> "staticlinks" but I want to keep it dynamic.
>>>> How are other people protecting their awstats.
>>>> Thanks,
>>>> Mark.
>>> I have used awstats before I switched to webalizer which gives more 
>>> useful info for me.
>>> Well protecting is no big issue I think - esp if you are enabling 
>>> .htaccess control then how can users know each other's user/pass 
>>> info to look at someone else's stats!
>>> Aman Raheja
>> I am doing the opposite from you. I have used webalizer for years but 
>> find awstats just looks nicer. Both give about the same information. 
>> But customers are into looks. I have even looked at Urchin or 
>> WebTrends to do stats but I don't want to spend the money right now 
>> on stats when both webalizer and awstats are good enough for most 
>> customers.
>> Now about your .htaccess question. It only makes sure valid customers 
>> with username/pwd have access to the cgi-bin folder.  But once a 
>> customer is logged in they can change their config file parameter and 
>> get another customer's stats.
>> Example:
>> User is asked for username/pwd, then logs in. Then they change their URL to
>> There they can see CustomerB stats. DOH
>> Mark. 

Mark McCulligh, Web Consultant
VisualTech Components
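For readers of the archive, here is an added example of what Method 2 from this thread looks like as a complete per-customer vhost. It is not configuration posted by anyone in the thread; the hostname, the cgi-bin path, the config file location and the htpasswd path are placeholders you would adjust for your own layout.

```apache
# Added example, not from the thread: one vhost per customer (Method 2).
# Assumed placeholders: customerA.example.com, /usr/lib/cgi-bin/awstats.pl,
# /etc/awstats/awstats.customerA.conf, /etc/httpd/awstats.htpasswd.
<VirtualHost *:80>
    ServerName customerA.example.com

    ScriptAlias /awstats/ "/usr/lib/cgi-bin/"

    <Directory "/usr/lib/cgi-bin">
        Options ExecCGI
        AuthType Basic
        AuthName "customerA statistics"
        AuthUserFile /etc/httpd/awstats.htpasswd
        # Tighter than "Require valid-user": only this customer's account
        # can get into this customer's vhost at all.
        Require user customerA
    </Directory>

    # awstats.pl honours this variable over the config= query parameter,
    # so ...awstats.pl?config=customerB still loads awstats.customerA.conf.
    SetEnv AWSTATS_FORCE_CONFIG customerA

    # Defence in depth, along the lines of Aman's rewrite: bounce any request
    # that names a config other than this customer's. The first condition
    # lets requests with no config= parameter through (AWStats' own links
    # often omit it, and the forced config covers that case); the second
    # matches config= anywhere in the query string, not only at the start.
    RewriteEngine On
    RewriteCond %{QUERY_STRING} config=
    RewriteCond %{QUERY_STRING} !(^|&)config=customerA(&|$)
    RewriteRule ^/awstats/ /stats-denied.html? [R,L]
</VirtualHost>
```

Two notes on the rewrite part. AWStats builds its own navigation links with several parameters (month, year, output and so on) in varying order, so a pattern anchored as `^config=customerA$` would reject the application's own links once a customer clicks around; matching `config=` as a bounded token anywhere in the query string avoids that. And if you go with Method 1 instead, the equivalent protection lives in each awstats.customerA.conf as the two directives Mark quotes above, with the value of AllowAccessFromWebToFollowingAuthenticatedUsers compared against the REMOTE_USER that the .htaccess authentication sets.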

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:
