httpd-users mailing list archives

From Mark McCulligh <mmccu...@visualtech.ca>
Subject Re: [users@httpd] AWStats and security
Date Wed, 29 Sep 2004 15:33:15 GMT
Yes, your way will work, but you will have a fairly long Vhost setup for 
each customer now. 

You can also use "SetEnv AWSTATS_FORCE_CONFIG customerA" in your 
Vhost to make it so customers can't overwrite the config filename in 
the URL.

I have just been reading the security doc on the awstats website:
http://awstats.sourceforge.net/docs/awstats_security.html

To me you have 2 different options that will work.
Method 1:
One common .htaccess with all your customers, then in each awstats config 
file you use AllowAccessFromWebToAuthenticatedUsersOnly = 1 and 
AllowAccessFromWebToFollowingAuthenticatedUsers = customerA to protect 
the config file from other customers.
Method 2:
In each vhost you have their own .htaccess and use SetEnv 
AWSTATS_FORCE_CONFIG customerA OR your method of mod_rewrite.

I have not tested this out but both look like they will get the job 
done. It is up to the webmaster what method they like better. I think 
Method 1 for me would work better, only one .htaccess file to manage and 
set the customer config file right the first time you make it.
Just my two cents.
Mark.

Aman Raheja wrote:

> You can configure apache's VH setting for each host to disallow 
> anything in the query string other than config=CustomerA
> http://www.customerA.com/awstats/awstats.pl?config=CustomerA
>
> How about if they put 
> http://www.customerA.com/awstats/awstats.pl?config=CustomerB - such 
> that now the domain name part does not match the config= parameter - 
> you do a rewrite (using mod_rewrite) and display an error page. That's 
> easy to do.
>
> RewriteEngine On
> # the mod_rewrite variable is QUERY_STRING (there is no QUERYSTRING)
> RewriteCond %{QUERY_STRING} !^config=customerA$
> # in vhost context the pattern is matched against the full URL path;
> # the trailing "?" drops the offending query string from the redirect
> RewriteRule ^/awstats/awstats\.pl$ <some-error-page-url>? [R,L]
>
> I have not tried the above - corrections are welcome - though there 
> might be some other way of restricting - this is the one I could think 
> of on the top of my head.
>
> Btw, don't forget to load and add mod_rewrite, if you choose to do 
> this.
> Aman Raheja
>
>
> Mark McCulligh wrote:
>
>> Aman Raheja wrote:
>>
>>> Mark McCulligh wrote:
>>>
>>>> I have a question for anyone else using awstats for their website 
>>>> stats.
>>>>
>>>> I have it installed and running ok. But want to protect the stats 
>>>> so only valid users can access their stats.  I have created a 
>>>> .htaccess file to make sure only valid users can get in but how are 
>>>> people protecting valid users from looking at other valid users 
>>>> website stats. I don't want customer A looking at customers B stats.
>>>>
>>>> I see that you can have awstats make static web pages using 
>>>> "staticlinks" but I want to keep it dynamic.
>>>>
>>>> How are other people protecting their awstats.
>>>>
>>>> Thanks,
>>>> Mark.
>>>>
>>> I have used awstats before I switched to webalizer, which gives more 
>>> useful info for me.
>>> Well, protecting is no big issue I think - esp. if you are enabling 
>>> .htaccess control, then how can users know each other's user/pass 
>>> info to look at someone else's stats!
>>>
>>> Aman Raheja
>>>
>> I am doing the opposite from you. I have used webalizer for years but 
>> find awstats just looks nicer. Both give about the same information. 
>> But customers are into looks. I have even looked at Urchin or 
>> WebTrends to do stats but I don't want to spend the money right now 
>> on stats when both webalizer and awstats are good enough for most 
>> customers.
>>
>> Now about your .htaccess question. It only makes sure valid customers 
>> with username/pwd have access to the cgi-bin folder.  But once a 
>> customer is logged in they can change their config file parameter and 
>> get another customer's stats.
>>
>> Example:
>> http://www.customerA.com/awstats/awstats.pl?config=CustomerA
>> User is asked for username/pwd, then logs in. Then change their URL to
>> http://www.customerA.com/awstats/awstats.pl?config=CustomerB
>> There, now they can see CustomerB's stats. DOH
>>
>> Mark. 
>


-- 
___________________________________________
Mark McCulligh, Web Consultant
VisualTech Components www.VisualTech.ca
mmcculli@visualtech.ca
(519)318-7905
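To make Method 2 concrete, here is an added example of a per-customer vhost, written for this archive page and not taken from the thread or from the AWStats documentation. It shows the weak setup the thread starts from (one shared password file, config chosen by the URL) next to a hardened one that combines the three controls discussed above: a per-vhost Require user, SetEnv AWSTATS_FORCE_CONFIG, and a corrected mod_rewrite guard. The paths (/usr/lib/cgi-bin/awstats.pl, /srv/awstats/htpasswd), the user name customerA and the port are assumptions for illustration.

```apache
# Added example, not the thread's or AWStats' own config.
# Assumed paths: /usr/lib/cgi-bin/awstats.pl, /srv/awstats/htpasswd

# --- Weak: shared realm, config file chosen by the query string ---
<VirtualHost *:80>
    ServerName www.customerA.com
    ScriptAlias /awstats/ /usr/lib/cgi-bin/
    <Directory /usr/lib/cgi-bin>
        Options ExecCGI
        AuthType Basic
        AuthName "Stats"
        AuthUserFile /srv/awstats/htpasswd
        Require valid-user      # every customer in htpasswd gets in here...
    </Directory>
    # ...and nothing stops ?config=customerB once they are logged in.
</VirtualHost>

# --- Hardened: login, config selection and URL guard all pinned to customerA ---
<VirtualHost *:80>
    ServerName www.customerA.com
    ScriptAlias /awstats/ /usr/lib/cgi-bin/
    <Directory /usr/lib/cgi-bin>
        Options ExecCGI
        AuthType Basic
        AuthName "Stats for customerA"
        AuthUserFile /srv/awstats/htpasswd   # same file, but see Require below
        Require user customerA               # only this customer's login works on this vhost
    </Directory>

    # awstats.pl reads this CGI environment variable instead of the
    # config= query parameter (needs mod_env loaded).
    SetEnv AWSTATS_FORCE_CONFIG customerA

    # Belt and braces: reject any explicit config= that is not ours with a 403.
    # (^|&) and (&|$) stop config=customerAB or a second config=... parameter
    # from sneaking past; other parameters (year=, month=, output=) stay allowed.
    RewriteEngine On
    RewriteCond %{QUERY_STRING} (^|&)config=(?!customerA(&|$))
    RewriteRule ^/awstats/awstats\.pl$ - [F]
</VirtualHost>
```

The important difference from the rule quoted earlier in the thread is the RewriteCond: a strict `!^config=customerA$` rejects every link AWStats itself generates once it appends year=, month= or output= parameters, so the guard uses a negative lookahead on the config= value only. After deploying, check the result the way the thread describes the problem: log in on www.customerA.com and request ?config=customerB; with AWSTATS_FORCE_CONFIG you should still get customerA's report, and with the rewrite guard a 403. Method 1 (AllowAccessFromWebToFollowingAuthenticatedUsers in the awstats config) works on the same basis, since AWStats compares the REMOTE_USER that Apache sets after Basic auth, which is why the authentication must stay in front of the CGI directory in either method.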


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

