httpd-users mailing list archives

From "Martinez Gonzalez, Francisco" <fmartin...@endesa.es>
Subject RE: [users@httpd] AWStats and security
Date Wed, 29 Sep 2004 15:02:07 GMT

Yes, the way that you describe is more secure and correct, but I find it
difficult for the customers to find the valid domains to make a correct URL.
If you know how to do it, tell me; I am interested because I'm a customer of
an ISP that handles its stats the way that I described, and I want to try that...


Regards.
Fran



-----Original Message-----
From: Mark McCulligh [mailto:mmcculli@visualtech.ca]
Sent: Wednesday, September 29, 2004 16:41
To: users@httpd.apache.org
Subject: Re: [users@httpd] AWStats and security


It would not be that difficult for say Customer A to figure out other 
customers who are hosted by me if they really wanted to.  Then guess the 
config file name.

The only thing I found that I think will work (I have not tested it yet) 
is to use AllowAccessFromWebToAuthenticatedUsersOnly and 
AllowAccessFromWebToFollowingAuthenticatedUsers in the config file.

Set
AllowAccessFromWebToAuthenticatedUsersOnly = 1
AllowAccessFromWebToFollowingAuthenticatedUsers = customerA

Plus of course have the .htaccess set up on the cgi-bin folder.  
.htaccess will only let valid customers access the perl script 
awstats.pl, and by using these two parameters in the config file you can 
control which customers have access to which config files.

Like I said, I have not tested it, but it should work.  It does add a 
couple more steps to each site you set up.

Maybe someone else knows a better way to protect your awstats than this 
method. I hope today to give the above solution a try to see if it works.

Best Regards,
Mark.


Martinez Gonzalez, Francisco wrote:

>Well, I think that the users must know the url for each customer...
>
>If the URL for customer A is:
>http://yourpublicip/cgi-bin/awstats.pl?config=customerA
>
>The customer B can't look at those stats if he doesn't know that URL or domain.
>And vice versa.
>
>
>Regards. Fran.
>
>
>
>
>-----Original Message-----
>From: Mark McCulligh [mailto:mmcculli@visualtech.ca]
>Sent: Tuesday, September 28, 2004 17:37
>To: users@httpd.apache.org
>Subject: [users@httpd] AWStats and security
>
>
>I have a question for anyone else using awstats for their website stats.
>
>I have it installed and running ok. But I want to protect the stats so 
>only valid users can access their stats.  I have created a .htaccess 
>file to make sure only valid users can get in, but how are people 
>protecting valid users from looking at other valid users' website stats? 
>I don't want customer A looking at customer B's stats.
>
>I see that you can have awstats make static web pages using 
>"staticlinks" but I want to keep it dynamic.
>
>How are other people protecting their awstats?
>
>Thanks,
>Mark.
>
>---------------------------------------------------------------------
>The official User-To-User support forum of the Apache HTTP Server Project.
>See <URL:http://httpd.apache.org/userslist.html> for more info.
>To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
>For additional commands, e-mail: users-help@httpd.apache.org
>
>This e-mail message and any attached files are intended SOLELY for the
>addressee/s identified herein. It may contain CONFIDENTIAL and/or LEGALLY
>PRIVILEGED  information and may not necessarily represent the opinion of
>ENDESA. If you receive this message in ERROR, please immediately notify the
>sender and DELETE it since you ARE NOT AUTHORIZED  to use, disclose,
>distribute, print or copy all or part of the contained information. Thank
>you.  
>



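The per-config restriction Mark describes in the quoted message can be checked across every hosted site. The script below is an added example, not part of the original thread or of AWStats itself: it reads AWStats config text and reports which HTTP-authenticated users each config would be served to. The file names and sample contents are constructed, and it assumes the AWStats defaults (AllowAccessFromWebToAuthenticatedUsersOnly is off when absent, and the user list is space-separated).

```python
import re

# Constructed sample configs (file name -> contents); not taken from the thread.
SAMPLE_CONFIGS = {
    "awstats.customerA.conf": '''
SiteDomain="customera.example"
AllowAccessFromWebToAuthenticatedUsersOnly = 1
AllowAccessFromWebToFollowingAuthenticatedUsers = "customerA"
''',
    "awstats.customerB.conf": '''
SiteDomain="customerb.example"
AllowAccessFromWebToAuthenticatedUsersOnly=1
# user list left empty
AllowAccessFromWebToFollowingAuthenticatedUsers=""
''',
    "awstats.customerC.conf": '''
SiteDomain="customerc.example"
''',
}

# Key = value, with optional spaces and optional double quotes around the value.
DIRECTIVE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"#]*)"?')

def parse(text):
    """Return {directive: value} for one AWStats config, skipping comment lines."""
    values = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = DIRECTIVE.match(line)
        if m:
            values[m.group(1)] = m.group(2).strip()
    return values

def who_can_read(text):
    """Classify who awstats.pl will serve this config to (assumed default: 0)."""
    cfg = parse(text)
    if cfg.get("AllowAccessFromWebToAuthenticatedUsersOnly", "0") != "1":
        return "anyone who can reach awstats.pl"
    users = cfg.get("AllowAccessFromWebToFollowingAuthenticatedUsers", "").split()
    return "only: " + ", ".join(users) if users else "any authenticated user"

def audit(configs):
    """Map each config file name to its access classification."""
    return {name: who_can_read(text) for name, text in configs.items()}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_CONFIGS).items():
        print(f"{name}: {verdict}")
```

Any config that is not reported as "only: ..." is readable by every customer who passes the .htaccess check on cgi-bin, which is the cross-customer exposure the thread is about.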