You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@httpd.apache.org by David Mehler <da...@gmail.com> on 2018/04/03 13:32:57 UTC

[users@httpd] awstats removing script path and authentication check

Hello,

I've got two questions both about running awstats in a multiple domain
setup on apache 2.4.

I've got the below block in each of my ssl-enabled virtual hosts that
use awstats. Everything is working. First of all can I get a
confirmation that my authentication and authorization settings are
good?

Second, currently I have to:

domain.com/awstats/awstats.pl

which does work. I'd like to change things so that the last awstats.pl
is not needed so that users can just go to:

domain.com/awstats

and they'll be prompted for a username/password and then be able to use awstats.

# awstats
Alias /awstatsclasses "/usr/local/www/awstats/classes/"
Alias /awstatscss "/usr/local/www/awstats/css/"
Alias /awstatsicons "/usr/local/www/awstats/icon/"
ScriptAlias /awstats/ "/usr/local/www/awstats/cgi-bin/"

     <Directory "/usr/local/www/awstats/">
         Options None
         AllowOverride None
         Require all granted
     </Directory>

     <Directory "/usr/local/www/awstats/cgi-bin/">
         Options ExecCGI
         AddHandler cgi-script .cgi .pl
         </Directory>

# This is to force authentication when trying to access /awstats
<Location /awstats>
# mod_authn_core and mod_auth_basic configuration
# for mod_authn_dbd
AuthType Basic
AuthName "Awstats Access"
# To cache credentials, put socache ahead of dbd here
AuthBasicProvider socache dbd
# Also required for caching: tell the cache to cache dbd lookups!
AuthnCacheProvideFor dbd
# is the AuthnCacheContext line needed?
#AuthnCacheContext my-server
 # mod_authn_dbd SQL query to authenticate a user
AuthDBDUserPWQuery "SELECT passwd FROM auth WHERE username = %s AND active=1"
require valid-user
</Location>


Thanks.
Dave.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] awstats removing script path and authentication check

Posted by David Mehler <da...@gmail.com>.

Hello,

Thank you. Do you have a setup similar to mine?


Does this configuration look better? I took out the <location> entries
and put the authentication section that was previously in it in the
awstats cgi directory.

Thanks.
Dave.

# awstats
Alias /awstatsclasses "/usr/local/www/awstats/classes/"
Alias /awstatscss "/usr/local/www/awstats/css/"
Alias /awstatsicons "/usr/local/www/awstats/icon/"
ScriptAlias /awstats/ "/usr/local/www/awstats/cgi-bin/"

     <Directory "/usr/local/www/awstats/">
         Options None
         AllowOverride None
         Require all granted
     </Directory>

     <Directory "/usr/local/www/awstats/cgi-bin/">
         Options ExecCGI
         AddHandler cgi-script .cgi .pl

# This is to force authentication when trying to access /awstats
# mod_authn_core and mod_auth_basic configuration
# for mod_authn_dbd
AuthType Basic
AuthName "Awstats Access"
# To cache credentials, put socache ahead of dbd here
AuthBasicProvider socache dbd
# Also required for caching: tell the cache to cache dbd lookups!
AuthnCacheProvideFor dbd
#AuthnCacheContext my-server
 # mod_authn_dbd SQL query to authenticate a user
AuthDBDUserPWQuery "SELECT passwd FROM auth WHERE username = %s AND active=1"
require valid-user
         </Directory>


On 4/3/18, Eric Covener <co...@gmail.com> wrote:
> On Tue, Apr 3, 2018 at 9:32 AM, David Mehler <da...@gmail.com> wrote:
>> Hello,
>>
>> I've got two questions both about running awstats in a multiple domain
>> setup on apache 2.4.
>>
>> I've got the below block in each of my ssl-enabled virtual hosts that
>> use awstats. Everything is working. First of all can I get a
>> confirmation that my authentication and authorization settings are
>> good?
>
> It is unwise to use Location for this, because a subtly different URL
> might lead to the CGI on disk -- which is not even hypothetical in
> this case!
>
> Use Directory for the auth (you have the cfg section already) so it
> doesn't matter how you get there.
>
>> Second, currently I have to:
>>
>> domain.com/awstats/awstats.pl
>>
>> which does work. I'd like to change things so that the last awstats.pl
>> is not needed so that users can just go to:
>>
>> domain.com/awstats
>>
>
> Since the static elements are in separate dirs (from you Alias
> directives), it might be safe to access the script as /awstats. But
> generally you want to avoid stripping things like segments as it will
> screw with the other relative stuff.
>
>> and they'll be prompted for a username/password and then be able to use
>> awstats.
>>
>> # awstats
>> Alias /awstatsclasses "/usr/local/www/awstats/classes/"
>> Alias /awstatscss "/usr/local/www/awstats/css/"
>> Alias /awstatsicons "/usr/local/www/awstats/icon/"
>> ScriptAlias /awstats/ "/usr/local/www/awstats/cgi-bin/"
>
> I guess the above does not work. ScriptAliasMatch might be more
> clear/concise and will work.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] awstats removing script path and authentication check

Posted by Eric Covener <co...@gmail.com>.

On Tue, Apr 3, 2018 at 9:32 AM, David Mehler <da...@gmail.com> wrote:
> Hello,
>
> I've got two questions both about running awstats in a multiple domain
> setup on apache 2.4.
>
> I've got the below block in each of my ssl-enabled virtual hosts that
> use awstats. Everything is working. First of all can I get a
> confirmation that my authentication and authorization settings are
> good?

It is unwise to use Location for this, because a subtly different URL
might lead to the CGI on disk -- which is not even hypothetical in
this case!

Use Directory for the auth (you have the cfg section already) so it
doesn't matter how you get there.

> Second, currently I have to:
>
> domain.com/awstats/awstats.pl
>
> which does work. I'd like to change things so that the last awstats.pl
> is not needed so that users can just go to:
>
> domain.com/awstats
>

Since the static elements are in separate dirs (from you Alias
directives), it might be safe to access the script as /awstats. But
generally you want to avoid stripping things like segments as it will
screw with the other relative stuff.

> and they'll be prompted for a username/password and then be able to use awstats.
>
> # awstats
> Alias /awstatsclasses "/usr/local/www/awstats/classes/"
> Alias /awstatscss "/usr/local/www/awstats/css/"
> Alias /awstatsicons "/usr/local/www/awstats/icon/"
> ScriptAlias /awstats/ "/usr/local/www/awstats/cgi-bin/"

I guess the above does not work. ScriptAliasMatch might be more
clear/concise and will work.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org