Posted to users@httpd.apache.org by Mark McCulligh <mm...@visualtech.ca> on 2004/09/28 17:37:20 UTC

[users@httpd] AWStats and security

I have a question for anyone else using awstats for their website stats.

I have it installed and running OK, but I want to protect the stats so 
only valid users can access their stats.  I have created a .htaccess 
file to make sure only valid users can get in, but how are people 
protecting valid users from looking at other valid users' website stats? 
I don't want customer A looking at customer B's stats.

I see that you can have awstats make static web pages using 
"staticlinks", but I want to keep it dynamic.

How are other people protecting their awstats?

Thanks,
Mark.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] AWStats and security

Posted by Mark McCulligh <mm...@visualtech.ca>.
Yes, your way will work, but you will have a fairly long Vhost setup for 
each customer now.

You can also use "SetEnv AWSTATS_FORCE_CONFIG customerA" in your 
Vhost to make it so customers can't overwrite the config filename in 
the URL.

I have been just reading the security doc on awstats website:
http://awstats.sourceforge.net/docs/awstats_security.html

To me you have 2 different options that will work.
Method 1:
One common .htaccess with all your customers, then in each awstats config 
file you use AllowAccessFromWebToAuthenticatedUsersOnly = 1 and 
AllowAccessFromWebToFollowingAuthenticatedUsers = customerA to protect 
the config file from the other customers.
Method 2:
In each vhost you have their own .htaccess and use "SetEnv 
AWSTATS_FORCE_CONFIG customerA" OR your method of mod_rewrite.

I have not tested this out, but both look like they will get the job 
done. It is up to the webmaster which method they like better. I think 
Method 1 for me would work better: only one .htaccess file to manage, and 
you set the customer config file right the first time you make it.

Just my two cents.
Mark.

Aman Raheja wrote:

> You can configure apache's VH setting for each host to disallow 
> anything in the query string other than config=CustomerA
> http://www.customerA.com/awstats/awstats.pl?config=CustomerA
>
> How about if they put 
> http://www.customerA.com/awstats/awstats.pl?config=CustomerB - such 
> that now the domain name part does not match the config= parameter - 
> you do a rewrite (using mod_rewrite) and display an error page. That's 
> easy to do.
>
> RewriteEngine On
> # Only requests whose query string is exactly config=customerA get through
> RewriteCond %{QUERY_STRING} !^config=customerA$
> RewriteRule /awstats/awstats.pl <some-error-page-url>? [R,L]
>
> I have not tried the above - corrections are welcome - though there 
> might be some other way of restricting - this is the one I could think 
> of off the top of my head.
>
> Btw, don't forget to load and add mod_rewrite, if you choose to do 
> this.
> Aman Raheja
>
>
> Mark McCulligh wrote:
>
>> Aman Raheja wrote:
>>
>>> Mark McCulligh wrote:
>>>
>>>> I have a question for anyone else using awstats for their website 
>>>> stats.
>>>>
>>>> I have it installed and running OK, but I want to protect the stats 
>>>> so only valid users can access their stats.  I have created a 
>>>> .htaccess file to make sure only valid users can get in, but how are 
>>>> people protecting valid users from looking at other valid users' 
>>>> website stats? I don't want customer A looking at customer B's stats.
>>>>
>>>> I see that you can have awstats make static web pages using 
>>>> "staticlinks" but I want to keep it dynamic.
>>>>
>>>> How are other people protecting their awstats?
>>>>
>>>> Thanks,
>>>> Mark.
>>>>
>>> I have used awstats before I switched to webalizer, which gives more 
>>> useful info for me.
>>> Well, protecting is no big issue I think - especially if you are 
>>> enabling .htaccess control, then how can users know each other's 
>>> user/pass info to look at someone else's stats!
>>>
>>> Aman Raheja
>>>
>> I am doing the opposite from you. I have used webalizer for years but 
>> find awstats just looks nicer. Both give about the same information. 
>> But customers are into looks. I have even looked at Urchin or 
>> WebTrends to do stats but I don't want to spend the money right now 
>> on stats when both webalizer and awstats are good enough for most 
>> customers.
>>
>> Now about your .htaccess question. It only makes sure valid customers 
>> with username/pwd have access to the cgi-bin folder.  But once a 
>> customer is logged in they can change their config file parameter and 
>> get another customer's stats.
>>
>> Example:
>> http://www.customerA.com/awstats/awstats.pl?config=CustomerA
>> The user is asked for username/pwd, then logs in. Then they change their URL to
>> http://www.customerA.com/awstats/awstats.pl?config=CustomerB
>> and now they can see CustomerB's stats. DOH
>>
>> Mark. 
>
>
>
>
>


-- 
___________________________________________
Mark McCulligh, Web Consultant
VisualTech Components www.VisualTech.ca
mmcculli@visualtech.ca
(519)318-7905




Re: [users@httpd] AWStats and security

Posted by Aman Raheja <ar...@techquotes.com>.
You can configure apache's VH setting for each host to disallow anything 
in the query string other than config=CustomerA
http://www.customerA.com/awstats/awstats.pl?config=CustomerA

How about if they put 
http://www.customerA.com/awstats/awstats.pl?config=CustomerB - such that 
now the domain name part does not match the config= parameter - you do a 
rewrite (using mod_rewrite) and display an error page. That's easy to do.

RewriteEngine On
# Only requests whose query string is exactly config=customerA get through
RewriteCond %{QUERY_STRING} !^config=customerA$
RewriteRule /awstats/awstats.pl <some-error-page-url>? [R,L]

I have not tried the above - corrections are welcome - though there might 
be some other way of restricting - this is the one I could think of off 
the top of my head.

Btw, don't forget to load and add mod_rewrite, if you choose to do this.
Aman Raheja


Mark McCulligh wrote:

> Aman Raheja wrote:
>
>> Mark McCulligh wrote:
>>
>>> I have a question for anyone else using awstats for their website 
>>> stats.
>>>
>>> I have it installed and running OK, but I want to protect the stats so 
>>> only valid users can access their stats.  I have created a .htaccess 
>>> file to make sure only valid users can get in, but how are people 
>>> protecting valid users from looking at other valid users' website 
>>> stats? I don't want customer A looking at customer B's stats.
>>>
>>> I see that you can have awstats make static web pages using 
>>> "staticlinks" but I want to keep it dynamic.
>>>
>>> How are other people protecting their awstats?
>>>
>>> Thanks,
>>> Mark.
>>>
>> I have used awstats before I switched to webalizer, which gives more 
>> useful info for me.
>> Well, protecting is no big issue I think - especially if you are enabling 
>> .htaccess control, then how can users know each other's user/pass info 
>> to look at someone else's stats!
>>
>> Aman Raheja
>>
> I am doing the opposite from you. I have used webalizer for years but 
> find awstats just looks nicer. Both give about the same information. 
> But customers are into looks. I have even looked at Urchin or 
> WebTrends to do stats but I don't want to spend the money right now on 
> stats when both webalizer and awstats are good enough for most customers.
>
> Now about your .htaccess question. It only makes sure valid customers 
> with username/pwd have access to the cgi-bin folder.  But once a 
> customer is logged in they can change their config file parameter and 
> get another customer's stats.
>
> Example:
> http://www.customerA.com/awstats/awstats.pl?config=CustomerA
> The user is asked for username/pwd, then logs in. Then they change their URL to
> http://www.customerA.com/awstats/awstats.pl?config=CustomerB
> and now they can see CustomerB's stats. DOH
>
> Mark. 
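
Below is a consolidated per-customer vhost putting the pieces discussed in this thread together (Basic auth, "SetEnv AWSTATS_FORCE_CONFIG", and the mod_rewrite guard with the QUERY_STRING variable name corrected). It is an example added here, not configuration from either poster or from the AWStats project; the CGI path, hostname and htpasswd location are assumptions.

```apache
# Added example (not from the thread or the AWStats project): one vhost
# per customer combining Basic auth, AWSTATS_FORCE_CONFIG and a rewrite
# guard. Paths, hostnames and the htpasswd location are assumptions.
<VirtualHost *:80>
    ServerName www.customerA.com

    # awstats.pl is served from a CGI directory outside the docroot.
    ScriptAlias /awstats/ /usr/lib/cgi-bin/awstats/

    <Directory /usr/lib/cgi-bin/awstats>
        AuthType Basic
        AuthName "CustomerA statistics"
        # Assumed path to this customer's htpasswd file.
        AuthUserFile /etc/apache2/awstats.customerA.htpasswd
        Require valid-user

        # Method 2 from the thread: awstats.pl honours this variable and
        # ignores any config= value in the query string, so a user who
        # authenticates here can only ever reach awstats.customerA.conf.
        SetEnv AWSTATS_FORCE_CONFIG customerA
    </Directory>

    # Defence in depth: also reject (HTTP 403) any awstats.pl request whose
    # query string names a different config, rather than silently forcing
    # it. The variable is QUERY_STRING (the posted rule had QUERYSTRING).
    RewriteEngine On
    RewriteCond %{QUERY_STRING} (^|&)config=([^&]*)
    RewriteCond %2 !^customerA$
    RewriteRule ^/awstats/awstats\.pl$ - [F,L]
</VirtualHost>
```

For Method 1 instead, the per-customer awstats.customerA.conf carries AllowAccessFromWebToAuthenticatedUsersOnly=1 and AllowAccessFromWebToFollowingAuthenticatedUsers="customerA", where the listed name must match the Basic-auth username Apache passes to the CGI as REMOTE_USER.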





Re: [users@httpd] AWStats and security

Posted by Mark McCulligh <mm...@visualtech.ca>.
Aman Raheja wrote:

> Mark McCulligh wrote:
>
>> I have a question for anyone else using awstats for their website stats.
>>
>> I have it installed and running OK, but I want to protect the stats so 
>> only valid users can access their stats.  I have created a .htaccess 
>> file to make sure only valid users can get in, but how are people 
>> protecting valid users from looking at other valid users' website 
>> stats? I don't want customer A looking at customer B's stats.
>>
>> I see that you can have awstats make static web pages using 
>> "staticlinks" but I want to keep it dynamic.
>>
>> How are other people protecting their awstats?
>>
>> Thanks,
>> Mark.
>>
> I have used awstats before I switched to webalizer, which gives more 
> useful info for me.
> Well, protecting is no big issue I think - especially if you are enabling 
> .htaccess control, then how can users know each other's user/pass info 
> to look at someone else's stats!
>
> Aman Raheja
>
I am doing the opposite from you. I have used webalizer for years but 
find awstats just looks nicer. Both give about the same information. But 
customers are into looks. I have even looked at Urchin or WebTrends to 
do stats but I don't want to spend the money right now on stats when 
both webalizer and awstats are good enough for most customers.

Now about your .htaccess question. It only makes sure valid customers 
with username/pwd have access to the cgi-bin folder.  But once a 
customer is logged in they can change their config file parameter and 
get another customer's stats.

Example:
http://www.customerA.com/awstats/awstats.pl?config=CustomerA
The user is asked for username/pwd, then logs in. Then they change their URL to
http://www.customerA.com/awstats/awstats.pl?config=CustomerB
and now they can see CustomerB's stats. DOH

Mark.




Re: [users@httpd] AWStats and security

Posted by Aman Raheja <ar...@techquotes.com>.
Mark McCulligh wrote:

> I have a question for anyone else using awstats for their website stats.
>
> I have it installed and running OK, but I want to protect the stats so 
> only valid users can access their stats.  I have created a .htaccess 
> file to make sure only valid users can get in, but how are people 
> protecting valid users from looking at other valid users' website 
> stats? I don't want customer A looking at customer B's stats.
>
> I see that you can have awstats make static web pages using 
> "staticlinks" but I want to keep it dynamic.
>
> How are other people protecting their awstats?
>
> Thanks,
> Mark.
>
I have used awstats before I switched to webalizer, which gives more 
useful info for me.
Well, protecting is no big issue I think - especially if you are enabling 
.htaccess control, then how can users know each other's user/pass info to 
look at someone else's stats!

Aman Raheja
