Posted to users@httpd.apache.org by Mark McCulligh <mm...@visualtech.ca> on 2004/09/28 17:37:20 UTC
[users@httpd] AWStats and security
I have a question for anyone else using awstats for their website stats.
I have it installed and running ok. But want to protect the stats so
only valid users can access their stats. I have created a .htaccess
file to make sure only valid users can get in but how are people
protecting valid users from looking at other valid users' website stats?
I don't want customer A looking at customer B's stats.
I see that you can have awstats make static web pages using
"staticlinks" but I want to keep it dynamic.
How are other people protecting their awstats?
Thanks,
Mark.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] AWStats and security
Posted by Mark McCulligh <mm...@visualtech.ca>.
Yes, your way will work, but you will have a fairly long Vhost setup for
each customer now.
You can also use "SetEnv AWSTATS_FORCE_CONFIG customerA" in your
Vhost to make it so customers can't overwrite the config filename in
the URL.
I have been just reading the security doc on awstats website:
http://awstats.sourceforge.net/docs/awstats_security.html
To me you have 2 different options that will work.
Method 1:
One common .htaccess with all your customers, then in each awstats config
file you use AllowAccessFromWebToAuthenticatedUsersOnly = 1 and
AllowAccessFromWebToFollowingAuthenticatedUsers = customerA to protect
the config file from other customers.
Method 2:
In each vhost you have their own .htaccess and use SetEnv
AWSTATS_FORCE_CONFIG customerA OR your method of mod_rewrite.
I have not tested this out but both look like they will get the job
done. It is up to the webmaster what method they like better. I think
Method 1 for me would work better, only one .htaccess file to manage and
set the customer config file right the first time you make it.
Just my two cents.
Mark.
Aman Raheja wrote:
> You can configure apache's VH setting for each host to disallow
> anything in the query string other than config=CustomerA
> http://www.customerA.com/awstats/awstats.pl?config=CustomerA
>
> How about if they put
> http://www.customerA.com/awstats/awstats.pl?config=CustomerB - such
> that now the domain name part does not match the config= parameter -
> you do a rewrite (using mod_rewrite) and display an error page. That's
> easy to do.
>
> RewriteEngine On
> RewriteCond %{QUERY_STRING} !^config=customerA$
> RewriteRule /awstats/awstats.pl <some-error-page-url>? [R,L]
>
> I have not tried the above - corrections are welcome - though there
> might be some other way of restricting - this is the one I could think
> on the top of my head.
>
> Btw, don't forget to Load and add the mod_rewrite, if you choose to do
> this.
> Aman Raheja
>
>
> Mark McCulligh wrote:
>
>> Aman Raheja wrote:
>>
>>> Mark McCulligh wrote:
>>>
>>>> I have a question for anyone else using awstats for their website
>>>> stats.
>>>>
>>>> I have it installed and running ok. But want to protect the stats
>>>> so only valid users can access their stats. I have created a
>>>> .htaccess file to make sure only valid users can get in but how are
>>>> people protecting valid users from looking at other valid users
>>>> website stats. I don't want customer A looking at customer B's stats.
>>>>
>>>> I see that you can have awstats make static web pages using
>>>> "staticlinks" but I want to keep it dynamic.
>>>>
>>>> How are other people protecting their awstats.
>>>>
>>>> Thanks,
>>>> Mark.
>>>>
>>> I have used awstats before I switched to webalizer which gives more
>>> useful info for me.
>>> Well protecting is no big issue I think - esp if you are enabling
>>> .htaccess control then how can users know each other's user/pass
>>> info to look at someone else's stats!
>>>
>>> Aman Raheja
>>>
>> I am doing the opposite from you. I have used webalizer for years but
>> find awstats just looks nicer. Both give about the same information.
>> But customers are into looks. I have even looked at Urchin or
>> WebTrends to do stats but I don't want to spend the money right now
>> on stats when both webalizer and awstats are good enough for most
>> customers.
>>
>> Now about your .htaccess question. It only makes sure valid customers
>> with username/pwd have access to the cgi-bin folder. But once a
>> customer is logged in they can change their config file parameter and
>> get another customer's stats.
>>
>> Example:
>> http://www.customerA.com/awstats/awstats.pl?config=CustomerA
>> User asked for username/pwd, then log in. Then change their URL to
>> http://www.customerA.com/awstats/awstats.pl?config=CustomerB
>> They now can see CustomerB's stats. DOH
>>
>> Mark.
--
___________________________________________
Mark McCulligh, Web Consultant
VisualTech Components www.VisualTech.ca
mmcculli@visualtech.ca
(519)318-7905
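Added example, not part of the original messages and not AWStats or Apache project code: the shared "valid-user" setup the thread starts from, next to a per-customer virtual host that combines Method 2 (SetEnv AWSTATS_FORCE_CONFIG) with a corrected form of the mod_rewrite check. The host name, file paths, realm and the account/config name "customerA" are constructed; it assumes Apache 2.x with mod_env, mod_rewrite and basic authentication loaded.

```apache
# Added example, not from the thread. Constructed values: host name,
# file paths, realm, and the account/config name "customerA".

# Weak: one shared rule. Any authenticated customer is accepted, and
# awstats.pl takes the config name from the URL.
#   <Directory "/usr/local/awstats/wwwroot/cgi-bin">
#       AuthType Basic
#       AuthName "AWStats"
#       AuthUserFile "/etc/apache2/awstats.htpasswd"
#       Require valid-user
#   </Directory>

# Corrected: one block like this per customer virtual host.
<VirtualHost *:80>
    ServerName www.customerA.com
    ScriptAlias /awstats/ "/usr/local/awstats/wwwroot/cgi-bin/"

    <Directory "/usr/local/awstats/wwwroot/cgi-bin">
        AuthType Basic
        AuthName "AWStats"
        AuthUserFile "/etc/apache2/awstats.htpasswd"
        # Only this customer's account passes on this host.
        Require user customerA
    </Directory>

    # mod_env: awstats.pl uses this config name instead of config= from the URL.
    SetEnv AWSTATS_FORCE_CONFIG customerA

    # mod_rewrite, defense in depth: 403 for a config= naming anything else.
    # Unlike an exact-match test on the whole query string, this still lets
    # through requests that carry further parameters after config=customerA.
    RewriteEngine On
    RewriteCond %{QUERY_STRING} (?:^|&)config=(?!customerA(?:&|$)) [NC]
    RewriteRule ^/awstats/awstats\.pl$ - [F]
</VirtualHost>

# Method 1 alternative, set inside awstats.customerA.conf (AWStats, not Apache):
#   AllowAccessFromWebToAuthenticatedUsersOnly=1
#   AllowAccessFromWebToFollowingAuthenticatedUsers="customerA"
```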
Re: [users@httpd] AWStats and security
Posted by Aman Raheja <ar...@techquotes.com>.
You can configure apache's VH setting for each host to disallow anything
in the query string other than config=CustomerA
http://www.customerA.com/awstats/awstats.pl?config=CustomerA
How about if they put
http://www.customerA.com/awstats/awstats.pl?config=CustomerB - such that
now the domain name part does not match the config= parameter - you do a
rewrite (using mod_rewrite) and display an error page. That's easy to do.
RewriteEngine On
RewriteCond %{QUERY_STRING} !^config=customerA$
RewriteRule /awstats/awstats.pl <some-error-page-url>? [R,L]
I have not tried the above - corrections are welcome - though there might
be some other way of restricting - this is the one I could think on the
top of my head.
Btw, don't forget to Load and add the mod_rewrite, if you choose to do this.
Aman Raheja
Mark McCulligh wrote:
> Aman Raheja wrote:
>
>> Mark McCulligh wrote:
>>
>>> I have a question for anyone else using awstats for their website
>>> stats.
>>>
>>> I have it installed and running ok. But want to protect the stats so
>>> only valid users can access their stats. I have created a .htaccess
>>> file to make sure only valid users can get in but how are people
>>> protecting valid users from looking at other valid users website
>>> stats. I don't want customer A looking at customer B's stats.
>>>
>>> I see that you can have awstats make static web pages using
>>> "staticlinks" but I want to keep it dynamic.
>>>
>>> How are other people protecting their awstats.
>>>
>>> Thanks,
>>> Mark.
>>>
>> I have used awstats before I switched to webalizer which gives more
>> useful info for me.
>> Well protecting is no big issue I think - esp if you are enabling
>> .htaccess control then how can users know each other's user/pass info
>> to look at someone else's stats!
>>
>> Aman Raheja
>>
> I am doing the opposite from you. I have used webalizer for years but
> find awstats just looks nicer. Both give about the same information.
> But customers are into looks. I have even looked at Urchin or
> WebTrends to do stats but I don't want to spend the money right now on
> stats when both webalizer and awstats are good enough for most customers.
>
> Now about your .htaccess question. It only makes sure valid customers
> with username/pwd have access to the cgi-bin folder. But once a
> customer is logged in they can change their config file parameter and
> get another customer's stats.
>
> Example:
> http://www.customerA.com/awstats/awstats.pl?config=CustomerA
> User asked for username/pwd, then log in. Then change their URL to
> http://www.customerA.com/awstats/awstats.pl?config=CustomerB
> They now can see CustomerB's stats. DOH
>
> Mark.
Re: [users@httpd] AWStats and security
Posted by Mark McCulligh <mm...@visualtech.ca>.
Aman Raheja wrote:
> Mark McCulligh wrote:
>
>> I have a question for anyone else using awstats for their website stats.
>>
>> I have it installed and running ok. But want to protect the stats so
>> only valid users can access their stats. I have created a .htaccess
>> file to make sure only valid users can get in but how are people
>> protecting valid users from looking at other valid users website
>> stats. I don't want customer A looking at customer B's stats.
>>
>> I see that you can have awstats make static web pages using
>> "staticlinks" but I want to keep it dynamic.
>>
>> How are other people protecting their awstats.
>>
>> Thanks,
>> Mark.
>>
> I have used awstats before I switched to webalizer which gives more
> useful info for me.
> Well protecting is no big issue I think - esp if you are enabling
> .htaccess control then how can users know each other's user/pass info
> to look at someone else's stats!
>
> Aman Raheja
>
I am doing the opposite from you. I have used webalizer for years but
find awstats just looks nicer. Both give about the same information. But
customers are into looks. I have even looked at Urchin or WebTrends to
do stats but I don't want to spend the money right now on stats when
both webalizer and awstats are good enough for most customers.
Now about your .htaccess question. It only makes sure valid customers
with username/pwd have access to the cgi-bin folder. But once a
customer is logged in they can change their config file parameter and
get another customer's stats.
Example:
http://www.customerA.com/awstats/awstats.pl?config=CustomerA
User asked for username/pwd, then log in. Then change their URL to
http://www.customerA.com/awstats/awstats.pl?config=CustomerB
They now can see CustomerB's stats. DOH
Mark.
Re: [users@httpd] AWStats and security
Posted by Aman Raheja <ar...@techquotes.com>.
Mark McCulligh wrote:
> I have a question for anyone else using awstats for their website stats.
>
> I have it installed and running ok. But want to protect the stats so
> only valid users can access their stats. I have created a .htaccess
> file to make sure only valid users can get in but how are people
> protecting valid users from looking at other valid users website
> stats. I don't want customer A looking at customer B's stats.
>
> I see that you can have awstats make static web pages using
> "staticlinks" but I want to keep it dynamic.
>
> How are other people protecting their awstats.
>
> Thanks,
> Mark.
>
I have used awstats before I switched to webalizer which gives more
useful info for me.
Well protecting is no big issue I think - esp if you are enabling
.htaccess control then how can users know each other's user/pass info to
look at someone else's stats!
Aman Raheja