Hi guys, I have spent months now configuring my ISPConfig 3 on CentOS 6.4 installation for PCI DSS compliance. I have overcome almost all the issues that I was prompted with on the security shortcomings so if anyone has questions (my site scans are performed by SecurityMetrics).

However, I have one question. The /stats/ folder is generated by ISPConfig daily, and the .htaccess it creates allows the username/password to be sent in cleartext. I am trying to force /stats/ to redirect to https://mydomain.com/stats BEFORE it asks for username/password. I can do this with the following (appended to the already generated .htaccess at the top):

    SSLOptions +StrictRequire
    SSLRequireSSL
    SSLRequire %{HTTP_HOST} eq "mydomain.com"

However, the .htaccess is overwritten frequently, I believe. My issue would be resolved with either of the following:

A) I can modify the code written to the .htaccess file in the ISPConfig cron files. I have had a brief look but cannot actually find the script which writes them at the moment.

B) I can disable ISPConfig from creating the stats folder automatically.

What solutions would you think suitable? Any further ideas on this would be a great help!
Any ideas on this? Would like to make the changes before the start of the bank holiday weekend so I can set the site scans and hopefully have passed the tests by my return.

Regards,
Jim Dixon
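Added example, not part of the original posts and not ISPConfig code: a shell function that checks whether a regenerated .htaccess still protects its Basic auth prompt with the three directives quoted in the question, and prepends them again if they are gone. The host name is the placeholder from the post; the function name, the status words it prints and the file path passed in are assumptions.

```shell
#!/bin/bash
# Re-apply the SSL-only directives from the post to a stats .htaccess after
# the panel's job has rewritten it. The path is supplied by the caller.

SSL_HOST="mydomain.com"   # placeholder host taken from the post

# Return 0 if the file enables HTTP Basic auth.
uses_basic_auth() {
    grep -Eiq '^[[:space:]]*AuthType[[:space:]]+Basic' "$1"
}

# Return 0 if the file already refuses non-SSL requests.
requires_ssl() {
    grep -Eiq '^[[:space:]]*SSLRequireSSL[[:space:]]*$' "$1"
}

# Idempotent: prints one of missing | skipped | ok | fixed.
enforce_ssl_htaccess() {
    local file="$1" tmp
    [ -f "$file" ] || { echo "missing"; return 1; }
    uses_basic_auth "$file" || { echo "skipped"; return 0; }
    requires_ssl "$file" && { echo "ok"; return 0; }
    tmp="$(mktemp "${file}.XXXXXX")" || return 1
    {
        printf '%s\n' 'SSLOptions +StrictRequire'
        printf '%s\n' 'SSLRequireSSL'
        printf 'SSLRequire %%{HTTP_HOST} eq "%s"\n' "$SSL_HOST"
        cat "$file"
    } > "$tmp" || { rm -f "$tmp"; return 1; }
    # Keep the owner and mode of the generated file, then swap it in place.
    chmod --reference="$file" "$tmp" 2>/dev/null || true
    chown --reference="$file" "$tmp" 2>/dev/null || true
    mv -f "$tmp" "$file"
    echo "fixed"
}
```

Calling `enforce_ssl_htaccess` on the site's stats .htaccess from a cron entry that runs after the panel's own job keeps the directives in place; a "fixed" result in the cron output also shows how often the file is being regenerated.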