Hey all, I'm also working on putting in awstats as I like it more than webalizer despite the security flaws it's had in the past, but with htaccess it would prevent a lot more attacks from anonymous access anyway. I've got it all working but 1 thing, .htpasswd files... The problem is that awstats uses cgi and its own path instead of /cgi-bin/ but I want to put .htaccess inside that so only users can access the page, but maintaining a common .htpasswd inside a common path is my issue. Currently .htpasswd and .htaccess for stats are inside users' home paths and to change that to a common path seems like hell for me. Any ideas? Only thing I could think of was searching each home path and `cat $home/.htpasswd >> /home/httpd/awstats-cgibin/.htpasswd` so any changes are copied over.. very crude but it could work.. Is there a neater way I can maintain this common password file, so if someone changes their password it would also change in this common file? I also have another issue with a htpasswd file in which the user is admin:$1${somehashvalue} which is not the user.. how did this get there and how do I change it? I already created an admin user for the site but it doesn't change this file..????
Ah cool. I've been modifying /root/ispconfig/scripts/shell/webalizer.php and made it update the global .htpasswd list in the stats page. All good. Just have an issue where I modified the .htaccess in the /stats/ directory to auto redirect the user to /ispcstats/awstats.pl?config=www.domain.com but what happens is that the browser seems to auto add a / at the end, which causes problems with awstats picking up the "config" parameter as www.domain.com/ not www.domain.com, so I had to use an index.php and use the header("Location:...." ) method, which works, but if a site isn't php enabled then I'm screwed.
Did this redirect (.html file) solve the problem?
Code:
```html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<meta http-equiv="refresh" content="0;URL=/ispcstats/awstats.pl?config=www.domain.com" />
<title>Statistics</title>
</head>
<body>
</body>
</html>
```
I actually ended up cheating a little and placed this into the .htaccess file in the ./stats dir.
```
Redirect 301 /stats http://www.domainsite.com.au/ispcstats/awstats.pl?config=www.domainsite.com.au&
```
The & at the end stopped the / getting into the domain parameter. I'll keep a note on that for next time. I'll even put in a mod for anyone who prefers to use awstats on their server once I get all the mods down and checked.
@DJ: What about generating static stats with awstats? So you don't need to care about security flaws by stats accessing users, and don't need to care about cgi-bin stuff.
I can create a static output but when you select another month/date it calls the cgi... unless I'm doing something wrong. Doesn't matter, works well now.
Are the user accounts in your awstats configuration still separated, so that customer A can not read the statistics from customer B even if he uses the domain of customer B as domain= parameter?
The configuration is always separate, it's the awstats.pl script that's global and the problem. Once I've logged in and if I know another domain that is hosted on the same server, I just change the config=www.domain1.com to conf=www.domain2.com and I can see it. You just have to know it's there to begin with. Because the .htpasswd file contains all the users together, I don't know how (without separating the awstats) to lock each domain. Hmm.. I'll sleep on this one.
Hey all, I managed to get some time and work on this awstats auth problem. There are 2 settings in the conf file which you can set to check the authentication.
```
AllowAccessFromWebToAuthenticatedUsersOnly=1
AllowAccessFromWebToFollowingAuthenticatedUsers=""
```
I changed it in a way so each site's config has its own custom settings and it includes the main template config. The site's config contains the
```
AllowAccessFromWebToFollowingAuthenticatedUsers="myuser1 myuser2"
```
Now, attempting to browse someone else's stats with your login failed with
PHP:
```
Error: User 'web15_djtremors' is not allowed to access statistics of this domain/config.
```
Works like a treat.
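Added example, not part of the thread and not ISPConfig or AWStats code: a shell check that reports any per-site config which does not end up with both settings from the post above in force, so a site created without a user list is caught before another customer can read it. It assumes configs named awstats.<domain>.conf in one directory, absolute-path `Include "..."` lines expanded one level deep, and that the last assignment of a setting is the effective one; the function names are made up for this example.

```shell
# Added example. Assumes awstats.<domain>.conf files in one directory,
# absolute-path Include "..." lines (expanded one level deep here), and that
# the last assignment of a setting is the effective one.

# Print the effective value of setting $1 in config file $2.
effective_value() {
    awk '
        /^[ \t]*Include[ \t]+"/ {          # splice the included file in place
            f = $0; sub(/^[^"]*"/, "", f); sub(/".*$/, "", f)
            while ((getline line < f) > 0) print line
            close(f); next
        }
        { print }
    ' "$2" | awk -v key="$1" '
        { sub(/^[ \t]+/, "") }
        /^#/ { next }                      # comment line
        {
            p = index($0, "="); if (!p) next
            k = substr($0, 1, p - 1); sub(/[ \t]+$/, "", k); if (k != key) next
            v = substr($0, p + 1)
            sub(/[ \t]*#.*$/, "", v); sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            sub(/^"/, "", v); sub(/"$/, "", v); val = v
        }
        END { print val }
    '
}

# Return 0 only if the config is limited to a named list of users.
audit_conf() {
    conf=$1
    only=$(effective_value AllowAccessFromWebToAuthenticatedUsersOnly "$conf")
    users=$(effective_value AllowAccessFromWebToFollowingAuthenticatedUsers "$conf")
    if [ "$only" != "1" ]; then
        echo "OPEN   $conf: AllowAccessFromWebToAuthenticatedUsersOnly is not 1"; return 1
    elif [ -z "$users" ]; then
        echo "SHARED $conf: any authenticated user can read it"; return 1
    fi
    echo "OK     $conf: restricted to: $users"
}

# Audit every site config in directory $1; non-zero if any is not locked down.
audit_dir() {
    rc=0
    for c in "$1"/awstats.*.conf; do
        [ -f "$c" ] && { audit_conf "$c" || rc=1; }
    done
    return $rc
}
```

Source the file and run `audit_dir` on the directory holding the site configs, for example from the same cron job that regenerates them.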
Thanks. Atm I'm fighting legal issues with my local council as they plan to rip my attic from me, but when I get a chance, I'll post up a HowTo for those others who would like to use Awstats instead. I admit, it does look a lot nicer than webalizer (but not as secure as we've seen in the past). I'm trying to go for the auto install as well.....trying........