Awstats password protection
BerserkerXP Offline


Posts: 1
Joined: Aug 2008
Reputation: 0
Post: #51
RE: Awstats password protection
I think the best would be to create/expand the password file when a user is created or the user settings are changed. So the password for awstats would be the same as for the domain!
09-06-2008 09:14 PM
lbm Offline
Newbie
*

Posts: 5
Joined: Apr 2008
Reputation: 0
Post: #52
RE: Awstats password protection
When thinking of encryption it may be interesting to put the awstats web access in a single place (I did this on a server once) e.g. https://iscpcontrolpanellink/awstats.
Then one could use something like the following in awstats:

AllowAccessFromWebToFollowingAuthenticatedUsers="user1 user1s_reseller"

and authenticate in Apache "normally" like (this is without the use of sql as an example):

Alias /awstats /usr/local/awstats/wwwroot/
<Directory /usr/local/awstats/wwwroot>
AuthType Basic
AuthUserFile /where/ever
# no <Limit GET> wrapper: inside it only GET/HEAD requests would require a login
Require valid-user
</Directory>

So (if one is using encryption for the isp-panel; which imho should be the case on productive servers) the awstats pass is encrypted, too. Otherwise the admin pass will be exposed for the statistics since the domains are not encrypted usually...

The awstats-link can then be done this way per domain:

RewriteEngine on
RewriteRule ^/stats/$ http://iscpcontrolpanellink/awstats/cgi-bin/awstats.pl?config=domain [R]
(assuming http://ispcontrolpanellink redirects to https://ispcontrolpanellink -> that's how I do it in my ispcp)

such that restriction is handled in the awstats config (see above). Furthermore this enables e.g. resellers to be able to see some stats of their domains, too (which in Germany at least would not be allowed by law)...

Tell me what you think and tell me if you need more information about how I did the setup.

Cheers,
Thorsten
(This post was last modified: 09-09-2008 04:06 AM by lbm.)
09-09-2008 04:04 AM
BeNe Offline
Moderator
*****

Posts: 3,168
Joined: Jan 2007
Reputation: 42
Post: #53
RE: Awstats password protection
I understand, but maybe you can give us more information about the setup.
Or did you set it manually?

Looks like AWStats is getting more interesting.... ;)

Greez BeNe

An operating system is only ever as good and secure as the administrator who manages it.
How well the administrator can bring his skills to bear, however, is determined by the operating system.
-> Linux rulZ!
09-09-2008 06:07 AM
lbm Offline
Newbie
*

Posts: 5
Joined: Apr 2008
Reputation: 0
Post: #54
RE: Awstats password protection
OK guys, it's long, but here is the script that we used essentially to do the awstats thingy. Authentication has been done with htaccess, though... As mentioned, this was done before we knew ispCP and I think your template based mechanism is smarter... still this is all I can provide ;). Some paths are different than in an ispCP setup but that should be pretty easy to change.
Below the script I included the webserver config (the part that should be included in the 00_master.conf in case of ispCP) and in the part of the vhost creation you see the redirect to this address.
Furthermore on my ispcp server I created a 00_master_ssl.conf and placed a redirect to the https site to anything coming from port 80 in the master.conf to force users to use ssl (they don't do it if you don't force them, it's awful). I included this also for convenience:

(if I forgot to delete any sensitive information, please do so, thanks ;) ).

###### SCRIPT START #####
#!/bin/sh
KDNNAME=$1 #customername
DOMAINNAME=$2 #domainname
PFADVHOST=/etc/apache2/sites-available/$KDNNAME/$DOMAINNAME.conf #path of vhost
IPADRESSE=XXX.XXX.XXX.XXX
PFADAWSTATS=/etc/awstats/awstats.$DOMAINNAME.conf #path of awstats config
HOMEDIR=/home/customers
SERVERNAME=example.com

## create vhost
mkdir -p /etc/apache2/sites-available/$KDNNAME

mkdir -p $HOMEDIR/"$KDNNAME"/htdocs/"$DOMAINNAME"/cgi-bin

echo '<VirtualHost *:80>' > $PFADVHOST
echo ' ServerAdmin webmaster@'$DOMAINNAME >> $PFADVHOST
echo ' ServerName '$DOMAINNAME >> $PFADVHOST
echo ' RewriteEngine on' >> $PFADVHOST
# $SERVERNAME sits outside the single quotes so that the shell expands it
echo ' RewriteRule ^/stats/$ https://'$SERVERNAME'/awstats/cgi-bin/awstats.pl?config='$DOMAINNAME' [R]' >> $PFADVHOST
echo ' RewriteRule ^/stats$ https://'$SERVERNAME'/awstats/cgi-bin/awstats.pl?config='$DOMAINNAME' [R]' >> $PFADVHOST
echo ' DocumentRoot /home/customers/'$KDNNAME'/htdocs/'$DOMAINNAME >> $PFADVHOST
echo ' ErrorLog /home/customers/'$KDNNAME'/logs/'$DOMAINNAME'-error.log' >> $PFADVHOST
echo ' LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined' >> $PFADVHOST
echo ' CustomLog /home/customers/'$KDNNAME'/logs/'$DOMAINNAME'-access.log combined' >> $PFADVHOST
echo ' <Directory /home/customers/'$KDNNAME'/htdocs/'$DOMAINNAME'>' >> $PFADVHOST
echo ' AllowOverride All' >> $PFADVHOST
echo ' </Directory>' >> $PFADVHOST
echo ' <Directory /home/customers/'$KDNNAME'/htdocs/'$DOMAINNAME'/cgi-bin>' >> $PFADVHOST
echo ' AllowOverride All' >> $PFADVHOST
echo ' Options +ExecCGI' >> $PFADVHOST
echo ' </Directory>' >> $PFADVHOST
echo '</VirtualHost>' >> $PFADVHOST

ln -s /etc/apache2/sites-available/$KDNNAME/$DOMAINNAME.conf /etc/apache2/sites-enabled/$DOMAINNAME.conf

# create awstats config file
echo 'LogFile="/home/customers/'$KDNNAME'/logs/'$DOMAINNAME'-access.log"' > $PFADAWSTATS
echo LogType=W >> $PFADAWSTATS
echo LogFormat=1 >> $PFADAWSTATS
echo 'LogSeparator=" "' >> $PFADAWSTATS
echo 'SiteDomain="'$DOMAINNAME'"' >> $PFADAWSTATS
echo 'HostAliases="localhost 127.0.0.1 REGEX[myserver\.com$]"' >> $PFADAWSTATS
echo DNSLookup=1 >> $PFADAWSTATS
echo 'DirData="/home/customers/'$KDNNAME'/awstats"' >> $PFADAWSTATS
echo 'DirCgi="/awstats/cgi-bin"' >> $PFADAWSTATS
echo 'DirIcons="/awstats/icon"' >> $PFADAWSTATS
echo AllowToUpdateStatsFromBrowser=0 >> $PFADAWSTATS
echo AllowFullYearView=3 >> $PFADAWSTATS
echo EnableLockForUpdate=0 >> $PFADAWSTATS
echo 'DNSStaticCacheFile="dnscache.'$DOMAINNAME'.txt"' >> $PFADAWSTATS
echo 'DNSLastUpdateCacheFile="dnscachelastupdate.'$DOMAINNAME'.txt"' >> $PFADAWSTATS
echo 'SkipDNSLookupFor=""' >> $PFADAWSTATS
echo 'AllowAccessFromWebToAuthenticatedUsersOnly=1' >> $PFADAWSTATS
echo 'AllowAccessFromWebToFollowingAuthenticatedUsers="SOME_SUPERUSER '$1'"' >> $PFADAWSTATS
echo 'AllowAccessFromWebToFollowingIPAddresses=""' >> $PFADAWSTATS
echo CreateDirDataIfNotExists=1 >> $PFADAWSTATS
echo BuildHistoryFormat=text >> $PFADAWSTATS
echo BuildReportFormat=html >> $PFADAWSTATS
echo SaveDatabaseFilesWithPermissionsForEveryone=1 >> $PFADAWSTATS
echo PurgeLogFile=0 >> $PFADAWSTATS
echo ArchiveLogRecords=0 >> $PFADAWSTATS
echo KeepBackupOfHistoricFiles=0 >> $PFADAWSTATS
echo 'DefaultFile="index.html"' >> $PFADAWSTATS
echo 'SkipHosts=""' >> $PFADAWSTATS
echo 'SkipUserAgents=""' >> $PFADAWSTATS
echo 'SkipFiles=""' >> $PFADAWSTATS
echo 'OnlyHosts=""' >> $PFADAWSTATS
echo 'OnlyUserAgents=""' >> $PFADAWSTATS
echo 'OnlyFiles=""' >> $PFADAWSTATS
echo 'NotPageList="css js class gif jpg jpeg png bmp ico"' >> $PFADAWSTATS
echo 'ValidHTTPCodes="200 304"' >> $PFADAWSTATS
echo 'ValidSMTPCodes="1 250"' >> $PFADAWSTATS
echo 'AuthenticatedUsersNotCaseSensitive=0'>> $PFADAWSTATS
echo 'URLNotCaseSensitive=0' >> $PFADAWSTATS
echo 'URLWithAnchor=0' >> $PFADAWSTATS
echo 'URLQuerySeparators="?;"' >> $PFADAWSTATS
echo 'URLWithQuery=0' >> $PFADAWSTATS
echo 'URLWithQueryWithoutFollowingParameters=""' >> $PFADAWSTATS
echo 'URLReferrerWithQuery=0' >> $PFADAWSTATS
echo 'WarningMessages=1' >> $PFADAWSTATS
echo 'ErrorMessages=""' >> $PFADAWSTATS
echo 'DebugMessages=1' >> $PFADAWSTATS
echo 'NbOfLinesForCorruptedLog=50' >> $PFADAWSTATS
echo 'WrapperScript=""' >> $PFADAWSTATS
echo 'DecodeUA=0' >> $PFADAWSTATS
echo 'MiscTrackerUrl="/js/awstats_misc_tracker.js"' >> $PFADAWSTATS
echo 'LevelForRobotsDetection=2' >> $PFADAWSTATS
echo 'LevelForBrowsersDetection=2' >> $PFADAWSTATS
echo 'LevelForOSDetection=2' >> $PFADAWSTATS
echo 'LevelForRefererAnalyze=2' >> $PFADAWSTATS
echo 'UseFramesWhenCGI=0' >> $PFADAWSTATS
echo 'DetailedReportsOnNewWindows=1' >> $PFADAWSTATS
echo 'Expires=0' >> $PFADAWSTATS
echo 'MaxRowsInHTMLOutput=1000' >> $PFADAWSTATS
echo 'Lang="de"' >> $PFADAWSTATS
echo 'DirLang="./lang"' >> $PFADAWSTATS
echo 'ShowMenu=1' >> $PFADAWSTATS
echo 'ShowMonthStats=UVPHB' >> $PFADAWSTATS
echo 'ShowDaysOfMonthStats=VPHB' >> $PFADAWSTATS
echo 'ShowDaysOfWeekStats=PHB' >> $PFADAWSTATS
echo 'ShowHoursStats=PHB' >> $PFADAWSTATS
echo 'ShowDomainsStats=PHB' >> $PFADAWSTATS
echo 'ShowHostsStats=PHBL' >> $PFADAWSTATS
echo 'ShowAuthenticatedUsers=0' >> $PFADAWSTATS
echo 'ShowSessionsStats=1' >> $PFADAWSTATS
echo 'ShowPagesStats=PBEX' >> $PFADAWSTATS
echo 'ShowFileTypesStats=HB' >> $PFADAWSTATS
echo 'ShowOSStats=1' >> $PFADAWSTATS
echo 'ShowBrowsersStats=1' >> $PFADAWSTATS
echo 'ShowScreenSizeStats=0' >> $PFADAWSTATS
echo 'ShowOriginStats=PH' >> $PFADAWSTATS
echo 'ShowKeyphrasesStats=1' >> $PFADAWSTATS
echo 'ShowKeywordsStats=1' >> $PFADAWSTATS
echo 'ShowMiscStats=a' >> $PFADAWSTATS
echo 'ShowHTTPErrorsStats=1' >> $PFADAWSTATS
echo 'ShowSMTPErrorsStats=0' >> $PFADAWSTATS
echo 'ShowClusterStats=0' >> $PFADAWSTATS
echo 'AddDataArrayMonthStats=1' >> $PFADAWSTATS
echo 'AddDataArrayShowDaysOfMonthStats=1' >> $PFADAWSTATS
echo 'AddDataArrayShowDaysOfWeekStats=1' >> $PFADAWSTATS
echo 'AddDataArrayShowHoursStats=1' >> $PFADAWSTATS
echo 'MaxNbOfDomain = 10' >> $PFADAWSTATS
echo 'MinHitDomain = 1' >> $PFADAWSTATS
echo 'MaxNbOfHostsShown = 10' >> $PFADAWSTATS
echo 'MinHitHost = 1' >> $PFADAWSTATS
echo 'MaxNbOfLoginShown = 10' >> $PFADAWSTATS
echo 'MinHitLogin = 1' >> $PFADAWSTATS
echo 'MaxNbOfRobotShown = 10' >> $PFADAWSTATS
echo 'MinHitRobot = 1' >> $PFADAWSTATS
echo 'MaxNbOfPageShown = 10' >> $PFADAWSTATS
echo 'MinHitFile = 1' >> $PFADAWSTATS
echo 'MaxNbOfOsShown = 10' >> $PFADAWSTATS
echo 'MinHitOs = 1' >> $PFADAWSTATS
echo 'MaxNbOfBrowsersShown = 10' >> $PFADAWSTATS
echo 'MinHitBrowser = 1' >> $PFADAWSTATS
echo 'MaxNbOfScreenSizesShown = 5' >> $PFADAWSTATS
echo 'MinHitScreenSize = 1' >> $PFADAWSTATS
echo 'MaxNbOfRefererShown = 10' >> $PFADAWSTATS
echo 'MinHitRefer = 1' >> $PFADAWSTATS
echo 'MaxNbOfKeyphrasesShown = 10' >> $PFADAWSTATS
echo 'MinHitKeyphrase = 1' >> $PFADAWSTATS
echo 'MaxNbOfKeywordsShown = 10' >> $PFADAWSTATS
echo 'MinHitKeyword = 1' >> $PFADAWSTATS
echo 'MaxNbOfEMailsShown = 20' >> $PFADAWSTATS
echo 'MinHitEMail = 1' >> $PFADAWSTATS
echo 'FirstDayOfWeek=1' >> $PFADAWSTATS
echo 'ShowLinksOnUrl=1' >> $PFADAWSTATS
echo 'UseHTTPSLinkForUrl=""' >> $PFADAWSTATS
echo 'MaxLengthOfURL=70' >> $PFADAWSTATS
echo 'LinksToWhoIs="http://www.whois.net/search.cgi2?str="' >> $PFADAWSTATS
echo 'LinksToIPWhoIs="http://ws.arin.net/cgi-bin/whois.pl?queryinput="' >> $PFADAWSTATS
echo 'HTMLHeadSection=""' >> $PFADAWSTATS
echo 'HTMLEndSection=""' >> $PFADAWSTATS
echo 'Logo="awstats_logo6.png"' >> $PFADAWSTATS
echo 'LogoLink="http://awstats.sourceforge.net"' >> $PFADAWSTATS
echo 'BarWidth = 260' >> $PFADAWSTATS
echo 'BarHeight = 90' >> $PFADAWSTATS

echo '/usr/local/awstats/wwwroot/cgi-bin/awstats.pl -config='$2' -update' >> /usr/local/scripts/run_awstats

###### SCRIPT END #####

###### AWSTATS APACHE SECTION #####
Apache config is done this way (in your case this would be in the master config and authentication would be done via db). Still, awstats would be able to get the authenticated username and provide the stats of awstats.example.com.config only to the guys mentioned in the line
# AllowAccessFromWebToFollowingAuthenticatedUsers="superuser reseller customername"

Alias /awstats /usr/local/awstats/wwwroot/
<Directory /usr/local/awstats/wwwroot>
AuthType Basic
AuthName "Enter pass for stats..."
AuthUserFile /etc/apache2/.htpasswd.d/awstats
# no <Limit GET> wrapper: inside it only GET/HEAD requests would require a login
Require valid-user
</Directory>
<Directory /usr/local/awstats/wwwroot/cgi-bin>
AllowOverride All
AllowOverride FileInfo
Options +ExecCGI
</Directory>

###### REDIRECT START (my 00_master.conf) #####
<VirtualHost MYIP:80>
ServerAdmin info@example.com
ServerName example.com
RewriteEngine On
Redirect / https://example.com/

ErrorLog /var/log/apache2/users/example.com-error.log
TransferLog /var/log/apache2/users/example.com-access.log
CustomLog /var/log/apache2/example.com-traf.log traff
CustomLog /var/log/apache2/example.com-combined.log combined
</VirtualHost>
09-10-2008 08:27 PM
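Both arguments of the script above are written unchecked into an Apache vhost, an AWStats config and a command line appended to /usr/local/scripts/run_awstats, so they are worth validating first. An added example of such a check (not part of lbm's script); the function names and the naming policy are assumptions:

```shell
#!/bin/sh
# Added example: validate both arguments before they are written into configs.
LC_ALL=C; export LC_ALL   # make a-z mean ASCII lower case only

# Customer name (assumed policy): 1-32 chars of [a-z0-9_-],
# starting with a letter or digit, so it is safe as a path component.
valid_customer() {
    [ "${#1}" -ge 1 ] && [ "${#1}" -le 32 ] || return 1
    case $1 in
        [!a-z0-9]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Domain: at most 253 chars, two or more dot-separated labels, each label
# 1-63 chars of [a-z0-9-] that neither starts nor ends with '-'.
valid_domain() {
    [ "${#1}" -le 253 ] || return 1
    case $1 in
        ''|*[!a-z0-9.-]*|.*|*.|*..*) return 1 ;;
        *.*) ;;
        *) return 1 ;;
    esac
    rest=$1
    while [ -n "$rest" ]; do
        label=${rest%%.*}
        case $rest in
            *.*) rest=${rest#*.} ;;
            *) rest= ;;
        esac
        [ "${#label}" -le 63 ] || return 1
        case $label in
            -*|*-) return 1 ;;
        esac
    done
    return 0
}

# Gate for a provisioning script: $1 = customer name, $2 = domain name.
check_args() {
    valid_customer "$1" || { echo "invalid customer name" >&2; return 1; }
    valid_domain "$2" || { echo "invalid domain name" >&2; return 1; }
}

# Constructed inputs: the second one contains a shell metacharacter.
for d in 'example.com' 'example.com;x'; do
    if check_args customer1 "$d" 2>/dev/null; then echo "accept: $d"; else echo "reject: $d"; fi
done
```

Calling `check_args "$1" "$2" || exit 1` before the first `mkdir` keeps slashes, quotes, spaces and newlines out of every generated file.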
noel Offline


Posts: 4
Joined: Aug 2008
Reputation: 0
Post: #55
RE: Awstats password protection
Hi, a quick suggestion:
mod_authnz_external + perl script check usr/pwd in mysql + adapt vhost file?
Anybody have experience with it? I'll try it now; if it works I'll post it here.
10-27-2008 11:41 AM
noel Offline


Posts: 4
Joined: Aug 2008
Reputation: 0
Post: #56
RE: Awstats password protection
It works! It was quite easy to make awstats (or anything else) authenticate users using mysql. For those who are looking for a quick solution, here it is:

1. You need mod_authnz_external (Apache 2.2) or mod_auth_external (Apache <2.1) from http://unixpapa.com/mod_auth_external.html

2. You need a tiny perl script to perform the query and the test, feel free to get mine from http://www.2go.ge/mysql-auth.tar.gz and extract it into /usr/share/awstats/wwwroot/cgi-bin/

3. Edit this script /usr/share/awstats/wwwroot/cgi-bin/mysql-auth.pl and put in your mysql username and password which has read access to the ispcp.admin table

4. Edit your domain's awstats files in /etc/awstats/awstats.yourdomain.conf and replace
AllowAccessFromWebToAuthenticatedUsersOnly=1
AllowAccessFromWebToFollowingAuthenticatedUsers="yourdomain"

5. Edit the awstats template /etc/ispcp/awstats/awstats.ispcp_tpl.conf and replace
AllowAccessFromWebToAuthenticatedUsersOnly=1
AllowAccessFromWebToFollowingAuthenticatedUsers="{DOMAIN_NAME}"

6. Edit the awstats apache conf /etc/httpd/vhosts/01_awstats.conf and add
<Directory /usr/share/awstats>
AllowOverride none
Options ExecCGI FollowSymLinks
Order allow,deny
Allow from all
AuthType Basic
AuthName "Authentication required"
AuthBasicProvider external
AuthExternal mysql-auth
Require valid-user
</Directory>
AddExternalAuth mysql-auth /usr/share/awstats/wwwroot/cgi-bin/mysql-auth.pl
# the keyword here must be the one defined by AddExternalAuth
SetExternalAuthMethod mysql-auth pipe

Restart apache and enjoy password protected awstats. Note: I observed that mod_auth_mysql is slightly faster than mod_authnz_external, but _external is more stable, allows to run scripts in root while apache runs suexec and even if your db-script crashes it won't make apache crash as well. For me it works so well that I decided to replace the default ISPCP login with this solution. Attacker won't even notice that there is ISPCP on the server...
10-27-2008 10:21 PM
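With one shared awstats.pl and the domain passed as `config=` in the URL, the per-domain restriction discussed in this thread only holds if every config file sets both access directives; a config whose user list is left empty is readable by every authenticated user. An added example (not from any poster) that audits a directory of configs for this; the function names and the sample files are constructed:

```shell
#!/bin/sh
# Added example: audit AWStats per-domain configs for the two access directives.

# Print the last value assigned to directive $2 in config file $1,
# with surrounding spaces and double quotes removed.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//; s/^"//; s/"$//'
}

# Return 0 when config $1 serves stats only to an explicit user list;
# otherwise print the reason and return 1.
check_conf() {
    only=$(conf_value "$1" AllowAccessFromWebToAuthenticatedUsersOnly)
    users=$(conf_value "$1" AllowAccessFromWebToFollowingAuthenticatedUsers)
    if [ "$only" != "1" ]; then
        echo "$1: AllowAccessFromWebToAuthenticatedUsersOnly is not 1"
        return 1
    fi
    if [ -z "$users" ]; then
        echo "$1: empty user list, any authenticated user may read it"
        return 1
    fi
    return 0
}

# Check every awstats.*.conf in directory $1; return 1 if any file fails.
audit_dir() {
    bad=0
    for f in "$1"/awstats.*.conf; do
        [ -f "$f" ] || continue
        check_conf "$f" || bad=1
    done
    return "$bad"
}

# Constructed sample configs (not from the thread) to exercise the audit.
demo_dir=$(mktemp -d)
printf '%s\n' 'AllowAccessFromWebToAuthenticatedUsersOnly=1' \
    'AllowAccessFromWebToFollowingAuthenticatedUsers="superuser customer1"' \
    > "$demo_dir/awstats.good.example.conf"
printf '%s\n' 'AllowAccessFromWebToAuthenticatedUsersOnly=1' \
    'AllowAccessFromWebToFollowingAuthenticatedUsers=""' \
    > "$demo_dir/awstats.open.example.conf"
audit_dir "$demo_dir" || echo "audit found problems"
```

On a real server the call would be `audit_dir /etc/awstats`, run after each change to the template or to a domain's config.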