Awstats password protection
Cube
Documentation Team
  
Posts: 664
Group: Docu Team
Joined: Apr 2007
Status:
Offline
Reputation: 8
|
Awstats password protection
I don't like that the stats are public. I don't want everybody to be able to see them.
So I thought about how password protection could be realised. With awstats static it's no problem, because the user can password-protect the directory himself. Perhaps it would be a good idea to protect this directory by default.
For awstats dynamic it's more complicated. The directory where awstats.pl is located should be password-protected. For this there should be an entry in 01_awstats.conf, and each time a new user is generated his username and password should be added to a .htpasswd file.
Because each user could then also access all other statistics, the individual usernames should additionally be added to the awstats config files.
AllowAccessFromWebToAuthenticatedUsersOnly=1
AllowAccessFromWebToFollowingAuthenticatedUsers="user"
As the default username and password we could take the login-data from ispcp. Additionally the user should have the possibility to change the awstats login-data in ispcp. It would be perfect to give the users the possibility to disable password protection and to make the stats public, but I think this is not possible with the method described above.
What do you think about it?
|
|
| 10-18-2007 06:05 AM |
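The per-domain restriction proposed in the post above, as an added example (not ispCP or AWStats code): it reads the two directives from a config, rewrites the config for a single login, and flags configs that remain open. The value syntax (0/1 flag, space-separated login list), the `SiteDomain` sample line and all function names are assumptions made for illustration.

```python
import re

# Directive names come from the post; the value syntax (0/1 flag, quoted
# space-separated login list) is an assumption about AWStats config files.
ONLY = "AllowAccessFromWebToAuthenticatedUsersOnly"
USERS = "AllowAccessFromWebToFollowingAuthenticatedUsers"
_LINE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"#]*)"?')

def read_access(conf_text):
    """Return (auth_only, allowed_logins) from uncommented assignments."""
    auth_only, users = False, []
    for m in filter(None, map(_LINE.match, conf_text.splitlines())):
        if m.group(1) == ONLY:
            auth_only = m.group(2).strip() == "1"
        elif m.group(1) == USERS:
            users = m.group(2).split()
    return auth_only, users

def restrict_to(conf_text, login):
    """Rewrite the config so only `login` may view it (idempotent)."""
    if not re.fullmatch(r"[A-Za-z0-9._@-]+", login):
        raise ValueError("login not safe to embed in a config value")
    wanted = {ONLY: f"{ONLY}=1", USERS: f'{USERS}="{login}"'}
    out, seen = [], set()
    for line in conf_text.splitlines():
        m = _LINE.match(line)
        key = m.group(1) if m else None
        if key not in wanted:
            out.append(line)
        elif key not in seen:          # rewrite first hit, drop later duplicates
            out.append(wanted[key])
            seen.add(key)
    out += [wanted[k] for k in (ONLY, USERS) if k not in seen]
    return "\n".join(out) + "\n"

def audit(conf_text, owner):
    """Reasons this per-domain config exposes stats to anyone but `owner`."""
    auth_only, users = read_access(conf_text)
    problems = [] if auth_only else ["no authentication required"]
    if not users:
        problems.append("empty login list: any authenticated user may view")
    elif users != [owner]:
        problems.append("unexpected login list: " + " ".join(users))
    return problems

# Constructed sample of a per-domain AWStats config.
SAMPLE = ('SiteDomain="example.com"\n'
          'AllowAccessFromWebToAuthenticatedUsersOnly=0\n'
          '#AllowAccessFromWebToFollowingAuthenticatedUsers="old"\n')
```

These directives only compare against the login the web server has already authenticated, so they complement the directory password protection discussed in the post rather than replace it.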
|
 |
RatS
The Project's Fire Worker
     
Posts: 684
Group: Super Moderators
Joined: Oct 2006
Status:
Offline
Reputation: 18
|
RE: Awstats password protection
Dev team decided against it. Reasons won't be discussed yet. No default password protection for stats.
|
|
| 10-18-2007 07:52 AM |
|
 |
Cube
Documentation Team
  
Posts: 664
Group: Docu Team
Joined: Apr 2007
Status:
Offline
Reputation: 8
|
RE: Awstats password protection
I don't know a single webhoster that makes its customers' stats public.
I see security and privacy problems with that. The stats provide visitors' IPs, for example.
|
|
| 10-18-2007 08:32 AM |
|
 |
raphael
Member
   
Posts: 474
Group: Dev Team
Joined: Apr 2007
Status:
Offline
Reputation: 8
|
|
| 10-18-2007 09:48 AM |
|
 |
ephigenie
Administrator
      
Posts: 664
Group: Administrators
Joined: Oct 2006
Status:
Offline
Reputation: 12
|
RE: Awstats password protection
Yeah @raphael I was wondering about it, too...
I think password protection is a must-have.
Although it should be possible (perhaps in 1.1) to allow users to make stats public.
|
|
| 10-18-2007 06:11 PM |
|
 |
BioALIEN
Junior Member
 
Posts: 226
Group: Graph Team
Joined: Feb 2007
Status:
Offline
Reputation: 0
|
RE: Awstats password protection
Three words: Data Protection Act 
I say we start secure and let the server admin hack away to make whatever parts public (until 1.1).
However, what's stopping us from securing dynamic, and also static? Then if the server admin wants public stats, they can choose static mode and open the directory to the public? Seems very simple to me.
BioALIEN
OS: Debian 4.0 Etch
ispCP Build: RC3 r953 - 28.12.07
Mods: AWStats dynamic
This post was last modified: 10-18-2007 07:09 PM by BioALIEN.
|
|
| 10-18-2007 07:08 PM |
|
 |
robmorin
Junior Member

Posts: 188
Group: Registered
Joined: Apr 2007
Status:
Offline
Reputation: 0
|
RE: Awstats password protection
I used to use a .htaccess file with mysql to allow the user to log in via the same password as the domain admin user and pass worked great for a long time until I changed version of mysql then everything broke... I will try it again and post a how-to....
Rob...
Three words: Data Protection Act
I say we start secure and let the server admin hack away to make whatever parts public (until 1.1).
However, what's stopping us from securing dynamic, and also static? Then if the server admin wants public stats, they can choose static mode and open the directory to the public? Seems very simple to me.
|
|
| 10-24-2007 12:43 AM |
|
 |
BeNe
Moderator
    
Posts: 2,614
Group: Moderators
Joined: Jan 2007
Status:
Offline
Reputation: 36
|
RE: Awstats password protection
I used to use a .htaccess file with mysql to allow the user to log in via the same password as the domain admin user and pass worked great for a long time until I changed version of mysql then everything broke... I will try it again and post a how-to....
Any news about it?
Maybe you can write down what you did, so I can test it...
Greez BeNe

In Holiday´s this week :-)
|
|
| 10-25-2007 10:29 PM |
|
 |
BeNe
Moderator
    
Posts: 2,614
Group: Moderators
Joined: Jan 2007
Status:
Offline
Reputation: 36
|
RE: Awstats password protection
This could maybe work, or not?
AuthType Basic
AuthName "Secure Stats"
AuthMySQLHost localhost
AuthMySQLCryptedPasswords off
AuthMySQLDB ispcp
AuthMySQLUser mysqluser
AuthMySQLPassword yourpass
AuthMySQLUserTable admin
AuthMySQLNameField admin_name
AuthMySQLPasswordField admin_pass
AuthMySQLKeepAlive Off
<LIMIT GET POST>
require valid-user
</LIMIT>
But libapache2-mod-auth-mysql is needed here, which is no longer included in Etch.
So we must use libapache2-mod-auth-pam?
Greez BeNe

In Holiday´s this week :-)
|
|
| 10-25-2007 11:42 PM |
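A caveat on the `<LIMIT GET POST>` wrapper in the config posted above: a `require` placed inside `<Limit>` applies only to the listed methods, so requests using other methods are not covered by it. The check below is an added example, not part of the original post; the function and variable names are hypothetical and both samples are constructed.

```python
import re

_OPEN = re.compile(r"^\s*<\s*(\w+)\s*([^>]*)>")
_CLOSE = re.compile(r"^\s*</\s*(\w+)\s*>")
_REQUIRE = re.compile(r"^\s*require\s+(.+)", re.IGNORECASE)

def method_scoped_requires(conf_text):
    """Return Require lines nested in <Limit>; they bind only the listed methods."""
    stack, findings = [], []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        closed, opened, req = _CLOSE.match(line), _OPEN.match(line), _REQUIRE.match(line)
        if closed:
            if stack and stack[-1][0] == closed.group(1).lower():
                stack.pop()
        elif opened:
            stack.append((opened.group(1).lower(), opened.group(2).upper().split()))
        elif req:
            # Walk outwards: any enclosing <Limit> narrows the rule to its methods.
            for name, methods in reversed(stack):
                if name == "limit":
                    findings.append({"line": lineno,
                                     "require": req.group(1).strip(),
                                     "only_methods": methods})
                    break
    return findings

# Constructed sample modelled on the .htaccess in the post above.
LIMITED = """AuthType Basic
AuthName "Secure Stats"
<LIMIT GET POST>
require valid-user
</LIMIT>
"""

# Same rule without the wrapper: it then applies to every request method.
UNSCOPED = """AuthType Basic
AuthName "Secure Stats"
Require valid-user
"""
```

An empty result for a file means no `require` in it is narrowed to specific methods.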
|
 |
ephigenie
Administrator
      
Posts: 664
Group: Administrators
Joined: Oct 2006
Status:
Offline
Reputation: 12
|
RE: Awstats password protection
mod_auth_mysql is somewhat unstable on Etch (sometimes it works, sometimes not).
But it has been replaced with a newer approach by the following modules:
auth_basic
mod_authn_dbd
Sample here:
DBDriver mysql
DBDParams "dbname=auth user=authuser password=******"
<Directory /path/to/private>
AuthType Basic
AuthName "private"
AuthBasicProvider dbd
Require valid-user
AuthDBDUserPWQuery "select password from authn where username = %s"
</Directory>
|
|
| 10-26-2007 03:19 AM |
|
 |