ispCP - Board - Support
Awstats password protection - Printable Version



Awstats password protection - Cube - 10-18-2007 06:05 AM

I don't like that the stats are public. I don't want that everybody can see them.
So I thought about how a password protection could be realised. With awstats static it's no problem, because the user can password protect the directory by itself. Perhaps it would be a good idea to protect this directory by default.

For awstats dynamic it's more complicated. The directory where awstats.pl is should be password protected. For this there should be an entry in 01_awstats.conf and each time a new user is generated his username and password should be added to a .htpasswd-file.
Because now each user could also access all other statistics, additionally the single usernames should be added to the awstats-config-files.
Code:
AllowAccessFromWebToAuthenticatedUsersOnly=1
AllowAccessFromWebToFollowingAuthenticatedUsers="user"
As the default username and password we could take the login-data from ispcp. Additionally the user should have the possibility to change the awstats login-data in ispcp. It would be perfect to give the users the possibility to disable password protection and to make the stats public, but I think this is not possible with the method described above.

What do you think about it?
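
Cube's point that a shared .htpasswd lets every customer read every other customer's statistics, unless each AWStats config also names its user, can be checked mechanically. An added example (not part of the original thread): a Python audit of per-domain config text for the two directives above; the sample configs and user names are constructed.

```python
import re

# AWStats directives are "Key=value" lines; the value may be double-quoted.
DIRECTIVE = re.compile(r'^\s*([A-Za-z_]+)\s*=\s*"?([^"#\r\n]*)"?')

def parse_awstats_conf(text):
    """Return {directive: value}; a later line overrides an earlier one."""
    settings = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        match = DIRECTIVE.match(line)
        if match:
            settings[match.group(1)] = match.group(2).strip()
    return settings

def audit(conf_text, owner):
    """List the access-control problems in one per-domain AWStats config."""
    conf = parse_awstats_conf(conf_text)
    if conf.get("AllowAccessFromWebToAuthenticatedUsersOnly", "0") != "1":
        return ["stats are readable without authentication"]
    allowed = conf.get("AllowAccessFromWebToFollowingAuthenticatedUsers", "").split()
    if not allowed:
        # Shared .htpasswd + empty list: every customer can read these stats.
        return ["any authenticated user can read these stats"]
    problems = []
    if owner not in allowed:
        problems.append("owner %s is not in the allowed list" % owner)
    extra = sorted(set(allowed) - {owner})
    if extra:
        problems.append("other users allowed: " + ", ".join(extra))
    return problems

# Constructed sample configs (hypothetical users), keyed by the owning user.
SAMPLES = {
    "alice": 'AllowAccessFromWebToAuthenticatedUsersOnly=1\n'
             'AllowAccessFromWebToFollowingAuthenticatedUsers="alice"\n',
    "bob":   'AllowAccessFromWebToAuthenticatedUsersOnly=1\n',
    "carol": '# protection never enabled\nLogFile="/var/log/apache2/carol.log"\n',
    "dave":  'AllowAccessFromWebToAuthenticatedUsersOnly=1   # on\n'
             'AllowAccessFromWebToFollowingAuthenticatedUsers="dave erin"\n',
}

if __name__ == "__main__":
    for owner, conf_text in SAMPLES.items():
        print(owner, audit(conf_text, owner) or "ok")
```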


RE: Awstats password protection - RatS - 10-18-2007 07:52 AM

Dev team decided against it. Reasons won't be discussed yet. No default password protection for stats.


RE: Awstats password protection - Cube - 10-18-2007 08:32 AM

I don't know one webhoster, which makes his customers' stats public.
I see security and privacy problems with that. The stats provide IPs from visitors for example.


RE: Awstats password protection - raphael - 10-18-2007 09:48 AM

Quote:Dev team decided against it
oh really?


RE: Awstats password protection - ephigenie - 10-18-2007 06:11 PM

Yeah @raphael, I was wondering about it, too ...

I think password protection is a must have.
Although it should be possible (perhaps in 1.1) to allow users to make stats public.


RE: Awstats password protection - BioALIEN - 10-18-2007 07:08 PM

Three words: Data Protection Act

I say we start secure and let the server admin hack away to make whatever parts public (until 1.1).

However, what's stopping us from securing dynamic, and also static? Then if the server admin wants public stats, they can choose static mode and open the directory to the public? Seems very simple to me.


RE: Awstats password protection - robmorin - 10-24-2007 12:43 AM

I used to use a .htaccess file with mysql to allow the user to log in via the same password as the domain admin user and pass. Worked great for a long time until I changed version of mysql, then everything broke... I will try it again and post a how-to....

Rob...

BioALIEN Wrote:Three words: Data Protection Act

I say we start secure and let the server admin hack away to make whatever parts public (until 1.1).

However, what's stopping us from securing dynamic, and also static? Then if the server admin wants public stats, they can choose static mode and open the directory to the public? Seems very simple to me.



RE: Awstats password protection - BeNe - 10-25-2007 10:29 PM

Quote:I used to use a .htaccess file with mysql to allow the user to log in via the same password as the domain admin user and pass. Worked great for a long time until I changed version of mysql, then everything broke... I will try it again and post a how-to....

Any news about it?
Maybe you can write down what you did - so I can test it...

Greez BeNe


RE: Awstats password protection - BeNe - 10-25-2007 11:42 PM

This could maybe work, or not?
Code:
AuthType Basic
AuthName "Secure Stats"
AuthMySQLHost localhost
AuthMySQLCryptedPasswords off
AuthMySQLDB ispcp
AuthMySQLUser mysqluser
AuthMySQLPassword yourpass
AuthMySQLUserTable admin
AuthMySQLNameField admin_name
AuthMySQLPasswordField admin_pass
AuthMySQLKeepAlive Off
# Require is left outside <Limit GET POST> so that it applies to every
# HTTP method, not only to GET and POST
require valid-user

But libapache2-mod-auth-mysql is needed here, which is no longer included in Etch.
So we must use libapache2-mod-auth-pam?

Greez BeNe


RE: Awstats password protection - ephigenie - 10-26-2007 03:19 AM

mod_auth_mysql is somewhat unstable on etch (sometimes it works - sometimes not)

But it has been replaced with a newer approach by the following modules:
auth_basic
mod_authn_dbd
Sample here:
Code:
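# mod_dbd connection settings; the APR MySQL driver reads the key "pass",
# not "password"
DBDriver mysql
DBDParams "dbname=auth user=authuser pass=******"
<Directory /path/to/private>
    AuthType Basic
    AuthName "private"
    AuthBasicProvider dbd
    Require valid-user
    # Must return the stored password hash for the user name bound to %s
    AuthDBDUserPWQuery "select password from authn where username = %s"
</Directory>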