+- ispCP - Board - Support (http://www.isp-control.net/forum)
+-- Forum: ispCP Omega Development Area (/forum-1.html)
+--- Forum: Suggestions (/forum-2.html)
+--- Thread: Awstats password protection (/thread-1562.html)
RE: Awstats password protection - NoFutureKid - 01-23-2008 08:38 PM
I don't get it to compile. I think it's only up to Apache 2.0, but i'm not sure.
@BeNe: Perhaps you can tell me more about your dirty hack
RE: Awstats password protection - BeNe - 01-24-2008 12:12 AM
Yes, of course. i modified my /etc/apache2/sites-enabled/01_awstats.conf like this
Code:
#
# AWStats Begin
#
Alias /awstatsicons "/usr/share/awstats/icon/"
NameVirtualHost 127.0.0.1:80
<VirtualHost 127.0.0.1:80>
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule ^/stats/(.+)/$ http://localhost/awstats/?config=$1 [P]
RewriteRule ^/stats/(.+)/awstats.pl(.*)$ http://localhost/awstats/$2 [P]
</IfModule>
ScriptAlias /awstats "/usr/lib/cgi-bin/awstats.pl"
<Directory /usr/lib/cgi-bin>
Options +ExecCGI
DirectoryIndex awstats.pl
Order allow,deny
Allow from all
AuthType Basic
AuthName "AWStats"
AuthUserFile /var/www/virtual/.htpasswd <- Could be a path...
Require user User1 User 2 .... <- USERs
</Directory>
</VirtualHost>
#
# AWStats End
#Greez BeNe
RE: Awstats password protection - BioALIEN - 01-24-2008 12:27 AM
BeNe, I think your dirty hack deserves a place in the DocuWiki with a nice step by step so we can all copy
From the code above, I see you've added users, but no mention of how to do the password side of things for these users.
RE: Awstats password protection - NoFutureKid - 01-24-2008 06:07 AM
Ahh, sorry. I thought you have a hack for auth against mysql
The way you did i already know.
RE: Awstats password protection - BeNe - 01-24-2008 06:10 AM
Quote:BeNe, I think your dirty hack deserves a place in the DocuWiki with a nice step by step so we can all copyWell, this is only a dirty workaround - but why not.
Quote:Ahh, sorry. I thought you have a hack for auth against mysqlNo! I search also for a solution with mysql which we can use later out of the box.
Greez BeNe
RE: Awstats password protection - Cube - 02-19-2008 10:22 AM
I once again thought about realising the password protection and would like to hear your opinion about yet another possible solution.
We should start using our own AWStats like we do with the other tools too. We would have a more up-to-date version which generates better stats. New versions there are very rarely and there are not much security updates like in PMA, so there should not be much more work with that.
We put AWStats into the tools-directory (some files perhaps somewhere else) and protected it with a htaccess-file (require valid-user). We also modify the config-template, so that AllowAccessFromWebToAuthenticatedUsersOnly and AllowAccessFromWebToFollowingAuthenticatedUsers are set correctly. Until now there is not much work. Now we have to modify ispcp-dmn-mngr so that the login-data of a new user will be written into a htpasswd-file. Accordingly they should be deleted if you delete the user and modified if you change the password. Probably for this big parts from ispcp-htuser-mngr can be used.
In a further step we could extend the GUI, so that the users can set a separate password for AWStats.
Unfortunately I don't understand enough Perl to realise this.
Another interesting possibility was the script from Jan, but regrettably the thread is broken and he did not respond to my mail to post it again.
RE: Awstats password protection - Kwik - 02-22-2008 07:03 PM
Just want to mention that a password protection is a MUST HAVE, please, please. I will use BeNes workaround meanwhile. ^^
RE: Awstats password protection - schultzconsult - 04-14-2008 11:48 PM
Kwik Wrote:Just want to mention that a password protection is a MUST HAVE, please, please. I will use BeNes workaround meanwhile. ^^
What about using a combination of perl and htaccess?
If someone may enhance this script, it might be a solution. http://perl.apache.org/docs/1.0/guide/security.html#Authentication_code_snippets
inserted into a .htaccess file
Code:
PerlModule My::Auth
<Location /private>
PerlAccessHandler My::Auth::access_handler
PerlSetVar Intranet "10.10.10.1 => userA, 10.10.10.2 => userB"
PerlAuthenHandler My::Auth::authen_handler
AuthName realm
AuthType Basic
Require valid-user
Order deny, allow
Deny from all
</Location>Code:
sub access_handler {
my $r = shift;
unless ($r->some_auth_required) {
$r->log_reason("No authentication has been configured");
return FORBIDDEN;
}
# get list of IP addresses
my %ips = split /\s*(?:=>|,)\s*/, $r->dir_config("Intranet");
if (my $user = $ips{$r->connection->remote_ip}) {
# update connection record
$r->connection->user($user);
# do not ask for a password
$r->set_handlers(PerlAuthenHandler => [\&OK]);
}
return OK;
}
sub authen_handler {
my $r = shift;
# get user's authentication credentials
my ($res, $sent_pw) = $r->get_basic_auth_pw;
return $res if $res != OK;
my $user = $r->connection->user;
# authenticate through DBI
my $reason = authen_dbi($r, $user, $sent_pw);
if ($reason) {
$r->note_basic_auth_failure;
$r->log_reason($reason, $r->uri);
return AUTH_REQUIRED;
}
return OK;
}
sub authen_dbi{
my ($r, $user, $sent_pw) = @_;
# validate username/passwd
return 0 if (*PASSED*) # replace with real code!!!
return "Failed for X reason";
}
# don't forget 1;
1;RE: Awstats password protection - BeNe - 04-16-2008 05:25 PM
If this works - why not ?
We should try it
Greez BeNe
RE: Awstats password protection - ephigenie - 04-16-2008 08:04 PM
yeah but this only works with enabled mod_perl ... and mod_perl with mpm-worker is currently not supported...
Although there're approaches / patches to make it run ... but this should be considered unstable.