Awstats password protection - Printable Version

+- ispCP - Board - Support (http://www.isp-control.net/forum)
+-- Forum: ispCP Omega Development Area (/forum-1.html)
+--- Forum: Suggestions (/forum-2.html)
+--- Thread: Awstats password protection (/thread-1562.html)
RE: Awstats password protection - BerserkerXP - 09-06-2008 09:14 PM

I think the best would be to create/expand the password file when a user was created or the usersettings would be changed. So the password for awstats would be the same like for the domain!

RE: Awstats password protection - lbm - 09-09-2008 04:04 AM

When thinking of encryption it may be interesting to put the awstats web access in a single place (I did this on a server once) e.g. https://iscpcontrolpanellink/awstats. Then one could use something like the following in awstats:

```
AllowAccessFromWebToFollowingAuthenticatedUsers="user1 user1s_reseller"
```

and authenticate in Apache "normally" like (this is without the use of sql as an example):

```
Alias /awstats /usr/local/awstats/wwwroot/
<Directory /usr/local/awstats/wwwroot>
    AuthType Basic
    AuthUserFile /where/ever
    # <Limit GET> applies the Require line to GET (and HEAD) requests only
    <Limit GET>
        require valid-user
    </Limit>
</Directory>
```

So (if one is using encryption for the isp-panel; which imho should be the case on productive servers) the awstats pass is encrypted, too. Otherwise the admin pass will be exposed for the statistics since the domains are not encrypted usually...

The awstats-link can then be done this way per domain:

```
RewriteEngine on
RewriteRule ^/stats/$ http://iscpcontrolpanellink/awstats/cgi-bin/awstats.pl?config=domain [R]
```

(assuming http://ispcontrolpanellink redirects to https://ispcontrolpanellink -> that's how I do in my ispcp) such that restriction is handled in the awstats config (see above). Furthermore this enables e.g. resellers to be able to see some stats of their domains, too (which in Germany at least would not be allowed by law)...

Tell me what you think and tell me if you need more information about how I did the setup.

Cheers,
Thorsten

RE: Awstats password protection - BeNe - 09-09-2008 06:07 AM

I understand, but maybe you can give us more information about the setup. Or did you set it manually ?? Looks like AWStats is getting more interesting....
Greez
BeNe

RE: Awstats password protection - lbm - 09-10-2008 08:27 PM

OK Guys it's long but here is the script that we used essentially to do the awstats thingy. Authentication has been done with htaccess, though... As mentioned, this was done before we knew ispCP and I think your template based mechanism is smarter... still this is all I can provide.

Below the script I included the webserver config (the part that should be included in the 00_master.conf in case of ispCP) and in the part of the vhost creation you see the redirect to this address. Furthermore on my ispcp server I created a 00_master_ssl.conf and placed a redirect to the https site to anything coming from port 80 in the master.conf to force users to use ssl (they don't do it if you don't force them, it's awful). I included this also for convenience: (if I forgot to delete any sensitive information, please do so, thanks)

###### SCRIPT START #####

```
#!/bin/sh
KDNNAME=$1      # customername
DOMAINNAME=$2   # domainname
PFADVHOST=/etc/apache2/sites-available/$KDNNAME/$DOMAINNAME.conf   # path of vhost
IPADRESSE=XXX.XXX.XXX.XXX
PFADAWSTATS=/etc/awstats/awstats.$DOMAINNAME.conf   # path of awstats config
HOMEDIR=/home/customers
SERVERNAME=example.com

## create vhost
mkdir -p /etc/apache2/sites-available/$KDNNAME
mkdir -p $HOMEDIR/"$KDNNAME"/htdocs/"$DOMAINNAME"/cgi-bin
echo '<VirtualHost *:80>' > $PFADVHOST
echo ' ServerAdmin webmaster@'$DOMAINNAME >> $PFADVHOST
echo ' ServerName '$DOMAINNAME >> $PFADVHOST
echo ' RewriteEngine on' >> $PFADVHOST
# $SERVERNAME sits outside the single quotes so the shell expands it
echo ' RewriteRule ^/stats/$ https://'$SERVERNAME'/awstats/cgi-bin/awstats.pl?config='$DOMAINNAME' [R]' >> $PFADVHOST
echo ' RewriteRule ^/stats$ https://'$SERVERNAME'/awstats/cgi-bin/awstats.pl?config='$DOMAINNAME' [R]' >> $PFADVHOST
echo ' DocumentRoot /home/customers/'$KDNNAME'/htdocs/'$DOMAINNAME >> $PFADVHOST
echo ' ErrorLog /home/customers/'$KDNNAME'/logs/'$DOMAINNAME'-error.log' >> $PFADVHOST
echo ' LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined' >> $PFADVHOST
echo ' CustomLog /home/customers/'$KDNNAME'/logs/'$DOMAINNAME'-access.log combined' >> $PFADVHOST
echo ' <Directory /home/customers/'$KDNNAME'/htdocs/'$DOMAINNAME'>' >> $PFADVHOST
echo ' AllowOverride All' >> $PFADVHOST
echo ' </Directory>' >> $PFADVHOST
echo ' <Directory /home/customers/'$KDNNAME'/htdocs/'$DOMAINNAME'/cgi-bin>' >> $PFADVHOST
echo ' AllowOverride All' >> $PFADVHOST
echo ' Options +ExecCGI' >> $PFADVHOST
echo ' </Directory>' >> $PFADVHOST
echo '</VirtualHost>' >> $PFADVHOST
ln -s /etc/apache2/sites-available/$KDNNAME/$DOMAINNAME.conf /etc/apache2/sites-enabled/$DOMAINNAME.conf

# create awstats config file
echo 'LogFile="/home/customers/'$KDNNAME'/logs/'$DOMAINNAME'-access.log"' > $PFADAWSTATS
echo LogType=W >> $PFADAWSTATS
echo LogFormat=1 >> $PFADAWSTATS
echo 'LogSeparator=" "' >> $PFADAWSTATS
echo 'SiteDomain="'$DOMAINNAME'"' >> $PFADAWSTATS
echo 'HostAliases="localhost 127.0.0.1 REGEX[myserver\.com$]"' >> $PFADAWSTATS
echo DNSLookup=1 >> $PFADAWSTATS
echo 'DirData="/home/customers/'$KDNNAME'/awstats"' >> $PFADAWSTATS
echo 'DirCgi="/awstats/cgi-bin"' >> $PFADAWSTATS
echo 'DirIcons="/awstats/icon"' >> $PFADAWSTATS
echo AllowToUpdateStatsFromBrowser=0 >> $PFADAWSTATS
echo AllowFullYearView=3 >> $PFADAWSTATS
echo EnableLockForUpdate=0 >> $PFADAWSTATS
echo 'DNSStaticCacheFile="dnscache.'$DOMAINNAME'.txt"' >> $PFADAWSTATS
echo 'DNSLastUpdateCacheFile="dnscachelastupdate.'$DOMAINNAME'.txt"' >> $PFADAWSTATS
echo 'SkipDNSLookupFor=""' >> $PFADAWSTATS
# access control: only the listed authenticated users may view this domain's stats
echo 'AllowAccessFromWebToAuthenticatedUsersOnly=1' >> $PFADAWSTATS
echo 'AllowAccessFromWebToFollowingAuthenticatedUsers="SOME_SUPERUSER '$1'"' >> $PFADAWSTATS
echo 'AllowAccessFromWebToFollowingIPAddresses=""' >> $PFADAWSTATS
echo CreateDirDataIfNotExists=1 >> $PFADAWSTATS
echo BuildHistoryFormat=text >> $PFADAWSTATS
echo BuildReportFormat=html >> $PFADAWSTATS
echo SaveDatabaseFilesWithPermissionsForEveryone=1 >> $PFADAWSTATS
echo PurgeLogFile=0 >> $PFADAWSTATS
echo ArchiveLogRecords=0 >> $PFADAWSTATS
echo KeepBackupOfHistoricFiles=0 >> $PFADAWSTATS
echo 'DefaultFile="index.html"' >> $PFADAWSTATS
echo 'SkipHosts=""' >> $PFADAWSTATS
echo 'SkipUserAgents=""' >> $PFADAWSTATS
echo 'SkipFiles=""' >> $PFADAWSTATS
echo 'OnlyHosts=""' >> $PFADAWSTATS
echo 'OnlyUserAgents=""' >> $PFADAWSTATS
echo 'OnlyFiles=""' >> $PFADAWSTATS
echo 'NotPageList="css js class gif jpg jpeg png bmp ico"' >> $PFADAWSTATS
echo 'ValidHTTPCodes="200 304"' >> $PFADAWSTATS
echo 'ValidSMTPCodes="1 250"' >> $PFADAWSTATS
echo 'AuthenticatedUsersNotCaseSensitive=0' >> $PFADAWSTATS
echo 'URLNotCaseSensitive=0' >> $PFADAWSTATS
echo 'URLWithAnchor=0' >> $PFADAWSTATS
echo 'URLQuerySeparators="?;"' >> $PFADAWSTATS
echo 'URLWithQuery=0' >> $PFADAWSTATS
echo 'URLWithQueryWithoutFollowingParameters=""' >> $PFADAWSTATS
echo 'URLReferrerWithQuery=0' >> $PFADAWSTATS
echo 'WarningMessages=1' >> $PFADAWSTATS
echo 'ErrorMessages=""' >> $PFADAWSTATS
echo 'DebugMessages=1' >> $PFADAWSTATS
echo 'NbOfLinesForCorruptedLog=50' >> $PFADAWSTATS
echo 'WrapperScript=""' >> $PFADAWSTATS
echo 'DecodeUA=0' >> $PFADAWSTATS
echo 'MiscTrackerUrl="/js/awstats_misc_tracker.js"' >> $PFADAWSTATS
echo 'LevelForRobotsDetection=2' >> $PFADAWSTATS
echo 'LevelForBrowsersDetection=2' >> $PFADAWSTATS
echo 'LevelForOSDetection=2' >> $PFADAWSTATS
echo 'LevelForRefererAnalyze=2' >> $PFADAWSTATS
echo 'UseFramesWhenCGI=0' >> $PFADAWSTATS
echo 'DetailedReportsOnNewWindows=1' >> $PFADAWSTATS
echo 'Expires=0' >> $PFADAWSTATS
echo 'MaxRowsInHTMLOutput=1000' >> $PFADAWSTATS
echo 'Lang="de"' >> $PFADAWSTATS
echo 'DirLang="./lang"' >> $PFADAWSTATS
echo 'ShowMenu=1' >> $PFADAWSTATS
echo 'ShowMonthStats=UVPHB' >> $PFADAWSTATS
echo 'ShowDaysOfMonthStats=VPHB' >> $PFADAWSTATS
echo 'ShowDaysOfWeekStats=PHB' >> $PFADAWSTATS
echo 'ShowHoursStats=PHB' >> $PFADAWSTATS
echo 'ShowDomainsStats=PHB' >> $PFADAWSTATS
echo 'ShowHostsStats=PHBL' >> $PFADAWSTATS
echo 'ShowAuthenticatedUsers=0' >> $PFADAWSTATS
echo 'ShowSessionsStats=1' >> $PFADAWSTATS
echo 'ShowPagesStats=PBEX' >> $PFADAWSTATS
echo 'ShowFileTypesStats=HB' >> $PFADAWSTATS
echo 'ShowOSStats=1' >> $PFADAWSTATS
echo 'ShowBrowsersStats=1' >> $PFADAWSTATS
echo 'ShowScreenSizeStats=0' >> $PFADAWSTATS
echo 'ShowOriginStats=PH' >> $PFADAWSTATS
echo 'ShowKeyphrasesStats=1' >> $PFADAWSTATS
echo 'ShowKeywordsStats=1' >> $PFADAWSTATS
echo 'ShowMiscStats=a' >> $PFADAWSTATS
echo 'ShowHTTPErrorsStats=1' >> $PFADAWSTATS
echo 'ShowSMTPErrorsStats=0' >> $PFADAWSTATS
echo 'ShowClusterStats=0' >> $PFADAWSTATS
echo 'AddDataArrayMonthStats=1' >> $PFADAWSTATS
echo 'AddDataArrayShowDaysOfMonthStats=1' >> $PFADAWSTATS
echo 'AddDataArrayShowDaysOfWeekStats=1' >> $PFADAWSTATS
echo 'AddDataArrayShowHoursStats=1' >> $PFADAWSTATS
echo 'MaxNbOfDomain = 10' >> $PFADAWSTATS
echo 'MinHitDomain = 1' >> $PFADAWSTATS
echo 'MaxNbOfHostsShown = 10' >> $PFADAWSTATS
echo 'MinHitHost = 1' >> $PFADAWSTATS
echo 'MaxNbOfLoginShown = 10' >> $PFADAWSTATS
echo 'MinHitLogin = 1' >> $PFADAWSTATS
echo 'MaxNbOfRobotShown = 10' >> $PFADAWSTATS
echo 'MinHitRobot = 1' >> $PFADAWSTATS
echo 'MaxNbOfPageShown = 10' >> $PFADAWSTATS
echo 'MinHitFile = 1' >> $PFADAWSTATS
echo 'MaxNbOfOsShown = 10' >> $PFADAWSTATS
echo 'MinHitOs = 1' >> $PFADAWSTATS
echo 'MaxNbOfBrowsersShown = 10' >> $PFADAWSTATS
echo 'MinHitBrowser = 1' >> $PFADAWSTATS
echo 'MaxNbOfScreenSizesShown = 5' >> $PFADAWSTATS
echo 'MinHitScreenSize = 1' >> $PFADAWSTATS
echo 'MaxNbOfRefererShown = 10' >> $PFADAWSTATS
echo 'MinHitRefer = 1' >> $PFADAWSTATS
echo 'MaxNbOfKeyphrasesShown = 10' >> $PFADAWSTATS
echo 'MinHitKeyphrase = 1' >> $PFADAWSTATS
echo 'MaxNbOfKeywordsShown = 10' >> $PFADAWSTATS
echo 'MinHitKeyword = 1' >> $PFADAWSTATS
echo 'MaxNbOfEMailsShown = 20' >> $PFADAWSTATS
echo 'MinHitEMail = 1' >> $PFADAWSTATS
echo 'FirstDayOfWeek=1' >> $PFADAWSTATS
echo 'ShowLinksOnUrl=1' >> $PFADAWSTATS
echo 'UseHTTPSLinkForUrl=""' >> $PFADAWSTATS
echo 'MaxLengthOfURL=70' >> $PFADAWSTATS
echo 'LinksToWhoIs="http://www.whois.net/search.cgi2?str="' >> $PFADAWSTATS
echo 'LinksToIPWhoIs="http://ws.arin.net/cgi-bin/whois.pl?queryinput="' >> $PFADAWSTATS
echo 'HTMLHeadSection=""' >> $PFADAWSTATS
echo 'HTMLEndSection=""' >> $PFADAWSTATS
echo 'Logo="awstats_logo6.png"' >> $PFADAWSTATS
echo 'LogoLink="http://awstats.sourceforge.net"' >> $PFADAWSTATS
echo 'BarWidth = 260' >> $PFADAWSTATS
echo 'BarHeight = 90' >> $PFADAWSTATS

# register the stats update for this domain in the update script
echo '/usr/local/awstats/wwwroot/cgi-bin/awstats.pl -config='$2' -update' >> /usr/local/scripts/run_awstats
```

###### SCRIPT END #####

###### AWSTATS APACHE SECTION #####

apache config is done this way (in your case this would be in the master config and authentication would be done via db. Still awstats would be able to get the authenticated username and provide the stats of awstats.example.com.config only to the guys mentioned in the line `# AllowAccessFromWebToFollowingAuthenticatedUsers="superuser reseller customername"`):

```
Alias /awstats /usr/local/awstats/wwwroot/
<Directory /usr/local/awstats/wwwroot>
    AuthType Basic
    AuthName "Enter pass for stats..."
    AuthUserFile /etc/apache2/.htpasswd.d/awstats
    # <Limit GET> applies the Require line to GET (and HEAD) requests only
    <Limit GET>
        require valid-user
    </Limit>
</Directory>
<Directory /usr/local/awstats/wwwroot/cgi-bin>
    AllowOverride All
    AllowOverride FileInfo
    Options +ExecCGI
</Directory>
```

###### REDIRECT START (my 00_master.conf) #####

```
<VirtualHost MYIP:80>
    ServerAdmin info@example.com
    ServerName example.com
    RewriteEngine On
    Redirect / https://example.com/
    ErrorLog /var/log/apache2/users/example.com-error.log
    TransferLog /var/log/apache2/users/example.com-access.log
    CustomLog /var/log/apache2/example.com-traf.log traff
    CustomLog /var/log/apache2/example.com-combined.log combined
</VirtualHost>
```

RE: Awstats password protection - noel - 10-27-2008 11:41 AM

Hi, a quick suggestion: mod_authnz_external + perl script check usr/pwd in mysql + adapt vhost file? Anybody experience with it? I try now, if it works I'll post it here.
RE: Awstats password protection - noel - 10-27-2008 10:21 PM

It works! It was quite easy to make awstat (or anything else) authenticate users using mysql. For those who are looking for a quick solution, here it is:

1. You need mod_authnz_external (Apache 2.2) or mod_auth_external (Apache <2.1) from http://unixpapa.com/mod_auth_external.html

2. You need a tiny perl script to perform the query and the test, feel free to get mine from http://www.2go.ge/mysql-auth.tar.gz and extract it into /usr/share/awstats/wwwroot/cgi-bin/

3. Edit this script /usr/share/awstats/wwwroot/cgi-bin/mysql-auth.pl and put in your mysql username and password which has read access to the ispcp.admin table

4. Edit your domain's awstats files in /etc/awstats/awstats.yourdomain.conf and replace

```
AllowAccessFromWebToAuthenticatedUsersOnly=1
AllowAccessFromWebToFollowingAuthenticatedUsers="yourdomain"
```

5. Edit the awstats template /etc/ispcp/awstats/awstats.ispcp_tpl.conf and replace

```
AllowAccessFromWebToAuthenticatedUsersOnly=1
AllowAccessFromWebToFollowingAuthenticatedUsers="{DOMAIN_NAME}"
```

6. Edit the awstats apache conf /etc/httpd/vhosts/01_awstats.conf and add

```
<Directory /usr/share/awstats>
    AllowOverride none
    Options ExecCGI FollowSymLinks
    Order allow,deny
    Allow from all
    AuthType Basic
    AuthName "Authentication required"
    AuthBasicProvider external
    AuthExternal mysql-auth
    Require valid-user
</Directory>
AddExternalAuth mysql-auth /usr/share/awstats/wwwroot/cgi-bin/mysql-auth.pl
# the keyword here must match the one given to AddExternalAuth
SetExternalAuthMethod mysql-auth pipe
```

Restart apache and enjoy password protected awstats.

Note: I observed that mod_auth_mysql is slightly faster than mod_authnz_external, but _external is more stable, allows to run scripts in root while apache runs suexec and even if your db-script crashes it won't make apache crash as well. For me it works so well that I decided to replace the default ISPCP login with this solution. Attacker won't even notice that there is ISPCP on the server...
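The contract behind `SetExternalAuthMethod ... pipe` in the post above, as an added example (this is not noel's mysql-auth.pl and not ispCP code): Apache writes the user name and the password to the authenticator's standard input, one per line, and treats exit status 0 as a successful login. The in-memory `USERS` store and the PBKDF2 hashing are assumptions that stand in for the MySQL lookup; the login name and password are constructed.

```python
#!/usr/bin/env python3
"""Authenticator for mod_authnz_external's "pipe" method (added example)."""
import hashlib
import hmac
import sys

ITERATIONS = 100_000  # assumption: PBKDF2 cost chosen for this example


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed sample store standing in for the panel database lookup.
# Maps login name -> (salt, derived key); names and passwords are made up.
_SALT = b"constructed-salt"
USERS = {"example.com": (_SALT, hash_password("correct horse", _SALT))}
# Dummy record so an unknown user costs the same work as a known one.
_DUMMY = (_SALT, hash_password("dummy", _SALT))


def authenticate(stream) -> int:
    """Read user and password (one per line) and return the exit status.

    0 tells Apache to accept the login; any other value rejects it.
    """
    user = stream.readline()
    password = stream.readline()
    # Both lines must be present and newline-terminated; fail closed otherwise.
    if not user.endswith("\n") or not password.endswith("\n"):
        return 1
    user, password = user.rstrip("\r\n"), password.rstrip("\r\n")
    salt, expected = USERS.get(user, _DUMMY)
    candidate = hash_password(password, salt)
    # Constant-time comparison; the dummy record can never authenticate.
    matches = hmac.compare_digest(candidate, expected)
    return 0 if matches and user in USERS else 1


if __name__ == "__main__":
    sys.exit(authenticate(sys.stdin))
```

Because the authenticator runs as its own process, it can live outside the web-served cgi-bin directory and be readable only by the account Apache runs as, which keeps any database credentials it holds out of reach of HTTP requests.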
RE: Awstats password protection - simple - 11-24-2008 04:55 AM

RaTs: any news from your end of the work? I would really need the security right now and would make the solution as cube suggested. If you have already started please provide the input so I can spare some work.

regards
Markus

RE: Awstats password protection - sci2tech - 11-24-2008 05:15 AM

> (11-24-2008 04:55 AM) simple Wrote:
> RaTs: any news from your end of the work? I would really need the security right now and would make the solution as cube suggested. If you have already started please provide the input so I can spare some work.

My next commit will solve this ticket. And it will be tonight or tomorrow, as soon as I'll finish testing.

RE: Awstats password protection - simple - 11-25-2008 06:57 PM

I did a quick but working fix: I manually compiled mod_auth_mysql from source, there are some pretty good explanations in the web. One would be:

Code:
```
wget http://heanet.dl.sourceforge.net/sourceforge/modauthmysql/mod_auth_mysql-3.0.0.tar.gz
```

Next step would be activating the protection in /etc/apache2/sites-available/01_awstats.conf like this:

Code:
```
<Directory /usr/lib/cgi-bin>
```

This is only a quick fix so the stats are password protected. Customers of the server can still log in to all stats hosted there, but still pretty much better than without any authentication.

RE: Awstats password protection - sci2tech - 11-26-2008 02:02 AM

I did not manage to finish but I do work on it and as soon as possible it will be fixed. Give me 1-2 days to finish my work