Current time: 11-23-2024, 08:29 PM Hello There, Guest! (LoginRegister)


Post Reply 
Awstats password protection
Author Message
BerserkerXP Offline


Posts: 2
Joined: Aug 2008
Reputation: 0
Post: #51
RE: Awstats password protection
i think the Best would be to create/expand the password file when the a user was created or the usersettings would be changed. So the passwort für awstats would be the same like for the domain!
09-06-2008 09:14 PM
Find all posts by this user Quote this message in a reply
lbm Offline
Junior Member
*

Posts: 11
Joined: Apr 2008
Reputation: 0
Post: #52
RE: Awstats password protection
When thinking of encryption it may be interesting to put the awstats web access in a single place (I did this on a server once) e.g. https://iscpcontrolpanellink/awstats.
Then one could use something like the following in awstats:

AllowAccessFromWebToFollowingAuthenticatedUsers="user1 user1s_reseller"

and authenticate in Apache "normally" like (this is without the use of sql as an example):

Alias /awstats /usr/local/awstats/wwwroot/
<Directory /usr/local/awstats/wwwroot>
AuthType Basic
AuthUserFile /where/ever
<Limit GET>
require valid-user
</Limit>
</Directory>

So (if one is using encryption for the isp-panel; which imho should be the case on productive servers) the awstats pass is encrypted, too. Otherwise the admin pass will be exposed for the statistics since the domains are not encrypted usually...

The awstats-link can then be done this way per domain:

RewriteEngine on
RewriteRule ^/stats/$ http://iscpcontrolpanellink/awstats/cgi-bin/awstats.pl?config=domain [R]
(assuming http://ispcontrolpanellink redirects to https://ispcontrolpanellink -> thats how I do in my ispcp)

such that restriction is handled in the awstats config (see above). Furthermore this enables e.g. resellers to be able to see some stats of their domains, too (which in Germany at least would not be allowed by law)...

Tell me what you think and tell me if you need more information about how I did the setup.

Cheers,
Thorsten
(This post was last modified: 09-09-2008 04:06 AM by lbm.)
09-09-2008 04:04 AM
Find all posts by this user Quote this message in a reply
BeNe Offline
Moderator
*****
Moderators

Posts: 5,899
Joined: Jan 2007
Reputation: 68
Post: #53
RE: Awstats password protection
I understand, but maybe you can give us more information about the setup.
Or did you set it manually ??

Looks like AWStats is getting more interesting.... Wink

Greez BeNe
09-09-2008 06:07 AM
Visit this user's website Find all posts by this user Quote this message in a reply
lbm Offline
Junior Member
*

Posts: 11
Joined: Apr 2008
Reputation: 0
Post: #54
RE: Awstats password protection
OK Guys its long but here is the script that we used essentially to do the awstats thingy. Authentication has been done with htaccess, though... As mentioned, this was done before we knew ispCP and I think your template based mechanism is smarter... still this is all I can provide Wink. Some paths are different than in a ispCP setup but that should be pretty easy to change.
Below the script I included the webserver config (the part that should be included in the 00_master.conf in case of ispCP) and in the part of the vhost creation you see the recirect to this address.
Furthermore on my ispcp server I created a 00_master_ssl.conf and placed a redirect to the https site to anything coming from port 80 in the master.conf to force users to use ssl (they don't do it if you don't force them its awful). I included this also for convenience:

(if I forgot to delete any sensitive information, please do so, thanks Wink ).

###### SCRIPT START #####
#!/bin/sh
KDNNAME=$1 #customername
DOMAINNAME=$2 #domainname
PFADVHOST=/etc/apache2/sites-available/$KDNNAME/$DOMAINNAME.conf #path of vhost
IPADRESSE=XXX.XXX.XXX.XXX
PFADAWSTATS=/etc/awstats/awstats.$DOMAINNAME.conf #path of awstats config
HOMEDIR=/home/customers
SERVERNAME=example.com

## create vhost
mkdir -p /etc/apache2/sites-available/$KDNNAME

mkdir -p $HOMEDIR/"$KDNNAME"/htdocs/"$DOMAINNAME"/cgi-bin

echo '<VirtualHost *:80>' > $PFADVHOST
echo ' ServerAdmin webmaster@'$DOMAINNAME >> $PFADVHOST
echo ' ServerName '$DOMAINNAME >> $PFADVHOST
echo ' RewriteEngine on' >> $PFADVHOST
echo ' RewriteRule ^/stats/$ https://$SERVERNAME/awstats/cgi-bin/awstats.pl?config='$DOMAINNAME' [R]' >> $PFADVHOST
echo ' RewriteRule ^/stats$ https://$SERVERNAME/awstats/cgi-bin/awstats.pl?config='$DOMAINNAME' [R]' >> $PFADVHOST
echo ' DocumentRoot /home/customers/'$KDNNAME'/htdocs/'$DOMAINNAME >> $PFADVHOST
echo ' ErrorLog /home/customers/'$KDNNAME'/logs/'$DOMAINNAME'-error.log' >> $PFADVHOST
echo ' LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined' >> $PFADVHOST
echo ' CustomLog /home/customers/'$KDNNAME'/logs/'$DOMAINNAME'-access.log combined' >> $PFADVHOST
echo ' <Directory /home/customers/'$KDNNAME'/htdocs/'$DOMAINNAME'>' >> $PFADVHOST
echo ' AllowOverride All' >> $PFADVHOST
echo ' </Directory>' >> $PFADVHOST
echo ' <Directory /home/customers/'$KDNNAME'/htdocs/'$DOMAINNAME'/cgi-bin>' >> $PFADVHOST
echo ' AllowOverride All' >> $PFADVHOST
echo ' Options +ExecCGI' >> $PFADVHOST
echo ' </Directory>' >> $PFADVHOST
echo '</VirtualHost>' >> $PFADVHOST

ln -s /etc/apache2/sites-available/$KDNNAME/$DOMAINNAME.conf /etc/apache2/sites-enabled/$DOMAINNAME.conf

# create awstats config file
echo 'LogFile="/home/customers/'$KDNNAME'/logs/'$DOMAINNAME'-access.log"' > $PFADAWSTATS
echo LogType=W >> $PFADAWSTATS
echo LogFormat=1 >> $PFADAWSTATS
echo 'LogSeparator=" "' >> $PFADAWSTATS
echo 'SiteDomain="'$DOMAINNAME'"' >> $PFADAWSTATS
echo 'HostAliases="localhost 127.0.0.1 REGEX[myserver\.com$]"' >> $PFADAWSTATS
echo DNSLookup=1 >> $PFADAWSTATS
echo 'DirData="/home/customers/'$KDNNAME'/awstats"' >> $PFADAWSTATS
echo 'DirCgi="/awstats/cgi-bin"' >> $PFADAWSTATS
echo 'DirIcons="/awstats/icon"' >> $PFADAWSTATS
echo AllowToUpdateStatsFromBrowser=0 >> $PFADAWSTATS
echo AllowFullYearView=3 >> $PFADAWSTATS
echo EnableLockForUpdate=0 >> $PFADAWSTATS
echo 'DNSStaticCacheFile="dnscache.'$DOMAINNAME'.txt"' >> $PFADAWSTATS
echo 'DNSLastUpdateCacheFile="dnscachelastupdate.'$DOMAINNAME'.txt"' >> $PFADAWSTATS
echo 'SkipDNSLookupFor=""' >> $PFADAWSTATS
echo 'AllowAccessFromWebToAuthenticatedUsersOnly=1' >> $PFADAWSTATS
echo 'AllowAccessFromWebToFollowingAuthenticatedUsers="SOME_SUPERUSER '$1'"' >> $PFADAWSTATS
echo 'AllowAccessFromWebToFollowingIPAddresses=""' >> $PFADAWSTATS
echo CreateDirDataIfNotExists=1 >> $PFADAWSTATS
echo BuildHistoryFormat=text >> $PFADAWSTATS
echo BuildReportFormat=html >> $PFADAWSTATS
echo SaveDatabaseFilesWithPermissionsForEveryone=1 >> $PFADAWSTATS
echo PurgeLogFile=0 >> $PFADAWSTATS
echo ArchiveLogRecords=0 >> $PFADAWSTATS
echo KeepBackupOfHistoricFiles=0 >> $PFADAWSTATS
echo 'DefaultFile="index.html"' >> $PFADAWSTATS
echo 'SkipHosts=""' >> $PFADAWSTATS
echo 'SkipUserAgents=""' >> $PFADAWSTATS
echo 'SkipFiles=""' >> $PFADAWSTATS
echo 'OnlyHosts=""' >> $PFADAWSTATS
echo 'OnlyUserAgents=""' >> $PFADAWSTATS
echo 'OnlyFiles=""' >> $PFADAWSTATS
echo 'NotPageList="css js class gif jpg jpeg png bmp ico"' >> $PFADAWSTATS
echo 'ValidHTTPCodes="200 304"' >> $PFADAWSTATS
echo 'ValidSMTPCodes="1 250"' >> $PFADAWSTATS
echo 'AuthenticatedUsersNotCaseSensitive=0'>> $PFADAWSTATS
echo 'URLNotCaseSensitive=0' >> $PFADAWSTATS
echo 'URLWithAnchor=0' >> $PFADAWSTATS
echo 'URLQuerySeparators="?;"' >> $PFADAWSTATS
echo 'URLWithQuery=0' >> $PFADAWSTATS
echo 'URLWithQueryWithoutFollowingParameters=""' >> $PFADAWSTATS
echo 'URLReferrerWithQuery=0' >> $PFADAWSTATS
echo 'WarningMessages=1' >> $PFADAWSTATS
echo 'ErrorMessages=""' >> $PFADAWSTATS
echo 'DebugMessages=1' >> $PFADAWSTATS
echo 'NbOfLinesForCorruptedLog=50' >> $PFADAWSTATS
echo 'WrapperScript=""' >> $PFADAWSTATS
echo 'DecodeUA=0' >> $PFADAWSTATS
echo 'MiscTrackerUrl="/js/awstats_misc_tracker.js"' >> $PFADAWSTATS
echo 'LevelForRobotsDetection=2' >> $PFADAWSTATS
echo 'LevelForBrowsersDetection=2' >> $PFADAWSTATS
echo 'LevelForOSDetection=2' >> $PFADAWSTATS
echo 'LevelForRefererAnalyze=2' >> $PFADAWSTATS
echo 'UseFramesWhenCGI=0' >> $PFADAWSTATS
echo 'DetailedReportsOnNewWindows=1' >> $PFADAWSTATS
echo 'Expires=0' >> $PFADAWSTATS
echo 'MaxRowsInHTMLOutput=1000' >> $PFADAWSTATS
echo 'Lang="de"' >> $PFADAWSTATS
echo 'DirLang="./lang"' >> $PFADAWSTATS
echo 'ShowMenu=1' >> $PFADAWSTATS
echo 'ShowMonthStats=UVPHB' >> $PFADAWSTATS
echo 'ShowDaysOfMonthStats=VPHB' >> $PFADAWSTATS
echo 'ShowDaysOfWeekStats=PHB' >> $PFADAWSTATS
echo 'ShowHoursStats=PHB' >> $PFADAWSTATS
echo 'ShowDomainsStats=PHB' >> $PFADAWSTATS
echo 'ShowHostsStats=PHBL' >> $PFADAWSTATS
echo 'ShowAuthenticatedUsers=0' >> $PFADAWSTATS
echo 'ShowSessionsStats=1' >> $PFADAWSTATS
echo 'ShowPagesStats=PBEX' >> $PFADAWSTATS
echo 'ShowFileTypesStats=HB' >> $PFADAWSTATS
echo 'ShowOSStats=1' >> $PFADAWSTATS
echo 'ShowBrowsersStats=1' >> $PFADAWSTATS
echo 'ShowScreenSizeStats=0' >> $PFADAWSTATS
echo 'ShowOriginStats=PH' >> $PFADAWSTATS
echo 'ShowKeyphrasesStats=1' >> $PFADAWSTATS
echo 'ShowKeywordsStats=1' >> $PFADAWSTATS
echo 'ShowMiscStats=a' >> $PFADAWSTATS
echo 'ShowHTTPErrorsStats=1' >> $PFADAWSTATS
echo 'ShowSMTPErrorsStats=0' >> $PFADAWSTATS
echo 'ShowClusterStats=0' >> $PFADAWSTATS
echo 'AddDataArrayMonthStats=1' >> $PFADAWSTATS
echo 'AddDataArrayShowDaysOfMonthStats=1' >> $PFADAWSTATS
echo 'AddDataArrayShowDaysOfWeekStats=1' >> $PFADAWSTATS
echo 'AddDataArrayShowHoursStats=1' >> $PFADAWSTATS
echo 'MaxNbOfDomain = 10' >> $PFADAWSTATS
echo 'MinHitDomain = 1' >> $PFADAWSTATS
echo 'MaxNbOfHostsShown = 10' >> $PFADAWSTATS
echo 'MinHitHost = 1' >> $PFADAWSTATS
echo 'MaxNbOfLoginShown = 10' >> $PFADAWSTATS
echo 'MinHitLogin = 1' >> $PFADAWSTATS
echo 'MaxNbOfRobotShown = 10' >> $PFADAWSTATS
echo 'MinHitRobot = 1' >> $PFADAWSTATS
echo 'MaxNbOfPageShown = 10' >> $PFADAWSTATS
echo 'MinHitFile = 1' >> $PFADAWSTATS
echo 'MaxNbOfOsShown = 10' >> $PFADAWSTATS
echo 'MinHitOs = 1' >> $PFADAWSTATS
echo 'MaxNbOfBrowsersShown = 10' >> $PFADAWSTATS
echo 'MinHitBrowser = 1' >> $PFADAWSTATS
echo 'MaxNbOfScreenSizesShown = 5' >> $PFADAWSTATS
echo 'MinHitScreenSize = 1' >> $PFADAWSTATS
echo 'MaxNbOfRefererShown = 10' >> $PFADAWSTATS
echo 'MinHitRefer = 1' >> $PFADAWSTATS
echo 'MaxNbOfKeyphrasesShown = 10' >> $PFADAWSTATS
echo 'MinHitKeyphrase = 1' >> $PFADAWSTATS
echo 'MaxNbOfKeywordsShown = 10' >> $PFADAWSTATS
echo 'MinHitKeyword = 1' >> $PFADAWSTATS
echo 'MaxNbOfEMailsShown = 20' >> $PFADAWSTATS
echo 'MinHitEMail = 1' >> $PFADAWSTATS
echo 'FirstDayOfWeek=1' >> $PFADAWSTATS
echo 'ShowLinksOnUrl=1' >> $PFADAWSTATS
echo 'UseHTTPSLinkForUrl=""' >> $PFADAWSTATS
echo 'MaxLengthOfURL=70' >> $PFADAWSTATS
echo 'LinksToWhoIs="http://www.whois.net/search.cgi2?str="' >> $PFADAWSTATS
echo 'LinksToIPWhoIs="http://ws.arin.net/cgi-bin/whois.pl?queryinput="' >> $PFADAWSTATS
echo 'HTMLHeadSection=""' >> $PFADAWSTATS
echo 'HTMLEndSection=""' >> $PFADAWSTATS
echo 'Logo="awstats_logo6.png"' >> $PFADAWSTATS
echo 'LogoLink="http://awstats.sourceforge.net"' >> $PFADAWSTATS
echo 'BarWidth = 260' >> $PFADAWSTATS
echo 'BarHeight = 90' >> $PFADAWSTATS

echo '/usr/local/awstats/wwwroot/cgi-bin/awstats.pl -config='$2' -update' >> /usr/local/scripts/run_awstats

###### SCRIPT END #####

###### AWSTATS APACHE SECTION #####
apache config is done this way (in your case this would be in the master config and authentication would be done via db. Still awstats would be able to get the authenticatet username and provide the stats of atstats.example.com.config only to the guys mentioned in the line
# AllowAccessFromWebToFollowingAuthenticatedUsers="superuser reseller customername"

Alias /awstats /usr/local/awstats/wwwroot/
<Directory /usr/local/awstats/wwwroot>
AuthType Basic
AuthName "Enter pass for stats..."
AuthUserFile /etc/apache2/.htpasswd.d/awstats
<Limit GET>
require valid-user
</Limit>
</Directory>
<Directory /usr/local/awstats/wwwroot/cgi-bin>
AllowOverride All
AllowOverride FileInfo
Options +ExecCGI
</Directory>

###### REDIRCT START (my 00_master.conf) #####
<VirtualHost MYIP:80>
ServerAdmin info@example.com
ServerName example.com
RewriteEngine On
Redirect / https://example.com/

ErrorLog /var/log/apache2/users/example.com-error.log
TransferLog /var/log/apache2/users/example.com-access.log
CustomLog /var/log/apache2/example.com-traf.log traff
CustomLog /var/log/apache2/example.com-combined.log combined
</VirtualHost>
09-10-2008 08:27 PM
Find all posts by this user Quote this message in a reply
noel Offline


Posts: 4
Joined: Aug 2008
Reputation: 0
Post: #55
RE: Awstats password protection
Hi, a quick suggestion:
mod_authnz_external + perl script check usr/pwd in mysql + adapt vhost file?
Anybody experience with it? I try now, if it works I'll post it here.
10-27-2008 11:41 AM
Find all posts by this user Quote this message in a reply
noel Offline


Posts: 4
Joined: Aug 2008
Reputation: 0
Post: #56
Toungue RE: Awstats password protection
It works! It was quite easy to make awstat (or anything else) authenticate users using mysql. For those who are looking for a quick solution, here it is:

1. You need mod_authnz_external (Apache 2.2) or mod_auth_external (Apache <2.1) from http://unixpapa.com/mod_auth_external.html

2. You need a tiny perl script to perform the query and the test, feel free to get mine from http://www.2go.ge/mysql-auth.tar.gz and extract it into /usr/share/awstats/wwwroot/cgi-bin/

3. Edit this script /usr/share/awstats/wwwroot/cgi-bin/mysql-auth.pl and put in your mysql username and password which has read access to the ispcp.admin table

3. Edit your domain's awstats files in /etc/awstats/awstats.yourdomain.conf and replace
AllowAccessFromWebToAuthenticatedUsersOnly=1
AllowAccessFromWebToFollowingAuthenticatedUsers="yourdomain"

4. Edit the awstats template /etc/ispcp/awstats/awstats.ispcp_tpl.conf and replace
AllowAccessFromWebToAuthenticatedUsersOnly=1
AllowAccessFromWebToFollowingAuthenticatedUsers="{DOMAIN_NAME}"

5. Edit the awstats apache conf /etc/httpd/vhosts/01_awstats.conf and add
<Directory /usr/share/awstats>
AllowOverride none
Options ExecCGI FollowSymLinks
Order allow,deny
Allow from all
AuthType Basic
AuthName "Authentication required"
AuthBasicProvider external
AuthExternal mysql-auth
Require valid-user
</Directory>
AddExternalAuth mysql-auth /usr/share/awstats/wwwroot/cgi-bin/mysql-auth.pl
SetExternalAuthMethod mysql-auth.pl pipe

Restart apache and enjoy password protected awstats. Note: I observed that mod_auth_mysql is slightly faster than mod_authnz_external, but _external is more stable, allows to run scripts in root while apache runs suexec and even if your db-script crashes it won't make apache crash as well. For me it works so well that I decided to replaced the default ISPCP login with this solution. Attacker won't even notice that there is ISPCP on the server...
10-27-2008 10:21 PM
Find all posts by this user Quote this message in a reply
simple Offline
Junior Member
**
Graph Team

Posts: 143
Joined: Dec 2006
Reputation: 0
Post: #57
RE: Awstats password protection
RaTs: any news from your end of the work? I would really need the security right now and would make the solution as cube suggested. If you have allready started please provide the input so I can spare some work.

regards
Markus
11-24-2008 04:55 AM
Visit this user's website Find all posts by this user Quote this message in a reply
sci2tech Away
Senior Member
****

Posts: 1,285
Joined: Jan 2007
Reputation: 23
Post: #58
RE: Awstats password protection
(11-24-2008 04:55 AM)simple Wrote:  RaTs: any news from your end of the work? I would really need the security right now and would make the solution as cube suggested. If you have allready started please provide the input so I can spare some work.

regards
Markus
My next commit will solve this ticket. And it will be tonight or tomorow, as soon as i`ll finish testing.
(This post was last modified: 11-24-2008 05:15 AM by sci2tech.)
11-24-2008 05:15 AM
Visit this user's website Find all posts by this user Quote this message in a reply
simple Offline
Junior Member
**
Graph Team

Posts: 143
Joined: Dec 2006
Reputation: 0
Post: #59
RE: Awstats password protection
I did a quick but working fix: I manually compiled mod_auth_mysql from source, there are some pretty good explanations in the web. One would be:
Code:
wget http://heanet.dl.sourceforge.net/sourceforge/modauthmysql/mod_auth_mysql-3.0.0.tar.gz
wget http://www.bleb.org/software/mod_auth_mysql-3.0.0-apache-2.2.3.patch
tar zxf mod_auth_mysql-3.0.0.tar.gz
apt-get install apache2-prefork-dev libmysqlclient15-dev
cd mod_auth_mysql-3.0.0
patch < ../mod_auth_mysql-3.0.0-apache-2.2.3.patch
sed -i 's|#include <mysql.h>|#include <mysql/mysql.h>|' mod_auth_mysql.c
apxs2 -c -lmysqlclient -lm -lz mod_auth_mysql.c
apxs2 -i mod_auth_mysql.la
echo 'LoadModule mysql_auth_module /usr/lib/apache2/modules/mod_auth_mysql.so' >/etc/apache2/mods-available/auth_mysql.load
a2enmod auth_mysql
apache2ctl graceful

Next step would be activating the protection in /etc/apache2/sites-available/01_awstats.conf like this:
Code:
<Directory /usr/lib/cgi-bin>
   [..]        
    AuthName                        "AWStats Login"
    AuthType                        Basic
    AuthMYSQLEnable                 on
    AuthMySQLAuthoritative          on
    AuthMySQLHost                   localhost
    AuthMySQLUser                   <sql-user with access to DB ispcp>
    AuthMySQLPassword               <password of mysql-user>
    AuthMySQLDB                     ispcp
    AuthMySQLUserTable              admin
    AuthMySQLNameField              admin_name
    AuthMySQLPasswordField          admin_pass
    AuthMySQLNoPasswd               off
    AuthMySQLPwEncryption           PHP_MD5
</Directory>

This is only a quick fix so the stats are password protected. Customers of the server can still log in to all stats hosted there, but still pretty much better than without any authentication.
11-25-2008 06:57 PM
Visit this user's website Find all posts by this user Quote this message in a reply
sci2tech Away
Senior Member
****

Posts: 1,285
Joined: Jan 2007
Reputation: 23
Post: #60
RE: Awstats password protection
I did not manage to finish but I do work on it and as soon as possible it will be fixed. Give me 1-2 days to finish my work
11-26-2008 02:02 AM
Visit this user's website Find all posts by this user Quote this message in a reply
Post Reply 


Forum Jump:


User(s) browsing this thread: 2 Guest(s)