Awstats password protection

[Eminos]

Cube Wrote:I have not tested this yet, but I think it is still necessary to modify the awstats-configs (AllowAccessFromWebToAuthenticatedUsersOnly / AllowAccessFromWebToFollowingAuthenticatedUsers) to avoid that the users can access their stats one another.

True. I have done this, and it works great

/E

[momo]

@rycardo
Thanks a lot, works great
@cube
Exactly what I was looking for


The awstats-configs for all domain is
/etc/ispcp/awstats/awstats.ispcp_tpl.conf

Code:

AllowAccessFromWebToAuthenticatedUsersOnly=1

If you set :

Code:

AllowAccessFromWebToFollowingAuthenticatedUsers=""

All known users can access other domain stats

So you must define AllowAccessFromWebToFollowingAuthenticatedUsers for every domain. These config files location is :

Code:

/etc/awstats

Now, everytime you will "regenerate" ispcp, these config files will be overwritten by

Code:

/etc/ispcp/awstats/awstats.ispcp_tpl.conf

So you will need to change once more all config files 1 by 1, which is annoying and time consuming.

To avoid that, I would like to make regeneration skip awstats config

Any ideas ?

[Eminos]

Why don't you just change that awstats ispcp template (/etc/ispcp/awstats/awstats.ispcp_tpl.conf), so that the domain is set from the variable for all new or regenerated domains.

That works for me.

/E

[momo]

When I put

Code:

AllowAccessFromWebToFollowingAuthenticatedUsers = "user1 user2"

user2 will successfully log into

http://www.user1.com/stats/ and http://www.user2.com/stats/

and vice-versa

[Eminos]

momo Wrote:When I put

Code:

AllowAccessFromWebToFollowingAuthenticatedUsers = "user1 user2"

user2 will successfully log into

http://www.user1.com/stats/ and http://www.user2.com/stats/

and vice-versa

You should only add ONE domain (user1). In the template file you can use the variable {DOMAIN_NAME} to set the correct domain name/user.

/E

[momo]

Hmmm that makes a lot of sense
and it is working perfectly!

Thank you

[memic]

i wrote a little script to create a htpasswd file for awstats access,
my Apache Directory in /etc/apache2/sites-enabled/01_awstats.conf looks like this:

<Directory /usr/lib/cgi-bin>
Options +ExecCGI
DirectoryIndex awstats.pl
Order allow,deny
Allow from all

AuthType Basic
AuthName "AWStats"
AuthUserFile /etc/apache2/awstatsusers
Require valid-user <- no users needed here since this is done in the awstats config files
</Directory>

I changed the template /etc/ispcp/awstats/awstats.ispcp_tpl.conf, the same way i have seen this in post before:

AllowAccessFromWebToAuthenticatedUsersOnly="1"
AllowAccessFromWebToFollowingAuthenticatedUsers="{DOMAIN_NAME}"

My first idea was to use the md5 sums from the admin table
to create the htpasswd file, but there is the problem that
md5sum which htpasswd creates are salted, so there is no
way to use the existing hashes for authentication.

Here is the script, it does the job of creating a password
for every domain in the /etc/apache2/awstatsusers file.
Attention the file /etc/apache2/awstatsusers gets deleted every
time, and new passwords are generated.
Fell free to edit/copy do whatever..

#!/usr/bin/perl -w

use DBI;

my $dbh = DBI->connect('dbi:mysql:ispcp:localhost:3306','root','yourpassword',{ RaiseError => 1, AutoCommit => 1});

my $sql = qq{select admin_name from admin;};
my $sth = $dbh->prepare($sql);
$sth->execute();

my $mypass="";
unlink ("/etc/apache2/awstatsusers");
system ("touch /etc/apache2/awstatsusers");
while(@ergebnis=$sth->fetchrow_array)
{

$mypass=randomPassword();
print $ergebnis[0], ":", $mypass, "\n";

system "htpasswd -mb /etc/apache2/awstatsusers $ergebnis[0] $mypass &> /dev/null";
}
sub randomPassword {
my $password;
my $_rand;

my $password_length = $_[0];
if (!$password_length) {
$password_length = 10;
}

my @chars = split(" ", "a b c d e f g h i j k l m n o
p q r s t u v w x y z
0 1 2 3 4 5 6 7 8 9");

srand;

for (my $i=0; $i <= $password_length ;$i++) {
$_rand = int(rand 36);
$password .= $chars[$_rand];
}

return $password;
}

---------

maybe a new table for the awstats user should be added, with
the possibilty to change the the password via webinterface, as
default password the login password for the domain.

memic

[RatS]

I started implementing the password protection. I guess it will on the path Cube used...

[obey]

i have implemented a custom script incl. button to update the file created by memic's script.

i had to make a few changes so ispcp was able to fetch the file over php, regarding a open basedir restriction. What i changed was the path to the awstatsusers file. i put it in /var/www/ispcp/gui/include/awstatsusers . that worked for me

i have implemented the solution on a debian etch ispcp rc5 and on a CentOS5 with ispcp rc4.

also i will write a full howto soon, but i'm going on vacation in a week and i have a looong todo list before that, so i've got not much time to finish this.
nevertheless i attached the relevant files :
- /var/www/ispcp/gui/client/protected_awstats.php
- /var/www/ispcp/gui/themes/omega_original/client/protected_awstats.tpl (damn, the forum won't pick that one up?)

pls feel free to pm or email me for a short description.

greetz
obey!
  protected_awstats.php (Size: 4.88 KB / Downloads: 30)

[RatS]

zip it and attach it or open a ticket. Thank you so much!