Awstats password protection
Cube Offline
Member
***

Posts: 740
Joined: Apr 2007
Reputation: 9
Post: #1
Awstats password protection
I don't like that the stats are public. I don't want that everybody can see them.
So I thought about how a password protection could be realised. With awstats static it's no problem, because the user can password protect the directory by himself. Perhaps it would be a good idea to protect this directory by default.

For awstats dynamic it's more complicated. The directory where awstats.pl is should be password protected. For this there should be an entry in 01_awstats.conf and each time a new user is generated his username and password should be added to a .htpasswd-file.
Because now each user could also access all other statistics, additionally the single usernames should be added to the awstats-config-files.
Code:
AllowAccessFromWebToAuthenticatedUsersOnly=1
AllowAccessFromWebToFollowingAuthenticatedUsers="user"
As the default username and password we could take the login-data from ispcp. Additionally the user should have the possibility to change the awstats login-data in ispcp. It would be perfect to give the users the possibility to disable password protection and to make the stats public, but I think this is not possible with the method described above.

What do you think about it?
10-18-2007 06:05 AM
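
A check for the two directives from the post above, as an added example that is not part of the original post or of ispCP: it reads each site's AWStats config and reports whether the stats are open, open to every authenticated account, or limited to the site owner. The site names, owners and file contents are constructed sample data.

```python
import re

# Matches `Name=value` or `Name="value"`; lines starting with '#' do not match.
_DIRECTIVE = re.compile(r'^\s*([A-Za-z]\w*)\s*=\s*(?:"([^"]*)"|([^\s#]*))')

def parse_awstats_conf(text):
    """Return {directive: value}; a later assignment overrides an earlier one."""
    conf = {}
    for line in text.splitlines():
        m = _DIRECTIVE.match(line)
        if m:
            conf[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return conf

def audit_site(text, owner):
    """Classify who can reach one site's stats through awstats.pl."""
    conf = parse_awstats_conf(text)
    if conf.get("AllowAccessFromWebToAuthenticatedUsersOnly", "0") != "1":
        return "public"                # AWStats itself enforces nothing
    allowed = conf.get("AllowAccessFromWebToFollowingAuthenticatedUsers", "").split()
    if not allowed:
        return "any-authenticated"     # every account in the .htpasswd file gets in
    return "owner-only" if allowed == [owner] else "shared"

# Constructed sample configs: (owner, file contents) per site.
SAMPLES = {
    "alice.example": ("alice", 'SiteDomain="alice.example"\n'
                               'AllowAccessFromWebToAuthenticatedUsersOnly=1\n'
                               'AllowAccessFromWebToFollowingAuthenticatedUsers="alice"\n'),
    "bob.example": ("bob", 'AllowAccessFromWebToAuthenticatedUsersOnly=1\n'),
    "carol.example": ("carol", '# AllowAccessFromWebToAuthenticatedUsersOnly=1\n'
                               'SiteDomain="carol.example"\n'),
    "dave.example": ("dave", 'AllowAccessFromWebToAuthenticatedUsersOnly=1\n'
                             'AllowAccessFromWebToFollowingAuthenticatedUsers="dave alice"\n'),
}

def audit_all(samples):
    """Map each site to its access classification."""
    return {site: audit_site(text, owner) for site, (owner, text) in samples.items()}

if __name__ == "__main__":
    for site, status in audit_all(SAMPLES).items():
        print(f"{site:15} {status}")
```

The "any-authenticated" result is the case the post warns about: the directory login works, but each user can still open every other user's statistics. A "public" result only describes the AWStats layer; the web server may still require a login for the directory.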
RatS Offline
Project Leader
******

Posts: 1,854
Joined: Oct 2006
Reputation: 17
Post: #2
RE: Awstats password protection
Dev team decided against it. Reasons won't be discussed yet. No default password protection for stats.
10-18-2007 07:52 AM
Cube Offline
Member
***

Posts: 740
Joined: Apr 2007
Reputation: 9
Post: #3
RE: Awstats password protection
I don't know one webhoster who makes his customers' stats public.
I see security and privacy problems with that. The stats provide IPs from visitors for example.
10-18-2007 08:32 AM
raphael Offline
Member
***

Posts: 474
Joined: Apr 2007
Reputation: 8
Post: #4
RE: Awstats password protection
Quote: Dev team decided against it
Oh really?
10-18-2007 09:48 AM
ephigenie Offline
Project Leader
*******
Administrators

Posts: 1,578
Joined: Oct 2006
Reputation: 15
Post: #5
RE: Awstats password protection
Yeah @raphael, I was wondering about it, too ...

I think password protection is a must-have.
Although it should be possible (perhaps in 1.1) to allow users to make stats public.
10-18-2007 06:11 PM
BioALIEN Offline
Public Relations Officer
*****
Dev Team

Posts: 620
Joined: Feb 2007
Reputation: 5
Post: #6
RE: Awstats password protection
Three words: Data Protection Act :)

I say we start secure and let the server admin hack away to make whatever parts public (until 1.1).

However, what's stopping us from securing dynamic, and also static? Then if the server admin wants public stats, they can choose static mode and open the directory to the public? Seems very simple to me.
(This post was last modified: 10-18-2007 07:09 PM by BioALIEN.)
10-18-2007 07:08 PM
robmorin Offline
Junior Member
*

Posts: 208
Joined: Apr 2007
Reputation: 0
Post: #7
RE: Awstats password protection
I used to use a .htaccess file with mysql to allow the user to log in via the same password as the domain admin user and pass. It worked great for a long time until I changed version of mysql, then everything broke... I will try it again and post a how-to....

Rob...

BioALIEN Wrote: Three words: Data Protection Act :)

I say we start secure and let the server admin hack away to make whatever parts public (until 1.1).

However, what's stopping us from securing dynamic, and also static? Then if the server admin wants public stats, they can choose static mode and open the directory to the public? Seems very simple to me.
10-24-2007 12:43 AM
BeNe Offline
Moderator
*****
Moderators

Posts: 5,899
Joined: Jan 2007
Reputation: 68
Post: #8
RE: Awstats password protection
Quote: I used to use a .htaccess file with mysql to allow the user to log in via the same password as the domain admin user and pass. It worked great for a long time until I changed version of mysql, then everything broke... I will try it again and post a how-to....

Any news about it?
Maybe you can write down what you did - so I can test it...

Greez BeNe
10-25-2007 10:29 PM
BeNe Offline
Moderator
*****
Moderators

Posts: 5,899
Joined: Jan 2007
Reputation: 68
Post: #9
RE: Awstats password protection
This could maybe work, or not?
Code:
AuthType Basic
AuthName "Secure Stats"
AuthMySQLHost localhost
AuthMySQLCryptedPasswords off
AuthMySQLDB ispcp
AuthMySQLUser mysqluser
AuthMySQLPassword yourpass
AuthMySQLUserTable admin
AuthMySQLNameField admin_name
AuthMySQLPasswordField admin_pass
AuthMySQLKeepAlive Off
<LIMIT GET POST>
    require valid-user
</LIMIT>

But libapache2-mod-auth-mysql is needed here, which is no longer included in Etch.
So we must use libapache2-mod-auth-pam? :rolleyes:

Greez BeNe
10-25-2007 11:42 PM
ephigenie Offline
Project Leader
*******
Administrators

Posts: 1,578
Joined: Oct 2006
Reputation: 15
Post: #10
RE: Awstats password protection
mod_auth_mysql is somewhat unstable on etch (sometimes it works - sometimes not).

But it has been replaced with a newer approach by the following modules:
auth_basic
mod_authn_dbd
Sample here:
Code:
DBDriver mysql
DBDParams "dbname=auth user=authuser password=******"
<Directory /path/to/private>
    AuthType Basic
    AuthName "private"
    AuthBasicProvider dbd
    Require valid-user
    AuthDBDUserPWQuery "select password from authn where username = %s"
</Directory>
10-26-2007 03:19 AM