Current time: 11-26-2020, 10:29 PM Hello There, Guest! (LoginRegister)


Post Reply 
Awstats password protection
Author Message
Cube Offline
Member
***

Posts: 740
Joined: Apr 2007
Reputation: 9
Post: #1
Awstats password protection
I don't like that the stats are public. I don't want that everybody can see them.
So i thought about how a password protection could be realised. With awstats static it's no problem, because the user can password protect the directory by itself. Perhaps it would be a good idea to protect this directory by default.

For awstats dynamic it's more complicated. The directory where awstats.pl is should be password protected. For this there should be an entry in 01_awstats.conf and each time a new user is generated his username and password should be added to a .htpasswd-file.
Because now each user could also access all other statistics, additionally the single usernames should be added to the awstats-config-files.
Code:
AllowAccessFromWebToAuthenticatedUsersOnly=1
AllowAccessFromWebToFollowingAuthenticatedUsers="user"
As the default username and password we could take the login-data from ispcp. Additionally the user should have the possibility to change the awstats login-data in ispcp. It would be perfect to give the users the possibility to disable password protection and to make the stats public, but I think this is not possible with the method described above.

What do you think about it?
10-18-2007 06:05 AM
Find all posts by this user Quote this message in a reply
RatS Offline
Project Leader
******

Posts: 1,854
Joined: Oct 2006
Reputation: 17
Post: #2
RE: Awstats password protection
Dev team decided against it. reasons won't be discussed yet. No default password protection for stats
10-18-2007 07:52 AM
Visit this user's website Find all posts by this user Quote this message in a reply
Cube Offline
Member
***

Posts: 740
Joined: Apr 2007
Reputation: 9
Post: #3
RE: Awstats password protection
I don't know one webhoster, which makes his customers' stats public.
I see security and privacy problems with that. The stats provide IPs from visitors for example.
10-18-2007 08:32 AM
Find all posts by this user Quote this message in a reply
raphael Offline
Member
***

Posts: 474
Joined: Apr 2007
Reputation: 8
Post: #4
RE: Awstats password protection
Quote:Dev team decided against it
oh really?
10-18-2007 09:48 AM
Visit this user's website Find all posts by this user Quote this message in a reply
ephigenie Offline
Project Leader
*******
Administrators

Posts: 1,578
Joined: Oct 2006
Reputation: 15
Post: #5
RE: Awstats password protection
Yeah @raphael i was wondering about it, too ...

I think password protection is a must have.
Although it should be possible (perhaps in 1.1 ) to allow users to make stats public.
10-18-2007 06:11 PM
Visit this user's website Find all posts by this user Quote this message in a reply
BioALIEN Offline
Public Relations Officer
*****
Dev Team

Posts: 620
Joined: Feb 2007
Reputation: 5
Post: #6
RE: Awstats password protection
Three words: Data Protection Act Smile

I say we start secure and let the server admin hack away to make whatever parts public (until 1.1).

However, whats stopping us from securing dynamic, and also static. Then if the server admin wants public stats, they can choose static mode and open the directory to the public? Seems very simple to me.
(This post was last modified: 10-18-2007 07:09 PM by BioALIEN.)
10-18-2007 07:08 PM
Find all posts by this user Quote this message in a reply
robmorin Offline
Junior Member
*

Posts: 208
Joined: Apr 2007
Reputation: 0
Post: #7
RE: Awstats password protection
I use to use a .htaccess file with mysql to allow the user to log in via the same password as the domain admin user and pass worked great for a long tie until i changed version of mysql then everythign broke... i will try it again and post a how to....

Rob...

BioALIEN Wrote:Three words: Data Protection Act Smile

I say we start secure and let the server admin hack away to make whatever parts public (until 1.1).

However, whats stopping us from securing dynamic, and also static. Then if the server admin wants public stats, they can choose static mode and open the directory to the public? Seems very simple to me.
10-24-2007 12:43 AM
Find all posts by this user Quote this message in a reply
BeNe Offline
Moderator
*****
Moderators

Posts: 5,899
Joined: Jan 2007
Reputation: 68
Post: #8
RE: Awstats password protection
Quote:I use to use a .htaccess file with mysql to allow the user to log in via the same password as the domain admin user and pass worked great for a long tie until i changed version of mysql then everythign broke... i will try it again and post a how to....

Any news about it ?
Maybe you can write down what you did - so i can test it...

Greez BeNe
10-25-2007 10:29 PM
Visit this user's website Find all posts by this user Quote this message in a reply
BeNe Offline
Moderator
*****
Moderators

Posts: 5,899
Joined: Jan 2007
Reputation: 68
Post: #9
RE: Awstats password protection
This could maybe work or not ?
Code:
AuthType Basic
        AuthName "Secure Stats"
        AuthMySQLHost localhost
        AuthMySQLCryptedPasswords off
        AuthMySQLDB ispcp
        AuthMySQLUser mysqluser
        AuthMySQLPassword yourpass
        AuthMySQLUserTable admin
        AuthMySQLNameField admin_name
        AuthMySQLPasswordField admin_pass
        AuthMySQLKeepAlive Off
        <LIMIT GET POST>
        require valid-user
        </LIMIT>

But here is libapache2-mod-auth-mysql needed which is no more in Etch included.
So we must use libapache2-mod-auth-pam ? Rolleyes

Greez BeNe
10-25-2007 11:42 PM
Visit this user's website Find all posts by this user Quote this message in a reply
ephigenie Offline
Project Leader
*******
Administrators

Posts: 1,578
Joined: Oct 2006
Reputation: 15
Post: #10
RE: Awstats password protection
mod_auth_mysql is somewhat unstable on etch (sometimes it works - sometimes not)

But it has been replaced with a newer approach by the following modules:
auth_basic
mod_authn_dbd
sample here :
Code:
DBDriver mysql
DBDParams "dbname=auth user=authuser password=******"
<Directory /path/to/private>
    AuthType Basic
    AuthName "private"
    AuthBasicProvider dbd
    Require valid-user
    AuthDBDUserPWQuery "select password from authn where username = %s"
</Directory>
10-26-2007 03:19 AM
Visit this user's website Find all posts by this user Quote this message in a reply
Post Reply 


Forum Jump:


User(s) browsing this thread: 1 Guest(s)