Little Tips about Security

Many AWStats users have several web sites to manage. This is particularly true for web hosting providers. The most common requirement is to prevent user xxx (owner of www.xxx.com) from seeing the statistics of user yyy (owner of www.yyy.com). Three possible ways of working follow, from the most to the least secure.

1) HIGHLY SECURED POLICY

Policy: You have several config/domain files owned by different users and you want to build statistics for each of them. Your customers do not need "real-time" statistics. This is a very good choice for web hosting providers with a few very large web sites belonging to important customers.

Advantage: Very highly secured.

Disadvantage: Statistics are static; there is no dynamic update or view.

How: All statistics pages for a config/domain are built as static HTML files with the -output -staticlinks options. AWStats is never run as a CGI; the static pages are stored in a web-protected realm so that only the allowed users can view them (or they are sent by mail).

If users have command line access (telnet) to the statistics server, you must also set correct permissions on the AWStats database files. Set all AWStats database files (built by the update process) for config/domain1 to be readable and writable by user1 (or an admin user) and NOT readable or writable by any other user. Then check that the SaveDatabaseFilesWithPermissionsForEveryone parameter is set to 0 in each config/domain file, otherwise the next update recreates the database files with permissions for everyone. If the AWStats database files for config/domain1 are read-protected, only allowed users can see the statistics for config/domain1; if they are write-protected, only allowed users can update the statistics for config/domain1.

2) MEDIUM SECURED POLICY

Policy: You have several config/domain files and several users, and you want to specify which user may view or update the statistics dynamically for each config/domain. This is one of the most popular ways of working.

Advantage: Statistics are dynamic. High level of manageability.
Disadvantage: The AWStats database files must still be readable by the anonymous web server user. So if an experienced user can get command line access (telnet) to the server where the AWStats database files are stored, he can install and run a "hacked" version of AWStats that ignores the value of the AllowAccessFromWebToAuthenticatedUsersOnly parameter.

How: The awstats.pl file must be placed in a web-protected realm, so that a visitor has to enter a username and password to reach the AWStats CGI program. Example of directives you can add to the Apache configuration to put awstats.pl in a protected realm:

    <Files "awstats.pl">
    AuthUserFile /path/to/.passwd
    AuthGroupFile /path/to/.group
    AuthName "Restricted Area For Customers"
    AuthType Basic
    require valid-user
    </Files>

If you add these directives to a .htaccess file, you must also check that the AllowOverride directive is set to All in the Apache configuration (AllowOverride AuthConfig is enough for these directives), otherwise .htaccess files are ignored. To learn how to create a protected realm on servers other than Apache, see your web server manual.

Then edit each config/domain file you want to protect and set AllowAccessFromWebToAuthenticatedUsersOnly to 1. You can also list the authorized users in the AllowAccessFromWebToFollowingAuthenticatedUsers parameter, and restrict access to a range of browser IP addresses with the AllowAccessFromWebToFollowingIPAddresses parameter.

Other tip: If you define the AWSTATS_CONFIG environment variable in your web server environment (for Apache, add SetEnv AWSTATS_CONFIG myconfigvalueformydomain next to the other directives of the VirtualHost), AWStats will use the config file awstats.myconfigvalueformydomain.conf to choose which statistics to show, even if a visitor tries to force another config/domain file with the URL 'http://mydomain/cgi-bin/awstats.pl?config=otherdomain'.
This is useful for those who set AllowAccessFromWebToFollowingAuthenticatedUsers="__REMOTE_USER__" in their config/domain files to avoid managing account lists in AWStats config files: the protected realm of each VirtualHost then decides who is allowed in, and the forced config file keeps a user authenticated for one domain from selecting another domain's statistics.

3) NO SECURITY POLICY

Policy: You have one host, or several hosts or users, but you don't need to manage particular permissions for the statistics of your different config/domain files.

Advantage: Setup is very easy (no particular setup needed). Statistics are dynamic.

Disadvantage: There is no way to prevent the statistics for a config/domain from being seen by any user who knows the config/domain name and the URL syntax (awstats.pl?config=...) to request them.

How: Nothing particular to do. (You can however easily use the AllowAccessFromWebToFollowingIPAddresses parameter to get a minimum of security.)

There are many possible ways to use AWStats by combining its options/parameters with the options of your web server. Just use the one you need...
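As an added example covering the three policies above (this is not code from AWStats or from this page), the following Python script reads the content of awstats.<domain>.conf files, reports which policy a configuration actually implements, and lists the findings a hosting provider would want to fix, plus a strict policy-1 check of the database file permissions in DirData. The directive names are the real AWStats parameters discussed above; the policy labels, the two sample configurations and the temporary DirData are constructed here for illustration, and the static_only flag is an assumption supplied by the operator (whether awstats.pl is reachable as a CGI cannot be read from the config file itself).

```python
# Added example, not part of AWStats: audit awstats.<domain>.conf files against
# the three policies above. Directive names are real; policy labels, sample
# configs and the temporary DirData are constructed here for illustration.
import os
import tempfile


def parse_config(text):
    """Parse Name=value / Name="value" lines; '#' lines and blanks are skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip().strip('"')
    return params


def audit_config(text, static_only=False):
    """Return (policy, findings) for one config file.

    static_only is an operator-supplied assumption: pages are built with
    -output -staticlinks and awstats.pl is not reachable as a CGI (policy 1).
    Otherwise the CGI is live and the Allow* directives decide policy 2 vs 3.
    """
    p = parse_config(text)
    findings = []
    # Policies 1 and 2 both rely on database files that are not world-readable.
    if p.get("SaveDatabaseFilesWithPermissionsForEveryone") != "0":
        findings.append("SaveDatabaseFilesWithPermissionsForEveryone is not 0: "
                        "the next update may recreate database files readable by everyone")
    if static_only:
        return "1-highly-secured", findings
    auth_only = p.get("AllowAccessFromWebToAuthenticatedUsersOnly") == "1"
    users = p.get("AllowAccessFromWebToFollowingAuthenticatedUsers", "").split()
    ips = p.get("AllowAccessFromWebToFollowingIPAddresses", "").split()
    if auth_only:
        if not users:
            findings.append("no AllowAccessFromWebToFollowingAuthenticatedUsers: "
                            "every account in the realm can read these stats")
        elif "__REMOTE_USER__" in users:
            findings.append("__REMOTE_USER__ delegates to the web server realm: set "
                            "AWSTATS_CONFIG per VirtualHost so ?config= cannot pick another domain")
        return "2-medium-secured", findings
    if users:
        findings.append("AllowAccessFromWebToFollowingAuthenticatedUsers is set without "
                        "AllowAccessFromWebToAuthenticatedUsersOnly=1; policy 2 needs both")
    if not ips:
        findings.append("no AllowAccessFromWebToFollowingIPAddresses: anyone who knows "
                        "?config=<domain> can read these stats")
    return "3-no-security", findings


def check_dirdata(dirdata):
    """Strict policy-1 check: awstats*.txt files readable/writable by group or others."""
    loose = []
    for name in sorted(os.listdir(dirdata)):
        if name.startswith("awstats") and name.endswith(".txt"):
            mode = os.stat(os.path.join(dirdata, name)).st_mode
            if mode & 0o077:  # any group or other permission bit set
                loose.append(name)
    return loose


# Constructed sample configs, not taken from a real server.
CONF_DOMAIN1 = """
SiteDomain="www.domain1.example"
DirData="/var/lib/awstats/domain1"
SaveDatabaseFilesWithPermissionsForEveryone=0
AllowAccessFromWebToAuthenticatedUsersOnly=1
AllowAccessFromWebToFollowingAuthenticatedUsers="user1 admin"
"""
CONF_DOMAIN2 = """
SiteDomain="www.domain2.example"
DirData="/var/lib/awstats/domain2"
SaveDatabaseFilesWithPermissionsForEveryone=1
AllowAccessFromWebToFollowingIPAddresses="192.168.1.0-192.168.1.255"
"""


def demo_dirdata():
    """Constructed DirData in a temp dir: one 0600 and one 0644 database file."""
    d = tempfile.mkdtemp()
    for name, mode in (("awstats012024.domain1.txt", 0o600),
                       ("awstats022024.domain1.txt", 0o644)):
        path = os.path.join(d, name)
        open(path, "w").close()
        os.chmod(path, mode)
    return check_dirdata(d)


if __name__ == "__main__":
    for name, conf in (("domain1", CONF_DOMAIN1), ("domain2", CONF_DOMAIN2)):
        policy, findings = audit_config(conf)
        print(name, policy)
        for f in findings:
            print("  -", f)
    print("loose database files:", demo_dirdata())
```

Run against a real installation, point check_dirdata at the DirData of each config and pass static_only=True only for domains whose pages are really published as static files; under policy 2 the web server account needs read access to the database files, so a group-readable file owned by the right group is expected there and the strict check applies to policy 1 alone.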