Changesets can be listed by changeset number.
The Git repository is here.
- Revision:
- 297
- Log:
Updated to AWStats 7.0.
- Author:
- rool
- Date:
- Fri Mar 18 13:33:29 +0000 2011
- Size:
- 8635 Bytes
- Properties:
- Property svn:executable is set
| 1 | <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> |
| 2 | <html> |
| 3 | <head> |
| 4 | <meta name="description" content="AWStats Documentation - Security page"> |
| 5 | <meta name="keywords" content="awstats, awstat, security, tips"> |
| 6 | <meta name="robots" content="index,follow"> |
| 7 | <meta name="title" content="AWStats Documentation - Security page"> |
| 8 | <title>AWStats Documentation - Security page</title> |
| 9 | <link rel="stylesheet" href="styles.css" type="text/css"> |
| 10 | <!-- $Revision: 1.41 $ - $Author: eldy $ - $Date: 2010/06/22 21:35:24 $ --> |
| 11 | </head> |
| 12 | |
| 13 | <body topmargin=10 leftmargin=5> |
| 14 | |
| 15 | |
| 16 | <table style="font: 10pt arial,helvetica,verdana" cellpadding=0 cellspacing=0 border=0 bgcolor=#FFFFFF width=100%> |
| 17 | |
| 18 | <!-- Large --> |
| 19 | <tr style="font: 10pt arial,helvetica,verdana"> |
| 20 | <td bgcolor=#9999cc align=center><a href="/"><img src="images/awstats_logo4.png" border=0></a></td> |
| 21 | <td bgcolor=#9999cc align=center> |
| 22 | <br> |
| 23 | <font style="font: 16pt arial,helvetica,sans-serif" color=#EEEEFF><b>AWStats logfile analyzer 7.0 Documentation</b></font><br> |
| 24 | <br> |
| 25 | </td> |
| 26 | <td bgcolor=#9999cc align=center> |
| 27 | |
| 28 | </td> |
| 29 | </tr> |
| 30 | |
| 31 | </table> |
| 32 | |
| 33 | |
| 34 | <br><br><H1 style="font: 26px arial,helvetica,sans-serif">Little Tips about Security</H1> |
| 35 | |
| 36 | <br> |
| 37 | A lot of AWStats users have several web site to manage. This is particularly true for web hosting providers. |
| 38 | The most common things you would like to do is to prevent user xxx (having a site www.xxx.com) to see |
| 39 | statistics of user yyy (having a site www.yyy.com).<br> |
| 40 | <br><br> |
| 41 | This is example of possible way of working:<br> |
| 42 | <br><br> |
| 43 | |
| 44 | <br><a name="1"><H2 style="font: 22px arial,helvetica,sans-serif color: #606060"><u>1) HIGHLY SECURED POLICY</u></H2></a><br> |
| 45 | <font color=blue><b>Policy</b></font>:<br> |
| 46 | You have several different config/domains owned by different users and you want to build statistics for each |
| 47 | of them. You don't need that your customer have "real-time" statistics.<br> |
| 48 | This is a very good choice for web hosting providers with few but very large web sites of important customers.<br> |
| 49 | <font color=blue><b>Advantage</b></font>:<br> |
| 50 | Very highly secured.<br> |
| 51 | <font color=blue><b>Disadvantage</b></font>:<br> |
| 52 | Statistics are static, no dynamic update/view.<br> |
| 53 | <font color=blue><b>How</b></font>:<br> |
| 54 | All statistics pages for a config/domain file are built in static html files using <b>-output -staticlinks</b> option.<br> |
| 55 | There is no CGI use of AWStats and static built pages are stored in a web protected <b>realm</b> to |
| 56 | be securely viewed by correct allowed users only (or sent by mails).<br> |
| 57 | If users have a command line access (telnet) on statistics server, you must set correct permissions on AWStats |
| 58 | database files. Set all AWStats database files (built by the update process) for config/domain1 to have read/write |
| 59 | for <i>user1</i> (or an admin user) and NO read and NO write permissions for any other users.<br> |
| 60 | Then, check that the <a href="awstats_config.html#SaveDatabaseFilesWithPermissionsForEveryone">SaveDatabaseFilesWithPermissionsForEveryone</a> parameter is set 0 in your config/domain files.<br> |
| 61 | If AWStats database files/directory for config/domain1 are read protected, only allowed users can see statistics for config/domain1.<br> |
| 62 | If AWStats database files/directory for config/domain1 are write protected, only allowed users can update statistics for config/domain1.<br> |
| 63 | <br><br> |
| 64 | |
| 65 | <br><a name="2"><H2 style="font: 22px arial,helvetica,sans-serif color: #606060"><u>2) MEDIUM SECURED POLICY</u></H2></a><br> |
| 66 | <font color=blue><b>Policy</b></font>:<br> |
| 67 | You have several config/domain and several users. You want to specify which user can see or update dynamically |
| 68 | statistics for each config/domain.<br> |
| 69 | This is one of the most popular way of working.<br> |
| 70 | <font color=blue><b>Advantage</b></font>:<br> |
| 71 | Statistics are dynamic. High level of manageability.<br> |
| 72 | <font color=blue><b>Disadvantage</b></font>:<br> |
| 73 | AWStats database files must still be readable by anonymous web server user, so if an experienced user can have an access to |
| 74 | the server (telnet) where AWStats database files are stored, he can succeed in installing and running a "hacked" version |
| 75 | of AWStats that ignores value of parameter AllowAccessFromWebToAuthenticatedUsersOnly.<br> |
| 76 | <font color=blue><b>How</b></font>:<br> |
| 77 | awstats.pl file must be saved in a web protected <b>realm</b> to force a visitor to enter its username/password |
| 78 | to access AWStats CGI program.<br> |
| 79 | <br> |
| 80 | <u>Example of directives you can add into Apache to have awstats.pl in a web protected realm:</u><br> |
| 81 | <i> |
| 82 | <Files "awstats.pl"><br> |
| 83 | AuthUserFile /path/to/.passwd<br> |
| 84 | AuthGroupFile /path/to/.group<br> |
| 85 | AuthName "Restricted Area For Customers"<br> |
| 86 | AuthType Basic<br> |
| 87 | require valid-user<br> |
| 88 | </Files> |
| 89 | </i><br> |
| 90 | If you add such directives into a .htaccess file, you must also check that the <i>AllowOverride</i> directive is set |
| 91 | to <i>All</i> in Apache config file to allow the use of .htaccess files.<br> |
| 92 | <br> |
| 93 | To known how to create a protected realm for servers other than Apache, see your web server manual.<br> |
| 94 | <br> |
| 95 | Then edit each config/domain file you want to be protected to set <a href="awstats_config.html#AllowAccessFromWebToAuthenticatedUsersOnly">AllowAccessFromWebToAuthenticatedUsersOnly</a> to 1.<br> |
| 96 | You can also edit list of authorized users in the <a href="awstats_config.html#AllowAccessFromWebToFollowingAuthenticatedUsers">AllowAccessFromWebToFollowingAuthenticatedUsers</a> parameter.<br> |
| 97 | You can also specify a range of allowed browsers IP Addresses with the <a href="awstats_config.html#AllowAccessFromWebToFollowingIPAddresses">AllowAccessFromWebToFollowingIPAddresses</a> parameter.<br> |
| 98 | |
| 99 | You can also set <a href="awstats_config.html#SaveDatabaseFilesWithPermissionsForEveryone">SaveDatabaseFilesWithPermissionsForEveryone</a> parameter to 0 in all config/domain files, |
| 100 | except if you want to allow update from web with option <a href="awstats_config.html#AllowToUpdateStatsFromBrowser">AllowToUpdateStatsFromBrowser</a>=1. But this is |
| 101 | not recommanded as you need to give read/write permission for Web server user on all history |
| 102 | files (Except if you setuid AWStats script for each authorized user, but this make setup much harder).<br> |
| 103 | The following parameters <a href="awstats_config.html#ErrorMessages">ErrorMessages</a> and <a href="awstats_config.html#DebugMessages">DebugMessages</a> are |
| 104 | also parameters related to security.<br> |
| 105 | <br> |
| 106 | <br> |
| 107 | Other tip: If the <b>AWSTATS_FORCE_CONFIG</b> environment variable is defined, AWStats will always use |
| 108 | the config file <i>awstats.VALUE_OF_AWSTATS_FORCE_CONFIG.conf</i> as the config/domain file. |
| 109 | So if you add this environment variable into your web server environment, for example by adding the line<br> |
| 110 | <i>SetEnv AWSTATS_FORCE_CONFIG configvalueforthisdomain</i><br> |
| 111 | in your Apache <i><VirtualHost></i> directive group in httpd.conf (with other directives), AWStats will use the config file |
| 112 | called <i>awstats.configvalueforthisdomain.conf</i> to choose which statistics used, |
| 113 | even if a visitor try to force the config/domain file with the URL '<i>http://mydomain/cgi-bin/awstats.pl?config=otherdomain</i>'. |
| 114 | This might be usefull for thoose who edit their config/domain file with <a href="awstats_config.html#AllowAccessFromWebToFollowingAuthenticatedUsers">AllowAccessFromWebToFollowingAuthenticatedUsers</a>="__REMOTE_USER__"</i> |
| 115 | instead of maintaining the list of authorized users into each AWStats config file.<br> |
| 116 | <br> |
| 117 | <br> |
| 118 | |
| 119 | |
| 120 | <br><a name="3"><H2 style="font: 22px arial,helvetica,sans-serif color: #606060"><u>3) NO SECURITY POLICY</u></H2></a><br> |
| 121 | <font color=blue><b>Policy</b></font>:<br> |
| 122 | You have only one hosts or several hosts or users but you don't need to manage particular permissions |
| 123 | for your different config/domain statistics.<br> |
| 124 | <font color=blue><b>Advantage</b></font>:<br> |
| 125 | Setup is very easy (No need of particular setup). Statistics are dynamic.<br> |
| 126 | <font color=blue><b>Disadvantage</b></font>:<br> |
| 127 | No way to prevent stats for config/domain to be seen by a user that known the |
| 128 | config/domain name and the url syntax to see stats of a particular config/domain.<br> |
| 129 | <font color=blue><b>How</b></font>:<br> |
| 130 | No particular things to do (You can however easily use <a href="awstats_config.html#AllowAccessFromWebToFollowingIPAddresses">AllowAccessFromWebToFollowingIPAddresses</a> parameter |
| 131 | to have a minimum of security).<br> |
| 132 | <br> |
| 133 | <br> |
| 134 | <br> |
| 135 | |
| 136 | There is a lot of possible use for AWStats combining all its options/parameters with all web servers options/parameters and operating |
| 137 | systems security features. Just use the one you need...<br> |
| 138 | <br> |
| 139 | |
| 140 | |
| 141 | <br> |
| 142 | <hr> |
| 143 | |
| 144 | <script language=javascript> |
| 145 | var date='$Date: 2010/06/22 21:35:24 $'; |
| 146 | document.writeln("Last revision: "+date); |
| 147 | </script> |
| 148 | |
| 149 | </body> |
| 150 | </html> |
