
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<meta name="description" content="AWStats Documentation - Security page">
<meta name="keywords" content="awstats, awstat, security, tips">
<meta name="robots" content="index,follow">
<meta name="title" content="AWStats Documentation - Security page">
<title>AWStats Documentation - Security page</title>
<link rel="stylesheet" href="styles.css" type="text/css">
<!-- $Revision: 1.33 $ - $Author: eldy $ - $Date: 2004/12/18 22:04:22 $ -->
</head>

<body topmargin=10 leftmargin=5>


<table style="font: 10pt arial,helvetica,verdana" cellpadding=0 cellspacing=0 border=0 bgcolor=#FFFFFF width=100%>

<!-- Large -->
<tr style="font: 10pt arial,helvetica,verdana">
<td bgcolor=#9999cc align=center><a href="/"><img src="images/awstats_logo4.png" border=0></a></td>
<td bgcolor=#9999cc align=center>
<br>
<font style="font: 16pt arial,helvetica,sans-serif" color=#EEEEFF><b>AWStats logfile analyzer 6.3 Documentation</b></font><br>
<br>
</td>
<td bgcolor=#9999cc align=center>
&nbsp;
</td>
</tr>

</table>

<br><br><H1 style="font: 26px arial,helvetica,sans-serif">Little Tips about Security</H1>

<br>
Many AWStats users have several web sites to manage. This is particularly true for web hosting providers.
The most common thing you want to do is to prevent user xxx (who owns the site www.xxx.com) from seeing
the statistics of user yyy (who owns the site www.yyy.com).<br>
<br><br>
Here are examples of possible ways of working:<br>
<br><br>

<br><a name="1"><H2 style="font: 22px arial,helvetica,sans-serif; color: #606060"><u>1) HIGHLY SECURED POLICY</u></H2></a><br>
<font color=blue><b>Policy</b></font>:<br>
You have several different config/domains owned by different users and you want to build statistics for each
of them. Your customers do not need "real-time" statistics.<br>
This is a very good choice for web hosting providers with few but very large web sites belonging to important customers.<br>
<font color=blue><b>Advantage</b></font>:<br>
Very high security.<br>
<font color=blue><b>Disadvantage</b></font>:<br>
Statistics are static; there is no dynamic update/view.<br>
<font color=blue><b>How</b></font>:<br>
All statistics pages for a config/domain file are built as static HTML files using the <b>-output -staticlinks</b> options.<br>
AWStats is not used as a CGI at all, and the static pages are stored in a web protected <b>realm</b> so that
they can be viewed securely by the allowed users only (or sent by mail).<br>
If users have command-line access (telnet) to the statistics server, you must set correct permissions on the AWStats
database files. Set all AWStats database files (built by the update process) for config/domain1 to be readable and writable
by <i>user1</i> (or an admin user) and to have NO read and NO write permission for any other user.<br>
Then check that the <a href="awstats_config.html#SaveDatabaseFilesWithPermissionsForEveryone">SaveDatabaseFilesWithPermissionsForEveryone</a> parameter is set to 0 in your config/domain files.<br>
If the AWStats database files/directory for config/domain1 are read protected, only allowed users can see statistics for config/domain1.<br>
If the AWStats database files/directory for config/domain1 are write protected, only allowed users can update statistics for config/domain1.<br>
<br><br>

<br><a name="2"><H2 style="font: 22px arial,helvetica,sans-serif; color: #606060"><u>2) MEDIUM SECURED POLICY</u></H2></a><br>
<font color=blue><b>Policy</b></font>:<br>
You have several config/domains and several users. You want to specify which user can see or dynamically update
the statistics for each config/domain.<br>
This is one of the most popular ways of working.<br>
<font color=blue><b>Advantage</b></font>:<br>
Statistics are dynamic. High level of manageability.<br>
<font color=blue><b>Disadvantage</b></font>:<br>
AWStats database files must still be readable by the anonymous web server user, so if an experienced user has shell access
(telnet) to the server where the AWStats database files are stored, he can install and run a "hacked" version
of AWStats that ignores the value of the AllowAccessFromWebToAuthenticatedUsersOnly parameter.<br>
<font color=blue><b>How</b></font>:<br>
The awstats.pl file must be stored in a web protected <b>realm</b> to force visitors to enter their username/password
before they can access the AWStats CGI program.<br>
<br>
<u>Example of directives you can add to Apache to put awstats.pl in a web protected realm:</u><br>
<i>
&lt;Files "awstats.pl"&gt;<br>
AuthUserFile /path/to/.passwd<br>
AuthGroupFile /path/to/.group<br>
AuthName "Restricted Area For Customers"<br>
AuthType Basic<br>
require valid-user<br>
&lt;/Files&gt;
</i><br>
If you add such directives to a .htaccess file, you must also check that the <i>AllowOverride</i> directive is set
to <i>All</i> in the Apache config file, so that .htaccess files are honoured.<br>
<br>
To learn how to create a protected realm for servers other than Apache, see your web server manual.<br>
<br>
Then edit each config/domain file you want to protect and set <a href="awstats_config.html#AllowAccessFromWebToAuthenticatedUsersOnly">AllowAccessFromWebToAuthenticatedUsersOnly</a> to 1.<br>
You can also edit the list of authorized users in the <a href="awstats_config.html#AllowAccessFromWebToFollowingAuthenticatedUsers">AllowAccessFromWebToFollowingAuthenticatedUsers</a> parameter.<br>
You can also specify a range of allowed browser IP addresses with the <a href="awstats_config.html#AllowAccessFromWebToFollowingIPAddresses">AllowAccessFromWebToFollowingIPAddresses</a> parameter.<br>

You can also set the <a href="awstats_config.html#SaveDatabaseFilesWithPermissionsForEveryone">SaveDatabaseFilesWithPermissionsForEveryone</a> parameter to 0 in all config/domain files,
unless you want to allow updates from the web with the option <a href="awstats_config.html#AllowToUpdateStatsFromBrowser">AllowToUpdateStatsFromBrowser</a>=1. That is
not recommended, because you then have to give the web server user read/write permission on all history
files (unless you setuid the AWStats script for each authorized user, but this makes the setup much harder).<br>
The <a href="awstats_config.html#ErrorMessages">ErrorMessages</a> and <a href="awstats_config.html#DebugMessages">DebugMessages</a> parameters are
also related to security.<br>
<br>
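An audit script, added here as an example and not part of AWStats or its documentation, that checks the two settings discussed in policies 1 and 2: that the history files in a DirData directory are readable and writable by their owner only, and that each config file sets AllowAccessFromWebToAuthenticatedUsersOnly to 1 and SaveDatabaseFilesWithPermissionsForEveryone to 0. It assumes the history files match awstats*.txt and that config files use the key=value syntax of awstats.conf.

```shell
#!/bin/sh
# Added audit example, not part of AWStats. Assumes DirData history files
# are named awstats*.txt and config files use key=value lines.

# Policy 1 check: return 1 if any history file in directory $1 grants any
# read/write/execute bit to group or other, 0 if all are owner-only.
check_db_perms() {
    dir=$1
    bad=0
    for f in "$dir"/awstats*.txt; do
        [ -e "$f" ] || continue
        # Characters 5-10 of "ls -l" output are the group and other bits.
        mode=$(ls -ld "$f" | cut -c5-10)
        case $mode in
            ------) ;;
            *) echo "open to group/other: $f ($mode)"; bad=1 ;;
        esac
    done
    return $bad
}

# Return 0 if config file $1 sets parameter $2 to value $3 on an
# uncommented line (quotes around the value are optional), else 1.
config_has() {
    grep -Eq "^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"?$3\"?[[:space:]]*\$" "$1"
}

# Policy 2 check: return 1 if config file $1 does not restrict web access to
# authenticated users, or still saves history files readable by everyone.
check_config() {
    conf=$1
    bad=0
    config_has "$conf" AllowAccessFromWebToAuthenticatedUsersOnly 1 \
        || { echo "$conf: AllowAccessFromWebToAuthenticatedUsersOnly is not 1"; bad=1; }
    config_has "$conf" SaveDatabaseFilesWithPermissionsForEveryone 0 \
        || { echo "$conf: SaveDatabaseFilesWithPermissionsForEveryone is not 0"; bad=1; }
    return $bad
}

# Usage: sh audit.sh /path/to/DirData /etc/awstats/awstats.*.conf
if [ $# -ge 1 ]; then
    status=0
    check_db_perms "$1" || status=1
    shift
    for c in "$@"; do check_config "$c" || status=1; done
    exit $status
fi
```

The script exits non-zero and prints one line per finding, so it can run from cron after each update to catch a history file or config that drifted from the policy.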
<br>
Other tip: If the <b>AWSTATS_FORCE_CONFIG</b> environment variable is defined, AWStats will always use
the config file <i>awstats.VALUE_OF_AWSTATS_FORCE_CONFIG.conf</i> as the config/domain file.
So if you add this environment variable to your web server environment, for example by adding the line<br>
<i>SetEnv AWSTATS_FORCE_CONFIG configvalueforthisdomain</i><br>
to your Apache <i>&lt;VirtualHost&gt;</i> directive group in httpd.conf (with the other directives), AWStats will use the config file
called <i>awstats.configvalueforthisdomain.conf</i> to choose which statistics to show,
even if a visitor tries to force the config/domain file with the URL '<i>http://mydomain/cgi-bin/awstats.pl?config=otherdomain</i>'.
This might be useful for those who edit their config/domain file with <a href="awstats_config.html#AllowAccessFromWebToFollowingAuthenticatedUsers">AllowAccessFromWebToFollowingAuthenticatedUsers</a>="__REMOTE_USER__"
instead of maintaining the list of authorized users in each AWStats config file.<br>
<br>
<br>


<br><a name="3"><H2 style="font: 22px arial,helvetica,sans-serif; color: #606060"><u>3) NO SECURITY POLICY</u></H2></a><br>
<font color=blue><b>Policy</b></font>:<br>
You have only one host, or several hosts or users, but you don't need to manage particular permissions
for your different config/domain statistics.<br>
<font color=blue><b>Advantage</b></font>:<br>
Setup is very easy (no particular setup needed). Statistics are dynamic.<br>
<font color=blue><b>Disadvantage</b></font>:<br>
There is no way to prevent the statistics for a config/domain from being seen by any user who knows the
config/domain name and the URL syntax used to view the statistics of a particular config/domain.<br>
<font color=blue><b>How</b></font>:<br>
Nothing in particular to do (you can however easily use the <a href="awstats_config.html#AllowAccessFromWebToFollowingIPAddresses">AllowAccessFromWebToFollowingIPAddresses</a> parameter
to get a minimum of security).<br>
<br>
<br>
<br>

There are many possible ways to use AWStats by combining all its options/parameters with the options/parameters of your web server and the security
features of your operating system. Just use the one you need...<br>
<br>


<br>
<hr>

<script language=javascript>
	var date='$Date: 2004/12/18 22:04:22 $';
	document.writeln("Last revision: "+date);
</script>

</body>
</html>
