28th March 2013, 13:11
jims_a_winner
Webalizer Statistics /stats/ folder and .htaccess (HTTPS ONLY HELP)

Hi guys,

I have spent months now configuring my ispconfig 3 installation on CentOS 6.4 for PCI DSS compliance. I have overcome almost all the issues that I was prompted with on the security shortcomings, so if anyone has questions, just ask (my site scans are performed by security metrics).

However, I have one question. For the /stats/ folder, which is generated by ispconfig daily, the .htaccess it creates allows the username/password to be sent in cleartext. I am trying to force /stats/ to redirect to https://mydomain.com/stats BEFORE it asks for username/password.

I can do this with the following (appended to the already generated .htaccess at the top):

SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "mydomain.com"

However, the .htaccess is overwritten frequently, I believe.

My issue would be resolved with either of the following:
A) I can modify the code written to the .htaccess file in the ispconfig cron files. I have had a brief look but cannot actually find the script which writes them at the moment.

B) I can disable ispconfig from creating the stats folder automatically.

What solutions would you think suitable? Any further ideas on this would be a great help!
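An added example, not part of the original post and not ISPConfig's own code: a shell check that lists every stats/.htaccess that enables Basic authentication without an active SSLRequireSSL line, which is the state the post describes once the file has been regenerated. The function names, the sample directory layout and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Audit .htaccess files under a web root: report those that enable HTTP
# Basic authentication without the SSLRequireSSL directive quoted in the post.

# needs_ssl_guard FILE -> exit 0 if FILE turns on Basic auth but has no
# active (uncommented) SSLRequireSSL line, so credentials may cross plain HTTP.
needs_ssl_guard() {
    grep -Eiq '^[[:space:]]*AuthType[[:space:]]+Basic' "$1" || return 1
    grep -Eiq '^[[:space:]]*SSLRequireSSL([[:space:]]|$)' "$1" && return 1
    return 0
}

# audit_stats ROOT -> print the path of each unguarded stats/.htaccess.
audit_stats() {
    find "$1" -type f -path '*/stats/.htaccess' | while IFS= read -r f; do
        if needs_ssl_guard "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed sample tree (not real ISPConfig output): site1 holds a
# generated-style file, site2 has the SSL directives prepended to it.
make_sample() {
    mkdir -p "$1/site1/stats" "$1/site2/stats"
    printf '%s\n' 'AuthType Basic' 'AuthName "Members Only"' \
        'AuthUserFile /path/to/.htpasswd_stats' 'require valid-user' \
        > "$1/site1/stats/.htaccess"
    {
        printf '%s\n' 'SSLOptions +StrictRequire' 'SSLRequireSSL'
        cat "$1/site1/stats/.htaccess"
    } > "$1/site2/stats/.htaccess"
}

tmp=$(mktemp -d)
make_sample "$tmp"
audit_stats "$tmp"    # lists only the site1 file
rm -rf "$tmp"
```

Run against the real web root after the panel's scheduled jobs, any path it prints is a stats directory whose protection has been overwritten.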