Alternate stats page

Discussion in 'Developers' Forum' started by djtremors, Jul 27, 2006.

  1. djtremors

    djtremors ISPConfig Developer ISPConfig Developer

    Hey all,

    I'm also working on putting awstats as I like it more than webalizer even though the security flaws it's had in the past but with htaccess it would prevent alot more attacks from anonymous access anyway.

    I've got it all working but 1 thing, .htpasswd files...

    The problem is that awstats uses cgi and it's own path instead of /cgi-bin/ but I want to put .htacces inside that so only users can access the page but maintaining a common .htpasswd inside a common path is my issue.
    Currently .htpasswd and .htaccess for stats are inside users home paths and to change that to a common path seems like hell for me.

    any ideas?

    only thing I could think of was searching each home path and `cat $home/.htpasswd >> /home/httpd/awstats-cgibin/.htpasswd` so any changes are copied over.. very crude but it could work..

    is there a neater way I can maintain this command password file if someone changes their password it would also change in this common file?

    I also have another issue with a htpasswd file which the user is admin:$1${somehashvalue} which is not the user.. how did this get there and how do I change it? I already created an admin user for the site but it doesn't change this file..????
  2. djtremors

    djtremors ISPConfig Developer ISPConfig Developer

    Ah cool. I've been modifying /root/ispconfig/scripts/shell/webalizer.php and made it update the global .htpasswd list in the stats page.

    All good. just have an issue where i modified the .htaccess in the /stats/ directory to auto redirect the user to /ispcstats/ but what happens is that the browser seems to auto add a / at the end which causes problems with awstats picking up the "config" parameter as not

    so I had to use an index.php and use the header("Location:...." ) method which works but if a site isn't php enabled then i'm screwed. :(
    Last edited: Jul 27, 2006
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    Did this redirect (.html file) solve the problem?

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "">
    <html xmlns="">
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
    <meta http-equiv="refresh" content="0;URL=/ispcstats/" />
  4. djtremors

    djtremors ISPConfig Developer ISPConfig Developer

    I actually ended up cheating a little and placed this into the .htaccess file in the ./stats dir.

    Redirect 301 /stats

    The & at the end stopped the / getting into the domain parameter.

    I'll keep a note on that for next time.

    I'll even put in a mod for anyone who prefers to use awstats on their server once I get all the mods down and checked.;)
  5. Ben

    Ben ISPConfig Developer ISPConfig Developer

    @DJ: What about generating static stats with awstats? So you don't need to care about security flaws by stats accessing users, and don't need to care about cgi-bin stuff ;)
  6. djtremors

    djtremors ISPConfig Developer ISPConfig Developer

    I can create a static output but when you select another month/date it calls the cgi... unless I'm doing something wrong.
    Doesn't matter, works well now.
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    Are the user accounts in your awstats configuration still separated, so that customer A can not read the statistics from customer B even if he uses the domain of customer B as domain= parameter?
  8. djtremors

    djtremors ISPConfig Developer ISPConfig Developer

    the configuration is always seperate, it's the script thats global and the problem. Once I've logged in and if I know another domain that is hosted on the same server, I just change the to and i can see it.
    You just have to know it's there to begin with.

    Because the .htpasswd file contains all the users together, i don't know how (without seperating the awstats) to lock each domain.

    hmm.. ill sleep on this one.
  9. djtremors

    djtremors ISPConfig Developer ISPConfig Developer

    hey all, I managed to get some time and work on this awstats auth problem.

    there's 2 settings in the conf file which you can set to check the authentication.


    I changed it in a way so eahc sites config has it's own custom settings and it includes the main template config.
    the site's config contains the AllowAccessFromWebToFollowingAuthenticatedUsers="myuser1 myuser2"

    Now, attempting to browse someone elses stats with your login now failed with
    ErrorUser 'web15_djtremors' is not allowed to access statistics of this domain/config
    works like a treat.
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    Sounds great :)
  11. djtremors

    djtremors ISPConfig Developer ISPConfig Developer


    Atm I'm fighting legal issues with my local council as they plan to rip my attic from me but when I get a chance, I'll post up a HowTo for those others who would like to use Awstats instead. I admit, it does look alot nicer than webalizer (but not as secure as we've seen in the past ;) )

    I'm trying to go for the auto install as well.....trying........

Share This Page