Webalizer Statistics /stats/ folder and .htaccess (HTTPS ONLY HELP)

Discussion in 'Installation/Configuration' started by jims_a_winner, Mar 28, 2013.

  1. jims_a_winner

    jims_a_winner New Member

    Hi guys,

    I have been months now configuring my ispconfig 3 on CentOS 6.4 installation for PCI DSS Compliance. I have overcome almost all the issues that I was prompted with on the security shortcomings so if anyone has questions (my site scans are performed by security metrics).

    However I have one question. The /stats/ folder which is generated by ispconfig daily, the .htaccess it creates allows the username/password to be sent in cleartext. I am trying to force /stats/ to redirect to https://mydomain.com/stats BEFORE it asks for username/password.

    I can do this with the following (appended to the already generated .htaccess at the top)

    SSLOptions +StrictRequire
    SSLRequireSSL
    SSLRequire %{HTTP_HOST} eq "mydomain.com"

    However the .htaccess is overwritten frequently I believe.

    My issue would be resolved with either of the following,
    A) I can modify the code written to .htaccess file in the ispconfig cron files, I have had a brief look but cannot actually find the script which writes them at the moment.

    B) I can disable ispconfig from creating the stats folder automatically.

    What solutions would you think suitable and any further ideas on this would be a great help!
     
  2. Rockdrala

    Rockdrala New Member

    Are you using apache or nginx?
     
  3. jims_a_winner

    jims_a_winner New Member

    Apache. Thank you.

    Jim
     
  4. jims_a_winner

    jims_a_winner New Member

    Any ideas on this, would like to make the changes before the start of the bank holiday weekend so i can set the sitescans and hopefully have passed the tests by my return.

    Regards,
    Jim Dixon
     

Share This Page