Forum Moderators: phranque
I'd like to password protect access to the AWStats results.
System:
WinXP Pro
Apache 2
ActiveState Perl 5.8
AWStats 6.3
etc.
I've installed AWStats to the default 'c:\Program Files\AWStats\', which places the awstats.pl location at 'c:\Program Files\AWStats\wwwroot\cgi-bin\awstats.pl'. Since AWStats seems to be working primarily from this directory (the logs and config files are there), I thought using htaccess and htpasswd would work to password protect the results, but it doesn't.
(example)
AuthUserFile c:/Program Files/AWStats/wwwroot/cgi-bin/.htpasswd
AuthType Basic
AuthName "AWStats Login"
<Limit GET POST>
require valid-user
</Limit>
Since you access the logs via a web browser with a URL that doesn't exist (http://mydomain.com/awstats/awstats.pl?config=mydomain.com), I don't understand where (or if) you can place the htaccess/htpasswd file to affect the result display.
Perhaps changing/adding something to my VirtualHost description in regards to the CustomLog?:
<VirtualHost *:80>
ServerAdmin me@mydomain.com
DocumentRoot C:/clients/mydomain/public_html
ServerName www.mydomain.com
ServerAlias mydomain.com
ErrorLog logs/mydomain.com-error_log
CustomLog logs/mydomain.com-access.log combined
</VirtualHost>
I'm using htaccess to password protect a couple of other directories on this domain, and it works fine. So I assume, there's no other directives I need to enable in the VirtualHost tag to make it work.
Any suggestions or help would be appreciated.
Thanks.
This problem really isn't AWStats-specific; Generally, your whole cgi-bin directory should be protected from direct web access.
Jim
the module that maps the script into your web space executes *after* mod_auth.
Well, mod_auth is right at the top of the LoadModule list, so it looks like it's being executed first. AWStats is the only CGI based program I'm using, though Apache is setup to run scripts from any directory.
I just found an option in the AWStats config file for requiring authentication by using htaccess, but it's not explained in a way I understand. I enabled it (while keeping the htaccess/htpasswd files there), and I receive a browser error stating 'Authentication is required'. (Seem to be in a catch-22, there.)
I've never run anything from a "Program Files" subdirectory, and I wondered if maybe the:
AuthUserFile c:/Program Files/AWStats/wwwroot/cgi-bin/.htpasswd
should instead be:
AuthUserFile c:/progra~1/AWStats/wwwroot/cgi-bin/.htpasswd
Windows long file names have always thrown me when using to describe a path. Though, I'be tried both ways. I've disabled AWStats for now until I can figure this out...
Not sure about Apache 2, but in Apache 1.3, modules are executed in reverse priority from their position in the LoadModule list. In other words, listed first, executed last.
The path given in AuthFile should be below Apache, not out in the general filesystem of your machine.
Jim
It's been stange using Windows and installing server software. Some recommend (like AWStats) to install under "Program Files", some (like Perl) in \www\bin...etc. I installed most everything under a "www" directory...except for AWStats. I think my best option is to reinstall, as you've said, under my Apache directory.
Thanks!
A real easy solution I used for 'protecting AWStats' from the public was to simply add "Allow from localhost" in Apache's <Directory> tag for AWStats; all other IP's are forbidden...which was my goal.
