database files. Set all AWStats database files (built by the update process) for config/domain1 to have read/write\r
for <i>user1</i> (or an admin user) and NO read and NO write permissions for any other users.<br>\r
Then, check that the <a href="awstats_config.html#SaveDatabaseFilesWithPermissionsForEveryone">SaveDatabaseFilesWithPermissionsForEveryone</a> parameter is set 0 in your config/domain files.<br>\r
-If AWStats database files for config/domain1 are read protected, only allowed users can see statistics for config/domain1.<br>\r
-If AWStats database files for config/domain1 are write protected, only allowed users can update statistics for config/domain1.<br>\r
+If AWStats database files/directory for config/domain1 are read protected, only allowed users can see statistics for config/domain1.<br>\r
+If AWStats database files/directory for config/domain1 are write protected, only allowed users can update statistics for config/domain1.<br>\r
<br><br>\r
\r
-<!--\r
-<br><a name="2"><H2 style="font: 22px arial,helvetica,sanserif color: #606060"><u>2) HIGHLY SECURED POLICY</u></H2></a><br>\r
-<font color=blue><b>Policy</b></font>:<br>\r
-You have several different domains owned by different users and you want each owner of a domain\r
-to be able to see only his/her domain and to be able to update his/her statistics dynamically.<br>\r
-This might be a good choice for web hosting providers with several small private or public customers.<br>\r
-<font color=blue><b>Advantage</b></font>:<br>\r
-Statistics view is dynamic. A site owner can view its statistics dynamically. Update can also\r
-be made (if allowed) on-line.<br>\r
-<font color=blue><b>Disadvantage</b></font>:<br>\r
-No way to have 2 configurations files for 1 particular domain.<br>\r
-<font color=blue><b>How</b></font>:<br>\r
-First, AWStats must be placed in its own cgi-bin-awstats directory with no way for users to\r
-put in it a hacked version of AWStats (an unwritable directory).<br>\r
-Then, you must add an environment variable called <b>AWSTATS_FORCE_CONFIG</b> in the web server environment\r
-for each domain to say which config file to use for a particular domain.<br>\r
-<u>With Apache web server, you must use the '<i>SetEnv</i>' directive. This is an example:</u><br><i>\r
-<VirtualHost www.xxx.yyy.zzz><br>\r
- ServerAdmin webmaster@mydomain.com<br>\r
- ServerName mydomain.com<br>\r
- ScriptAlias /cgi-bin-awstats/<br>\r
- DocumentRoot /usr/local/apache/html<br>\r
- SetEnv AWSTATS_FORCE_CONFIG myconfigvalueformydomain<br>\r
-</VirtualHost><br>\r
-</i>\r
-When using AWStats as a CGI with the following URL '<i>http://mydomain.com/cgi-bin-awstats/awstats.pl</i>', AWStats\r
-will use the config file called <i>awstats.myconfigvalueformydomain.conf</i> to choose which statistics used,\r
-even if a visitor try to force the config/domain file with the URL '<i>http://mydomain.com/cgi-bin-awstats/awstats.pl?config=xxx</i>'.<br>\r
-<br><br>\r
--->\r
-\r
<br><a name="2"><H2 style="font: 22px arial,helvetica,sanserif color: #606060"><u>2) MEDIUM SECURED POLICY</u></H2></a><br>\r
<font color=blue><b>Policy</b></font>:<br>\r
You have several config/domain and several users. You want to specify which user can see or update dynamically\r
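Review bot: The reworded lines "If AWStats database files/directory ... are read protected" and "... are write protected" now cover the directory, but the instruction two lines above them still says only "Set all AWStats database files ... to have read/write for user1", so a reader following it leaves the directory permissions untouched. Extend that instruction to the directory holding the files; on Unix-like systems, write permission on the directory lets another user delete or replace a history file regardless of the file's own mode. Removing the commented-out "HIGHLY SECURED POLICY" block is fine, and it also drops a second <a name="2"> anchor that duplicated the one on "MEDIUM SECURED POLICY".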
Then edit each config/domain file you want to be protected to set <a href="awstats_config.html#AllowAccessFromWebToAuthenticatedUsersOnly">AllowAccessFromWebToAuthenticatedUsersOnly</a> to 1.<br>\r
You can also edit list of authorized users in the <a href="awstats_config.html#AllowAccessFromWebToFollowingAuthenticatedUsers">AllowAccessFromWebToFollowingAuthenticatedUsers</a> parameter.<br>\r
You can also specify a range of allowed browsers IP Addresses with the <a href="awstats_config.html#AllowAccessFromWebToFollowingIPAddresses">AllowAccessFromWebToFollowingIPAddresses</a> parameter.<br>\r
+\r
+You can also set <a href="awstats_config.html#SaveDatabaseFilesWithPermissionsForEveryone">SaveDatabaseFilesWithPermissionsForEveryone</a> parameter to 0 in all config/domain files,\r
+except if you want to allow update from web with option <a href="awstats_config.html#AllowToUpdateStatsFromBrowser">AllowToUpdateStatsFromBrowser</a>=1. But this is\r
+not recommanded as you need to give read/write permission for Web server user on all history\r
+files (Except if you setuid AWStats script for each authorized user, but this make setup much harder).<br>\r
The following parameters <a href="awstats_config.html#ErrorMessages">ErrorMessages</a> and <a href="awstats_config.html#DebugMessages">DebugMessages</a> are\r
-also related to security parameters.<br>\r
+also parameters related to security.<br>\r
+<br>\r
<br>\r
Other tip: If the <b>AWSTATS_FORCE_CONFIG</b> environment variable is defined, AWStats will always use\r
the config file <i>awstats.VALUE_OF_AWSTATS_FORCE_CONFIG.conf</i> as the config/domain file.\r
So if you add this environment variable into your web server environment, for example by adding the line<br>\r
<i>SetEnv AWSTATS_FORCE_CONFIG configvalueforthisdomain</i><br>\r
-with other directives in your Apache <i><VirtualHost></i> directive group in httpd.conf), AWStats will use the config file\r
+in your Apache <i><VirtualHost></i> directive group in httpd.conf (with other directives), AWStats will use the config file\r
called <i>awstats.configvalueforthisdomain.conf</i> to choose which statistics used,\r
even if a visitor try to force the config/domain file with the URL '<i>http://mydomain/cgi-bin/awstats.pl?config=otherdomain</i>'.\r
This might be usefull for thoose who edit their config/domain file with <a href="awstats_config.html#AllowAccessFromWebToFollowingAuthenticatedUsers">AllowAccessFromWebToFollowingAuthenticatedUsers</a>="__REMOTE_USER__"</i>\r
-instead of maintaning the list of authorized users into each AWStats config file.<br>\r
-<br><br>\r
+instead of maintaining the list of authorized users into each AWStats config file.<br>\r
+<br>\r
+<br>\r
+\r
\r
<br><a name="3"><H2 style="font: 22px arial,helvetica,sanserif color: #606060"><u>3) NO SECURITY POLICY</u></H2></a><br>\r
<font color=blue><b>Policy</b></font>:<br>\r
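Review bot: In the added paragraph on SaveDatabaseFilesWithPermissionsForEveryone, "But this is not recommanded" does not say what "this" is: setting the parameter to 0, or allowing update from the web with AllowToUpdateStatsFromBrowser=1. The reason given (read/write permission for the Web server user on all history files) points to the latter, so name it explicitly, for example "Allowing update from the browser is not recommended, as ...", and fix "recommanded" and "this make setup" while there. In the reworded VirtualHost sentence, <i><VirtualHost></i> is still unescaped, so a browser parses it as a tag and the name is not displayed; write &lt;VirtualHost&gt;. The unchanged line ending in ="__REMOTE_USER__"</i> has a closing </i> with no opening one and could be cleaned up in the same change.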
<br>\r
<br>\r
\r
-There is a lot of possible use for AWStats combining all its options/parameters with all web servers options/parameters.\r
-Just use the one you need...<br>\r
+There is a lot of possible use for AWStats combining all its options/parameters with all web servers options/parameters and operating\r
+systems security features. Just use the one you need...<br>\r
<br>\r
\r
\r
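Review bot: The rewritten closing sentence keeps "There is a lot of possible use for AWStats" and "Just use the one you need", which leaves "the one" without a clear referent now that operating system security features are added to the list. Since both lines are being replaced anyway, consider "There are many possible ways to use AWStats, combining its options/parameters with web server options/parameters and operating system security features. Just use the combination you need."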