- Unresolved ip are now processed like resolved one.
- Added icons in browsers chart.
- Personalized log format can also have tab separator (not only space).
+- New ways to manage security/privacy with updated docs and new parameters:
+ AllowAccessFromWebToAuthenticatedUsersOnly
+ AllowAccessFromWebToFollowingAuthenticatedUsers
- New feature: Added mark on "grabber browsers" in browsers chart.
- New feature: Added average files size in Pages/URL report chart.
- New feature: You can put dynamic environnement variables into config file.
- New parameter: ShowLinksToWhoIs
- New parameter: LinksToWhoIs
- New parameter: StyleSheet
-- New tool: A log format converter common2combined.pl
- New option: -staticlinks to build static links in report page (to use
AWStats with no web servers).
+- New tool: A log format converter common2combined.pl
- Fixed: wrong size of bar in "average" report when average value was < 1.
- Fixed: pb of "Error: Not same number of records" when using some version
of mod_perl.
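Review bot: the two new changelog lines name the parameters but say nothing about what they do; since the entry is "New ways to manage security/privacy", one clause such as "restrict CGI access to authenticated users (per config file)" would let readers decide whether to look at the docs. While this file is being edited, the context line "dynamic environnement variables" should read "environment".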
<br><b>OPTIONAL SETUP SECTION (Not required but increase AWStats features)</b><br>
<ul>
+<li><a href="#AllowAccessFromWebToAuthenticatedUsersOnly">AllowAccessFromWebToAuthenticatedUsersOnly</a>
+<li><a href="#AllowAccessFromWebToFollowingAuthenticatedUsers">AllowAccessFromWebToFollowingAuthenticatedUsers</a>
<li><a href="#CreateDirDataIfNotExists">CreateDirDataIfNotExists</a>
<li><a href="#SaveDatabaseFilesWithPermissionsForEveryone">SaveDatabaseFilesWithPermissionsForEveryone</a>
<li><a href="#PurgeLogFile">PurgeLogFile</a>
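Review bot: the two added list items link to `#AllowAccessFromWebToAuthenticatedUsersOnly` and `#AllowAccessFromWebToFollowingAuthenticatedUsers`; make sure the matching `<a name="...">` targets are added in the parameter description part of this document in the same change, otherwise the links in the index point nowhere.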
<br>color_TableRowTitle="FFFFFF" # Table row title font color (Default = "FFFFFF")
<br>color_TableBGRowTitle="ECECEC" # Background color for row title (Default = "ECECEC")
<br>color_TableBorder="ECECEC" # Table border color (Default = "ECECEC")
-<br>color_text="000000" # Color of main body text (Default = "000000")
+<br>color_text="000000" # Color of text (Default = "000000")
+<br>color_textpercent="606060" # Color of text for percent values (Default = "606060")
<br>color_titletext="000000" # Color of text title within colored Title Rows (Default = "000000")
<br>color_weekend="EAEAEA" # Color for week-end days (Default = "EAEAEA")
<br>color_link="0011BB" # Color of HTML links (Default = "0011BB")
statistics of user yyy (having a site www.yyy.com).<br>
<br><br>
This is example of possible way of working:<br>
-<br>
+<br><br>
+
<u>1) VERY HIGHLY SECURED</u><br>
<font color=blue><b>Policy</b></font>:<br>
You have several different config/domains owned by different users and you want to build statistics for each
If users have a command line access (telnet) on statistics server, you must set correct permissions on AWStats
database files. Set all AWStats database files (built by the update process) for config/domain1 to have read/write
for <i>user1</i> (or an admin user) and NO read and NO write permissions for any other users.<br>
-Then, check that the <i>SaveDatabaseFilesWithPermissionsForEveryone</i> is set 0 in your config/domain files.<br>
+Then, check that the <b>SaveDatabaseFilesWithPermissionsForEveryone</b> parameter is set 0 in your config/domain files.<br>
If AWStats database files for config/domain1 are read protected, only allowed users can see statistics for config/domain1.<br>
If AWStats database files for config/domain1 are write protected, only allowed users can update statistics for config/domain1.<br>
-<br>
+<br><br>
<u>2) HIGHLY SECURED</u><br>
<font color=blue><b>Policy</b></font>:<br>
When using AWStats as a CGI with the following URL '<i>http://mydomain.com/cgi-bin-awstats/awstats.pl</i>', AWStats
will use the config file called <i>awstats.myconfigvalueformydomain.conf</i> to choose which statistics used,
even if a visitor try to force the config file with the URL '<i>http://mydomain.com/cgi-bin-awstats/awstats.pl?config=xxx</i>'.<br>
-<br>
+<br><br>
<u>3) MEDIUM SECURED</u><br>
-!!! This policy is not possible yet as the use of file awstatsusers is not yet developed. !!!<br>
<font color=blue><b>Policy</b></font>:<br>
-You have several config/domain and several users. You want to specify (using a <b>awstatsusers</b> file) which user can see
-or update dynamically statistics for each config/domain.<br>
+You have several config/domain and several users. You want to specify which user can see or update dynamically
+statistics for each config/domain.<br>
<font color=blue><b>Advantage</b></font>:<br>
Statistics are dynamic. High level of manageability.<br>
<font color=blue><b>Disadvantage</b></font>:<br>
AWStats database files must be readable by anonymous web server user, so if an experimented user can have an access to
-the server where AWStats database files are stored, he will be able to install and run a hacked version
-of AWStats that does not check permissions into the awstatsusers file and see/update from other config files.<br>
+the server where AWStats database files are stored, he can succeed in installing and running a "hacked" version
+of AWStats that ignores value of parameter AllowAccessFromWebToAuthenticatedUsersOnly.<br>
<font color=blue><b>How</b></font>:<br>
-awstats.pl file must be saved in a web protected <b>realm</b> to allow awstats to get the username from
-when running as CGI.<br>
-Then you must create the text file awstatsusers. This file is a text file with several records that contains
-two fields separated by a "<b>;</b>". First field is the user name allowed to read statistics from a browser.
-Second field is a list (separated by comma "<b>,</b>") of all visible config/domain allowed for this user.<br>
-<u>Example of awstatsusers file:</u><br><i>
-user1;*<br>
-user2;www.domain2.com<br>
-user3;www.domain3a.com,www.domain3b.com<br>
-</i>
+awstats.pl file must be saved in a web protected <b>realm</b> to force a visitor to enter its username/password
+to access AWStats CGI program.<br>
<u>Example of directives you can add into Apache to have awstats.pl in a web protected realm:</u><br><i>
<Files "awstats.pl"><br>
AuthUserFile /path/to/.passwd<br>
require valid-user<br>
</Files>
</i><br>
-And save the <b>awstatsusers</b> file in the <b>DirData</b> directory (directory where AWStats save its database) and put on this file "read only"
-permissions for everyone.<br>
-<br>
+Then edit each config/domain file you want to be protected to set <b>AllowAccessFromWebToAuthenticatedUsersOnly</b> to 1.<br>
+You can also edit list of authorized users in the <b>AllowAccessFromWebToFollowingAuthenticatedUsers</b> parameter.<br>
+<br><br>
+
<u>4) LOW SECURED</u><br>
<font color=blue><b>Policy</b></font>:<br>
-Same as 3 with no use of <b>awstatsusers</b>.<br>
-This is the most common way of working for all users that have only one hosts
-and don't want to have restricted accounts to manage.<br>
+You have only one hosts or several hosts or users but you don't need to manage particular permissions
+for your different config/domain statistics.<br>
+This is the most popular way of working as this requires no particular setup.<br>
<font color=blue><b>Advantage</b></font>:<br>
Setup is very easy (No need of particular setup). Statistics are dynamic.<br>
<font color=blue><b>Disadvantage</b></font>:<br>
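Review bot: the rewritten "How" section of policy 3 should state the format of the `AllowAccessFromWebToFollowingAuthenticatedUsers` list (whitespace separated, as the config comment's `"user1 user2"` example implies) and what an empty list means, since the security check in awstats.pl accepts any authenticated user when the list is empty. The Apache example omits `AuthType Basic` and `AuthName`, which Apache needs before `require valid-user` takes effect, so a reader who copies the three lines as shown gets a server configuration error rather than a login prompt. Small wording points in the touched paragraphs: "an experimented user" should be "an experienced user", "enter its username/password" should be "their username/password", and "only one hosts" should be "only one host".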
#
LogFormat=1
-# If you want to have informations on domains/countries visitors, you must ask
+# If you want to have information on domains/countries visitors, you must ask
# AWStats to make reverse DNS lookup (if not already done in your log file).
# If you set DNSLookup to 1, don't forget that reverse DNS lookup decrease
# seriously AWStats time processing.
# Put here all other possible domain names, addresses or virtual host aliases
# someone can use to access your site. Try to keep only the minimum number of
-# possible names/adresses to have the best performances.
+# possible names/addresses to have the best performances.
# You can repeat the "SiteDomain" value in this list.
# Use space between each value and put a backslash before each dot.
# This parameter is used to analyze referer field in log file and to help
# When this parameter is set to 1, AWStats add a button on report page to
# allow to "update" statistics from a web browser. Warning, when "update" is
-# made from a browser, AWStats is runned as a CGI by the web server user
+# made from a browser, AWStats is ran as a CGI by the web server user
# defined in your web server (user "nobody" by default with Apache, "IUSR_XXX"
# with IIS), so the "DirData" directory and all already existing history files
# (awstatsMMYYYY[.xxx].txt) must be writable by this user. Change permissions
# if required.
# Warning: Update process can be long so you might experience "time out"
# browser errors if you don't launch AWStats enough frequently.
-# When set to 0, update is only made when AWStats is runned from the command
+# When set to 0, update is only made when AWStats is ran from the command
# line interface (or a task scheduler).
# Possible values: 1 or 0
# Default: 0
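Review bot: "AWStats is ran as a CGI" and "AWStats is ran from the command line" are still wrong; the passive needs the past participle, so the replacement for "runned" should be "run" ("is run as a CGI", "is run from the command line"). The same substitution is made in the SaveDatabaseFilesWithPermissionsForEveryone and PurgeLogFile comments further down and needs the same fix there.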
# OPTIONAL SETUP SECTION (Not required but increase AWStats features)
#-----------------------------------------------------------------------------
+# The following two parameters allow you to protect a config file to be used
+# by your AWStats program called from a browser only if web user has been
+# authenticated. Your AWStats program must be in a web protected "realm" (With
+# Apache, you can use .htaccess files to do so. With other web servers, see
+# your server setup manual).
+# Possible values: 1 or 0
+# Default: 0
+#
+AllowAccessFromWebToAuthenticatedUsersOnly=0
+
+# This parameter give the list of all authorized authenticated users to view
+# statistics for this domain/config file. This parameter is used only if
+# AllowAccessToAuthenticatedUsersOnly is set to 1.
+# Example: "user1 user2"
+# Default: ""
+#
+AllowAccessFromWebToFollowingAuthenticatedUsers=""
+
# If the "DirData" directory (see above) does not exists, AWStats return an
-# error. However, you can ask AWStats to create it. This option can be used by
-# some Web Hosting Providers that has defined a dynamic value for DirData (for
-# example DirData="/home/__REMOTE_USER__").
+# error. However, you can ask AWStats to create it.
+# This option can be used by some Web Hosting Providers that has defined a
+# dynamic value for DirData (for example DirData="/home/__REMOTE_USER__") and
+# don't want to have to create a new directory each time they add a new user.
# Possible values: 1 or 0
# Default: 0
#
CreateDirDataIfNotExists=0
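Review bot: the comment for `AllowAccessFromWebToFollowingAuthenticatedUsers` says it is used only if `AllowAccessToAuthenticatedUsersOnly` is set to 1, but the parameter added just above is named `AllowAccessFromWebToAuthenticatedUsersOnly`; use the real name so readers can find it. The comment should also say that the list is whitespace separated and that an empty list (the default `""`) admits every user who passed the web server's authentication, because that is the behaviour a site gets when it enables the first parameter and forgets the second. Grammar: "This parameter give the list" should be "gives".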
-# In most case, AWStats is used as a cgi program. So AWStats process is runned
+# In most case, AWStats is used as a cgi program. So AWStats process is ran
# by default web server user (nobody for Unix, IUSR_xxx for IIS/Windows,...).
-# To avoid permission problems between update process often runned by an admin
-# user (root for Unix, Administrator for Windows,...), AWStats save its
-# database files by default with read and write for everyone. You can set this
-# parameter to 0, if you want AWStats to keep default process user permission.
+# To make use easier and avoid permission problems between update process
+# (run by an admin user) and CGI process (ran by a low level user), AWStats
+# save its database files with read and write for everyone.
+# If you have experience on managing security policies (Web Hosting Provider),
+# you should set this parameter to 0. AWStats will keep default process user
+# permissions on its files.
# Possible values: 1 or 0
# Default: 1
#
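Review bot: "AWStats save its database files" should be "saves", and "ran by a low level user" should be "run". More importantly, the rewritten comment should state the trade-off of the default plainly: with the value 1 the history files are created readable and writable by every local account, so on a shared host anyone with shell access can read or alter another site's statistics; the "VERY HIGHLY SECURED" policy in the HTML documentation relies on this parameter being 0, and the comment should point there rather than only saying "if you have experience on managing security policies".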
# you can launch AWStats as soon as you want, even with this parameter to 0.
# With 0, no purge is made, so you must use a scheduled task or a web server
# that make this purge frequently.
-# With 1, the purge of the log file is made each time AWStats is runned.
+# With 1, the purge of the log file is made each time AWStats is ran.
# This parameter doesn't work with IIS (This web server doesn't let its log
# file to be purged).
# Possible values: 1 or 0
color_TableRowTitle="FFFFFF" # Table row title font color (Default = "FFFFFF")
color_TableBGRowTitle="ECECEC" # Background color for row title (Default = "ECECEC")
color_TableBorder="ECECEC" # Table border color (Default = "ECECEC")
-color_text="000000" # Color of main body text (Default = "000000")
+color_text="000000" # Color of text (Default = "000000")
+color_textpercent="606060" # Color of text for percent values (Default = "606060")
color_titletext="000000" # Color of text title within colored Title Rows (Default = "000000")
color_weekend="EAEAEA" # Color for week-end days (Default = "EAEAEA")
color_link="0011BB" # Color of HTML links (Default = "0011BB")
#-------------------------------------------------------
# Defines
#-------------------------------------------------------
-my $VERSION="4.0 (build 59)";
+my $VERSION="4.0 (build 60)";
# ---------- Init variables -------
my $Debug=0;
my $nowsec = my $nowmin = my $nowhour = my $nowday = my $nowmonth = my $nowyear = my $nowwday = 0;
my $tomorrowtime = my $tomorrowsmallyear = 0;
my $tomorrowsec = my $tomorrowmin = my $tomorrowhour = my $tomorrowday = my $tomorrowmonth = my $tomorrowyear = my $tomorrowwday = 0;
-my ($BarHeight,$BarWidth,$DebugResetDone,$Expires,
+my ($AllowAccessFromWebToAuthenticatedUsersOnly,$BarHeight,$BarWidth,$DebugResetDone,$Expires,
$CreateDirDataIfNotExists, $KeepBackupOfHistoricFiles, $MaxLengthOfURL,
$MaxNbOfDomain, $MaxNbOfHostsShown, $MaxNbOfKeywordsShown, $MaxNbOfLoginShown,
$MaxNbOfPageShown, $MaxNbOfRefererShown, $MaxNbOfRobotShown,
# ---------- Init arrays --------
my @Message=();
my @HostAliases=();
+my @AllowAccessFromWebToFollowingAuthenticatedUsers=();
my @OnlyFiles = my @SkipDNSLookupFor = my @SkipFiles = my @SkipHosts = ();
my @DOWIndex=();
my @RobotArrayList = my @RobotsSearchIDOrder = ();
if ($param =~ /^DirCgi/) { $DirCgi=$value; next; }
if ($param =~ /^DirIcons/) { $DirIcons=$value; next; }
if ($param =~ /^DNSLookup/) { $DNSLookup=$value; next; }
- if ($param =~ /^AllowToUpdateStatsFromBrowser/) { $AllowToUpdateStatsFromBrowser=$value; next; }
if ($param =~ /^SiteDomain/) {
$value =~ s/\\\./\./g; $value =~ s/([^\\])\./$1\\\./g; $value =~ s/^\./\\\./; # Replace . into \.
$SiteDomain=$value; next;
foreach my $elem (@felter) { push @HostAliases,$elem; }
next;
}
+ if ($param =~ /^AllowToUpdateStatsFromBrowser/) { $AllowToUpdateStatsFromBrowser=$value; next; }
# Read optional setup section
+ if ($param =~ /^AllowAccessFromWebToAuthenticatedUsersOnly/) { $AllowAccessFromWebToAuthenticatedUsersOnly=$value; next; }
+ if ($param =~ /^AllowAccessFromWebToFollowingAuthenticatedUsers/) {
+ my @felter=split(/\s+/,$value);
+ foreach my $elem (@felter) { push @AllowAccessFromWebToFollowingAuthenticatedUsers,$elem; }
+ next;
+ }
if ($param =~ /^CreateDirDataIfNotExists/) { $CreateDirDataIfNotExists=$value; next; }
if ($param =~ /^SaveDatabaseFilesWithPermissionsForEveryone/) { $SaveDatabaseFilesWithPermissionsForEveryone=$value; next; }
if ($param =~ /^PurgeLogFile/) { $PurgeLogFile=$value; next; }
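Review bot: confirm that `$value` has had its surrounding quotes removed before `split(/\s+/,$value)` runs. The shipped default is `AllowAccessFromWebToFollowingAuthenticatedUsers=""`; if the quotes survive, the split pushes the two-character token `""` into `@AllowAccessFromWebToFollowingAuthenticatedUsers`, the array is then non-empty, and the exact `eq` comparison in the security check rejects every authenticated user. Either strip the quotes here or skip empty tokens before the `push`.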
if ($DNSLookup !~ /[0-1]/) { error("Error: DNSLookup parameter is wrong. Value is '$DNSLookup' (should be 0 or 1)"); }
if ($AllowToUpdateStatsFromBrowser !~ /[0-1]/) { $AllowToUpdateStatsFromBrowser=0; }
# Optional setup section
+ if ($AllowAccessFromWebToAuthenticatedUsersOnly !~ /[0-1]/) { $AllowAccessFromWebToAuthenticatedUsersOnly=0; }
if ($CreateDirDataIfNotExists !~ /[0-1]/) { $CreateDirDataIfNotExists=0; }
if ($SaveDatabaseFilesWithPermissionsForEveryone !~ /[0-1]/) { $SaveDatabaseFilesWithPermissionsForEveryone=1; }
if ($PurgeLogFile !~ /[0-1]/) { $PurgeLogFile=0; }
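Review bot: the new check `$AllowAccessFromWebToAuthenticatedUsersOnly !~ /[0-1]/` only tests that a 0 or 1 appears somewhere in the value, so strings such as "10" or "a1" pass validation and are then treated as true by the `if` in the security check; anchor the pattern (`/^[01]$/`) so that anything but a bare 0 or 1 falls back to the default of 0. The neighbouring checks have the same shape, but a parameter that gates access should not copy that weakness.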
&html_head;
# Security check
-if ($UpdateStats && (! $AllowToUpdateStatsFromBrowser) && ($ENV{"GATEWAY_INTERFACE"})) {
+if ($AllowAccessFromWebToAuthenticatedUsersOnly && $ENV{"GATEWAY_INTERFACE"}) {
+ debug("REMOTE_USER is ".$ENV{"REMOTE_USER"});
+ if (! $ENV{"REMOTE_USER"}) {
+ error("Error: Access to statistics is only allowed from an authenticated session to authenticated users.");
+ }
+ if (@AllowAccessFromWebToFollowingAuthenticatedUsers) {
+ my $userisinlist=0;
+ foreach my $key (@AllowAccessFromWebToFollowingAuthenticatedUsers) {
+ if ($ENV{"REMOTE_USER"} eq $key) { $userisinlist=1; last; }
+ }
+ if (! $userisinlist) {
+ error("Error: User <b>".$ENV{"REMOTE_USER"}."</b> is not allowed to access statistics of this domain/config.");
+ }
+ }
+}
+if ($UpdateStats && (! $AllowToUpdateStatsFromBrowser) && $ENV{"GATEWAY_INTERFACE"}) {
error("Error: Update of statistics is not allowed from a browser.");
}
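Review bot: the error message built from `$ENV{"REMOTE_USER"}` is emitted into the HTML page without escaping; the value comes from the web server's own authentication, so the risk is low, but HTML-escaping it (as for any value echoed into a page) costs one call and removes the question. The fail-closed behaviour is right: when `AllowAccessFromWebToAuthenticatedUsersOnly` is 1 and the CGI is not inside a protected realm, `REMOTE_USER` is empty and the request is refused rather than allowed. Since the block runs after `&html_head`, it is worth adding a comment noting that no report data has been written at that point, so the check must stay ahead of any report output if the file is reorganised.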