From: eldy <> Date: Fri, 11 Oct 2002 08:12:07 +0000 (+0000) Subject: Updated documentation. X-Git-Tag: AWSTATS_5_1_BETA~39 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b28feabf4a13b9f276c7923b3db16577be2afd74;p=thirdparty%2FAWStats.git Updated documentation. --- diff --git a/docs/awstats_security.html b/docs/awstats_security.html index bef64c92..d6089715 100644 --- a/docs/awstats_security.html +++ b/docs/awstats_security.html @@ -101,12 +101,13 @@ This is one of the most popular way of working.
Advantage:
Statistics are dynamic. High level of manageability.
Disadvantage:
-AWStats database files must still be readable by anonymous web server user, so if an experimented user can have an access to +AWStats database files must still be readable by anonymous web server user, so if an experienced user can have an access to the server (telnet) where AWStats database files are stored, he can succeed in installing and running a "hacked" version of AWStats that ignores value of parameter AllowAccessFromWebToAuthenticatedUsersOnly.
How:
awstats.pl file must be saved in a web protected realm to force a visitor to enter its username/password to access AWStats CGI program.
+
Example of directives you can add into Apache to have awstats.pl in a web protected realm:
<Files "awstats.pl">
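Review bot: The reworded Disadvantage line still reads "can have an access to the server (telnet)", and it leaves the consequence implicit. Suggest "so an experienced user with access (telnet) to the server where the AWStats database files are stored can install and run a modified copy of AWStats that ignores AllowAccessFromWebToAuthenticatedUsersOnly", followed by a sentence saying that the restriction is applied by awstats.pl itself and so does not protect the database files from a local account that can read them. In the unchanged How line, "enter its username/password" should be "enter his username/password" or "enter a username/password".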
@@ -117,6 +118,11 @@ AuthType Basic
require valid-user
</Files>

+If you add such directives into a .htaccess file, you must also check that the AllowOverride directive is set +to All in Apache config file to allow the use of .htaccess files.
+
+To known how to create a protected realm for servers other than Apache, see your web server manual.
+
Then edit each config/domain file you want to be protected to set AllowAccessFromWebToAuthenticatedUsersOnly to 1.
You can also edit list of authorized users in the AllowAccessFromWebToFollowingAuthenticatedUsers parameter.
You can also specify a range of allowed browsers IP Addresses with the AllowAccessFromWebToFollowingIPAddresses parameter.
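Review bot: The added .htaccess sentence tells readers to set AllowOverride to All, which is broader than these directives need. AllowOverride AuthConfig is enough for the authentication directives shown (AuthType Basic, require valid-user) and leaves the other override classes off, so suggest wording it as "the AllowOverride directive must include AuthConfig (or be set to All)". In the next added line, "To known how to create" should be "To know how to create".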
@@ -124,8 +130,9 @@ You can also specify a range of allowed browsers IP Addresses with the AllowAccessFromWebToFollowingAuthenticatedUsers="__REMOTE_USER__".
+even if a visitor try to force the config/domain file with the URL 'http://mydomain/cgi-bin/awstats.pl?config=otherdomain'. +This might be usefull for thoose who edit their config/domain file with AllowAccessFromWebToFollowingAuthenticatedUsers="__REMOTE_USER__" +to avoid managing account lists in AWStats config files.



3) NO SECURITY POLICY


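Review bot: The added sentence about AllowAccessFromWebToFollowingAuthenticatedUsers="__REMOTE_USER__" should say what it depends on: the check is only meaningful when awstats.pl sits inside the protected realm described earlier in this file, so that the user name comes from the web server's authentication. Worth stating that next to the example URL 'http://mydomain/cgi-bin/awstats.pl?config=otherdomain', since that is exactly the request the setting is meant to refuse. Spelling in the added lines: "a visitor try" should be "a visitor tries", "usefull" should be "useful", "thoose" should be "those".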
@@ -138,12 +145,13 @@ Setup is very easy (No need of particular setup). Statistics are dynamic.
No way to prevent stats for config/domain to be seen by a user that known the config/domain name and the url syntax to see stats of a particular config/domain.
How:
-No particular things to do (You can however use AllowAccessFromWebToFollowingIPAddresses parameter).
+No particular things to do (You can however easily use AllowAccessFromWebToFollowingIPAddresses parameter +to have a minimum of security).



-There is a lot of possible use for AWStats combining all its options/parameter with all web servers options/parameters. +There is a lot of possible use for AWStats combining all its options/parameters with all web servers options/parameters. Just use the one you need...
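Review bot: "to have a minimum of security" in the added How line is vague, and it sits oddly in a section titled NO SECURITY POLICY. Say what the parameter does, for example "to restrict access to a range of browser IP addresses", and note that this limits where requests come from but does not authenticate the visitor. The unchanged Disadvantage line still has "a user that known" (should be "knows"), and the closing sentence would read better as "There are many possible uses for AWStats".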