[Pkg-awstats-devel] Bug#590953: Docs should illustrate how to protect access to /cgi-bin/awstats.pl

Olivier Berger olivier.berger at it-sudparis.eu
Fri Jul 30 13:59:24 UTC 2010


Package: awstats
Severity: wishlist

I'd suggest adding to README.Debian.gz instructions on how to protect access to the awstats.pl CGI using an .htaccess and .htpasswd.

For instance, it should indicate:
1) changing the default / default-ssl conf file to allow overriding AuthConfig:
        <Directory "/usr/lib/cgi-bin">
#               AllowOverride None
                AllowOverride AuthConfig
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>
2) adding a /usr/lib/cgi-bin/.htaccess containing, for instance:
<FilesMatch "awstats.pl">
AuthName "Login Required"
AuthType Basic
AuthUserFile /etc/awstats/.htpasswd
require valid-user
</FilesMatch>

3) that one could create the /etc/awstats/.htpasswd with:
 # htpasswd -c /etc/awstats/.htpasswd whatever_user

4) and that Apache needs restarting.

These are basic web server admin tasks, but may help anyway, just as an example of what to do next.

Hope this helps.

Best regards,

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
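
The check below is an added example, not part of the original report or of the awstats package. Step 1 matters because with `AllowOverride None` Apache does not read the .htaccess file at all, so the script verifies that AuthConfig overrides are enabled for /usr/lib/cgi-bin, that the .htaccess carries the auth directives, and that the password file exists. The function names and the sample files it writes are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the files from steps 1-3. All sample data is constructed.

# Print the effective (last uncommented) AllowOverride in <Directory DIR>.
allow_override() {  # $1 = Apache conf file, $2 = directory path
    awk -v dir="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == "<directory" { p = $2; gsub(/[">]/, "", p); inblk = (p == dir) }
        tolower($1) == "</directory>" { inblk = 0 }
        inblk && tolower($1) == "allowoverride" {
            $1 = ""; val = tolower($0); sub(/^[ \t]+/, "", val) }
        END { print val }' "$1"
}

# Return 0 only if AuthConfig overrides are enabled and the auth block is
# complete (a missing AllowOverride directive is treated as a failure).
check_awstats_auth() {  # $1 = Apache conf file, $2 = .htaccess file
    rc=0
    ao=$(allow_override "$1" /usr/lib/cgi-bin)
    case " $ao " in
        *" authconfig "*|*" all "*) ;;
        *) echo "FAIL: AllowOverride is '${ao:-unset}', AuthConfig not enabled"; rc=1 ;;
    esac
    for d in AuthType AuthUserFile Require; do
        grep -Eiq "^[[:space:]]*$d[[:space:]]" "$2" 2>/dev/null ||
            { echo "FAIL: no $d directive in $2"; rc=1; }
    done
    pw=$(awk 'tolower($1) == "authuserfile" { gsub(/"/, "", $2); print $2 }' "$2" 2>/dev/null)
    [ -n "$pw" ] && [ -s "$pw" ] || { echo "FAIL: password file missing or empty"; rc=1; }
    return $rc
}

# Write constructed sample files into a scratch dir.
make_sample() {  # $1 = scratch dir, $2 = AllowOverride value to write
    printf '<Directory "/usr/lib/cgi-bin">\n#  AllowOverride None\n  AllowOverride %s\n</Directory>\n' \
        "$2" > "$1/default"
    printf '<FilesMatch "awstats.pl">\nAuthType Basic\nAuthUserFile %s\nrequire valid-user\n</FilesMatch>\n' \
        "$1/htpasswd" > "$1/htaccess"
    echo 'whatever_user:CONSTRUCTED-PLACEHOLDER-HASH' > "$1/htpasswd"
}

tmp=$(mktemp -d)
make_sample "$tmp" None        # state before step 1
check_awstats_auth "$tmp/default" "$tmp/htaccess" || echo "=> awstats.pl not protected"
make_sample "$tmp" AuthConfig  # state after steps 1-3
check_awstats_auth "$tmp/default" "$tmp/htaccess" && echo "=> auth configuration looks complete"
rm -rf "$tmp"
```

On a real host, pass the default or default-ssl conf file and /usr/lib/cgi-bin/.htaccess as the two arguments.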




