How to secure AWStats
AWStats.Viewer is a tool that secures access to the AWStats CGI script. AWStats Viewer comes with full source code and is a good example of how a third-party program can be integrated with WebsitePanel Enterprise Server.
AWStats Viewer comes with “WebsitePanelAuthenticationProvider” and “ConfigFileAuthenticationProvider” pre-compiled providers. Other user authentication mechanisms can be added by means of implementing custom AuthenticationProvider classes.
System Requirements
- Internet Information Services 6.0
- AWStats 6.x installed and configured
- Microsoft.NET Framework 2.0
Installation and Setup
1. Download the AWStats.Viewer 2.0.1 distribution from SourceForge: http://sourceforge.net/projects/websitepanel/files/Releases/WebsitePanel/. It is located in the Tools folder of each WSP release.
2. Unpack the contents of the “build” folder into the “wwwroot” folder of the AWStats installation so that the “default.aspx” page and the “bin” folder of the application are located directly inside “wwwroot”. For instance, if AWStats is installed in “c:\AWStats” and the path to its “wwwroot” is “c:\AWStats\wwwroot”, then the path to “default.aspx” will be “c:\AWStats\wwwroot\default.aspx”.
3. Open IIS Manager snap-in and open properties window for AWStats web site (or virtual directory).
4. On “ASP.NET” tab select “2.0.50727” version of the .NET Framework and on “Home Directory” (or “Virtual Directory”) tab specify correct Application Pool for ASP.NET 2.0 applications (different from DefaultAppPool). Click “OK” button to save changes.
5. Open application “web.config” and specify correct application settings (elements inside of “<appSettings>” element):
AWStats.URL – URL to “awstats.pl” Perl script. It may be an absolute or relative URL.
AWStats.Username – Username of Windows account used to login when Windows Integrated Security is enabled. If awstats.pl is available for anonymous visitors and doesn’t require Windows authentication you may leave this setting blank.
AWStats.Password – Password for the account above.
AWStats.AuthenticationProvider – Fully qualified name of the type (a class inherited from Smbsaas.AWStats.Viewer.AuthenticationProvider) that performs authentication of the user.
Authentication Providers
AWStats Viewer comes with 2 pre-compiled providers:
1. “WebsitePanelAuthenticationProvider” provider
Description:
This provider authenticates users against the usernames/passwords of the WSP Enterprise Server.
Qualified name:
“Smbsaas.AWStats.Viewer.WebsitePanelAuthenticationProvider, AWStats.Viewer”
Settings:
“AWStats.WebsitePanelAuthenticationProvider.EnterpriseServer” – URL to WSP Enterprise Server, for example “http://localhost/EnterpriseServer”
When you put the address of your Enterprise Server in the web.config file, make sure you include the port number if you are not using the default of 80.
Example:
<add key="AWStats.DotNetPanelAuthenticationProvider.EnterpriseServer" value="http://1.2.3.4:9002"/>
2. “ConfigFileAuthenticationProvider” provider
Description:
This provider authenticates users against the usernames/passwords stored in the awstats.<some-site>.conf file of the corresponding domain.
The provider looks for the following configuration setting in the appropriate .conf file:
SiteUsers=user1=psw1;user2=psw2;…
where “user1=psw1;user2=psw2” are the user/password pairs of the users granted access to the statistics of this domain.
Qualified name:
“Smbsaas.AWStats.Viewer.ConfigFileAuthenticationProvider, AWStats.Viewer”
Settings:
“AWStats.ConfigFileAuthenticationProvider.DataFolder” – path to the folder where the domain awstats.<some-site>.conf files are stored. It may be a relative path with a “~” at the beginning or an absolute path on the disk.
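Because SiteUsers keeps each password in clear text next to its user name, it is worth auditing the .conf files in the data folder. The following is an added example, not code from AWStats.Viewer: it parses a SiteUsers line and flags weak entries. The sample file content, the 8-character threshold and the rule of splitting each pair on its first “=” are assumptions of this example.

```python
import hmac
import re

# Constructed sample of an awstats.<some-site>.conf file; the domain, users
# and passwords are made up for this example.
SAMPLE_CONF = """\
SiteDomain="example.com"
# SiteUsers=old=disabled
SiteUsers=alice=S3cure=Pass!9;bob=bob;carol=;alice=second
"""

def parse_site_users(conf_text):
    """Return (users, findings) for the last active SiteUsers line.

    Assumption: each pair is split on its first '=', so a password may
    contain '=' but never ';'. The shipped provider may split differently.
    """
    users, findings = {}, []
    lines = [l for l in conf_text.splitlines()
             if re.match(r"\s*SiteUsers\s*=", l, re.IGNORECASE)]
    if not lines:
        return users, findings
    value = lines[-1].split("=", 1)[1].strip()
    for pair in filter(None, (p.strip() for p in value.split(";"))):
        name, sep, password = pair.partition("=")
        name = name.strip()
        if not sep or not name:
            findings.append(f"malformed pair: {pair!r}")
            continue
        if name in users:
            findings.append(f"duplicate user ignored: {name}")
            continue
        users[name] = password
        if not password:
            findings.append(f"empty password: {name}")
        elif password.lower() == name.lower():
            findings.append(f"password equals username: {name}")
        elif len(password) < 8:
            findings.append(f"short password: {name}")
    return users, findings

def check_login(users, name, password):
    """Compare in constant time; unknown users and empty passwords fail."""
    stored = users.get(name, "")
    ok = hmac.compare_digest(stored.encode(), password.encode())
    return bool(stored) and ok
```

Restrict NTFS read access on the data folder to the account the application pool runs under, since anyone who can read these files can read every password in them.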
Securing AWStats
Because all requests to the “awstats.pl” Perl script will pass through the AWStats.Viewer application, you should deny direct access to the “awstats.pl” script.
We suggest two possible methods of securing “awstats.pl”:
1. Disable “Anonymous Access” and Enable “Windows Integrated Security”.
To do this open IIS Manager snap-in and open properties window for “awstats.pl” file.
On “File Security” tab click “Edit…” button in “Authentication and Access control” group.
Uncheck “Enable Anonymous Access” checkbox and check “Windows Integrated Security” one.
Click “OK” button to save changes.
After anonymous access is disabled, opening “awstats.pl” directly in the browser will prompt for Windows account credentials. You should provide the credentials of the anonymous account under which the AWStats web site (or virtual directory) is running.
If your “awstats.pl” script is not available for anonymous visitors you should specify “AWStats.Username” and “AWStats.Password” settings (see above) in web.config of the application.
2. Grant access to “awstats.pl” from local IP addresses only.
To do this open IIS Manager snap-in and open properties window for “awstats.pl” file.
On “File Security” tab click “Edit…” button in “IP address and domain name restrictions” group.
Select the “Denied access” radio button and add “127.0.0.1” (or another local IP) to the list of granted IP addresses.
Autologin Mode
AWStats.Viewer supports an autologin mode, which is well suited to integration with WSP.
To use autologin mode, provide the domain, username and password in the request URL as follows:
http://stats-web-site.com/default.aspx?domain=<domain>&username=<username>&password=<password>
where:
default.aspx – default page of AWStats.Viewer
<domain> – domain for which you want to browse the statistics
<username> – user name
<password> – password
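Autologin URLs carry the password in the query string, which IIS writes to its W3C logs whenever the cs-uri-query field is enabled. The following is an added example, not part of AWStats.Viewer: it finds such requests in a log and redacts the password value before the log is archived or shared. The log lines, addresses and credentials are constructed for the example.

```python
import re

# Constructed IIS W3C extended log lines; hosts, users and passwords are made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2010-05-01 10:00:01 203.0.113.7 GET /default.aspx domain=example.com&username=alice&password=S3cret%21 200
2010-05-01 10:00:02 203.0.113.7 GET /awstats.pl config=example.com 200
2010-05-01 10:00:09 198.51.100.4 GET /Default.aspx Domain=example.org&UserName=bob&PASSWORD=hunter2 302
"""

# Parameter names are matched case-insensitively, as in the sample above.
PASSWORD_PARAM = re.compile(r"(?i)((?:^|&)password=)[^&]*")
USERNAME_PARAM = re.compile(r"(?i)(?:^|&)username=([^&]*)")

def scrub_autologin(log_text):
    """Return (redacted_text, hits); hits are (date, time, c-ip, username)."""
    fields, out, hits = [], [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column order can change mid-file
        if line.startswith("#") or not fields:
            out.append(line)
            continue
        cols = line.split(" ")
        row = dict(zip(fields, cols))
        query = row.get("cs-uri-query", "-")
        redacted, n = PASSWORD_PARAM.subn(r"\1[REDACTED]", query)
        if n:
            user = USERNAME_PARAM.search(query)
            hits.append((row.get("date"), row.get("time"), row.get("c-ip"),
                         user.group(1) if user else None))
            cols[fields.index("cs-uri-query")] = redacted
        out.append(" ".join(cols))
    return "\n".join(out) + "\n", hits
```

Each hit identifies an account whose password has been written to disk in clear text and should be rotated.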
Release Notes
1. To open and work with the “awstats.csproj” project you need Microsoft Visual Studio.NET 2005 with the “Web Application Projects” add-on installed (http://msdn.microsoft.com/asp.net/reference/infrastructure/wap/default.aspx)