Securing awstats with htaccess

awstats

I'm trying to configure awstats in a way that I have a site that is not authenticated, and another site that is authenticated.
More specifically
domain/awstats/awstats.pl?config=X shouldn't be authenticated
domain/awstats/awstats.pl?config=Y should be authenticated

after a lot of searching I haven't found any solution due to the fact that this is query-string related.

Best Answer

Off the top of my head, here's one way you could do it. Start by putting awstats on a virtual host that only listens to localhost...

<VirtualHost 127.0.0.1:8080>
...
</VirtualHost>

Inside that virtual host, include RewriteRules that translate path-based URLs into the appropriate query strings:

RewriteRule /awstats/config/(.*) /awstats/awstats.pl?config=$1

With this in place, you can access:

/awstats/awstats.pl?config=X

Using:

/awstats/config/X

But note that, at the moment, this is all available only via localhost. We haven't yet established external connectivity. For that, we're going to put <Location> blocks in your main server config that will:

Implement the necessary access controls
Proxy requests to the "internal" virtual host

Like this:

<Location /awstats/config/X>
  ProxyPass http://localhost:8080/awstats/config/X
</Location>

<Location /awstats/config/Y>
  AuthType Basic
  AuthName "awstats X"
  AuthBasicProvider file
  AuthUserFile /path/to/htpasswd
  require valid-user

  ProxyPass http://localhost:8080/awstats/config/Y
</Location>

This is all off-the-cuff, so it's entirely possible that there are some errors here, but the basic idea is sound.

Best Answer

Related Solutions

Awstats not showing visitors

Tracking 301 redirects with awstats

Related Topic