How To Secure AWStats

System Requirements
Internet Information Services 6.0
AWStats 6.x installed and configured
Microsoft .NET Framework 2.0

Installation and Setup


1. Download AWStats.Viewer distribution:

AWStats.Viewer 1.5.1 (for DNP 1.5.x)
AWStats.Viewer 1.0 (for DNP 1.0.3)

2. Unpack the contents of the “build” folder into the “wwwroot” folder of the AWStats installation, so that the “default.aspx” page and the “bin” folder of the application are located directly inside the “wwwroot” folder. For instance, if you have AWStats installed in the “c:\AWStats” folder and the path to its “wwwroot” is “c:\AWStats\wwwroot”, then the path to “default.aspx” will be “c:\AWStats\wwwroot\default.aspx”.

3. Open IIS Manager snap-in and open properties window for AWStats web site (or virtual directory).

4. On the “ASP.NET” tab select the “2.0.50727” version of the .NET Framework, and on the “Home Directory” (or “Virtual Directory”) tab specify the correct Application Pool for ASP.NET 2.0 applications (different from DefaultAppPool). Click the “OK” button to save changes.

5. Open the application's “web.config” and specify the correct application settings (elements inside the “<appSettings>” element):

AWStats.URL  - URL to “awstats.pl” Perl script. It may be an absolute or relative URL.

AWStats.Username - Username of the Windows account used to log in when Windows Integrated Security is enabled. If awstats.pl is available to anonymous visitors and doesn’t require Windows authentication, you may leave this setting blank.

AWStats.Password - Password for the account above.

AWStats.AuthenticationProvider - Fully qualified name of the type (a class inherited from DotNetPark.AWStats.Viewer.AuthenticationProvider) that performs authentication of the user.

Authentication Providers

AWStats Viewer comes with 2 pre-compiled providers:

1. “DotNetPanelAuthenticationProvider” provider

Description:
This provider authenticates users against the usernames/passwords of the DNP Enterprise Server.

Qualified name:
“DotNetPark.AWStats.Viewer.DotNetPanelAuthenticationProvider, AWStats.Viewer”

Settings:
“AWStats.DotNetPanelAuthenticationProvider.EnterpriseServer” – URL to the DNP Enterprise Server, for example “http://localhost/EnterpriseServer”

2. “ConfigFileAuthenticationProvider” provider

Description:
This provider authenticates users against the usernames/passwords stored in the awstats.<some-site>.conf file of the corresponding domain.

Provider looks for the following configuration setting in the appropriate .conf file:

SiteUsers=user1=psw1;user2=psw2;…

where “user1=psw1;user2=psw2” are user/password pairs of the users granted access to the statistics of this domain.

Qualified name:
“DotNetPark.AWStats.Viewer.ConfigFileAuthenticationProvider, AWStats.Viewer”

Settings:
“AWStats.ConfigFileAuthenticationProvider.DataFolder” – path to the folder where the domain awstats.<some-site>.conf files are stored. It may be a relative path with a “~” at the beginning or an absolute path on the disk.
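
The SiteUsers line keeps user/password pairs as plain text in the .conf file, so it is worth auditing. The following Python sketch is an added example, not part of AWStats.Viewer or of the original page: it parses the SiteUsers format described above and flags weak or malformed entries. The sample file contents, the 8-character threshold, the treatment of “#” lines as comments and the splitting of each pair at the first “=” are assumptions.

```python
import re

MIN_LEN = 8  # assumed policy threshold, not from the page

# Constructed sample of an awstats.<some-site>.conf file.
SAMPLE_CONF = """\
SiteDomain="example.com"
#SiteUsers=old=disabled
SiteUsers=alice=Tr4il-mix-Quartz;bob=bob;carol=;dave;alice=short1;
"""

def parse_site_users(conf_text):
    """Return (user, password) pairs from active SiteUsers= lines.
    password is None when an entry has no '=' separator."""
    pairs = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("#"):          # commented-out directive
            continue
        m = re.match(r"SiteUsers\s*=\s*(.*)$", line)
        if not m:
            continue
        for item in m.group(1).strip().strip('"').split(";"):
            item = item.strip()
            if not item:                  # trailing ';'
                continue
            # Assumption: user and password split at the first '='.
            user, sep, pwd = item.partition("=")
            pairs.append((user.strip(), pwd if sep else None))
    return pairs

def audit_site_users(conf_text, min_len=MIN_LEN):
    """Return (user, finding) tuples; passwords are never echoed."""
    findings, seen = [], set()
    for user, pwd in parse_site_users(conf_text):
        if not user or pwd is None:
            findings.append((user, "malformed entry"))
            continue
        if user.lower() in seen:
            findings.append((user, "duplicate user"))
        seen.add(user.lower())
        if pwd == "":
            findings.append((user, "empty password"))
        elif pwd.lower() == user.lower():
            findings.append((user, "password equals username"))
        elif len(pwd) < min_len:
            findings.append((user, "password shorter than %d" % min_len))
    return findings

if __name__ == "__main__":
    for user, finding in audit_site_users(SAMPLE_CONF):
        print("%s: %s" % (user, finding))
```
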

Securing AWStats
Since all requests to the “awstats.pl” Perl script will now pass through the AWStats.Viewer application, you should deny direct access to the “awstats.pl” script.

We suggest two possible methods of securing “awstats.pl”:

1. Disable “Anonymous Access” and Enable “Windows Integrated Security”.
To do this open IIS Manager snap-in and open properties window for “awstats.pl” file.
On “File Security” tab click “Edit…” button in “Authentication and Access control” group.
Uncheck “Enable Anonymous Access” checkbox and check “Windows Integrated Security” one.
Click “OK” button to save changes.

After anonymous access is disabled, opening “awstats.pl” directly in the browser window will prompt for Windows account credentials. You should provide the credentials of the anonymous account under which the AWStats web site (or virtual directory) is running.

If your “awstats.pl” script is not available to anonymous visitors, you should specify the “AWStats.Username” and “AWStats.Password” settings (see above) in the web.config of the application.

2. Grant access to “awstats.pl” from local IP addresses only.
To do this open IIS Manager snap-in and open properties window for “awstats.pl” file.
On “File Security” tab click “Edit…” button in “IP address and domain name restrictions” group.
Check “Denied access” radiobutton and add “127.0.0.1” (or other local IP) to the list of granted IP addresses.


1 comments:

  • Katrina Feduccia

    excellent listing you get hands on
