httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Mehler <>
Subject Re: [users@httpd] awstats removing script path and authentication check
Date Tue, 03 Apr 2018 21:40:06 GMT

Thank you. Do you have a setup similar to mine?

Does this configuration look better? I took out the <location> entries
and put the authentication section that was previously in it in the
awstats cgi directory.


# awstats
Alias /awstatsclasses "/usr/local/www/awstats/classes/"
Alias /awstatscss "/usr/local/www/awstats/css/"
Alias /awstatsicons "/usr/local/www/awstats/icon/"
ScriptAlias /awstats/ "/usr/local/www/awstats/cgi-bin/"

     <Directory "/usr/local/www/awstats/">
         Options None
         AllowOverride None
         Require all granted

     <Directory "/usr/local/www/awstats/cgi-bin/">
         Options ExecCGI
         AddHandler cgi-script .cgi .pl

# This is to force authentication when trying to access /awstats
# mod_authn_core and mod_auth_basic configuration
# for mod_authn_dbd
AuthType Basic
AuthName "Awstats Access"
# To cache credentials, put socache ahead of dbd here
AuthBasicProvider socache dbd
# Also required for caching: tell the cache to cache dbd lookups!
AuthnCacheProvideFor dbd
#AuthnCacheContext my-server
 # mod_authn_dbd SQL query to authenticate a user
AuthDBDUserPWQuery "SELECT passwd FROM auth WHERE username = %s AND active=1"
require valid-user

On 4/3/18, Eric Covener <> wrote:
> On Tue, Apr 3, 2018 at 9:32 AM, David Mehler <> wrote:
>> Hello,
>> I've got two questions both about running awstats in a multiple domain
>> setup on apache 2.4.
>> I've got the below block in each of my ssl-enabled virtual hosts that
>> use awstats. Everything is working. First of all can I get a
>> confirmation that my authentication and authorization settings are
>> good?
> It is unwise to use Location for this, because a subtly different URL
> might lead to the CGI on disk -- which is not even hypothetical in
> this case!
> Use Directory for the auth (you have the cfg section already) so it
> doesn't matter how you get there.
>> Second, currently I have to:
>> which does work. I'd like to change things so that the last
>> is not needed so that users can just go to:
> Since the static elements are in separate dirs (from you Alias
> directives), it might be safe to access the script as /awstats. But
> generally you want to avoid stripping things like segments as it will
> screw with the other relative stuff.
>> and they'll be prompted for a username/password and then be able to use
>> awstats.
>> # awstats
>> Alias /awstatsclasses "/usr/local/www/awstats/classes/"
>> Alias /awstatscss "/usr/local/www/awstats/css/"
>> Alias /awstatsicons "/usr/local/www/awstats/icon/"
>> ScriptAlias /awstats/ "/usr/local/www/awstats/cgi-bin/"
> I guess the above does not work. ScriptAliasMatch might be more
> clear/concise and will work.
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message