Dotnetpanel Forums

Who said AWStats is insecure?

We are glad to announce AWStats.Viewer - the tool that allows to secure access to AWStats CGI script. AWStats Viewer comes with a full source code and it is a good example of how 3rd party program can be integrated with DotNetPanel EnterpriseServer.
AWStats Viewer comes with "DotNetPanelAuthenticationProvider" and "ConfigFileAuthenticationProvider" pre-compiled providers. Other user authentication mechanisms can be added by means of implementing custom AuthenticationProvider classes.

System Requirements
Internet Information Services 6.0
AWStats 6.x installed and configured
Microsoft.NET Framework 2.0

Installation and Setup
1. Download AWStats.Viewer distribution:

AWStats.Viewer 1.5.1 (for DNP 1.5.x): http://www.dotnetpanel.com/Portals/0/AWStats.Viewer-1.5.1.zip
AWStats.Viewer 1.0 (for DNP 1.0.3): http://www.dotnetpanel.com/Portals/0/AWStats.Viewer-1.0.zip

2. Unpack the contents of "build" folder to "wwwroot" folder of AWStats installation so, "default.aspx" page and "bin" folder of the application are located right inside of "wwwroot" folder. For instance, if you have AWStats instaled in "c:\AWStats" folder and path to its "wwwroot" is "c:\AWStats\wwwroot" then the path to "default.aspx" will be "c:\AWStats\wwwroot\default.aspx"

3. Open IIS Manager snap-in and open properties window for AWStats web site (or virtual directory).

4. On "ASP.NET" tab select "2.0.50727" version of the .NET Framework and on "Home Directory" (or "Virtual Directory") tab specify correct Application Pool for ASP.NET 2.0 applications (different from DefaultAppPool). Click "OK" button to save changes.

5. Open application "web.config" and specify correct application settings (elements inside of
 "<appSettings>" element):

   AWStats.URL  - URL to "awstats.pl" Perl script. It may be an absolute or relative URL.
  
   AWStats.Username - Username of Windows account used to login when Windows Integrated Security is enabled. If awstats.pl is available for anonymous visitors and doesn't require Windows authentication you may leave this setting blank.
      
   AWStats.Password - Password for the account above.
  
   AWStats.AuthenticationProvider - Full-quialified name of the type (class inherited from DotNetPark.AWStats.Viewer.AuthenticationProvider) performing authentication of the user.

Authentication Providers

AWStats Viewer comes with 2 pre-compiled providers:

1. "DotNetPanelAuthenticationProvider" provider

 Description:
  Provider allows to authenticate users against usernames/passwords of the DNP Enterprise Server.
 
 Qualified name:
  "DotNetPark.AWStats.Viewer.DotNetPanelAuthenticationProvider, AWStats.Viewer"
  
 Settings:
  "AWStats.DotNetPanelAuthenticationProvider.EnterpriseServer" - URL to DNP Enterprise Server, for example "http://localhost/EnterpriseServer"

2. "ConfigFileAuthenticationProvider" provider

 Description:
  Provider allows to authenticate users against usernames/passwords stored in the awstats.<some-site>.conf file of the corresponding domain.
 
  Provider looks for the following configuration setting in the appropriate .conf file:
 
   SiteUsers=user1=psw1;user2=psw2;...
   
   where "user1=psw1;user2=psw2" are user/password pairs of users granted to access the statistics of this domain.

 Qualified name:
  "DotNetPark.AWStats.Viewer.ConfigFileAuthenticationProvider, AWStats.Viewer"
  
 Settings:
  "AWStats.ConfigFileAuthenticationProvider.DataFolder" - path to the folder where domain awstats.<some-site>.conf files are stored. It may be a relative path with a "~" at the beginning and  an absolute path on the disk.

Securing AWStats
As soon as all requests to "awstats.pl" Perl script will be passing through AWStats.Viewer application
you should deny direct access to "awstats.pl" script.

We suggest two possible methods of securing "awstats.pl":

1. Disable "Anonymous Access" and Enable "Windows Integrated Security".
   To do this open IIS Manager snap-in and open properties window for "awstats.pl" file.
   On "File Security" tab click "Edit..." button in "Authentication and Access control" group.
   Uncheck "Enable Anonymous Access" checkbox and check "Windows Integrated Security" one.
   Click "OK" button to save changes.
  
   After disabling anonymous access opening "awstats.pl" right in the browser window will ask for
   Windows account credentials. You should provide the credentials of anonymous account under which AWStats web site (or virtual directory) is running.
  
   If your "awstats.pl" script is not available for anonymous visitors you should specify "AWStats.Username" and "AWStats.Password" settings (see above) in web.config of the application.

2. Grant access to "awstats.pl" from local IP addresses only.
   To do this open IIS Manager snap-in and open properties window for "awstats.pl" file.
   On "File Security" tab click "Edit..." button in "IP address and doname name restrictions" group.
   Check "Denied access" radiobutton and add "127.0.0.1" (or other local IP) to the list of granted IP addresses.
  

Release Notes
1. To open and work with "awstats.csproj" project you need Microsoft Visual Studio.NET 2005 and installed "Web Application Projects" add-on (http://msdn.microsoft.com/asp.net/reference/infrastructure/wap/default.aspx)

Please, let us know if you have an idea how this tool can be improved or find any bug.

All our existing DotNetPanel customers can send request for the installation of AWStats.Viewer.

Thanks for the tutorial.  I have followed this using a dedicated IP but I am having an issue; can someone check I have made the correct settings.

I get the following error when using the domain prefixed without www:

System.UriFormatException: Invalid URI: The hostname could not be parsed. at System.Uri.CreateThis(String uri, Boolean dontEscape, UriKind uriKind) at System.Net.WebRequest.Create(String requestUriString) at DotNetPark.AWStats.Viewer.Default.GetWebDocument(String url)

I get the following 'friendly' error when using the domain prefixed with www:

Advanced statistics is not enabled for the specified domain. Login to control panel, open 'My Resources -> Advanced Statistics' page and add a new statistics site.

Edited: the statistics site has been created for the specific domain.

The most probably reason of this error is wrong URL to AWStats.

Also, do not prefix domain with "www." as it would not be found on the system. We'll add this check to the next version.

There is a lot of different references to AWStats i.e. DNS settings, IP settings etc...I have tried virtual and physical path in the web.config file for AWStats and the authentication provider...

i.e. <add key="AWStats.URL" value="C:\AWStats\wwwroot\cgi-bin\awstats.pl"/>
or <add key="AWStats.URL" value="~\cgi-bin\awstats.pl"/>

Well, there (in AWStats Viewer's web.config) should be a URL, something like http://statsserver.com/cgi-bin/awstats.pl or "/awstats/cgi-bin/awstats.pl".

 

All the URL's to AWStats are fine, in the web.config and in DNP. 

I have found an issue although I still haven't resolved it yet so don't know if this is the cause of the exception...it seems to be with the data folder declared by 'DirData' in the .conf files.

They would declare them as "." I guess placing the data in the root of awstats, in my case "D:\AWStats\Data" but this directory does not exist, nor does it in any other directory.

I would like some insight into your assembly please.  Does it perform the creation of the html file in code, which contains the statistics and then updates that via the UpdateStats.bat?  Or does the UpdateStats.bat simply update something, which should be in the data directory by using the .conf files settings and then the assembly retreives that data in code, generates a html file to be viewed in a browser?

One thing is certain, I can't find the data file.  Also, normally when setting up AWStats manually, you generate html files from a command prompt and then these either retreive the data from the data directory or contain the data when they are generated; viewing the html file would be your statistics page.  Do you use a different method for generating and displaying the html statistic pages?

 

Hi, I beleive I have found the issue....although I need my licence key unblocked please?!

AWStats doesn't like being installed on the partitioned drive D:\ for whatever reason?  Possibly my configuration but I haven't got the time to fiddle with it right now.  All my data is on a partitioned drive so I can re-image the system drive at any point without loosing data...but because it doesn't work, i'll make an exception.  Therefore I was reinstalling AWStats on my system drive and re-configuring the links in DNP when it said it had blocked my licence for some reason?  Did changing the drive letter give it the impression of being installed on mutilple servers?  Anyhow, would you please unblock my licence key

Interesting enough. Is that NTFS partition?

Matt Morrison:

All the URL's to AWStats are fine, in the web.config and in DNP. 

I have found an issue although I still haven't resolved it yet so don't know if this is the cause of the exception...it seems to be with the data folder declared by 'DirData' in the .conf files.

They would declare them as "." I guess placing the data in the root of awstats, in my case "D:\AWStats\Data" but this directory does not exist, nor does it in any other directory.

I would like some insight into your assembly please.  Does it perform the creation of the html file in code, which contains the statistics and then updates that via the UpdateStats.bat?  Or does the UpdateStats.bat simply update something, which should be in the data directory by using the .conf files settings and then the assembly retreives that data in code, generates a html file to be viewed in a browser?

You should schedule UpdateStats.bat in order to calculate statistics on timely basis. That UpdateStats.but will fill "Data" folder with data.

Matt Morrison:

One thing is certain, I can't find the data file.  Also, normally when setting up AWStats manually, you generate html files from a command prompt and then these either retreive the data from the data directory or contain the data when they are generated; viewing the html file would be your statistics page.  Do you use a different method for generating and displaying the html statistic pages?

By default AWStats generates its internal files with aggregated data. Those files are used to display statistics. AWStats can generate static HTML and XML files too.

thanks for the info.  I have re-installed and the same exception for the URL occurs.  I do have the updatestats.bat working now (it writes to a data directory and creates those .txt file just fine) but still I can't open the stats page?!  I have double checked all links in web.config and DNP and I can't see any issues at all?

Try to see the stats for some web site:

http://<awstats_site>/cgi-bin/awstats.pl?config=<domain.com>

Does it work?

I typed in http://stats.collectableprints.co.uk/cgi-bin/awstats.pl?config=collectableprints.co.uk 

It gave me the network login because I've secured awstat.pl but when I get passed that I get 'the page can not be found'.

Just for anyone reading these posts, it has now been resolved thanks to Feodor The issue was I did not have the web service extension allowed in IIS for perl cgi

Does this work with webportal

Yes, it will work with any client as it depends on Enterprise Server only.