Complete Geek Boutique

Nothing in cyberspace is sacred

Protect AWSTATS from prying eyes on Mac OS 10.5 Leopard

One of the more irritating things you notice when you look at your AWSTATS totals each day is how many other people are also looking at your stats.

If you’re running an Apache server on Mac OS 10.5.5 (or earlier), including your own personal server, there is a way to password-protect your AWSTATS folder using an htpasswd file and your httpd.conf file. This should also work for earlier versions of Mac OS X. For our model, we’re running Apache 2.8.

This is a three-step procedure that you will perform in Terminal:

1. Creating an htpasswd file. This file will contain a user name and password, and that password will be MD5-encrypted.

2. Creating a directive in the /etc/apache2/httpd.conf file. Don’t worry; it’s painless. Just be sure you back up your httpd.conf before editing it … just in case.

3. Rebooting Apache.

Step 1: Creating the htpasswd file

In Terminal, either with sudo or as superuser, type this, substituting your information for the example data:

> htpasswd -cm /users/yourmacusername/.htpasswd usernameforthefile

In the example above, the “-c” stands for “create a file” and the “m” stands for “encrypt the password with MD5 encryption.” To sum up, we’re telling OS X to create an htpasswd file, put it in the /users folder under your Mac user name, name that file “.htpasswd”, and use the user name you specified. Once you enter the command above, using your own information, you will be prompted to enter a password, and you will be asked to type it again. Your file is created. Not so bad, huh?

Before you ask: Yes, you can put the file anywhere you want — just don’t put it in the Apache root, or anywhere that can be reached with a web browser. If you put it in /etc/, be sure to also change the group to either “www” or “wheel.” ‘Nuff said.

Step 2: Creating the directive in /etc/apache2/httpd.conf

The httpd.conf file is a whole lot easier to read if you have a text editor that shows line numbers, such as TextWrangler (free) or Smultron (free). You can also use TextEdit, but you won’t have line numbers. And of course, you can also use the Unix text editors such as vi, pico, or joe. Rather than give a lesson on how to use these text editors, I will just tell you what needs to be done, and you can figure out how to do it, using the text editor of your choice.

We will assume your awstats folder is in: /Library/WebServer/CGI-Executables/awstats. We will further assume that you have only put the stuff that was in the original AWSTATS wwwroot folder into that folder. In other words, we won’t have to have a complicated folder structure just to view your AWSTATS data. However, if your setup is different, just adjust the instructions below.

Open up the httpd.conf file with your text editor. If you have line numbers, you can look for Line #343. If you don’t have line numbers in your editor, search for this term (sorry, WordPress won’t let me give the exact wordage here):
CGI-Executables

Go down past that directive, which ends in </Directory>, and add these lines. Include the lines that begin with #, which are comment lines, so you can find the section again and know what this directive does. The opening Directory line names the awstats folder assumed above:

# Next directive protects awstats directory
#
<Directory "/Library/WebServer/CGI-Executables/awstats">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
    AuthName "Restricted"
    AuthType Basic
    AuthUserFile /users/yourmacusername/.htpasswd
    Require valid-user
</Directory>
#
Note we did not include your password after the term “.htpasswd” in the directive above, because the user name and password are inside that file. Thus, all you need to stipulate is the file name, which is “.htpasswd”.

Step 3: Reboot Apache

Using either sudo or su, in Terminal, type:

>apachectl graceful

That’s it. You’re all done. Now, when you request AWSTATS from your server’s CGI-bin, you’ll be presented with a log-in screen where you will enter the user name and password that are in your htpasswd file. Once you enter that information, you will see your AWSTATS data. For security’s sake, make sure you rotate passwords, and try to use letters, numbers, etc., in your passwords so it will be extremely difficult for others to guess your password.

Now, at last, only you will see your AWSTATS data. You can, of course, also add other users to your htpasswd file.

These instructions should also work for those running on UNIX/Linux or Windows servers (with some modifications). The concepts are the same.
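A pre-restart check for the three steps above, added here as an example and not part of the original post. The function names are hypothetical, and treating /Library/WebServer as the parent of everything Apache serves is an assumption; the other paths are the ones the article uses.

```shell
#!/bin/sh
# Added example (not the article's code): checks for steps 1-3.

# under_web_root FILE ROOT... -> 0 if FILE sits inside a ROOT a browser can reach.
# Compared case-insensitively, since the default Mac OS X volume treats /users as /Users.
under_web_root() {
    f=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]'); shift
    for root in "$@"; do
        root=$(printf '%s' "${root%/}" | tr '[:upper:]' '[:lower:]')
        case "$f" in "$root"/*) return 0 ;; esac
    done
    return 1
}

# all_apr1 FILE -> 0 if FILE is non-empty and every entry holds an htpasswd -m ($apr1$) hash.
all_apr1() {
    [ -s "$1" ] || return 1
    ! grep -v '^[^:]*:\$apr1\$' "$1" | grep -q .
}

# block_requires_auth CONF DIR -> 0 if CONF's <Directory DIR> block sets AuthType Basic,
# an AuthUserFile and "Require valid-user". A block pasted without its angle brackets
# is never entered, so it fails.
block_requires_auth() {
    awk -v dir="$2" '
        { line = $0; sub(/^[ \t]+/, "", line); low = tolower(line) }
        low ~ /^<directory[ \t]/ {
            path = line
            sub(/^[^ \t]+[ \t]+/, "", path); sub(/>[ \t]*$/, "", path); gsub(/"/, "", path)
            inblk = (path == dir); next
        }
        low ~ /^<\/directory>/ { inblk = 0; next }
        inblk && low ~ /^authtype[ \t]+basic/      { t = 1 }
        inblk && low ~ /^authuserfile[ \t]+[^ \t]/ { u = 1 }
        inblk && low ~ /^require[ \t]+valid-user/  { r = 1 }
        END { exit !(t && u && r) }
    ' "$1"
}

# Run with --check on the server before "apachectl graceful".
if [ "${1:-}" = "--check" ]; then
    pw=/users/yourmacusername/.htpasswd            # path from step 1
    web=/Library/WebServer                         # assumed parent of the web-served folders
    awstats=/Library/WebServer/CGI-Executables/awstats
    if under_web_root "$pw" "$web"; then echo "FAIL: $pw is inside $web"; fi
    all_apr1 "$pw" || echo "FAIL: $pw is empty or has non-MD5 entries"
    block_requires_auth /etc/apache2/httpd.conf "$awstats" || echo "FAIL: no login required for $awstats"
    apachectl configtest                           # syntax check of httpd.conf
fi
```

Run it with sudo if your account cannot read the .htpasswd file.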

This entry was posted on October 26, 2008 in Geek, Web Log Analysis.