1

Topic: awstat without authentication!?

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.5-1
- Linux/BSD distribution name and version: CentOS 7.3
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro?
- Related log if you're reporting an issue:
====

Hi, after a fresh installation, https://example.org/awstats/awstats.pl is accessible without login!
The /etc/httpd/conf.d/awstats.conf looks fine for LDAP authentication.

Any hint?


2

Re: awstat without authentication!?

Did you access this URL before? Your web browser may remember the credentials and log in automatically for you. Try another web browser.

3

Re: awstat without authentication!?

This was my first idea too. Different browser, different desktop, always the same: without login...

4

Re: awstat without authentication!?

Hmm...

Could you help test it with the steps below:

*) Comment out the LDAP auth related settings in the Awstats HTTP config file, restart Apache, access https://xxx/awstats/awstats.pl again.
*) Uncomment the LDAP auth settings, restart Apache, access again.

Any difference?

5 (edited by Bronko 2017-01-09 17:09:23)

Re: awstat without authentication!?

Damn, didn't notice that:

Require all granted

was set, and after commenting it out, it works as it should. But it isn't in your awstats.sh. Where did it come from? It was fresh and untouched after the iRedMail installation.

Btw.
I reverted your (awstats.sh) commenting-out of all Alias and ScriptAlias directives and reduced Directory back to the default /usr/share/awstats/wwwroot (/cgi-bin/ deleted) to avoid a lot of error messages like:

"...client denied by server configuration: /usr/share/awstats/wwwroot/icon/clock/hr2.png..."

in /var/log/httpd/ssl_error_log

6

Re: awstat without authentication!?

Bronko wrote:

Require all granted

This is a directive for Apache 2.4+.

Try to replace it by:

    <IfVersion < 2.4>
        Order deny,allow
        Allow from all
    </IfVersion>
    <IfVersion >= 2.4>
        Require all granted
    </IfVersion>

7 (edited by Bronko 2017-01-09 21:07:59)

Re: awstat without authentication!?

Don't understand...?

It's Apache 2.4.6 and

Require all granted

makes the LDAP authentication obsolete. But the idea was/is to have it.

8

Re: awstat without authentication!?

My misunderstanding, sorry.

In the upcoming iRedMail-0.9.6, we use a file-based auth file instead of SQL/LDAP, so that we can have Awstats for both Apache and Nginx. Since auth accounts won't be changed frequently, I suppose it's not a big deal to lose SQL/LDAP auth.

9

Re: awstat without authentication!?

No, it isn't... Thanks for support!
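
The check below is an added example, not part of the thread and not iRedMail's own code: it scans Apache 2.4 configuration text for the condition found in post 5, a `Require all granted` sitting in the same section as configured authentication, where it lets every request through without a login. The sample configuration and the `/srv/stats` path are constructed, and the scanner assumes flat (non-nested) sections in a single file.

```python
import re

# Constructed sample, not the awstats.conf that iRedMail ships; /srv/stats is made up.
SAMPLE_CONF = '''\
<Directory "/usr/share/awstats/wwwroot">
    AuthType Basic
    AuthBasicProvider ldap
    Require valid-user
    Require all granted
</Directory>
<Directory "/srv/stats">
    AuthType Basic
    # Require all granted
    <RequireAll>
        Require all granted
        Require valid-user
    </RequireAll>
</Directory>
'''

OPEN = re.compile(r'<(?:Directory|Location|Files)(?:Match)?\s+(.+?)>$', re.I)
CLOSE = re.compile(r'</(?:Directory|Location|Files)(?:Match)?>', re.I)

def find_auth_bypass(conf_text):
    """Return [(section, line_no)] where 'Require all granted' defeats configured auth."""
    findings, section, stack = [], None, []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        low = line.lower()
        if not line or line.startswith('#'):
            continue
        if m := OPEN.match(line):
            section, stack = {'name': m.group(1).strip('"'), 'auth': False, 'open': []}, []
        elif section is None:
            continue
        elif CLOSE.match(line):
            if section['auth']:
                findings += [(section['name'], n) for n in section['open']]
            section = None
        elif re.match(r'<require(all|any|none)>', low):
            stack.append(low[1:-1])
        elif low.startswith('</require') and stack:
            stack.pop()
        elif re.match(r'authtype\s+(?!none\b)\S', low):
            section['auth'] = True
        # Bare Require lines are OR-ed (implicit RequireAny), so this one admits everyone.
        elif low.split() == ['require', 'all', 'granted'] and set(stack) <= {'requireany'}:
            section['open'].append(line_no)
    return findings
```

To audit a real file, pass its contents, for example `find_auth_bypass(open('/etc/httpd/conf.d/awstats.conf').read())`; an empty list means no section mixes authentication with an unconditional grant.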