=====Webalizer=====
//20051102//



Installing Webalizer is not very difficult - I think, because I haven't really documented it when I did install it. Anyway, there was an issue with Webalizer not showing the countries and urls for the visitor statistics. This can simply be remedied by... going to the Apache ''**httpd.conf**'' file and turning ''**HostnameLookups**'' 'on':



<code c>
HostnameLookups On
</code>


That's all!





//20051108//



Well, almost. There's one more thing to do. 






====Webmin module for Webalizer====
The Webmin module for Webalizer stores its configuration files for each virtualHost under:

<code c>
/etc/webmin/webalizer
</code>


This is important to know, because Webalizer not only reads the ''**webalizer.conf**'' file, but also these webmin-specific configuration files, somehow.


====Showing referers (which website did the visitor come from?)====
You want to know where your visitors came from? For instance, if they used a portal site, or a search engine where they clicked on a link to your site, you want Webalizer to show it.

In this case, too, you have to tell Apache webserver to log this information. You do this by adding the following line to the ''**httpd.conf **''file:



<code c>
CustomLog /var/lib/httpd/logs/access_log combined
</code>


But that's not all, because Virtualmin (Webmin's website configuration tool) also adds virtualHost sections in the ''**httpd.conf**'' file for each website. So, make sure that each website has the same line, telling Apache to make a "combined" log.

If you're tired of doing this manually, go to the Virtualmin module in Webmin, and select the button "Server Templates". Here, select "Default Settings" and find the textarea called ''**Directives and settings for new websites**''. 

Here, replace the line

<code c>
CustomLog ${HOME}/logs/access_log common
</code>


with

<code c>
CustomLog ${HOME}/logs/access_log combined
</code>





=====Installing Awstats=====
I couldn't get Webalizer to consistently display the referer urls, so I decided to give Awstats a try. This is  also a weblog analyzer, but it shows fancier graphics at the price of slower performance. This shouldn't be a problem for small websites, however.

I followed the instructions on [[http://www.dotvoid.com/view.php?id=29|http://www.dotvoid.com/view.php?id=29]] and downloaded the rpm from [[http://dag.wieers.com/packages/awstats/|http://dag.wieers.com/packages/awstats/]].



<code c>
[root@1038 /]# rpm -i --nosignature /etc/rpm/awstats-6.4-1.1.fc2.rf.noarch.rpm
[root@1038 /]# rpm -q awstats
awstats-6.4-1.1.fc2.rf
[root@1038 /]#
</code>


I quickly found out that the first website is not applicable to my situation however. So I got myself a Webmin module for Awstats instead: [[http://prdownloads.sourceforge.net/awstats/awstats-1.5.wbm|http://prdownloads.sourceforge.net/awstats/awstats-1.5.wbm]]. But Webmin had problems installing this particular download, so I took another sourceforge file from this page: [[http://sourceforge.net/project/showfiles.php?group_id=13764|http://sourceforge.net/project/showfiles.php?group_id=13764]].

I then followed the documentation in [[http://awstats.sourceforge.net/docs/awstats_webmin.html|http://awstats.sourceforge.net/docs/awstats_webmin.html]]. This does not quite cut it either, because the webmin module assumes that the Awstats tool can run under the Webmin perl webserver - which it cannot (at least not out of the box). Fortunately, the Webmin Awstats module is still very usefull for the initial configuration of a single Awstats website analyzer (after installation, you'll find the Awstats webmin module under "System > AWStats Logfile Analyzer").

What I did, in the end, was:

  -Setting up the awstat lines for the Apache webserver's  ''**httpd.conf**'' file manually, to:


<code c>
Alias /awstatsclasses "/var/www/awstats/classes/"
Alias /awstatscss "/var/www/awstats/css/"
Alias /awstatsicons "/var/www/awstats/icon/" 
 
ScriptAlias /awstats "/var/www/awstats/"
<Directory "/var/www/awstats">
    Options None
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
</code>


Just add these lines at the end of the ''**httpd.conf**'' file. Make sure that the ScriptAlias directory differs from the Alias directories, or you'll end up seeing the perl script code of the awstats.pl file in your web browser.

Now take a good look at the Alias directories, and compare them with the directories of the awstats installation. There are no awstatsicons, etc. directories! So:

  -Make an awstats.dopperdude.conf file (you can use the Webmin module for this).
Look for the ''**DirIcons=**'' directive, and, following our example httpd.conf file, set it to:

<code c>
DirIcons="/awstatsicons"
</code>


  -Now, you cannot use Webmin to check the results of your configuration, so run a check on the command line:
<code c>
[root@1038 awstats]# perl awstats.pl -config=dopperdude -update
Update for config "/etc/awstats/awstats.dopperdude.conf"
With data in log file "/home/dopperdude/logs/access_log"...
Phase 1 : First bypass old records, searching new record...
Searching new records from beginning of log file...
Phase 2 : Now process new records (Flush history on disk after 20000 hosts)...
Jumped lines in file: 0
Parsed lines in file: 3275
 Found 0 dropped records,
 Found 0 corrupted records,
 Found 0 old records,
 Found 3275 new qualified records.
[root@1038 awstats]#
</code>


Looking good. Let's see how it looks in the browser:

<code c>
http://www.dopperdude.com/awstats/awstats.pl?config=dopperdude
</code>


  -The query string call to the perl script is hard to remember, so let's add a few redirects:
<code c>
Redirect /report/ http://www.dopperdude.com/awstats/awstats.pl?config=dopperdude
Redirect /stat/ http://www.dopperdude.com/awstats/awstats.pl?config=dopperdude
</code>


Now, there are a few more things to do: we need to limit the access to the right persons. You should not be able to do something like ''**http:%%//%%www.dopperdude.com/awstats/awstats.pl?config=solin**'' - i.e. investigating the "solin" statistics using the "dopperdude" website!

Also, ideally the ''**awstats.SomeSiteOrOther.conf**'' files are set up automatically by Virtualmin, when we add new virtual hosts.




====Security for Awstats====
This link: [[http://awstats.sourceforge.net/docs/awstats_security.html|http://awstats.sourceforge.net/docs/awstats_security.html]] is about implementing security measures for Awstats. If have chosen the 2<sup>nd</sup> option: users get to see their stats dynamically. Another option is to serve static html pages only, which makes it possible to restrict access to the Awstats "database". Solin's clients will be able to hack into each others' statistics if they really try, but the easy way in is blocked.


===Apache security measures===
First, make a password file in the Awstats directory that contains the perl script. Use the ''**htpasswd**'' command with the ''**-c**'' parameter to create a new file, and without the ''**-c**'' parameter to just update the file. Be careful though: using ''**-c **''on an existing file will overwrite it!

<code c>
[root@1038 awstats]# pwd
/etc/awstats
[root@1038 awstats]# /www/bin/htpasswd -c awstats.pwd dopperdude
New password:
Re-type new password:
Adding password for user dopperdude
</code>


To have Apache use this ''**awstats.pwd**'' file, add the following directives to Apache's ''**httpd.conf **''file:

<code c>
<Directory "/var/www/awstats">
    Options None
    AllowOverride None
    Order allow,deny
    Allow from all
    AuthType Basic
    AuthName stats
    AuthUserFile /etc/awstats/awstats.pwd
    require valid-user
</Directory>
</code>


Now, go to [[http://www.dopperdude.com/awstats/awstats.pl?config=dopperdude|http://www.dopperdude.com/awstats/awstats.pl?config=dopperdude]] and observe that you cannot get in unless you provide a valid username and password. This is a good thing.

To make it even better, shut this backdoor:

[[http://www.dopperdude.com/awstats/awstats.pl?config=dopperdude|http://www.dopperdude.com/awstats/awstats.pl?config=solin]] 

This backdoor allows Solin's clients to visit each others' statistics pages.




===Awstats security measures===
To activate the Awstats security measures, add the following lines to each ''**awstats.someSiteOrOther.conf**'' file:

<code c>
AllowAccessFromWebToAuthenticatedUsersOnly="1"
AllowAccessFromWebToFollowingAuthenticatedUsers="dopperdude"
</code>


Of course, the users will be different for each virtual host (website).




====Automating the setup of Awstats for new virtual hosts====
The setup of an Awstats reporting function for a new virtual host can at least be automated partially. Take a look at the server templates for VirtualMin and add these lines:



<code c>
Redirect /report/ http://www.${DOM}/awstats/awstats.pl?config=${USER}
Redirect /stat/ http://www.${DOM}/awstats/awstats.pl?config=${USER} 
</code>


There is also the option of installing the "**Virtualmin AWstats Reporting**" module. This add-on for Virtualmin promises to create Awstats reporting for each new virtual host. I have not had the time to figure out how (if) this works completely yet.

Here are all add-ons for Virtualmin: [[http://webadminmodules.sourceforge.net/?page=Virtualmin|http://webadminmodules.sourceforge.net/?page=Virtualmin]].