20051102

Installing Webalizer is not very difficult - I think, because I haven't really documented it when I did install it. Anyway, there was an issue with Webalizer not showing the countries and urls for the visitor statistics. This can simply be remedied by… going to the Apache httpd.conf file and turning HostnameLookups 'on':

HostnameLookups On

That's all!

20051108

Well, almost. There's one more thing to do.

The Webmin module for Webalizer stores its configuration files for each virtualHost under:

/etc/webmin/webalizer

This is important to know, because Webalizer not only reads the webalizer.conf file, but also these webmin-specific configuration files, somehow.

You want to know where your visitors came from? For instance, if they used a portal site, or a search engine where they clicked on a link to your site, you want Webalizer to show it.

In this case, too, you have to tell Apache webserver to log this information. You do this by adding the following line to the httpd.conf file:

CustomLog /var/lib/httpd/logs/access_log combined

But that's not all, because Virtualmin (Webmin's website configuration tool) also adds virtualHost sections in the httpd.conf file for each website. So, make sure that each website has the same line, telling Apache to make a “combined” log.

If you're tired of doing this manually, go to the Virtualmin module in Webmin, and select the button “Server Templates”. Here, select “Default Settings” and find the textarea called Directives and settings for new websites.

Here, replace the line

CustomLog ${HOME}/logs/access_log common

with

CustomLog ${HOME}/logs/access_log combined

I couldn't get Webalizer to consistently display the referer urls, so I decided to give Awstats a try. This is also a weblog analyzer, but it shows fancier graphics at the price of slower performance. This shouldn't be a problem for small websites, however.

I followed the instructions on http://www.dotvoid.com/view.php?id=29 and downloaded the rpm from http://dag.wieers.com/packages/awstats/.

[root@1038 /]# rpm -i --nosignature /etc/rpm/awstats-6.4-1.1.fc2.rf.noarch.rpm
[root@1038 /]# rpm -q awstats
awstats-6.4-1.1.fc2.rf
[root@1038 /]#

I quickly found out that the first website is not applicable to my situation however. So I got myself a Webmin module for Awstats instead: http://prdownloads.sourceforge.net/awstats/awstats-1.5.wbm. But Webmin had problems installing this particular download, so I took another sourceforge file from this page: http://sourceforge.net/project/showfiles.php?group_id=13764.

I then followed the documentation in http://awstats.sourceforge.net/docs/awstats_webmin.html. This does not quite cut it either, because the webmin module assumes that the Awstats tool can run under the Webmin perl webserver - which it cannot (at least not out of the box). Fortunately, the Webmin Awstats module is still very usefull for the initial configuration of a single Awstats website analyzer (after installation, you'll find the Awstats webmin module under “System > AWStats Logfile Analyzer”).

What I did, in the end, was:

1. Setting up the awstat lines for the Apache webserver's httpd.conf file manually, to:

Alias /awstatsclasses "/var/www/awstats/classes/"
Alias /awstatscss "/var/www/awstats/css/"
Alias /awstatsicons "/var/www/awstats/icon/" 
 
ScriptAlias /awstats "/var/www/awstats/"
<Directory "/var/www/awstats">
    Options None
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

Just add these lines at the end of the httpd.conf file. Make sure that the ScriptAlias directory differs from the Alias directories, or you'll end up seeing the perl script code of the awstats.pl file in your web browser.

Now take a good look at the Alias directories, and compare them with the directories of the awstats installation. There are no awstatsicons, etc. directories! So:

1. Make an awstats.dopperdude.conf file (you can use the Webmin module for this).

Look for the DirIcons= directive, and, following our example httpd.conf file, set it to:

DirIcons="/awstatsicons"

1. Now, you cannot use Webmin to check the results of your configuration, so run a check on the command line:

[root@1038 awstats]# perl awstats.pl -config=dopperdude -update
Update for config "/etc/awstats/awstats.dopperdude.conf"
With data in log file "/home/dopperdude/logs/access_log"...
Phase 1 : First bypass old records, searching new record...
Searching new records from beginning of log file...
Phase 2 : Now process new records (Flush history on disk after 20000 hosts)...
Jumped lines in file: 0
Parsed lines in file: 3275
 Found 0 dropped records,
 Found 0 corrupted records,
 Found 0 old records,
 Found 3275 new qualified records.
[root@1038 awstats]#

Looking good. Let's see how it looks in the browser:

http://www.dopperdude.com/awstats/awstats.pl?config=dopperdude

1. The query string call to the perl script is hard to remember, so let's add a few redirects:

Redirect /report/ http://www.dopperdude.com/awstats/awstats.pl?config=dopperdude
Redirect /stat/ http://www.dopperdude.com/awstats/awstats.pl?config=dopperdude

Now, there are a few more things to do: we need to limit the access to the right persons. You should not be able to do something like http://www.dopperdude.com/awstats/awstats.pl?config=solin - i.e. investigating the “solin” statistics using the “dopperdude” website!

Also, ideally the awstats.SomeSiteOrOther.conf files are set up automatically by Virtualmin, when we add new virtual hosts.

This link: http://awstats.sourceforge.net/docs/awstats_security.html is about implementing security measures for Awstats. If have chosen the 2^nd option: users get to see their stats dynamically. Another option is to serve static html pages only, which makes it possible to restrict access to the Awstats “database”. Solin's clients will be able to hack into each others' statistics if they really try, but the easy way in is blocked.

First, make a password file in the Awstats directory that contains the perl script. Use the htpasswd command with the -c parameter to create a new file, and without the -c parameter to just update the file. Be careful though: using -c on an existing file will overwrite it!

[root@1038 awstats]# pwd
/etc/awstats
[root@1038 awstats]# /www/bin/htpasswd -c awstats.pwd dopperdude
New password:
Re-type new password:
Adding password for user dopperdude

To have Apache use this awstats.pwd file, add the following directives to Apache's httpd.conf file:

<Directory "/var/www/awstats">
    Options None
    AllowOverride None
    Order allow,deny
    Allow from all
    AuthType Basic
    AuthName stats
    AuthUserFile /etc/awstats/awstats.pwd
    require valid-user
</Directory>

Now, go to http://www.dopperdude.com/awstats/awstats.pl?config=dopperdude and observe that you cannot get in unless you provide a valid username and password. This is a good thing.

To make it even better, shut this backdoor:

http://www.dopperdude.com/awstats/awstats.pl?config=solin

This backdoor allows Solin's clients to visit each others' statistics pages.

To activate the Awstats security measures, add the following lines to each awstats.someSiteOrOther.conf file:

AllowAccessFromWebToAuthenticatedUsersOnly="1"
AllowAccessFromWebToFollowingAuthenticatedUsers="dopperdude"

Of course, the users will be different for each virtual host (website).

The setup of an Awstats reporting function for a new virtual host can at least be automated partially. Take a look at the server templates for VirtualMin and add these lines:

Redirect /report/ http://www.${DOM}/awstats/awstats.pl?config=${USER}
Redirect /stat/ http://www.${DOM}/awstats/awstats.pl?config=${USER} 

There is also the option of installing the “Virtualmin AWstats Reporting” module. This add-on for Virtualmin promises to create Awstats reporting for each new virtual host. I have not had the time to figure out how (if) this works completely yet.

Here are all add-ons for Virtualmin: http://webadminmodules.sourceforge.net/?page=Virtualmin.