Cheap VPS & Xen Server

Residential Proxy Network - Hourly & Monthly Packages

How To Install, Secure, And Automate AWStats (CentOS/RHEL)

AWStats is a free and very powerful tool that generates advanced web, streaming, ftp or mail server statistics, graphically. It can analyze log files from all major server tools and convert them into nice graphical display. There are a lot of articles out there for AWStats, the reason I decided to write this one was to consolidate all the different tips and tricks I’ve learned through my journey into one comprehensive article associating the fantastic efforts of so many out there. There are a few methods of installing AWStats, this article will describe the simpler method of the two utilizing YUM.

This article assumes that you have root/sudo access to achieve all the goals required for a functional setup. This article also assumes you have SELinux set to permissive or disabled and that IPTables configuration is either disabled or customized for AWStats. Let’s begin.



Add RPMForge Yum Repository:

For x86 (32-bit) systems:

rpm -Uhv

from Dag Wieers.

For x64 (64-bit) systems:

rpm -Uhv

from Dag Wieers.


Install & Configure Prerequisites

Install Apache:

yum install httpd

Configure Apache to start on boot:

/sbin/chkconfig –levels 345 httpd on

Configure iptables to allow Apache traffic:

/sbin/iptables -I INPUT -p tcp –dport 80 -j ACCEPT
/etc/init.d/iptables save
/etc/init.d/iptables restart


Install & Configure AWStats

Now that YUM has its additional repository we are ready to install. From the commandline type:

yum install awstats

Modify AWStats Apache Configuration:

Edit /etc/httpd/conf.d/awstats.conf (Note: When putting your conf file in the /etc/httpd/conf.d/ folder it’s automatically loaded as part of the Apache configuration. There is no need to add it again into httpd.conf. This setup is usually for one of two reasons; A cleaner approach and separating of different applications in their own configuration files, or you are in a hosted environment that does not allow for direct editing of httpd.conf):

Alias /awstats/icon/ /var/www/awstats/icon/

ScriptAlias /awstats/ /var/www/awstats/
<Directory /var/www/awstats/>
        Options ExecCGI
        order deny,allow
        allow from all

Alias /awstatsclasses "/var/www/awstats/lib/"
Alias /awstats-icon/ "/var/www/awstats/icon/"
Alias /awstatscss "/var/www/awstats/examples/css"

Note: the mod_cgi module of Apache must be pre-loaded into Apache otherwise Apache will not try to view the file, it will try to execute it. This can be done in two ways, either enable for the entire web server, or utilizing VirtualHosts, enable for AWStats.

Edit the following lines in the default awstats configuration file /etc/awstats/awstats.localhost.localdomain.conf:

SiteDomain="<server name>.<domain>"
HostAliases="<any aliases for the server>"

Rename config file:

mv /etc/awstats/awstats.localhost.localdomain.conf /etc/awstats/awstats.<server name>.<domain>.conf

Update Statistics (Note: By default, statistics will be updated every hour.):

/usr/bin/ now -confdir=”/etc” -awstatsprog=”/var/www/awstats/”

Start Apache:

/etc/init.d/httpd start

To automate startup of Apache on boot up, type

chkconfig –add httpd


Verify Install

Go to http://<server name>.<domain>/awstats/<server name>.<domain>

Securing AWStats

Setting File System Permissions

The webserver needs only read-access to your files in order for you to be able to access AWStats from the browser. Limiting your own permissions will keep you from accidentally messing with files. Just remember that with this setup you will have to run Perl to execute scripts rather than executing the scripts themselves.

$ find ./awstats -type d -exec chmod 701 ‘{}’ \;
$ find ./awstats -not -type d -exec chmod 404 ‘{}’ \;

Apache doesn’t need direct access to AWStats configuration files therefore we can secure them tightly and not affect the relationship between them. To ensure that your .htaccess files are not readable via browser:

chmod 400 /etc/awstats/*.conf


Protecting The AWStats Directory With And Adding .htaccess

To secure the Awstats folder(s), is a measured process. Ensuring ownership of the AWStats folder is owned by the user that needs access to it, creating an htpasswd.users file and adding the corresponding .htaccess file to authenticate against it. Let’s first secure the AWStats folder by typing the below from the command-line:

find ./awstats -type d -exec chmod 701 ‘{}’ \;
find ./awstats -not -type d -exec chmod 404 ‘{}’ \;

Now that our folders have been secured, we’ll need to create the .htpasswd.users file. Go to the /etc/awstats folder and execute the following command:

htpasswd -c /etc/awstats/htpasswd.users user

(Select whatever username you’d like.)

It’ll ask you to add a password for the user you’ve selected, add it and re-type it for confirmation and then save. The final step is to create a .htaccess file pointing to the .htpasswd file for authentication. Go to /var/www/awstats/ and create a new file called .htaccess using your favorite editor, typically nano or vi tend to be the more popular ones. In this example, we’ll use vi. From the command line type

vi .htaccess

An alternate method of creating a .htaccess file is using the Htaccess Password Generator. Add the following content to your newly created .htaccess file:

AuthName "STOP - Do not continue unless you are authorized to view this site! - Server Access"
AuthType Basic
AuthUserFile /etc/awstats/htpasswd.users
Require valid-user
htpasswd -c /etc/awstat/htpasswd.users awstats_online

Once done, secure the .htaccess file by typing:

chmod 404 awstats/.htaccess

Running AWStats Over An SSL Connection

If the above mentioned secure tactics aren’t enough, you can also choose to run AWStats over an SSL connection. Prior to configuring, ensure that your web server has the appropriate configurations in place to support SSL. To create a self-signed SSL certificate for Apache, follow the instructions below:


Create A Certificate

OpenSSL should be installed on the server as this will be used to create the keys. Install on a CentOS or RHEL5 server. Move into the /etc/pki/tls/certs/ directory:

yum install mod_ssl

Create a RSA private key for the server:

# openssl genrsa -des3 -out server.key 1024

Generating RSA private key, 1024 bit long modulus
Enter pass phrase for server.key:
Verifying – Enter pass phrase for server.key:

# openssl rsa -noout -text -in server.key

Enter pass phrase for server.key:

Create a Certificate Signing Request with the server’s RSA private key:

# openssl req -new -key server.key -out server.csr

Enter pass phrase for server.key:

You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank. For some fields, there will be a default value,

If you enter ‘.’, the field will be left blank.

Country Name (2 letter code) [GB]:JO
State or Province Name (full name) [Berkshire]:State
Locality Name (eg, city) [Newbury]: Your Location
Organization Name (eg, company) [My Company Ltd]:My Company
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server’s hostname) []
Email Address []:
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []: If you hit enter here, it will be empty
An optional company name []:

# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Signature ok

subject=/C=JO/ST=State/L=Your Location/O=My Company/ Getting Private key

Enter pass phrase for server.key:

# cp server.crt /etc/pki/tls/certs/
# cp server.key /etc/pki/tls/private/
# cp server.csr /etc/pki/tls/private

Add permissions to each key:

# chmod go-rwx /etc/pki/tls/certs/server.crt
# chmod go-rwx /etc/pki/tls/private/server.key
# chmod go-rwx /etc/pki/tls/private/server.csr

Edit your httpd.conf (CentOS) and add these lines:

SSLCertificateFile /etc/pki/tls/certs/server.crt
SSLCertificateKeyFile /etc/pki/tls/private/server.key

Verify that the server is now listening on port 443. Now go into the /var/www/html/ directory.

netstat -aunt

Active Internet connections (servers and established)

Proto Recv-Q Send-Q Local Address Foreign Address State

tcp 0 0* LISTEN
tcp 0 0* LISTEN
tcp 0 0* LISTEN


Configuring Apache With SSL

Use https:// to access the web page instead of http://; when you access the webpage you will see the request to accept the self-signed certificate. If you are not asked to accept a certificate, review your configuration. In your .htaccess file add the following (modify the URL according to your install):

# redirect awstats to https
RewriteCond %{REQUEST_URI} ^/awstats(.*)
RewriteRule ^/rawe/awstats(.*)$$1 [R,L]

In your file modify the below entry to reflect your SSL connection:

Version : 4.0+
# When AWStats build HTML links in its report pages, it starts thoose link
# with "http://". However some links might be HTTPS links, so you can enter
# here the root of all your HTTPS links. If all your site is a SSL web site,
# just enter "/".
# This parameter is not used if ShowLinksOnUrl is 0.
# Example: "/shopping"
# Example: "/"
# Default: ""


Automate Updating Of AWStats With Cron

In order to avoid updating AWStats manually, you can create a cron job. There are several different schedules that can be applied; my recommended one is doing so daily to avoid adding overhead to the web server if your site generates a lot of traffic. To accomplish this:

$ crontab -e

VIM opens up. Hit i and enter the following line: The Letter i is for “insert”.

45 9 * */usr/bin/ now -confdir="/etc" -awstatsprog="/var/www/awstats/"

This cron job will update AWStats at 9.45am on a daily basis. -confdir=”/etc” refers to all your config files inside AWStats.

Make sure there is a trailing empty line at the end of your crontab file (after your last command-line). Then hit “[Escape]” to leave the editing mode and type 😡 or ZZ to save the file and close VIM. You can also use a logrotate setup via apache which is easy and effective:

Edit /etc/logrotate.d:

/var/log/httpd/*log {
/etc/init.d/httpd reload > /dev/null 2>&1 || true


Cron Job For Many Configuration Files

If you have many config files, adding lots of cron jobs may not be very comfortable. In that case, you might want to make use of, a tool that comes with AWStats, by choosing this alternative cron job (without line breaks):

15 4 * * * perl $HOME/awstats/tools/ now -awstatsprog=$HOME/awstats/cgi-bin/ -configdir=$HOME/awstats/cgi-bin/

Using will call and run an update for all config-files to be found in the specified directory (awstats/cgi-bin). Since in this case is being executed you need to make sure that permissions are set accordingly:

$ chmod 504 awstats/cgi-bin/

This will allow yourself and thus your cronjob to execute


Configuring Addons For AWStats

Normally Hostname lookups are done via DNS where Apache will enter information into a dns.txt file and Awstats will utilize that file to resolve the location of visiting countries (or people). If traffic on your site is high this may cause overhead slowing down the performance of AWStats (and Apache). A different method of accomplishing the same task and reducing the overhead is using an add-on module called GeoIP. Here is a very nice article GeoIP Information for AWStats (all credit goes to them) detailing the steps.

There you have it, you are ready to go. There are so many things you can do with Awstats I’d suggest you research additional topics such as ExtraSections, performance configurations, etc…