Opened 7 years ago
Last modified 6 years ago
#2142 new task
Make log files on Downloads not public
Reported by: | wildintellect | Owned by: |
---|---|---|---
Priority: | major | Milestone: |
Component: | SysAdmin | Keywords: |
Cc: | | |
Description
User reported on SAC mailing list that awstats logs are publicly available on http://download.osgeo.org/logs
We should at least restrict to OSGeo login, if not hide from the web entirely for user privacy.
Change History (10)
comment:1 by , 7 years ago
Priority: | normal → major
---|---
comment:2 by , 6 years ago
comment:4 by , 6 years ago
Replying to strk:
How about restricting access to LDAP users?
Sounds very good to me. And the EU GDPR will be in place in a few days...
BTW: This is how FSFE handles that:
comment:5 by , 6 years ago
Replying to strk:
How about restricting access to LDAP users?
Do you think that'll suffice? In fact this would mean that thousands of dummy accounts we have in LDAP would still have access to the relevant logs. As a compromise, what about excluding IPs from the logs by defining a custom log format?
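An added example, not from this ticket or from OSGeo's own tooling, of the "keep the logs out of the IP business" idea above: instead of dropping the host field (which awstats' combined-format parser still expects), the client address is truncated to a /24 (IPv4) or /48 (IPv6) before the line reaches awstats, so per-visitor tracking is lost while counting still works. The log lines and the field layout (Apache "combined" format, host first) are constructed assumptions.

```python
import ipaddress
import re

# Apache "combined" log line: the client host is the first whitespace-delimited
# field; everything after it is kept verbatim so awstats can still parse the line.
_HOST_RE = re.compile(r"^(\S+)(\s.*)$")


def truncate_ip(host: str) -> str:
    """Zero the host bits: IPv4 -> /24, IPv6 -> /48. Non-IP values pass through."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host  # a hostname or "-" (missing field): leave untouched
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def anonymize_line(line: str) -> str:
    """Replace the client host of one combined-format line; malformed lines pass through."""
    line = line.rstrip("\n")
    m = _HOST_RE.match(line)
    if not m:
        return line
    return truncate_ip(m.group(1)) + m.group(2)


def anonymize_log(lines):
    """Apply anonymize_line to an iterable of log lines, returning a list."""
    return [anonymize_line(ln) for ln in lines]


# Constructed sample lines (RFC 5737 / RFC 3849 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.42 - - [20/May/2018:10:43:01 +0000] "GET /stats/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '2001:db8:abcd:1234::7 - - [20/May/2018:10:43:05 +0000] "GET /logs/ HTTP/1.1" 403 199 "-" "curl/7.58"',
    '- - - [20/May/2018:10:43:09 +0000] "GET / HTTP/1.1" 200 88 "-" "-"',
]

if __name__ == "__main__":
    for out in anonymize_log(SAMPLE_LOG):
        print(out)
```

Run it as a filter between log rotation and awstats (or on the rotated file before awstats reads it); the original access log still has to be protected separately.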
comment:6 by , 6 years ago (follow-up: comment:7)
The logfiles are outdated - who/what is using these logfiles?
comment:7 by , 6 years ago
Replying to jef:
The logfiles are outdated - who/what is using these logfiles?
They are not outdated. Just sort by "Last modified" column:
```
Index of /logs

Name                                          Last modified      Size
Parent Directory                                                 -
awstats022018.download.osgeo.org.tmp.5858     20-May-2018 10:43  98M
awstats022018.download.osgeo.org.tmp.5851     20-May-2018 10:43  98M
awstats022018.download.osgeo.org.tmp.5945     20-May-2018 10:43  98M
dnscachelastupdate.download.osgeo.org.hash    16-Feb-2018 06:31  20K
awstats022018.download.osgeo.org.txt          16-Feb-2018 06:31  97M
...
```
download:~$ cat /etc/awstats/awstats.download.osgeo.org.conf
Used by http://download.osgeo.org/stats/
which is
- not password protected either :(
- not https
comment:8 by , 6 years ago
It was outdated - processing stopped on Feb 16th, because access to the download access.log was changed and awstats wasn't able to access it anymore. The rotation of the logs also stopped back then. /var/log/apache2/download_access_log.1 is from Feb 11 and the current download_access_log is 16GB big - awstats.pl is still processing it...
AFAIK the logs in question don't need to be public anyway - awstats.pl will use them internally to produce the page.
comment:9 by , 6 years ago
/stats/ is now password protected (username/password added to access.txt on secure)
comment:10 by , 6 years ago
BTW DirData="/var/lib/awstats"
is the default - not sure why that was changed to a public location.
I suspect that any method of making logs available in a "convenient" (TM) manner will be subject to laziness .... pardon, abuse. Thus, how about removing awstats and webalizer entirely?