Opened 7 years ago

Closed 12 days ago

#2142 closed task (invalid)

Make log files on Downloads not public

Reported by: wildintellect
Owned by: sac@…
Priority: major
Milestone:
Component: SysAdmin
Keywords:


User reported on SAC mailing list that awstats logs are publicly available on

We should at least restrict to OSGeo login, if not hide from the web entirely for user privacy.

Change History (11)

comment:1 by fgdrf, 7 years ago

Priority: normal → major

comment:2 by martin, 7 years ago

I suspect that any method of making logs available in a "convenient" (TM) manner will be subject to laziness ... pardon, abuse. Thus, how about removing awstats and webalizer entirely?

comment:3 by strk, 7 years ago

How about restricting access to LDAP users?

in reply to:  3 comment:4 by neteler, 7 years ago

Replying to strk:

How about restricting access to LDAP users?

Sounds very good to me. And the EU GDPR will be in place in a few days...

BTW: This is how FSFE handles that:

in reply to:  3 comment:5 by martin, 7 years ago

Replying to strk:

How about restricting access to LDAP users?

Do you think that'll suffice? In fact this would mean that thousands of dummy accounts we have in LDAP would still have access to the relevant logs. As a compromise, what about excluding IPs from the logs by defining a custom log format?

Last edited 7 years ago by martin

comment:6 by jef, 7 years ago

The logfiles are outdated - who/what is using these logfiles?

in reply to:  6 comment:7 by neteler, 7 years ago

Replying to jef:

The logfiles are outdated - who/what is using these logfiles?

They are not outdated. Just sort by "Last modified" column:

Index of /logs
[ICO]	Name	Last modified	Size	Description
[DIR]	Parent Directory	 	- 	 
[ ]	20-May-2018 10:43 	98M	 
[ ]	20-May-2018 10:43 	98M	 
[ ]	20-May-2018 10:43 	98M	 
[ ]	16-Feb-2018 06:31 	20K	 
[TXT]	        16-Feb-2018 06:31 	97M	 

download:~$ cat /etc/awstats/

Used by

which is

  • not password protected either :(
  • not https

comment:8 by jef, 7 years ago

It was outdated - processing stopped on Feb 16th, because access to download access.log was changed and awstats wasn't able to access it anymore. The rotation of the logs also stopped back then. /var/log/apache2/download_access_log.1 is from Feb 11 and current download_access_log is 16GB big - is still processing it...

AFAIK the logs in question don't need to be public anyway - will use them internally to produce the page.

Version 1, edited 7 years ago by jef

comment:9 by jef, 7 years ago

/stats/ is now password protected (username/password added to access.txt on secure)

comment:10 by jef, 7 years ago

BTW DirData="/var/lib/awstats" is the default - not sure why that was changed to a public location.

Last edited 7 years ago by jef
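
The mitigations raised in comments 5, 9 and 10 (a custom log format without client IPs, password protection for /stats/, and awstats data kept out of the web root) could look like this on Apache 2.4. This is an added example, not part of the ticket and not the OSGeo configuration; the `combined_noip` nickname, the web-root path and the password-file path are assumptions.

```apache
# Added example for Apache 2.4. Paths marked "assumed" are placeholders.

# 1. Custom log format without client addresses (comment 5).
#    Same field layout as the stock "combined" format, but %h (remote host)
#    is replaced by the literal 0.0.0.0, so no visitor IP reaches the disk.
LogFormat "0.0.0.0 %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined_noip
CustomLog /var/log/apache2/download_access_log combined_noip

# 2. Never serve the raw log directory.
#    Assumed filesystem location behind the public "Index of /logs" page.
<Directory "/srv/www/download/logs">
    Require all denied
</Directory>

# 3. Password-protect the statistics pages (comment 9).
<Location "/stats/">
    # Basic auth sends the password unencrypted, so refuse plain HTTP.
    SSLRequireSSL
    AuthType Basic
    AuthName "Download statistics"
    # Assumed path; create the file with: htpasswd -c <file> <user>
    AuthUserFile /etc/apache2/stats.htpasswd
    Require valid-user
</Location>

# 4. awstats site configuration (a separate file, not Apache syntax):
#    keep the data directory at its default, outside any DocumentRoot
#    (comment 10).
#
#      DirData="/var/lib/awstats"
```

Log lines written before the format change still contain client addresses, so existing and rotated files need the same access restriction as the live one.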

comment:11 by cvvergara, 12 days ago

Resolution: invalid
Status: new → closed

We do not have awstats
