Securing ax-admin with .htaccess security
This document describes how to secure the AXS ax-admin script with Apache .htaccess/.htpasswd security (hereafter referred to as "htpasswd security").
This additional layer of security can be used in place of, or in addition to, the AXS internal password-protection feature described at Security: How to set or update your password.
Follow these steps to enable it:
First, create a subfolder of the /axs/ folder named "admin". Your script directory structure should look like:
/axs/
/axs/admin/ # new folder to secure
/axs/ax.pl
/axs/ax-admin.pl
/axs/axs.dat
/axs/data/
/axs/log.txt
Some systems will use the *.cgi extension instead of *.pl. If your system is like this, just replace ".pl" with ".cgi" in these instructions. There are also several other files included in the distribution, like install.html and license.html. All files not listed can remain where they are and do not need to be modified.
Next, use your server's .htaccess/.htpasswd security system to secure the /axs/admin/ folder with a username and password. On some servers, this is done with the htpasswd command-line tool. On other servers, it is done using a web-based control panel provided by your web host.
The exact steps for setting up htpasswd security differ from system to system, and htpasswd security is not available on all systems, so the exact details cannot be provided here. Contact your web hosting provider for help on setting it up.
Next, download all files and folders from the /axs/ folder to your local computer. Move copies of ax-admin.pl, axs.dat, log.txt, and the data subfolder into /axs/admin/, and upload them. The file /axs/ax.pl is not moved.
Your directory structure should now look like:
/axs/
/axs/admin/ # secured folder
/axs/admin/ax-admin.pl # new
/axs/admin/axs.dat # new
/axs/admin/data/ # new
/axs/admin/log.txt # new
/axs/ax.pl
/axs/ax-admin.pl # (old)
/axs/axs.dat # (old)
/axs/data/ # (old)
/axs/log.txt # (old)
Next, apply file permissions to your new files. The ax-admin.pl file must be executable (chmod 755), while axs.dat and log.txt must be writable (chmod 666).
Next, try to visit your new copy of ax-admin with your browser, at /axs/admin/ax-admin.pl
Verify that you are prompted for the htpasswd username and password. If you are not, then close all instances of your web browser, then open it again and connect to /axs/admin/ax-admin.pl. You should then be prompted for your password.
Verify that the ax-admin.pl script appears properly after you've logged in.
Next, visit /axs/ax.pl?debugme in your browser. Confirm that all debug output appears properly. Under "Standard Debugging Information," confirm that the following sentence is present:
The critical file system variable is $LogFile = "log.txt";.
Keep your browser window with /axs/ax.pl?debugme open as you move on to the next step.
Next, edit /axs/ax.pl on your local computer. Find the line that reads:
my $LogFile = 'log.txt';
Change it to read:
my $LogFile = 'admin/log.txt';
Upload the modified ax.pl file to your server.
Return to your browser and refresh the /axs/ax.pl?debugme page. Confirm that the page opens and prints all standard debugging information. Confirm that the file system test passes. Confirm that the following line is now present:
The critical file system variable is $LogFile = "admin/log.txt";.
You have now created a secure folder and moved all admin-only files to that secure folder. You've re-configured the public ax.pl script to point to the new log location. You are almost finished. The next step is to delete the old files ax-admin.pl, axs.dat, log.txt, and the data subfolder from the base /axs/ folder.
Your directory structure should now look like:
/axs/
/axs/admin/ # secured folder
/axs/admin/ax-admin.pl # new
/axs/admin/axs.dat # new
/axs/admin/data/ # new
/axs/admin/log.txt # new
/axs/ax.pl # modified
/axs/ax-admin.pl # deleted
/axs/axs.dat # deleted
/axs/data/ # deleted
/axs/log.txt # deleted
Your AXS system has now been secured with htpasswd security.
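If you have shell access to the server, the final layout can be checked in one pass. The script below is an added example, not part of the AXS distribution; the function name axs_audit is hypothetical, and it assumes your host implements htpasswd security as a .htaccess file inside /axs/admin/.

```shell
#!/bin/sh
# Added example (not AXS code): audit the final layout described in this
# help file. axs_audit is a hypothetical helper name.
# Usage: axs_audit /path/to/axs [pl|cgi]
# Prints one line per finding and returns the number of problems found.
axs_audit() {
    base=$1; ext=${2:-pl}; problems=0
    fail() { echo "FAIL: $*"; problems=$((problems + 1)); }

    # Admin-only files must exist inside the secured folder.
    for f in "ax-admin.$ext" axs.dat log.txt data; do
        [ -e "$base/admin/$f" ] || fail "missing admin/$f"
    done

    # Old copies left in the public folder are not behind the password prompt.
    for f in "ax-admin.$ext" axs.dat log.txt data; do
        [ ! -e "$base/$f" ] || fail "old copy still present: $f"
    done

    # Assumption: htpasswd security is implemented as admin/.htaccess.
    [ -f "$base/admin/.htaccess" ] || fail "no admin/.htaccess found"

    # Permissions from the chmod step.
    [ -x "$base/admin/ax-admin.$ext" ] || fail "admin/ax-admin.$ext not executable"
    for f in axs.dat log.txt; do
        [ -w "$base/admin/$f" ] || fail "admin/$f not writable"
    done

    # The public script must write its log into the secured folder.
    grep -Eq "^[[:space:]]*my[[:space:]]+\\\$LogFile[[:space:]]*=[[:space:]]*'admin/log\.txt';" \
        "$base/ax.$ext" 2>/dev/null \
        || fail "ax.$ext does not set \$LogFile to 'admin/log.txt'"

    [ "$problems" -eq 0 ] && echo "OK: layout matches the secured configuration"
    return "$problems"
}
```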
As a side-effect of placing ax.pl and ax-admin.pl in separate folders, the link "Instructions for Tagging HTML Pages" will no longer appear at the bottom of ax-admin. That link points to ax.pl?debugme. If you still need the tagging instructions, you will need to manually enter ax.pl?debugme in your browser.
If you simply apply htpasswd security to the /axs/ folder, without first separating the ax.pl and ax-admin.pl scripts, then most likely all of your pages that contain the AXS tracking code will trigger a username/password dialog for your visitors. This will annoy and confuse your visitors, and will prevent tracking from working. The solution to this problem is to cancel the htpasswd security on the /axs/ folder, and to then follow the steps outlined in this help file.
"Securing ax-admin with .htaccess security" http://www.xav.com/scripts/axs/help/1008.html