armbrustconsulting.com

Resources | Security | Securing Access-log

Securing Your Web Access-log:

This tutorial only applies to websites hosted on Apache Servers

If your website is being hosted on someone else's server, your web access-log is most likely in your root ("www") directory. This makes it easy for you to open up the log from within your own browser, but it has the drawback of allowing anyone to view your web logs. Here is code to password protect the file, and compress it into the GZIP format (I did not write this code -- there is a link to the author in the code itself). Add the following code to your .htaccess file:

----------- Add these lines to .htaccess <Files access-log> RedirectMatch permanent (.*) access-log.php </Files> ----------- Put these lines in a file called access-log.php ----------- and be sure to change the username and password <?php ; /** Written by Tim Macinta (twm@alum.mit.edu) **/ //// // // Please customize the following variables // //// $username = "dummyuser"; $password = "dummypass"; //// // End of customizable variables //// if($PHP_AUTH_USER != $username || $PHP_AUTH_PW != $password) { Header("WWW-Authenticate: Basic realm="Access Log""); Header("HTTP/1.0 401 Unauthorized"); echo "You must log in first.n"; exit; } // This code only works if the gzip binary is present header("Content-Type: application/x-gzip"); $in = popen("gzip -9c access-log", "r"); fpassthru($in); ?>

Related Links: Using the Web Access-log | Access-log entries

Want to discuss this article, or other development issues? Visit our message boards!

Or contact us directly with a comment or question on this article: click here !

armbrustconsulting.com