AWStatsを利用してバーチャルホストのアクセスログを解析し、バーチャルホスト用へのアクセス統計をWebブラウザから参照出来るようにします。
ここでは、次の環境とします。
バーチャルホスト名: linux.zoah.net
バーチャルホストのアクセスログ: /var/log/httpd/linux.zoah.net-access_log
↑ 暗号化している場合は、/var/log/httpd/linux.zoah.net-ssl_access_log とします。
バーチャルホストドキュメントルート: /var/www/linux.zoah.net/
[root@server1 ~]# cp /etc/awstats/awstats.model.conf /etc/awstats/awstats.linux.zoah.net.conf ← 設定ファイルをサンプルからコピーします。
[root@server1 ~]# vi /etc/awstats/awstats.linux.zoah.net.conf ← 設定ファイルを編集します。
# "LogFile" contains the web, ftp or mail server log file to analyze. # Possible values: A full path, or a relative path from awstats.pl directory. # Example: "/var/log/apache/access.log" # Example: "../logs/mycombinedlog.log" # You can also use tags in this filename if you need a dynamic file name # depending on date or time (Replacement is made by AWStats at the beginning # of its execution). This is available tags : # %YYYY-n is replaced with 4 digits year we were n hours ago # %YY-n is replaced with 2 digits year we were n hours ago # %MM-n is replaced with 2 digits month we were n hours ago # %MO-n is replaced with 3 letters month we were n hours ago # %DD-n is replaced with day we were n hours ago # %HH-n is replaced with hour we were n hours ago # %NS-n is replaced with number of seconds at 00:00 since 1970 # %WM-n is replaced with the week number in month (1-5) # %Wm-n is replaced with the week number in month (0-4) # %WY-n is replaced with the week number in year (01-52) # %Wy-n is replaced with the week number in year (00-51) # %DW-n is replaced with the day number in week (1-7, 1=sunday) # use n=24 if you need (1-7, 1=monday) # %Dw-n is replaced with the day number in week (0-6, 0=sunday) # use n=24 if you need (0-6, 0=monday) # Use 0 for n if you need current year, month, day, hour... # Example: "/var/log/access_log.%YYYY-0%MM-0%DD-0.log" # Example: "C:/WINNT/system32/LogFiles/W3SVC1/ex%YY-24%MM-24%DD-24.log" # You can also use a pipe if log file come from a pipe : # Example: "gzip -d </var/log/apache/access.log.gz |" # If there is several log files from load balancing servers : # Example: "/pathtotools/logresolvemerge.pl *.log |" # LogFile="/var/log/httpd/access_log" ↓ LogFile="/var/log/httpd/linux.zoah.net-access_log" ↑ バーチャルホストのアクセスログを指定します。暗号化している場合は、 linux.zoah.net-ssl_access_log を指定します。 # "SiteDomain" must contain the main domain name, or the main intranet web # server name, used to reach the web site. # If you share the same log file for several virtual web servers, this # parameter is used to tell AWStats to filter record that contains records for # this virtual host name only (So check that this virtual hostname can be # found in your log file and use a personalized log format that include the # %virtualname tag). # But for multi hosting a better solution is to have one log file for each # virtual web server. In this case, this parameter is only used to generate # full URL's links when ShowLinksOnUrl option is set to 1. # If analysing mail log, enter here the domain name of mail server. # Example: "myintranetserver" # Example: "www.domain.com" # Example: "ftp.domain.com" # Example: "domain.com" # SiteDomain="localhost.localdomain" ↓ SiteDomain="linux.zoah.net" ← Webサーバー名を指定します。 # If you want to have hosts reported by name instead of ip address, AWStats # need to make reverse DNS lookups (if not already done in your log file). # With DNSLookup to 0, all hosts will be reported by their IP addresses and # not by the full hostname of visitors (except if names are already available # in log file). # If you want/need to set DNSLookup to 1, don't forget that this will reduce # dramatically AWStats update process speed. Do not use on large web sites. # Note: Reverse DNS lookup is done on IPv4 only (Enable ipv6 plugin for IPv6). # Note: Result of DNS Lookup can be used to build the Country report. However # it is highly recommanded to enable the plugin 'geoipfree' or 'geoip' to # have an accurate Country report with no need of DNS Lookup. # Possible values: # 0 - No DNS Lookup # 1 - DNS Lookup is fully enabled # 2 - DNS Lookup is made only from static DNS cache file (if it exists) # Default: 2 # DNSLookup=2 ↓ DNSLookup=1 ← アクセス元の名前解決を行います。(アクセス元をIPアドレスではなくホスト名で表示します。) # Plugin: GeoIPfree # Perl modules required: Geo::IPfree version 0.2+ (from Graciliano M.P.) # Country chart is built from an Internet IP-Country database. # This plugin is useless for intranet only log files. # Note: You must choose between using this plugin (need Perl Geo::IPfree # module, database less up to date) or the GeoIP plugin (need Perl Geo::IP # module from Maxmind, database more up to date). # Note: Activestate provide a corrupted version of Geo::IPfree 0.2 Perl # module, so install it from elsewhere (from www.cpan.org for example). # This plugin reduces AWStats speed of 10% ! # #LoadPlugin="geoipfree" LoadPlugin="geoipfree" ← 追加(アクセス元国情報を詳細に取得します。)
[root@server1 ~]# vi awstatsinit.sh ← AWStatsのデータベース初期作成スクリプトを作成します。
#!/bin/bash
# データベース作成先ディレクトリ作成
mkdir -p `grep ^DirData /etc/awstats/awstats.$1.conf | awk -F= '{print $2}'|tr -d \"`
# AWStats設定ファイルよりApacheログファイル名取得
logfile=`grep ^LogFile /etc/awstats/awstats.$1.conf|sed -e 's/LogFile="\([^ ]*\)"/\1/p' -e d`
# 過去ログを古い順に処理
grep dateext /etc/logrotate.conf > /dev/null 2>&1
if [ $? -eq 0 ]; then
# 過去ログファイル名に日付が設定されている場合
for log in `ls $logfile-*|sort`
do
`rpm -ql awstats|grep "awstats\.pl"` \
-config=$1 -update -logfile=$log
done
else
# 過去ログファイル名に通番が設定されている場合
for log in `ls $logfile.*|sort -r`
do
`rpm -ql awstats|grep "awstats\.pl"` \
-config=$1 -update -logfile=$log
done
fi
# 現在ログ処理
for log in `ls $logfile|sort`
do
`rpm -ql awstats|grep "awstats\.pl"` \
-config=$1 -update -logfile=$log
done
[root@server1 ~]# bash awstatsinit.sh linux.zoah.net ← AWStatsのデータベース初期作成スクリプトを実行します。
[root@server1 ~]# rm -f awstatsinit.sh ← AWStatsのデータベース初期作成スクリプトを削除します。
AWStatsのデータベースの更新は、/etc/cron.daily/awstatsにより毎日自動実行されます。
※注意
/etc/httpd/conf.d/virtualhost-linux.zoah.net.conf(バーチャルホスト用バーチャルホスト設定ファイル)に、
Alias / “/var/www/linux.zoah.net/” のように、エイリアスが / から始まる場合は、その前の行に以下のように記述して下さい。
/ より下から始まるエイリアスの場合、 / から始まるエイリアスより前に記述しないと正常に動作しません。
<VirtualHost *:80>
ServerName linux.zoah.net
DocumentRoot /var/www/linux.zoah.net
ErrorLog logs/linux.zoah.net-error_log
CustomLog logs/linux.zoah.net-access_log combined
Options ExecCGI FollowSymLinks Includes IncludesNOEXEC MultiViews
Alias /awstatsclasses "/usr/share/awstats/wwwroot/classes/" ← 追加します。
Alias /awstatscss "/usr/share/awstats/wwwroot/css/" ← 追加します。
Alias /awstatsicons "/usr/share/awstats/wwwroot/icon/" ← 追加します。
ScriptAlias /awstats/ "/usr/share/awstats/wwwroot/cgi-bin/" ← 追加します。
Alias / "/var/www/linux.zoah.net/"
<Directory "/var/www/linux.zoah.net">
AllowOverride All
Require all granted
</Directory>
</VirtualHost>
<VirtualHost *:443>
Alias /awstatsclasses "/usr/share/awstats/wwwroot/classes/" ← 追加します。
Alias /awstatscss "/usr/share/awstats/wwwroot/css/" ← 追加します。
Alias /awstatsicons "/usr/share/awstats/wwwroot/icon/" ← 追加します。
ScriptAlias /awstats/ "/usr/share/awstats/wwwroot/cgi-bin/" ← 追加します。
Alias / "/var/www/linux.zoah.net/"
<Directory "/var/www/linux.zoah.net">
AllowOverride All
Require all granted
</Directory>
# General setup for the virtual host, inherited from global configuration
DocumentRoot /var/www/linux.zoah.net
ServerName linux.zoah.net:443
# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/error_log
#TransferLog logs/linux.zoah.net-ssl_access_log
CustomLog "logs/linux.zoah.net-ssl_access_log" combined
LogLevel warn
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# List the protocol versions which clients are allowed to connect with.
# The OpenSSL system profile is used by default. See
# update-crypto-policies(8) for more details.
#SSLProtocol all -SSLv3
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
#SSLProxyProtocol all -SSLv3
# User agents such as web browsers are not configured for the user's
# own preference of either security or performance, therefore this
# must be the prerogative of the web server administrator who manages
# cpu load versus confidentiality, so enforce the server's cipher order.
SSLHonorCipherOrder on
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
# The OpenSSL system profile is configured by default. See
# update-crypto-policies(8) for more details.
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
SSLProxyCipherSuite PROFILE=SYSTEM
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that restarting httpd will prompt again. Keep
# in mind that if you have both an RSA and a DSA certificate you
# can configure both in parallel (to also allow the use of DSA
# ciphers, etc.)
# Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
# require an ECC certificate which can also be configured in
# parallel.
SSLCertificateFile /etc/letsencrypt/live/linux.zoah.net/cert.pem
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
# ECC keys, when in use, can also be configured in parallel
SSLCertificateKeyFile /etc/letsencrypt/live/linux.zoah.net/privkey.pem
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convenience.
SSLCertificateChainFile /etc/letsencrypt/live/linux.zoah.net/chain.pem
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10
# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
#<Location />
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>
# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o StrictRequire:
# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
# under a "Satisfy any" situation, i.e. when it applies access is denied
# and no other module can change it.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is sent or allowed to be received. This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is sent and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
Header set Strict-Transport-Security "max-age=31536000"
Options ExecCGI FollowSymLinks Includes IncludesNOEXEC MultiViews
</VirtualHost>
http://linux.zoah.net/awstats/awstats.plへアクセスすると、アクセス統計ページが表示されます。