Hiding OWA behind HTTP-AUTH

[joho1968]

It'd be nice if the main part of an external OWA installation could be "hidden" (or "protected") behind a simple HTTP-AUTH (just to let the web server take the first hit instead of PHP) but still allow for statistics collection.

Perhaps this is a web server configuration issue though (in my case, nginx), in which case the documentation wiki could be a good place to explain how to accomplish this.

[bennet-esyoil]

You probably want to reverse-proxy everything except the collector with basic http-auth. A nativ implementation would be (in my opinion) not useful for enough people.

[padams]

What would the stats collect in? the web server log file?

It's possible that OWA's async tracking event processor could be modified to read/parse an a non-OWA log format. That's where i would start.

Right now when you put OWA into async tracking mode, the PHP endpoint just writes the incoming tracking request data to an OWA events log file. OWA is then evoked on the command line to process that file(s).

The events log file processor is well abstracted already so it's just an issue of writing a custom or configurable parser and putting in the proper config switches to tell OWA to use that instead of the default file processor.

[Maaiins]

You can block access by IP-Address through .htaccess.

I used this, to accomplish this:

Order deny,allow
Deny from all
Allow from xxx.xxx.xxx.xxx

<FilesMatch "log\.php|api\.php">
  Allow from all
</FilesMatch>

[padams]

I'm going ot close this as I'm not sure there's a feature here. If someone wants get more specific on an implementation change lets use a new issue to track that.