I had quite the journey getting live stats working perfectly and in doing so, learned a lot, but for those who want to plug and play, this will help tremendously.
Requirements
You have configured websites before
You use Let's Encrypt for your certificates
Your web server is Apache2, minimum version 2.4.17
You have compiled and built GoAccess from GitHub (utf8, openssl, and mmdb options)
You have created a "public" folder where the webpage will be read from
You want to run GoAccess as a daemon
All requests will run through the web interface and then be passed to GoAccess (who likes opening up ports anyway?)
Guide
Create a new A record for a subdomain, let's say goaccess.domain.name, and point it to your existing server.
This is your Apache2 goaccess.conf file:
DEFINE serv_name goaccess.domain.name
DEFINE serv_admn no-reply@domain.name
DEFINE log_name goaccess
DEFINE stat_url domain.name
DEFINE serv_url 127.0.0.1
DEFINE serv_port 7890
ServerTokens Prod
SSLStaplingCache "shmcb:${APACHE_LOG_DIR}/stapling-cache(150000)"
SSLSessionCache "shmcb:${APACHE_LOG_DIR}/ssl_scache(512000)"
SSLSessionCacheTimeout 300
## If you have Google Pagespeed Mod for apache, disable it, else, comment next line out
ModPagespeed Off
<VirtualHost *:80 [::]:80>
ServerName ${serv_name}
DocumentRoot /var/www/goaccess/public
ServerAdmin ${serv_admn}
RewriteEngine On
RewriteCond %{SERVER_NAME} =${serv_name}
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
ErrorLog ${APACHE_LOG_DIR}/${log_name}.error.log
CustomLog ${APACHE_LOG_DIR}/${log_name}.access.log combined
</VirtualHost>
<VirtualHost *:443 [::]:443>
ServerName ${serv_name}
DocumentRoot /var/www/goaccess/public
ServerAdmin ${serv_admn}
ErrorLog ${APACHE_LOG_DIR}/${log_name}.error.log
CustomLog ${APACHE_LOG_DIR}/${log_name}.access.log combined
### Let's Encrypt Section ###
SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/domain.name/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/domain.name/privkey.pem
Options -Includes -ExecCGI
#Include /etc/letsencrypt/options-ssl-apache.conf
## I am excluding the default Let's Encrypt apache security settings and using the following
#SSLCipherSuite ECDHE+RSA+AES256+GCM+SHA512:DHE+RSA+AES256+GCM+SHA512:ECDHE+RSA+AES256+GCM+SHA384:DHE+RSA+AES256+GCM+SHA384:ECDHE+RSA+AES256+SHA384:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
SSLHonorCipherOrder Off
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
### Deny http1.0 requests ###
Protocols h2 http/1.1
### Harden Security ###
## Reverse proxy only: keep forward proxying off so the server cannot be used as an open proxy
ProxyRequests Off
ProxyPreserveHost On
ProxyTimeout 600
ProxyReceiveBufferSize 4096
SSLProxyEngine On
RequestHeader set Front-End-Https "On"
ServerSignature Off
SSLCompression Off
SSLUseStapling On
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors Off
SSLSessionTickets Off
RequestHeader set X-Forwarded-Proto 'https' env=HTTPS
Header always set Strict-Transport-Security "max-age=15552000; preload"
Header always set X-Content-Type-Options nosniff
Header always set X-Robots-Tag none
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
#Header always set Content-Security-Policy-Report-Only "default-src 'self' https:; font-src 'self' data: ${stat_url} ${serv_name}; media-src 'self' ${stat_url} ${serv_name}; script-src 'self' 'unsafe-inline' ${stat_url} ${serv_name}; style-src 'self' ${stat_url} ${serv_name}; img-src 'self' data: blob: ${stat_url} ${serv_name}; worker-src *; frame-src https:; connect-src 'self' wss: https: ${stat_url} ${serv_name};"
### GoAccess Specific Section ###
<Location /ws/>
ProxyPass ws://${serv_url}:${serv_port}/ws/
</Location>
<Location /wss/>
ProxyPass wss://${serv_url}:${serv_port}/wss/
</Location>
</VirtualHost>
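A small lint for a vhost of this shape, added here as an example and not part of the original guide: it expands the Define variables, then reports ProxyRequests On (which enables forward proxying) and any ProxyPass backend that is not a loopback address. The function name lint_vhost and the sample config are constructed for illustration.

```python
import ipaddress
import re

def lint_vhost(conf):
    """Return a list of findings for a reverse-proxy vhost (hypothetical helper)."""
    defines, findings = {}, []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Expand ${name} from earlier Define lines; unknown names stay as-is.
        line = re.sub(r"\$\{(\w+)\}", lambda m: defines.get(m.group(1), m.group(0)), line)
        parts = line.split()
        directive = parts[0].lower()  # Apache directive names are case-insensitive
        if directive == "define" and len(parts) >= 3:
            defines[parts[1]] = parts[2]
        elif directive == "proxyrequests" and parts[-1].lower() == "on":
            findings.append("ProxyRequests On: forward proxying enabled, set it Off")
        elif directive == "proxypass":
            # The backend is the first argument that looks like a URL.
            url = next((p for p in parts[1:] if "://" in p), None)
            if url is None:
                continue
            m = re.match(r"\w+://(\[[^\]]+\]|[^:/]+)", url)
            host = m.group(1).strip("[]") if m else url
            try:
                loopback = ipaddress.ip_address(host).is_loopback
            except ValueError:
                loopback = host.lower() == "localhost"
            if not loopback:
                findings.append(f"ProxyPass backend {host!r} is not loopback")
    return findings

# Constructed sample modelled on the vhost above, with two deliberate problems.
SAMPLE = """\
DEFINE serv_url 127.0.0.1
DEFINE serv_port 7890
ProxyRequests On
<Location /ws/>
ProxyPass ws://${serv_url}:${serv_port}/ws/
</Location>
<Location /wss/>
ProxyPass wss://192.0.2.10:${serv_port}/wss/
</Location>
"""

if __name__ == "__main__":
    for finding in lint_vhost(SAMPLE):
        print("WARN:", finding)
```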
This is your GoAccess.conf file (located at /usr/local/etc/goaccess/goaccess.conf):
A Meditative Guide
Extra
You should probably make it its own user instead of what I'm doing, which is just running it as root. But this is my command nonetheless:
Not sure if GoAccess is running? Try
netstat -peanut | grep goaccess
which should then result in:
Additional
This is hacked together. It can be much better and for production environments, you should keep going and make it perfect (set up systemd [ew] startup stuff, create dedicated user, etc).
HOPE THIS HELPS SOMEBODY.
PS Thanks for a great piece of software.