Stats default to On

[patch0]

I strongly believe Stats should be disabled OR the stats http page be password protected by default.

Originally reported on Bytemark's Gitlab by @mpoland on 2017-03-07T15:00:28.117Z

[patch0]

password protection seems sensible. We could use PAM with mod_authnz_external to require the admin user? Quite possibly a dodgy idea, security wise. Could generate an htpasswd file specifically for the stats and dump the password out in /srv or something.

Originally posted by @telyn on 2017-03-13T11:03:37.946Z

[patch0]

ooh, or - disabled by default, add a 'config/stats' file containing user:pass entries and get symbiosis-httpd-configure to generate an htpasswd and enable it.

Originally posted by @telyn on 2017-03-14T10:12:27.861Z

[patch0]

I think as a first pass, we can disable stats by default.

[smsm1]

If the stats are enabled, they should probably only work over SSL and not plain text /non secure connections. With the ease of enabling secure connections now this shouldn't be a problem.