I've been improving the functionality of the virtualmin-awstats configuration and thought these changes would be useful in the next release.
The basic premise is that, like Webalizer, the AWStats reports are protected by basic authentication.
Here's what I did manually. From what I see it wouldn't be difficult to adjust the awstats module to do this.
1) change the location of the cgi-bin files/symlinks to
/home//cgi-bin/awstats/
2) modify the directives added to the domain configuration in apache
ScriptAlias /awstats ${HOME}/cgi-bin/awstats
AuthType Basic
AuthName "Visitor Statistics"
AuthUserFile ${HOME}/.stats-htpasswd
Require valid-user
You can see this uses the same htpasswd file as Webalizer.
By moving the awstats cgi-bin entries into their own sub-directory it allows us to easily moderate access whilst keeping the public URL the same.
This change doesn't affect access to the awstats reports from within the Virtualmin management interface.