apache: Fix logs still going into /var/log files

Closes: #2264.

- Set apache-auth fail2ban jail's backend to read from journal instead of
syslog. Tweak the regex matching to deal with the custom format.

- Adjust the apache error log format to remove unnecessary timestamp. It causes
problems for fail2ban regex matching.

- There was an error in the earlier patch to make apache log into journald.
Configuration for TLS sites still contained ErrorLog and CustomLog directives.
Remove them.

- There is also a file with a CustomLog directive that logs for other vhosts.

- For some reason, for custom error log format, %T - thread ID did not work and
had to switch to %{g}T global thread ID.

- Added journalmatch to improve performance by matching the regular expressions
against only specific journal entries.

Tests:

- In a container, apply the patch, run setup and start FreedomBox. Apache app is
updated to new version. Apache web server is reloaded. The
other-vhosts-access-log configuration is disabled.

- On a production machine, removing the directives in
freedombox-tls-site-macro.conf and disabling other-vhosts-access-log stopped the
logging into the /var/log/apache2/ directory.

- Use TTRSS /tt-rss-app/ URL and type wrong credentials 10 times. The client
is banned for 10 minutes. Repeat after unban. Client is banned again.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Sunil Mohan Adapa 2022-09-22 17:20:48 -07:00 committed by James Valleroy
parent 6a0493a752
commit 72d7a05ead
5 changed files with 11 additions and 5 deletions

@ -7,9 +7,6 @@
ServerName $domain
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
# Disable TLS1.1 and below. Client support: Firefox: 27, Android:
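
Review bot: With the `ErrorLog` and `CustomLog` lines gone from this TLS site block, nothing in the block tells a later editor where its logs go. A one-line comment after `DocumentRoot` saying that logging is inherited from the server-wide configuration and should not be set per vhost would keep these directives from being reintroduced and file logging from quietly returning.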

@ -145,4 +145,7 @@ RedirectMatch "^/$" "/plinth"
## journalctl --identifier apache-error --output cat > error.log
##
ErrorLog "|/usr/bin/systemd-cat --identifier=apache-error"
# Remove timestamp at the beginning from the default log format. journald
# records its own timestamp.
ErrorLogFormat "[%-m:%l] [pid %P:tid %{g}T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i"
CustomLog "|/usr/bin/systemd-cat --identifier=apache-access" vhost_combined
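
Review bot: The comment above `ErrorLogFormat` gives journald's own timestamp as the only reason for the custom format, but the apache-auth jail's filter is tuned to this layout. Say so in the comment, and note why `%{g}T` is used in place of `%T`, so that a later format change gets tested against fail2ban banning instead of silently disabling it.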

@ -21,7 +21,7 @@ class ApacheApp(app_module.App):
app_id = 'apache'
_version = 10
_version = 11
def __init__(self):
"""Create components for the app."""

@ -1,3 +1,6 @@
[apache-auth]
enabled = true
backend = auto
# Tweak the filter regex to work with journal format. Use apache-error as the
# syslog facility
filter = apache-auth[logtype="journal",logging="syslog",_daemon="apache-error"]
journalmatch = SYSLOG_IDENTIFIER=apache-error
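
Review bot: `journalmatch = SYSLOG_IDENTIFIER=apache-error` only has an effect when the jail reads from the systemd journal, and the `backend = auto` line in this hunk leaves that choice to fail2ban. If `backend = auto` stays in the final file, set `backend = systemd` explicitly so the jail does not depend on which backend fail2ban picks. The comment also calls `apache-error` a syslog facility while the `journalmatch` line treats it as the identifier; use one term.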

@ -89,6 +89,9 @@ def setup(old_version: int):
webserver.enable('rewrite', kind='module')
webserver.enable('macro', kind='module')
# Disable logging into files, use FreedomBox configured systemd logging
webserver.disable('other-vhosts-access-log', kind='config')
# Disable /server-status page to avoid leaking private info.
webserver.disable('status', kind='module')
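
Review bot: The new comment before `webserver.disable('other-vhosts-access-log', kind='config')` says file logging is disabled, but the call only stops new writes from that one configuration; nothing in this hunk handles log files already present under /var/log/apache2. Either narrow the comment to what the call does, or state in it that existing files are left in place to expire through rotation.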