From 72d7a05eada279a83ecf2bbb09d7514615b10801 Mon Sep 17 00:00:00 2001 From: Sunil Mohan Adapa Date: Thu, 22 Sep 2022 17:20:48 -0700 Subject: [PATCH] apache: Fix logs still going into /var/log files Closes: #2264. - Set apache-auth fail2ban jail's backend to read from journal instead of syslog. Tweak the regex matching to deal with the custom format. - Adjust the apache error log format to remove the unnecessary timestamp. It causes problems for fail2ban regex matching. - There was an error in the earlier patch that made apache log into journald. Configuration for TLS sites still contained ErrorLog and CustomLog directives. Remove them. - There is also a file with a CustomLog directive that logs for other vhosts. - For some reason, for the custom error log format, %T - thread ID did not work and had to switch to %{g}T global thread ID. - Added journalmatch to improve performance by matching the regular expressions against only specific journal entries. Tests: - In a container, apply the patch, run setup and start FreedomBox. Apache app is updated to the new version. Apache web server is reloaded. The other-vhosts-access-log configuration is disabled. - On a production machine, removing the directives in freedombox-tls-site-macro.conf and disabling other-vhosts-access-log stopped the logging into the /var/log/apache2/ directory. - Use the TTRSS /tt-rss-app/ URL and type wrong credentials 10 times. The client is banned for 10 minutes. Repeat after unban. The client is banned again. Signed-off-by: Sunil Mohan Adapa Reviewed-by: James Valleroy --- .../apache2/conf-available/freedombox-tls-site-macro.conf | 3 --- data/etc/apache2/conf-available/freedombox.conf | 3 +++ plinth/modules/apache/__init__.py | 2 +- .../data/etc/fail2ban/jail.d/apache-auth-freedombox.conf | 5 ++++- plinth/modules/apache/privileged.py | 3 +++ 5 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/data/etc/apache2/conf-available/freedombox-tls-site-macro.conf b/data/etc/apache2/conf-available/freedombox-tls-site-macro.conf
index 9f8389408..0eecd13ed 100644
--- a/data/etc/apache2/conf-available/freedombox-tls-site-macro.conf
+++ b/data/etc/apache2/conf-available/freedombox-tls-site-macro.conf
@@ -7,9 +7,6 @@
     ServerName $domain
     DocumentRoot /var/www/html
 
-    ErrorLog ${APACHE_LOG_DIR}/error.log
-    CustomLog ${APACHE_LOG_DIR}/access.log combined
-
     SSLEngine on
 
     # Disable TLS1.1 and below. Client support: Firefox: 27, Android:
diff --git a/data/etc/apache2/conf-available/freedombox.conf b/data/etc/apache2/conf-available/freedombox.conf
index d493cc0de..95023151d 100644
--- a/data/etc/apache2/conf-available/freedombox.conf
+++ b/data/etc/apache2/conf-available/freedombox.conf
@@ -145,4 +145,7 @@ RedirectMatch "^/$" "/plinth"
 ## journalctl --identifier apache-error --output cat > error.log
 ##
 ErrorLog "|/usr/bin/systemd-cat --identifier=apache-error"
+# Remove timestamp at the beginning from the default log format. journald
+# records its own timestamp.
+ErrorLogFormat "[%-m:%l] [pid %P:tid %{g}T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i"
 CustomLog "|/usr/bin/systemd-cat --identifier=apache-access" vhost_combined
diff --git a/plinth/modules/apache/__init__.py b/plinth/modules/apache/__init__.py
index 9d78c1e99..c0dffcae3 100644
--- a/plinth/modules/apache/__init__.py
+++ b/plinth/modules/apache/__init__.py
@@ -21,7 +21,7 @@ class ApacheApp(app_module.App):
 
     app_id = 'apache'
 
-    _version = 10
+    _version = 11
 
     def __init__(self):
         """Create components for the app."""
diff --git a/plinth/modules/apache/data/etc/fail2ban/jail.d/apache-auth-freedombox.conf b/plinth/modules/apache/data/etc/fail2ban/jail.d/apache-auth-freedombox.conf
index 9e20fb6dc..25a0c8335 100644
--- a/plinth/modules/apache/data/etc/fail2ban/jail.d/apache-auth-freedombox.conf
+++ b/plinth/modules/apache/data/etc/fail2ban/jail.d/apache-auth-freedombox.conf
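Review bot: The new ErrorLogFormat line in freedombox.conf is a contract with the fail2ban apache-auth filter changed in the same commit, but the comment above it only explains the dropped timestamp; someone reordering the fields or editing the `[client\ %a]` token later has no hint in the file that the ban regex is likely to stop matching. Extend the comment with `# Field order and the [pid ..:tid ..] / [client ..] tokens are parsed by fail2ban's apache-auth filter (jail.d/apache-auth-freedombox.conf); keep them in sync.` The reason for `%{g}T` lives only in the commit message; a short `# %{g}T (global thread id): plain %T did not render with this format` next to the directive keeps that reasoning where the next editor will see it.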
@@ -1,3 +1,6 @@
 [apache-auth]
 enabled = true
-backend = auto
+# Tweak the filter regex to work with journal format. Use apache-error as the
+# syslog facility
+filter = apache-auth[logtype="journal",logging="syslog",_daemon="apache-error"]
+journalmatch = SYSLOG_IDENTIFIER=apache-error
diff --git a/plinth/modules/apache/privileged.py b/plinth/modules/apache/privileged.py
index 3e0f35e26..812df5c1f 100644
--- a/plinth/modules/apache/privileged.py
+++ b/plinth/modules/apache/privileged.py
@@ -89,6 +89,9 @@ def setup(old_version: int):
     webserver.enable('rewrite', kind='module')
     webserver.enable('macro', kind='module')
 
+    # Disable logging into files, use FreedomBox configured systemd logging
+    webserver.disable('other-vhosts-access-log', kind='config')
+
     # Disable /server-status page to avoid leaking private info.
     webserver.disable('status', kind='module')
 
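Review bot: Dropping `backend = auto` does not by itself make the jail read the journal: fail2ban's `auto` backend picks a file-watching backend, and `journalmatch` together with `logtype="journal"` only take effect under `backend = systemd`. Unless a jail-wide default outside this file already sets `backend = systemd`, the jail would have no journal source and the ban observed in the tests would depend on that external default; adding `backend = systemd` to this section makes the jail self-contained and removes the ambiguity. Separately, the new comment calls apache-error a "syslog facility", but `_daemon` and `SYSLOG_IDENTIFIER` match the program identifier that `systemd-cat --identifier=apache-error` sets in freedombox.conf, so `# syslog identifier` is the accurate wording.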
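Review bot: The added `webserver.disable('other-vhosts-access-log', kind='config')` runs on every `setup()` call regardless of `old_version`, which is only safe if `disable` is a no-op when the conf is already disabled or does not exist; that cannot be confirmed from this hunk, so it is worth checking that an absent conf does not abort setup on fresh installs. The comment would help more if it named where logging now goes, e.g. `# Disable logging into files; access logs reach the journal through the CustomLog in freedombox.conf.` `setup()` begins before and continues after this hunk.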