diff --git a/actions/apache b/actions/apache
index e2554fc34..3a69648ff 100755
--- a/actions/apache
+++ b/actions/apache
@@ -168,11 +168,12 @@ def subcommand_setup(arguments):
         webserver.enable('javascript-common', kind='config')
 
         # default sites
-        webserver.enable('000-default', kind='site')
+        webserver.disable('000-default', kind='site')
         webserver.disable('default-tls', kind='site')
-        webserver.enable('default-ssl', kind='site')
+        webserver.disable('default-ssl', kind='site')
         webserver.disable('plinth', kind='site')
         webserver.disable('plinth-ssl', kind='site')
+        webserver.enable('freedombox-default', kind='site')
 
 
 # TODO: Check that the (name, kind) is a managed by FreedomBox before
diff --git a/data/etc/apache2/conf-available/freedombox.conf b/data/etc/apache2/conf-available/freedombox.conf
index f765b047f..d493cc0de 100644
--- a/data/etc/apache2/conf-available/freedombox.conf
+++ b/data/etc/apache2/conf-available/freedombox.conf
@@ -129,3 +129,20 @@ RedirectMatch "^/$" "/plinth"
 <IfModule mod_deflate.c>
   AddOutputFilterByType DEFLATE image/svg+xml
 </IfModule>
+
+##
+## Send all logs to systemd journal by default. This may be overridden per host
+## in <VirtualHost>. With all system logs in journald, it is possible to turn
+## off persistent logging to improve SD card lifetime and performance. It is
+## also easy to improve privacy by turning off logging altogether.
+##
+## - To obtain the old style access log run the following command (note that the
+## first field is the name of the virtual host accessed as Apache format logged
+## is vhost_combined):
+##   journalctl --identifier apache-access --output cat > access.log
+##
+## - To obtain the old style error log run the following command:
+##   journalctl --identifier apache-error --output cat > error.log
+##
+ErrorLog "|/usr/bin/systemd-cat --identifier=apache-error"
+CustomLog "|/usr/bin/systemd-cat --identifier=apache-access" vhost_combined
diff --git a/data/etc/apache2/sites-available/freedombox-default.conf b/data/etc/apache2/sites-available/freedombox-default.conf
new file mode 100644
index 000000000..ef08dffa7
--- /dev/null
+++ b/data/etc/apache2/sites-available/freedombox-default.conf
@@ -0,0 +1,35 @@
+## SPDX-License-Identifier: AGPL-3.0-or-later
+##
+## DO NOT EDIT. If you do, FreedomBox will not automatically upgrade.
+##
+## Apache configuration managed by FreedomBox. If customization is needed,
+## create a new configuration file with higher priority and override directives.
+##
+## Default apache sites default.conf and 000-default-ssl.conf will be disabled
+## for the sake of the following configuration. This is primarily to override
+## the logging directives (to allow default values to prevail).
+##
+
+# Keep this in sync with apache default 000-default.conf
+<VirtualHost *:80>
+    ServerAdmin webmaster@localhost
+    DocumentRoot /var/www/html
+</VirtualHost>
+
+# Keep this in sync with apache default default-ssl.conf
+<IfModule mod_ssl.c>
+    <VirtualHost _default_:443>
+        ServerAdmin webmaster@localhost
+        DocumentRoot /var/www/html
+
+        SSLEngine on
+        SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
+        SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
+        <FilesMatch "\.(?:cgi|shtml|phtml|php)$">
+            SSLOptions +StdEnvVars
+        </FilesMatch>
+        <Directory /usr/lib/cgi-bin>
+            SSLOptions +StdEnvVars
+        </Directory>
+    </VirtualHost>
+</IfModule>