Anonymize web logs after rotating and disable explicit download logging in favor of grepping the regular web logs

2025-07-05 14:20:29 -04:00 · 2022-03-16 13:04:52 -04:00 · 2022-03-16 13:04:52 -04:00 · 1e698f2389
commit 1e698f2389
parent 1ea3b2f28b
4 changed files with 76 additions and 16 deletions
--- a/README.md
+++ b/README.md
@ -6,7 +6,7 @@ PHP 7+ is required.

 ```shell
 # Install Apache, PHP, PHP-FPM, and various other dependencies.
-sudo apt install -y git composer php-fpm php-cli php-gd php-xml php-apcu php-mbstring php-intl apache2 apache2-utils libfcgi0ldbl task-spooler
+sudo apt install -y git composer php-fpm php-cli php-gd php-xml php-apcu php-mbstring php-intl apache2 apache2-utils libfcgi0ldbl task-spooler ipv6calc

 # Create the site root and logs root and clone this repo into it.
 sudo mkdir /standardebooks.org/
--- a/config/apache/standardebooks.org.conf
+++ b/config/apache/standardebooks.org.conf
@ -60,8 +60,9 @@ Define domain standardebooks.org
 	DocumentRoot		/standardebooks.org/web/www
 	ErrorDocument		404	/404
 	ErrorLog		/var/log/local/www-error.log
+	DirectorySlash		Off
 	RewriteEngine		on
-	CustomLog		"|/usr/bin/rotatelogs -f -p /standardebooks.org/scripts/rotate-www-logs /var/log/local/apache/www-access.log 86400"	combined
+	CustomLog		"|/usr/bin/rotatelogs -f -p /standardebooks.org/web/scripts/rotate-www-logs /var/log/local/apache/www-access.log 86400"	combined

 	SSLEngine on
 	SSLCertificateFile	/etc/letsencrypt/live/${domain}/fullchain.pem
@ -69,13 +70,6 @@ Define domain standardebooks.org
 	Header			always set Strict-Transport-Security "max-age=15768000"
 	Header			set Content-Security-Policy "default-src 'self';"

-	# Log downloads
-	SetEnvIf		Request_URI "\.epub$" logdownload
-	SetEnvIf		Request_URI "\.kepub.epub$" logdownload
-	SetEnvIf		Request_URI "\.azw3$" logdownload
-	CustomLog		/var/log/local/downloads.log "%h [%{%Y-%m-%d %H:%M:%S %Z}t] \"%r\" %>s %b" env=logdownload
-	DirectorySlash		Off
-
 	<Directory /standardebooks.org/web/www/>
 		# Disable .htaccess files
 		AllowOverride	none
--- a/config/apache/standardebooks.test.conf
+++ b/config/apache/standardebooks.test.conf
@ -60,6 +60,7 @@ Define domain standardebooks.test
 	DocumentRoot		/standardebooks.org/web/www
 	ErrorDocument		404	/404
 	ErrorLog		/var/log/local/www-error.log
+	DirectorySlash		Off
 	RewriteEngine		on

 	SSLEngine on
@ -68,13 +69,6 @@ Define domain standardebooks.test
 	Header			always set Strict-Transport-Security "max-age=15768000"
 	Header			set Content-Security-Policy "default-src 'self';"

-	# Log downloads
-	SetEnvIf		Request_URI "\.epub$" logdownload
-	SetEnvIf		Request_URI "\.kepub.epub$" logdownload
-	SetEnvIf		Request_URI "\.azw3$" logdownload
-	CustomLog		/var/log/local/downloads.log "%h [%{%Y-%m-%d %H:%M:%S %Z}t] \"%r\" %>s %b" env=logdownload
-	DirectorySlash		Off
-
 	<Directory /standardebooks.org/web/www/>
 		# Disable .htaccess files
 		AllowOverride	none
--- a/scripts/rotate-www-logs
+++ b/scripts/rotate-www-logs
@ -0,0 +1,72 @@
+#!/bin/bash
+
+usage(){
+	fmt <<EOF
+DESCRIPTION
+	Moves Apache access log files into a by-month subdirectory, and gzip them.
+
+	This script must be run as root, and is generally run by the Apache rotatelogs subprocess as such.
+
+	Log files are moved to <LOG-DIR>/apache/YYYY-MM/
+
+USAGE
+	rotate-www-logs NEW-LOG-FILENAME
+EOF
+	exit
+}
+die(){ printf "\033[0;7;31mError:\033[0m %s\n" "${1}" 1>&2; exit 1; }
+if [ $# -eq 1 ]; then if [ "$1" = "--help" ] || [ "$1" = "-h" ]; then usage; fi fi
+# End boilerplate
+
+if [ $# -eq 0 ]; then
+	usage
+fi
+
+# Apache has a habit of starting this script twice, which can stomp on its own files
+for pid in $(pidof -x rotate-www-logs); do
+	if [ "${pid}" != $$ ]; then
+		# We echo and exit instead of die() because Apache prints stderr to the log, but not stdout. We don't need this logged.
+		echo "rotate-www-logs is already running with PID ${pid}"
+		exit 1
+	fi
+done
+
+# Prevent the loop from entering if no matches are found for the pattern
+shopt -s nullglob
+
+filenameBase=$(basename "$1" | sed --regexp-extended "s/\.[0-9]+$//")
+directory=$(dirname "$1")
+
+for filename in ${directory}/${filenameBase}.*; do
+	# When Apache calls this script, it passes the filename of the new log file it created.
+	# Thus, we check here to make sure we don't process and then delete the brand-new log file!
+	if [ "${filename}" != "$1" ]; then
+		# Apache log files can have data for more than one day. Here we pull out entries for different days into different files.
+		dates=$(grep --extended-regexp --only-matching "\[[0-9]{1,2}\/[a-zA-Z]{3}\/20[0-9]{2}" "${filename}" | sort -u)
+
+		while read -r line; do
+			logRawDate=$(echo "${line}" | sed "s/\[//g" | sed "s/\// /g")
+			logDate=$(date -d"${logRawDate}" "+%Y-%m-%d")
+			logMonth=$(date -d"${logRawDate}" "+%Y-%m")
+			grepString=${line//\[/}
+			logFilename="www-access-${logDate}.log"
+
+			mkdir -p "${directory}/${logMonth}"
+
+			# Is the log file already existing and gzipped?
+			if [ -f "${directory}/${logMonth}/${logFilename}.gz" ]; then
+				gunzip "${directory}/${logMonth}/${logFilename}.gz"
+			fi
+
+			# ipv6loganon is provided by the `ipv6calc` package
+			grep --extended-regexp "\[${grepString}" "${filename}" | ipv6loganon --anonymize-paranoid >> "${directory}/${logMonth}/${logFilename}"
+
+			gzip --best "${directory}/${logMonth}/${logFilename}"
+
+			chown --preserve-root --recursive www-data:adm "${directory}/${logMonth}"
+			chmod --preserve-root --recursive g+w "${directory}/${logMonth}"
+		done <<< "${dates}"
+
+		rm "${filename}"
+	fi
+done