httpd.service - Man Page

httpd unit files for systemd

Synopsis

/usr/lib/systemd/system/httpd.service, /usr/lib/systemd/system/httpd@.service, /usr/lib/systemd/system/httpd-init.service, /usr/lib/systemd/system/httpd.socket

Description

This manual page describes the systemd unit files used to integrate the httpd daemon with systemd. Two main unit files are available: httpd.service allows the httpd daemon to be run as a system service, and httpd.socket allows httpd to be started via socket-based activation. Most systems will use httpd.service.

The apachectl command has been modified to invoke systemctl for most uses, so for example, running apachectl start is equivalent to running systemctl start httpd.service. This ensures that the running httpd daemon is tracked and managed by systemd. In contrast, running httpd directly from a root shell will start the service outside of systemd; in this case, default security restrictions described below (including, but not limited to, SELinux) will not be enforced.

Changing default behaviour

To change the default behaviour of the httpd service, an over-ride file should be created, rather than changing /usr/lib/systemd/system/httpd.service directly, since such changes would be lost over package upgrades. Running systemctl edit httpd.service or systemctl edit httpd.socket as root will create a drop-in file (in the former case, in /etc/systemd/system/httpd.service.d) which over-rides the system defaults.

For example, to set the LD_LIBRARY_PATH environment variable for the daemon, run systemctl edit httpd.service and enter:

[Service]
Environment=LD_LIBRARY_PATH=/opt/vendor/lib

Starting the service at boot time

The httpd.service and httpd.socket units are disabled by default. To start the httpd service at boot time, run: systemctl enable httpd.service. In the default configuration, the httpd daemon will accept connections on port 80 (and, if mod_ssl is installed, TLS connections on port 443) for any configured IPv4 or IPv6 address.

If httpd is configured to depend on any specific IP address (for example, with a "Listen" directive) which may only become available during start-up, or if httpd depends on other services (such as a database daemon), the service must be configured to ensure correct start-up ordering.

For example, to ensure httpd is only running after all configured network interfaces are configured, create a drop-in file (as described above) with the following section:

[Unit]
After=network-online.target
Wants=network-online.target

See https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/ for more information on start-up ordering with systemd.

SSL/TLS certificate generation

The httpd-init.service unit is provided with the mod_ssl package. This oneshot unit automatically creates a TLS server certificate and key (using a generated self-signed CA certificate and key) for testing purposes before httpd is started. To inhibit certificate generation, use systemctl mask httpd-init.service after installing mod_ssl, and adjust the mod_ssl configuration to use an appropriate certificate and key.

Reloading and stopping the service

When running systemctl reload httpd.service, a graceful restart is used, which sends a signal to the httpd parent process to reload the configuration and re-open log files. Any children with open connections at the time of reload will terminate only once they have completed serving requests. This prevents users of the server seeing errors (or potentially losing data) due to the reload, but means there is some delay before any configuration changes take effect for all users.

Similarly, a graceful stop is used when systemctl stop httpd.service is run, which terminates the server only once active connections have been processed.

To "ungracefully" stop the server without waiting for requests to complete, use systemctl kill --kill-who=main httpd; similarly to "ungracefully" reload the configuration, use systemctl kill --kill-who=main --signal=HUP httpd.

Automated service restarts

System packages (including the httpd package itself) may restart the httpd service automatically after packages are upgraded, installed, or removed. This is done using the systemctl try-restart httpd.service command, which stops then starts the service if it is running.

To disable automatic restarts, create the file /etc/sysconfig/httpd-disable-posttrans. When httpd interfaces are added in an update, it may not be safe to reload a running service after upgrading, if updated modules require interfaces only available in the updated httpd binary. It is recommended to allow automatic restarts for this reason.

Changing the default MPM (Multi-Processing Module)

httpd offers a choice of multi-processing modules (MPMs), which can be configured in /etc/httpd/conf.modules.d/00-mpm.conf. See httpd.conf(5) for more information on changing the MPM.

systemd integration and mod_systemd

The httpd service uses the notify systemd service type. The mod_systemd module must be loaded (as in the default configuration) for this to work correctly - the service will fail if this module is not loaded. mod_systemd also makes worker and request statistics available when running systemctl status httpd. See systemd.exec(5) for more information on systemd service types.

Security and SELinux

The default SELinux policy restricts the httpd service in various ways. For example, the default policy limits the ports to which httpd can bind (using the Listen directive), which parts of the filesystem can be accessed, and whether outgoing TCP connections are possible. Many of these restrictions can be relaxed or adjusted by using semanage to change booleans or other types. See httpd_selinux(8) for more information.

Process policies and restrictions

The httpd.service unit enables a variety of sandboxing options. Many of these prevent the service from changing the system configuration or attributes of the kernel - such as ProtectClock and ProtectKernelModules. See systemd.exec(5) and systemd.service(5) for more information on these options. Particular notice should be taken of the following:

  • PrivateTmp is enabled by default. The /tmp and /var/tmp directories available within the httpd process (and CGI scripts, etc) are not shared by other processes.
  • OOMPolicy is set to continue by default. Under the default Out-of-Memory policy, the entire service will be terminated if any process is killed by the kernel OOM killer. By setting the policy to continue, httpd will continue to run (and recover) if a single child is terminated because of excess memory consumption.
  • ProtectHome is set to read-only by default. CGI scripts run via UserDir will not be able to modify any content in /home by default.
  • ProtectSystem is set to yes by default; this mounts various system paths like /usr and /boot as read-only by default.
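
Because drop-in files can override any of these settings, it is worth checking the effective values on a host. The following is an added example, not part of the httpd package: audit_hardening is a hypothetical helper that reads KEY=VALUE lines in the format printed by systemctl show and compares them with the defaults described above; the sample input is constructed.

```shell
#!/bin/sh
# Defaults documented on this page for httpd.service.
EXPECTED='PrivateTmp=yes
OOMPolicy=continue
ProtectHome=read-only
ProtectSystem=yes
ProtectClock=yes
ProtectKernelModules=yes'

# audit_hardening (hypothetical helper): reads KEY=VALUE lines on stdin,
# prints one line per deviation, and returns 1 if any documented setting
# is missing or changed to something not known to be stricter.
audit_hardening() {
    props=$(cat)
    rc=0
    for want in $EXPECTED; do
        key=${want%%=*}
        val=${want#*=}
        have=$(printf '%s\n' "$props" | sed -n "s/^$key=//p" | head -n 1)
        case "$key=$have" in
            "$want") ;;   # matches the documented default
            "$key=") echo "MISSING $key (documented: $val)"; rc=1 ;;
            ProtectSystem=full|ProtectSystem=strict|ProtectHome=yes|ProtectHome=tmpfs)
                echo "STRICTER $key=$have (documented: $val)" ;;
            *) echo "CHANGED $key=$have (documented: $val)"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: a unit where a drop-in relaxed PrivateTmp and
# ProtectHome and tightened ProtectSystem.
SAMPLE='PrivateTmp=no
OOMPolicy=continue
ProtectHome=no
ProtectSystem=strict
ProtectClock=yes
ProtectKernelModules=yes'

printf '%s\n' "$SAMPLE" | audit_hardening || true
# On a live host: systemctl show httpd.service | audit_hardening
```
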

Logging and log file rotation

The httpd daemon is configured to log to the /var/log/httpd directory by default, and a drop-in for logrotate is provided at /etc/logrotate.d/httpd to enable log file rotation. The httpd.service systemd unit is reloaded after a logrotate run.

Log file compression is not enabled by default; since httpd can continue writing to open log files for some time after a reload (graceful restart), if compression is enabled the delaycompress option must be present (as in the default) to delay compression of log files to a later rotation run.

Socket activation

Socket activation (see systemd.socket(5) for more information) can be used with httpd by enabling the httpd.socket unit. The httpd listener configuration must exactly match the ListenStream options configured for the httpd.socket unit. The default httpd.socket has a ListenStream=80 and, if mod_ssl is installed, ListenStream=443 by a drop-in file. If additional Listen directives are added to the httpd configuration, corresponding ListenStream options should be added via drop-in files, for example via systemctl edit httpd.socket.

If using socket activation with httpd, only one listener on any given TCP port is supported; a configuration with both "Listen 127.0.0.1:80" and "Listen 192.168.1.2:80" will not work.
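
The two constraints above can be checked before enabling httpd.socket. The following is an added example, not part of the httpd package: the function names are hypothetical, the configuration text is a constructed sample, and the comparison is by port number only, which is a simplification of the exact-match requirement.

```shell
#!/bin/sh
# listen_ports: print the port of every Listen directive in the httpd
# configuration text on stdin (handles IP:port and [IPv6]:port forms).
listen_ports() {
    awk 'tolower($1) == "listen" { n = split($2, a, ":"); print a[n] }'
}

# stream_ports: print the port of every ListenStream= option in the socket
# unit text on stdin. An empty assignment resets the list, as in systemd.
stream_ports() {
    awk -F= '$1 == "ListenStream" {
        if ($2 == "") { n = 0; next }
        k = split($2, a, ":"); ports[++n] = a[k]
    } END { for (i = 1; i <= n; i++) print ports[i] }'
}

# check_socket_activation CONF_TEXT UNIT_TEXT
# Returns 1 if a port has more than one Listen directive, or if the set of
# Listen ports differs from the set of ListenStream ports.
check_socket_activation() {
    l=$(printf '%s\n' "$1" | listen_ports | sort -n)
    s=$(printf '%s\n' "$2" | stream_ports | sort -nu)
    rc=0
    dup=$(printf '%s\n' "$l" | uniq -d)
    [ -z "$dup" ] || { echo "multiple Listen directives on port(s): $(echo $dup)"; rc=1; }
    lu=$(printf '%s\n' "$l" | uniq)
    [ "$lu" = "$s" ] || { echo "Listen ports [$(echo $lu)] != ListenStream ports [$(echo $s)]"; rc=1; }
    return $rc
}

# Constructed sample: httpd configuration and httpd.socket plus its drop-in.
CONF='Listen 127.0.0.1:80
Listen 192.168.1.2:80
Listen 8443'
UNIT='[Socket]
ListenStream=80
ListenStream=443'

check_socket_activation "$CONF" "$UNIT" || true
```
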

Instantiated services

The httpd@.service unit is a template for creating instantiated services. An instance of this unit will be started using the configuration file /etc/httpd/conf/INSTANCE.conf, where INSTANCE is replaced with the instance name. For example, systemctl start httpd@foobar.service will start httpd using the configuration file /etc/httpd/conf/foobar.conf. The HTTPD_INSTANCE environment variable is set to the instance name by the unit and is available for use within the configuration file.

To allow multiple instances of httpd to run simultaneously, a number of configuration directives must be changed, such as PidFile and DefaultRuntimeDir to pick non-conflicting paths, and Listen to choose different ports. The example configuration file /usr/share/doc/httpd/instance.conf demonstrates how to make such changes using the HTTPD_INSTANCE variable.

It can be useful to configure instances of httpd@.service to reload when httpd.service is reloaded; for example, logrotate will reload only httpd.service when logs are rotated. If this behaviour is required, create a drop-in file for the instance as follows:

[Unit]
ReloadPropagatedFrom=httpd.service

As with normal units, drop-in files for instances can be created using systemctl edit, e.g. systemctl edit httpd@foobar.service.

Files

/usr/lib/systemd/system/httpd.service, /usr/lib/systemd/system/httpd.socket, /usr/lib/systemd/system/httpd@.service, /etc/systemd/system/httpd.service.d

Reporting Bugs

Please report bugs by filing an issue in https://bugzilla.redhat.com/.

See Also

httpd(8), httpd.conf(5), systemd(1), systemctl(1), systemd.service(5), systemd.exec(5), systemd.socket(5), httpd_selinux(8), semanage(8), logrotate(8)

Author

Joe Orton <jorton@redhat.com>

Referenced By

apachectl(8), htcacheclean.service(8), httpd.conf(5).

The man pages httpd-init.service(8), httpd@.service(8) and httpd.socket(8) are aliases of httpd.service(8).

10/11/2024 httpd systemd units