httpd systemd units httpd AuthorOrtonJoejorton@redhat.com httpd.service 8 httpd.service httpd.socket httpd-init.service httpd unit files for systemd /usr/lib/systemd/system/httpd.service, /usr/lib/systemd/system/httpd-init.service, /usr/lib/systemd/system/httpd.socket Description This manual page describes the systemd unit files used to integrate the httpd daemon with systemd. Two unit files are available: httpd.service allows the httpd daemon to be run as a system service, and httpd.socket allows httpd to be started via socket-based activation. Most systems will use httpd.service. The apachectl command has been modified to invoke systemctl for most uses, so for example, running apachectl start is equivalent to running systemctl start httpd.service. This ensures that the running httpd daemon is tracked and managed by systemd. In contrast, running httpd directly from a root shell will start the service outside of systemd; in this case, default security restrictions described below (including, but not limited to, SELinux) will not be enforced. Changing default behaviour To change the default behaviour of the httpd service, an over-ride file should be created, rather than changing /usr/lib/systemd/system/httpd.service directly, since such changes would be lost over package upgrades. Running systemctl edit httpd.service or systemctl edit httpd.socket as root will create a drop-in file in /etc/systemd/system/httpd.service.d which over-rides the system defaults. For example, to set the environment variable for the daemon, run systemctl edit httpd.service and enter: [Service] Environment=LD_LIBRARY_PATH=/opt/vendor/lib Starting the service at boot time The httpd.service and httpd.socket units are disabled by default. To start the httpd service at boot time, run: systemctl enable httpd.service. In the default configuration, the httpd daemon will accept connections on port 80 (and, if mod_ssl is installed, TLS connections on port 443) for any configured IPv4 or IPv6 address. If httpd is configured to depend on any specific IP address (for example, with a "Listen" directive) which may only become available during startup, or if httpd depends on other services (such as a database daemon), the service must be configured to ensure correct startup ordering. For example, to ensure httpd is only running after all configured network interfaces are configured, create a drop-in file (as described above) with the following section: [Unit] After=network-online.target Wants=network-online.target See for more information on startup ordering with systemd. SSL/TLS certificate generation The httpd-init.service unit is provided with the mod_ssl package. This oneshot unit automatically creates a TLS server certificate and key (using a generated self-signed CA certificate and key) for testing purposes before httpd is started. To inhibit certificate generation, use systemctl mask httpd-init.service after installing mod_ssl, and adjust the mod_ssl configuration to use an appropriate certicate and key. Reloading and stopping the service When running systemctl reload httpd.service, a graceful restart is used, which sends a signal to the httpd parent process to reload the configuration and re-open log files. Any children with open connections at the time of reload will terminate only once they have completed serving requests. This prevents users of the server seeing errors (or potentially losing data) due to the reload, but means some there is some delay before any configuration changes take effect for all users. Similarly, a graceful stop is used when systemctl stop httpd.service is run, which terminates the server only once active connections have been processed. To "ungracefully" stop the server without waiting for requests to complete, use systemctl kill --kill-who=main httpd; similarly to "ungracefully" reload the configuration, use systemctl kill --kill-who=main --signal=HUP httpd. Changing the default MPM (Multi-Processing Module) httpd offers a choice of multi-processing modules (MPMs), which can be configured in /etc/httpd/conf.modules.d/00-mpm.conf. The default is to use the @MPM@ MPM. If using the prefork MPM, the "httpd_graceful_shutdown" SELinux boolean should also be enabled, since with this MPM, httpd needs to establish TCP connections to local ports to successfully complete a graceful restart or shutdown. This boolean can be enabled by running the command: semanage boolean -m --on httpd_graceful_shutdown systemd integration and mod_systemd The httpd service uses the systemd service type. The mod_systemd module must be loaded (as in the default configuration) for this to work correctly - the service will fail if this module is not loaded. mod_systemd also makes worker and request statistics available when running systemctl status httpd. See systemd.exec5 for more information on systemd service types. Security and SELinux The default SELinux policy restricts the httpd service in various ways. For example, the default policy limits the ports to which httpd can bind (using the Listen directive), which parts of the filesystem can be accessed, and whether outgoing TCP connections are possible. Many of these restrictions can be adjusted using semanage to change booleans or other types. See httpd_selinux8 for more information. The httpd service enables PrivateTmp by default. The /tmp and /var/tmp directories available within the httpd process (and CGI scripts, etc) are not shared by other processes. See systemd.exec5 for more information. Socket activation Socket activation (see systemd.socket5 for more information) can be used with httpd by enabling the httpd.socket unit. The httpd listener configuration must exactly match the ListenStream options configured for the httpd.socket unit. The default httpd.socket has a ListenStream=80 and, if mod_ssl is installed, ListenStream=443 by a drop-in file. If additional Listen directives are added to the httpd configuration, corresponding ListenStream options should be added via drop-in files, for example via systemctl edit httpd.socket. If using socket activation with httpd, only one listener on any given TCP port is supported; a configuration with both "Listen 127.0.0.1:80" and "Listen 192.168.1.2:80" will not work. Files /usr/lib/systemd/system/httpd.service, /usr/lib/systemd/system/httpd.socket, /etc/systemd/systemd/httpd.service.d See also httpd8, systemd1, systemctl1, systemd.service5, systemd.exec5, systemd.socket5, httpd_selinux8, semanage8