HTTPD.SERVICE(8) httpd systemd units HTTPD.SERVICE(8)
NAME
httpd.service, httpd@.service, httpd.socket, httpd-init.service - httpd
unit files for systemd
SYNOPSIS
/usr/lib/systemd/system/httpd.service,
/usr/lib/systemd/system/httpd@.service,
/usr/lib/systemd/system/httpd-init.service,
/usr/lib/systemd/system/httpd.socket
DESCRIPTION
This manual page describes the systemd unit files used to integrate the
httpd daemon with systemd. Two main unit files are available:
httpd.service allows the httpd daemon to be run as a system service,
and httpd.socket allows httpd to be started via socket-based
activation. Most systems will use httpd.service.
The apachectl command has been modified to invoke systemctl for most
uses, so for example, running apachectl start is equivalent to running
systemctl start httpd.service. This ensures that the running httpd
daemon is tracked and managed by systemd. In contrast, running httpd
directly from a root shell will start the service outside of systemd;
in this case, default security restrictions described below (including,
but not limited to, SELinux) will not be enforced.
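A way to spot an httpd process that was started outside systemd, as described above. This is an added example, not part of the httpd package; the function names cgroup_unit and httpd_is_managed are hypothetical and the sample cgroup lines are constructed.

```shell
#!/bin/sh
# Added example (not from the httpd package): find httpd processes that were
# started outside the httpd systemd units by inspecting /proc/PID/cgroup.

# Print the last cgroup path segment (the owning unit or scope).
# $1 = file with the content of /proc/<pid>/cgroup
cgroup_unit() {
    awk -F: '
        { rest = $0; sub(/^[^:]*:[^:]*:/, "", rest) }       # text after the 2nd colon
        $1 == "0" && $2 == "" { path = rest }                # cgroup v2 entry
        $2 == "name=systemd" && path == "" { path = rest }   # cgroup v1 fallback
        END { n = split(path, seg, "/"); print seg[n] }' "$1"
}

# Return 0 when the process belongs to httpd.service or an httpd@ instance.
httpd_is_managed() {
    case "$(cgroup_unit "$1")" in
        httpd.service|httpd@*.service) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed samples: one daemon started by systemd, one from a root login shell.
demo_cgroups() {
    d=$(mktemp -d) || return 2
    printf '0::/system.slice/httpd.service\n' > "$d/managed"
    printf '0::/user.slice/user-0.slice/session-3.scope\n' > "$d/stray"
    for f in managed stray; do
        if httpd_is_managed "$d/$f"; then echo "$f: tracked by systemd"
        else echo "$f: outside httpd units ($(cgroup_unit "$d/$f"))"; fi
    done
    rm -rf "$d"
}
demo_cgroups

# On a live host, list httpd processes that are outside the units.
for pid in $(pgrep -x httpd 2>/dev/null); do
    httpd_is_managed "/proc/$pid/cgroup" || echo "PID $pid is outside httpd units"
done
```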
Changing default behaviour
To change the default behaviour of the httpd service, an over-ride file
should be created, rather than changing
/usr/lib/systemd/system/httpd.service directly, since such changes
would be lost over package upgrades. Running systemctl edit
httpd.service or systemctl edit httpd.socket as root will create a
drop-in file (in the former case, in
/etc/systemd/system/httpd.service.d) which over-rides the system
defaults.
For example, to set the LD_LIBRARY_PATH environment variable for the
daemon, run systemctl edit httpd.service and enter:
    [Service]
    Environment=LD_LIBRARY_PATH=/opt/vendor/lib
Starting the service at boot time
The httpd.service and httpd.socket units are disabled by default. To
start the httpd service at boot time, run: systemctl enable
httpd.service. In the default configuration, the httpd daemon will
accept connections on port 80 (and, if mod_ssl is installed, TLS
connections on port 443) for any configured IPv4 or IPv6 address.
If httpd is configured to depend on any specific IP address (for
example, with a "Listen" directive) which may only become available
during start-up, or if httpd depends on other services (such as a
database daemon), the service must be configured to ensure correct
start-up ordering.
For example, to ensure httpd is only running after all configured
network interfaces are configured, create a drop-in file (as described
above) with the following section:
    [Unit]
    After=network-online.target
    Wants=network-online.target
See https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/
for more information on start-up ordering with systemd.
SSL/TLS certificate generation
The httpd-init.service unit is provided with the mod_ssl package. This
oneshot unit automatically creates a TLS server certificate and key
(using a generated self-signed CA certificate and key) for testing
purposes before httpd is started. To inhibit certificate generation,
use systemctl mask httpd-init.service after installing mod_ssl, and
adjust the mod_ssl configuration to use an appropriate certificate and
key.
Reloading and stopping the service
When running systemctl reload httpd.service, a graceful restart is
used, which sends a signal to the httpd parent process to reload the
configuration and re-open log files. Any children with open connections
at the time of reload will terminate only once they have completed
serving requests. This prevents users of the server seeing errors (or
potentially losing data) due to the reload, but means there is
some delay before any configuration changes take effect for all users.
Similarly, a graceful stop is used when systemctl stop httpd.service is
run, which terminates the server only once active connections have been
processed.
To "ungracefully" stop the server without waiting for requests to
complete, use systemctl kill --kill-who=main httpd; similarly to
"ungracefully" reload the configuration, use systemctl kill
--kill-who=main --signal=HUP httpd.
Automated service restarts
System packages (including the httpd package itself) may restart the
httpd service automatically after packages are upgraded, installed, or
removed. This is done using systemctl reload httpd.service, which
produces a graceful restart by default as described above.
To suppress automatic reloads entirely, create the file
/etc/sysconfig/httpd-disable-posttrans.
Changing the default MPM (Multi-Processing Module)
httpd offers a choice of multi-processing modules (MPMs), which can be
configured in /etc/httpd/conf.modules.d/00-mpm.conf. See httpd.conf(5)
for more information on changing the MPM.
systemd integration and mod_systemd
The httpd service uses the notify systemd service type. The mod_systemd
module must be loaded (as in the default configuration) for this to
work correctly - the service will fail if this module is not loaded.
mod_systemd also makes worker and request statistics available when
running systemctl status httpd. See systemd.exec(5) for more
information on systemd service types.
Security and SELinux
The default SELinux policy restricts the httpd service in various ways.
For example, the default policy limits the ports to which httpd can
bind (using the Listen directive), which parts of the filesystem can be
accessed, and whether outgoing TCP connections are possible. Many of
these restrictions can be relaxed or adjusted by using semanage to
change booleans or other types. See httpd_selinux(8) for more
information.
The httpd service enables PrivateTmp by default. The /tmp and /var/tmp
directories available within the httpd process (and CGI scripts, etc)
are not shared by other processes. See systemd.exec(5) for more
information.
Socket activation
Socket activation (see systemd.socket(5) for more information) can be
used with httpd by enabling the httpd.socket unit. The httpd listener
configuration must exactly match the ListenStream options configured
for the httpd.socket unit. The default httpd.socket has a
ListenStream=80 and, if mod_ssl is installed, ListenStream=443 by a
drop-in file. If additional Listen directives are added to the httpd
configuration, corresponding ListenStream options should be added via
drop-in files, for example via systemctl edit httpd.socket.
If using socket activation with httpd, only one listener on any given
TCP port is supported; a configuration with both "Listen 127.0.0.1:80"
and "Listen 192.168.1.2:80" will not work.
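A consistency check for the two rules above, as an added example that is not part of the httpd package. It assumes a single configuration file and a saved copy of the socket unit text, compares ports only (not addresses), and the function name check_socket_activation and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare httpd Listen ports with httpd.socket ListenStream ports.
# $1 = httpd configuration file
# $2 = socket unit text (for example a saved `systemctl cat httpd.socket`)
check_socket_activation() {
    awk '
    FILENAME == ARGV[1] && tolower($1) == "listen" {
        k = split($2, a, ":"); listen[a[k]]++          # port follows the last colon
    }
    FILENAME == ARGV[2] && /^[ \t]*ListenStream[ \t]*=/ {
        v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
        if (v == "") { split("", stream); next }        # empty value resets the list
        c = substr(v, 1, 1)
        if (c == "/" || c == "@") next                  # AF_UNIX socket, no TCP port
        k = split(v, a, ":"); stream[a[k]] = 1
    }
    END {
        for (p in listen) {
            if (listen[p] > 1) { print "port " p ": multiple Listen directives"; bad = 1 }
            if (!(p in stream)) { print "port " p ": Listen without ListenStream"; bad = 1 }
        }
        for (p in stream)
            if (!(p in listen)) { print "port " p ": ListenStream without Listen"; bad = 1 }
        exit bad + 0
    }' "$1" "$2"
}

# Constructed sample input (not taken from a real host).
demo_check() {
    d=$(mktemp -d) || return 2
    printf '%s\n' '# comment' 'Listen 127.0.0.1:80' 'Listen 192.168.1.2:80' \
        'Listen [::]:8443 https' > "$d/httpd.conf"
    printf '%s\n' '[Socket]' 'ListenStream=80' 'ListenStream=443' > "$d/httpd.socket"
    check_socket_activation "$d/httpd.conf" "$d/httpd.socket"; rc=$?
    rm -rf "$d"
    return $rc
}

demo_check || echo "constructed sample is inconsistent, as intended"
```

The function exits non-zero when any mismatch is found, so it can gate a deployment step before httpd.socket is enabled.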
Instantiated services
The httpd@.service unit is an instantiated template service. An
instance of this unit will be started using the configuration file
/etc/httpd/conf/INSTANCE.conf, where INSTANCE is replaced with the
instance name. For example, systemctl start httpd@foobar.service will
start httpd using the configuration file /etc/httpd/conf/foobar.conf.
The HTTPD_INSTANCE environment variable is set to the instance name by
the unit and is available for use within the configuration file.
To allow multiple instances of httpd to run simultaneously, a number of
configuration directives must be changed, such as PidFile and
DefaultRuntimeDir to pick non-conflicting paths, and Listen to choose
different ports. The example configuration file
/usr/share/doc/httpd/instance.conf demonstrates how to make such
changes using the HTTPD_INSTANCE variable.
It can be useful to configure instances of httpd@.service to reload
when httpd.service is reloaded; for example, logrotate will reload only
httpd.service when logs are rotated. If this behaviour is required,
create a drop-in file for the instance as follows:
    [Unit]
    ReloadPropagatedFrom=httpd.service
As with normal units, drop-in files for instances can be created using
systemctl edit, e.g. systemctl edit httpd@foobar.service.
FILES
/usr/lib/systemd/system/httpd.service,
/usr/lib/systemd/system/httpd.socket,
/usr/lib/systemd/system/httpd@.service,
/etc/systemd/system/httpd.service.d
SEE ALSO
httpd(8), httpd.conf(5), systemd(1), systemctl(1), systemd.service(5),
systemd.exec(5), systemd.socket(5), httpd_selinux(8), semanage(8)
AUTHOR
Joe Orton <jorton AT redhat.com>
Author
httpd 08/12/2024 HTTPD.SERVICE(8)