|
 |
710b63c |
|
|
|
710b63c |
|
|
|
710b63c |
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
|
|
|
710b63c |
|
|
|
710b63c |
]>
|
|
|
ae962f3 |
|
|
|
5860daa |
Copyright 2018 Red Hat, Inc.
|
|
|
ae962f3 |
|
|
|
ae962f3 |
Licensed to the Apache Software Foundation (ASF) under one or more
|
|
|
ae962f3 |
contributor license agreements. See the NOTICE file distributed with
|
|
|
ae962f3 |
this work for additional information regarding copyright ownership.
|
|
|
ae962f3 |
The ASF licenses this file to You under the Apache License, Version 2.0
|
|
|
ae962f3 |
(the "License"); you may not use this file except in compliance with
|
|
|
ae962f3 |
the License. You may obtain a copy of the License at
|
|
|
ae962f3 |
|
|
|
ae962f3 |
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
ae962f3 |
|
|
|
ae962f3 |
Unless required by applicable law or agreed to in writing, software
|
|
|
ae962f3 |
distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
ae962f3 |
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
ae962f3 |
See the License for the specific language governing permissions and
|
|
|
ae962f3 |
limitations under the License.
|
|
|
ae962f3 |
-->
|
|
|
710b63c |
|
|
|
710b63c |
<refentry>
|
|
|
710b63c |
<refentryinfo>
|
|
|
710b63c |
<title>httpd systemd units</title>
|
|
|
710b63c |
<productname>httpd</productname>
|
|
|
710b63c |
<author><contrib>Author</contrib><surname>Orton</surname><firstname>Joe</firstname><email>jorton@redhat.com</email></author>
|
|
|
710b63c |
</refentryinfo>
|
|
|
710b63c |
|
|
|
710b63c |
<refmeta>
|
|
|
710b63c |
<refentrytitle>httpd.service</refentrytitle>
|
|
|
fce414a |
<manvolnum>8</manvolnum>
|
|
|
710b63c |
</refmeta>
|
|
|
710b63c |
|
|
|
710b63c |
<refnamediv>
|
|
|
710b63c |
<refname>httpd.service</refname>
|
|
|
5860daa |
<refname>httpd@.service</refname>
|
|
|
710b63c |
<refname>httpd.socket</refname>
|
|
|
6a77761 |
<refname>httpd-init.service</refname>
|
|
|
710b63c |
<refpurpose>httpd unit files for systemd</refpurpose>
|
|
|
710b63c |
</refnamediv>
|
|
|
710b63c |
|
|
|
710b63c |
<refsynopsisdiv>
|
|
|
710b63c |
<para>
|
|
|
710b63c |
<filename>/usr/lib/systemd/system/httpd.service</filename>,
|
|
|
5860daa |
<filename>/usr/lib/systemd/system/httpd@.service</filename>,
|
|
|
6a77761 |
<filename>/usr/lib/systemd/system/httpd-init.service</filename>,
|
|
|
710b63c |
<filename>/usr/lib/systemd/system/httpd.socket</filename>
|
|
|
710b63c |
</para>
|
|
|
710b63c |
</refsynopsisdiv>
|
|
|
710b63c |
|
|
|
710b63c |
<refsect1>
|
|
|
710b63c |
<title>Description</title>
|
|
|
710b63c |
|
|
|
710b63c |
<para>This manual page describes the <command>systemd</command>
|
|
|
710b63c |
unit files used to integrate the <command>httpd</command> daemon
|
|
|
16e8d75 |
with <command>systemd</command>. Two main unit files are
|
|
|
16e8d75 |
available: <command>httpd.service</command> allows the
|
|
|
710b63c |
<command>httpd</command> daemon to be run as a system service, and
|
|
|
710b63c |
<command>httpd.socket</command> allows httpd to be started via
|
|
|
710b63c |
socket-based activation. Most systems will use
|
|
|
710b63c |
<command>httpd.service</command>.</para>
|
|
|
710b63c |
|
|
|
6fd8793 |
<para>The <command>apachectl</command> command has been modified
|
|
|
6fd8793 |
to invoke <command>systemctl</command> for most uses, so for
|
|
|
6fd8793 |
example, running <command>apachectl start</command> is equivalent
|
|
|
6fd8793 |
to running <command>systemctl start httpd.service</command>. This
|
|
|
6fd8793 |
ensures that the running httpd daemon is tracked and managed by
|
|
|
6fd8793 |
<command>systemd</command>. In contrast, running
|
|
|
6fd8793 |
<command>httpd</command> directly from a root shell will start the
|
|
|
6fd8793 |
service outside of <command>systemd</command>; in this case,
|
|
|
6fd8793 |
default security restrictions described below (including, but not
|
|
|
6fd8793 |
limited to, SELinux) will not be enforced.</para>
|
|
|
6fd8793 |
|
|
|
710b63c |
<refsect2>
|
|
|
710b63c |
<title>Changing default behaviour</title>
|
|
|
710b63c |
|
|
|
710b63c |
<para>To change the default behaviour of the httpd service, an
|
|
|
710b63c |
<emphasis>over-ride</emphasis> file should be created, rather
|
|
|
710b63c |
than changing
|
|
|
710b63c |
<filename>/usr/lib/systemd/system/httpd.service</filename>
|
|
|
710b63c |
directly, since such changes would be lost over package
|
|
|
710b63c |
upgrades. Running <command>systemctl edit
|
|
|
710b63c |
httpd.service</command> or <command>systemctl edit
|
|
|
5860daa |
httpd.socket</command> as root will create a drop-in file (in
|
|
|
5860daa |
the former case, in
|
|
|
5860daa |
<filename>/etc/systemd/system/httpd.service.d</filename>) which
|
|
|
710b63c |
over-rides the system defaults.</para>
|
|
|
710b63c |
|
|
|
6fd8793 |
<para>For example, to set the <option>LD_LIBRARY_PATH</option>
|
|
|
710b63c |
environment variable for the daemon, run <command>systemctl edit
|
|
|
710b63c |
httpd.service</command> and enter:
|
|
|
710b63c |
|
|
|
710b63c |
<programlisting>[Service]
|
|
|
710b63c |
Environment=LD_LIBRARY_PATH=/opt/vendor/lib</programlisting></para>
|
|
|
710b63c |
</refsect2>
|
|
|
710b63c |
|
|
|
710b63c |
<refsect2>
|
|
|
710b63c |
<title>Starting the service at boot time</title>
|
|
|
710b63c |
|
|
|
710b63c |
<para>The httpd.service and httpd.socket units are
|
|
|
710b63c |
<emphasis>disabled</emphasis> by default. To start the httpd
|
|
|
710b63c |
service at boot time, run: <command>systemctl enable
|
|
|
710b63c |
httpd.service</command>. In the default configuration, the
|
|
|
710b63c |
httpd daemon will accept connections on port 80 (and, if mod_ssl
|
|
|
710b63c |
is installed, TLS connections on port 443) for any configured
|
|
|
710b63c |
IPv4 or IPv6 address.</para>
|
|
|
710b63c |
|
|
|
710b63c |
<para>If httpd is configured to depend on any specific IP
|
|
|
6fd8793 |
address (for example, with a "Listen" directive) which may only
|
|
|
890b608 |
become available during start-up, or if httpd depends on other
|
|
|
710b63c |
services (such as a database daemon), the service
|
|
|
710b63c |
<emphasis>must</emphasis> be configured to ensure correct
|
|
|
890b608 |
start-up ordering.</para>
|
|
|
710b63c |
|
|
|
710b63c |
<para>For example, to ensure httpd is only running after all
|
|
|
710b63c |
configured network interfaces are configured, create a drop-in
|
|
|
6fd8793 |
file (as described above) with the following section:
|
|
|
710b63c |
|
|
|
710b63c |
<programlisting>[Unit]
|
|
|
710b63c |
After=network-online.target
|
|
|
710b63c |
Wants=network-online.target</programlisting>
|
|
|
710b63c |
|
|
|
710b63c |
See
|
|
|
710b63c |
url="https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/"/>
|
|
|
890b608 |
for more information on start-up ordering with systemd.</para>
|
|
|
6a77761 |
|
|
|
6a77761 |
</refsect2>
|
|
|
6a77761 |
|
|
|
6a77761 |
<refsect2>
|
|
|
6a77761 |
<title>SSL/TLS certificate generation</title>
|
|
|
6a77761 |
|
|
|
6a77761 |
<para>The <command>httpd-init.service</command> unit is provided
|
|
|
6a77761 |
with the mod_ssl package. This oneshot unit automatically
|
|
|
6a77761 |
creates a TLS server certificate and key (using a generated
|
|
|
6a77761 |
self-signed CA certificate and key) for testing purposes before
|
|
|
6a77761 |
httpd is started. To inhibit certificate generation, use
|
|
|
6a77761 |
<command>systemctl mask httpd-init.service</command> after
|
|
|
6a77761 |
installing mod_ssl, and adjust the mod_ssl configuration to use
|
|
|
5d40f92 |
an appropriate certificate and key.</para>
|
|
|
710b63c |
|
|
|
710b63c |
</refsect2>
|
|
|
710b63c |
|
|
|
710b63c |
<refsect2>
|
|
|
710b63c |
<title>Reloading and stopping the service</title>
|
|
|
710b63c |
|
|
|
710b63c |
<para>When running <command>systemctl reload
|
|
|
6fd8793 |
httpd.service</command>, a <emphasis>graceful</emphasis>
|
|
|
710b63c |
restart is used, which sends a signal to the httpd parent
|
|
|
710b63c |
process to reload the configuration and re-open log files. Any
|
|
|
710b63c |
children with open connections at the time of reload will
|
|
|
710b63c |
terminate only once they have completed serving requests. This
|
|
|
710b63c |
prevents users of the server seeing errors (or potentially
|
|
|
710b63c |
losing data) due to the reload, but means some there is some
|
|
|
710b63c |
delay before any configuration changes take effect for all
|
|
|
710b63c |
users.</para>
|
|
|
710b63c |
|
|
|
6fd8793 |
<para>Similarly, a <emphasis>graceful stop</emphasis> is used
|
|
|
710b63c |
when <command>systemctl stop httpd.service</command> is run,
|
|
|
710b63c |
which terminates the server only once active connections have
|
|
|
710b63c |
been processed.</para>
|
|
|
710b63c |
|
|
|
870b71c |
<para>To "ungracefully" stop the server without waiting for
|
|
|
870b71c |
requests to complete, use <command>systemctl kill
|
|
|
870b71c |
--kill-who=main httpd</command>; similarly to "ungracefully"
|
|
|
870b71c |
reload the configuration, use <command>systemctl kill
|
|
|
870b71c |
--kill-who=main --signal=HUP httpd</command>.</para>
|
|
|
710b63c |
</refsect2>
|
|
|
710b63c |
|
|
|
710b63c |
<refsect2>
|
|
|
6a73e2c |
<title>Automated service restarts</title>
|
|
|
6a73e2c |
|
|
|
6a73e2c |
<para>System packages (including the httpd package itself) may
|
|
|
6a73e2c |
restart the httpd service automatically after packages are
|
|
|
6a73e2c |
upgraded, installed, or removed. This is done using the
|
|
|
6a73e2c |
<command>systemctl reload httpd.service</command>, which
|
|
|
6a73e2c |
produces a <emphasis>graceful</emphasis> restart by default as
|
|
|
6a73e2c |
described above.</para>
|
|
|
6a73e2c |
|
|
|
6a73e2c |
<para>To suppress automatic reloads entirely, create the file
|
|
|
6a73e2c |
<filename>/etc/sysconfig/httpd-disable-posttrans</filename>.</para>
|
|
|
6a73e2c |
</refsect2>
|
|
|
6a73e2c |
|
|
|
6a73e2c |
<refsect2>
|
|
|
6d96e6a |
<title>Changing the default MPM (Multi-Processing Module)</title>
|
|
|
6d96e6a |
|
|
|
6d96e6a |
<para>httpd offers a choice of multi-processing modules (MPMs),
|
|
|
6d96e6a |
which can be configured in
|
|
|
36d7a68 |
<filename>/etc/httpd/conf.modules.d/00-mpm.conf</filename>.
|
|
|
36d7a68 |
See
|
|
|
36d7a68 |
<citerefentry><refentrytitle>httpd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
|
|
36d7a68 |
for more information on changing the MPM.</para>
|
|
|
6d96e6a |
</refsect2>
|
|
|
6d96e6a |
|
|
|
6d96e6a |
<refsect2>
|
|
|
710b63c |
<title>systemd integration and mod_systemd</title>
|
|
|
710b63c |
|
|
|
6fd8793 |
<para>The httpd service uses the <option>notify</option> systemd
|
|
|
710b63c |
service type. The <literal>mod_systemd</literal> module must be
|
|
|
710b63c |
loaded (as in the default configuration) for this to work
|
|
|
710b63c |
correctly - the service will fail if this module is not
|
|
|
710b63c |
loaded. <literal>mod_systemd</literal> also makes worker and
|
|
|
710b63c |
request statistics available when running <command>systemctl status
|
|
|
710b63c |
httpd</command>. See
|
|
|
710b63c |
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
|
|
710b63c |
for more information on systemd service types.</para>
|
|
|
710b63c |
</refsect2>
|
|
|
710b63c |
|
|
|
710b63c |
<refsect2>
|
|
|
710b63c |
<title>Security and SELinux</title>
|
|
|
710b63c |
|
|
|
710b63c |
<para>The default SELinux policy restricts the httpd service in
|
|
|
6fd8793 |
various ways. For example, the default policy limits the ports
|
|
|
6fd8793 |
to which httpd can bind (using the <literal>Listen</literal>
|
|
|
6fd8793 |
directive), which parts of the filesystem can be accessed, and
|
|
|
6fd8793 |
whether outgoing TCP connections are possible. Many of these
|
|
|
16e8d75 |
restrictions can be relaxed or adjusted by using
|
|
|
16e8d75 |
<command>semanage</command> to change booleans or other
|
|
|
16e8d75 |
types. See
|
|
|
710b63c |
<citerefentry><refentrytitle>httpd_selinux</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
|
|
710b63c |
for more information.</para>
|
|
|
710b63c |
|
|
|
710b63c |
<para>The httpd service enables <emphasis>PrivateTmp</emphasis>
|
|
|
710b63c |
by default. The <filename>/tmp</filename> and
|
|
|
710b63c |
<filename>/var/tmp</filename> directories available within the
|
|
|
710b63c |
httpd process (and CGI scripts, etc) are not shared by other
|
|
|
710b63c |
processes. See
|
|
|
710b63c |
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
|
|
710b63c |
for more information.</para>
|
|
|
710b63c |
|
|
|
710b63c |
</refsect2>
|
|
|
710b63c |
|
|
|
9c91812 |
<refsect2>
|
|
|
9c91812 |
<title>Socket activation</title>
|
|
|
9c91812 |
|
|
|
9c91812 |
<para>Socket activation (see
|
|
|
9c91812 |
<citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
|
|
9c91812 |
for more information) can be used with <command>httpd</command>
|
|
|
9c91812 |
by enabling the <command>httpd.socket</command> unit. The
|
|
|
9c91812 |
<command>httpd</command> listener configuration must exactly
|
|
|
9c91812 |
match the <literal>ListenStream</literal> options configured for
|
|
|
9c91812 |
the <command>httpd.socket</command> unit. The default
|
|
|
9c91812 |
<command>httpd.socket</command> has a
|
|
|
9c91812 |
<literal>ListenStream=80</literal> and, if mod_ssl is installed,
|
|
|
9c91812 |
<literal>ListenStream=443</literal> by a drop-in file. If
|
|
|
9c91812 |
additional <literal>Listen</literal> directives are added to the
|
|
|
9c91812 |
httpd configuration, corresponding
|
|
|
9c91812 |
<literal>ListenStream</literal> options should be added via
|
|
|
9c91812 |
drop-in files, for example via <command>systemctl edit
|
|
|
9c91812 |
httpd.socket</command>.</para>
|
|
|
9c91812 |
|
|
|
9c91812 |
<para>If using socket activation with httpd, only one listener
|
|
|
9c91812 |
on any given TCP port is supported; a configuration with both
|
|
|
9c91812 |
"<literal>Listen 127.0.0.1:80</literal>" and "<literal>Listen
|
|
|
9c91812 |
192.168.1.2:80</literal>" will not work.</para>
|
|
|
9c91812 |
</refsect2>
|
|
|
9c91812 |
|
|
|
5860daa |
<refsect2>
|
|
|
890b608 |
<title>Instantiated services</title>
|
|
|
5860daa |
|
|
|
5860daa |
<para>The <command>httpd@.service</command> unit is an
|
|
|
890b608 |
instantiated template service. An instance of this unit will be
|
|
|
5860daa |
started using the configuration file
|
|
|
5860daa |
<filename>/etc/httpd/conf/INSTANCE.conf</filename>, where
|
|
|
5860daa |
<emphasis>INSTANCE</emphasis> is replaced with the instance
|
|
|
5860daa |
name. For example, <command>systemctl start
|
|
|
5860daa |
httpd@foobar.service</command> will start httpd using the
|
|
|
5860daa |
configuration file
|
|
|
5860daa |
<filename>/etc/httpd/conf/foobar.conf</filename>. The
|
|
|
5860daa |
<option>HTTPD_INSTANCE</option> environment variable is set to
|
|
|
5d40f92 |
the instance name by the unit and is available for use within
|
|
|
5d40f92 |
the configuration file.</para>
|
|
|
5860daa |
|
|
|
5860daa |
<para>To allow multiple instances of httpd to run
|
|
|
5860daa |
simultaneously, a number of configuration directives must be
|
|
|
5d40f92 |
changed, such as <command>PidFile</command> and
|
|
|
5d40f92 |
<command>DefaultRuntimeDir</command> to pick non-conflicting
|
|
|
5d40f92 |
paths, and <command>Listen</command> to choose different ports.
|
|
|
5d40f92 |
The example configuration file
|
|
|
5860daa |
<filename>/usr/share/doc/httpd/instance.conf</filename>
|
|
|
5860daa |
demonstrates how to make such changes using
|
|
|
5860daa |
<option>HTTPD_INSTANCE</option> variable.</para>
|
|
|
5860daa |
|
|
|
5860daa |
<para>It can be useful to configure instances of
|
|
|
5860daa |
<command>httpd@.service</command> to reload when
|
|
|
5860daa |
<command>httpd.service</command> is reloaded; for example,
|
|
|
5860daa |
<command>logrotate</command> will reload only
|
|
|
5860daa |
<command>httpd.service</command> when logs are rotated. If this
|
|
|
5860daa |
behaviour is required, create a drop-in file for the instance as
|
|
|
5860daa |
follows:
|
|
|
5860daa |
|
|
|
5860daa |
<programlisting>[Unit]
|
|
|
5860daa |
ReloadPropagatedFrom=httpd.service</programlisting>
|
|
|
5860daa |
|
|
|
5860daa |
As with normal units, drop-in files for instances can be created
|
|
|
5860daa |
using <command>systemctl edit</command>, e.g. <command>systemctl edit
|
|
|
5860daa |
httpd@foobar.service</command>.</para>
|
|
|
5860daa |
</refsect2>
|
|
|
5860daa |
|
|
|
710b63c |
</refsect1>
|
|
|
710b63c |
|
|
|
710b63c |
<refsect1>
|
|
|
710b63c |
<title>Files</title>
|
|
|
710b63c |
|
|
|
710b63c |
<para><filename>/usr/lib/systemd/system/httpd.service</filename>,
|
|
|
710b63c |
<filename>/usr/lib/systemd/system/httpd.socket</filename>,
|
|
|
5d40f92 |
<filename>/usr/lib/systemd/system/httpd@.service</filename>,
|
|
|
710b63c |
<filename>/etc/systemd/systemd/httpd.service.d</filename></para>
|
|
|
710b63c |
</refsect1>
|
|
|
710b63c |
|
|
|
710b63c |
<refsect1>
|
|
|
710b63c |
<title>See also</title>
|
|
|
710b63c |
|
|
|
710b63c |
<para>
|
|
|
710b63c |
<citerefentry><refentrytitle>httpd</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
|
|
|
36d7a68 |
<citerefentry><refentrytitle>httpd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
|
|
|
710b63c |
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
|
|
|
710b63c |
<citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
|
|
|
710b63c |
<citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
|
|
|
710b63c |
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
|
|
|
9c91812 |
<citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
|
|
|
6fd8793 |
<citerefentry><refentrytitle>httpd_selinux</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
|
|
|
6fd8793 |
<citerefentry><refentrytitle>semanage</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
|
|
710b63c |
</para>
|
|
|
710b63c |
</refsect1>
|
|
|
710b63c |
|
|
|
710b63c |
</refentry>
|
|
|
890b608 |
|
|
|
890b608 |
|
|
|
890b608 |
-->
|