11

We are trying to reload Apache gracefully using a command such as:

apache2ctl -k graceful

This works as expected for HTTP users and the Apache config is reloaded without affecting users of the website.

However, we have found that users accessing the server via HTTPS are disconnected during a graceful reload.

How can Apache be gracefully reloaded without affecting SSL connections?

In case it helps, we are using HTTP 2 on Apache 2.4.20.

jones
  • 5
    Well, you could "reload" instead of restart Apache. Assuming you run stuff like Diffie-Hellman key exchange, after a restart, the keys used in the previous "session" will not exist anymore, so new ones are being created. A different option would be to put some kind of load balancer that also handles SSL in front of your Apache servers. – Harrys Kavan Apr 18 '16 at 11:35
  • Yes we are reloading (graceful) instead of restarting. – jones Apr 18 '16 at 11:56
  • 5
    Terminating SSL at HAProxy is an option for us, if anyone can confirm that is a workable solution? – jones Apr 18 '16 at 12:30
  • 2
    It is rather common nowadays to have a proxy or load balancer terminating the end-user SSL. Then for maximum security you'll add "in-house" SSL encryption between the Apache and the proxies/load balancers. – Harrys Kavan Apr 18 '16 at 13:07
  • 5
    We have now confirmed the bug as an issue with the HTTP2 module in Apache 2.4.10, hoping that can be fixed upstream. When we switch off HTTP2, Apache can be reloaded without disconnecting SSL users. – jones Apr 18 '16 at 20:19
  • Raise an issue here: https://github.com/icing/mod_h2/issues. The developer (@icing) is very responsive to bugs raised for mod_http2. Though personally I'm not convinced this is a bug. Graceful restart means finish with current requests then restart. It's expected a new connection will be needed after this. – Barry Pollard Apr 18 '16 at 20:25
  • It has been logged here: https://bz.apache.org/bugzilla/show_bug.cgi?id=59348 – jones Apr 18 '16 at 20:32
  • The bug we're referring to is existing requests being killed off midway through. For example, a PHP script running a long process being halted by the reload. Under normal conditions this doesn't happen and a 'graceful' reload does exactly what it is supposed to do, and no clients notice the reload. Only under HTTP2 can we reproduce this now. – jones Apr 18 '16 at 20:34

1 Answer

1

To ensure that H2-based HTTP sessions are left alone (and not terminated) when executing apachectl -k graceful, upgrade your Apache software to 2.4.24 and your mod_h2 package to 1.4.7.

John Greene
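
A pre-reload check built on the version threshold in the answer above, as an added example that is not part of the original thread. The function names and sample output are constructed for illustration; it only inspects the httpd version banner and the loaded-module list, so the mod_h2 package version named in the answer still has to be checked separately.

```shell
#!/bin/sh
# Added example (not from the original thread): classify a host by the 2.4.24
# threshold given in the answer. Sample input below is constructed.

# version_ge A B: succeed when dotted numeric version A >= B.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
        # Drop the field just compared; stop when no dot is left.
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# h2_graceful_status BANNER MODULES
#   BANNER is the output of `apache2ctl -v`, MODULES of `apache2ctl -M`.
#   Prints: unknown | no-http2 | ok | affected
h2_graceful_status() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's|^Server version: Apache/\([0-9][0-9.]*\).*|\1|p')
    if [ -z "$ver" ]; then echo unknown; return 0; fi
    # Without mod_http2 loaded, the thread reports graceful reloads behave.
    if ! printf '%s\n' "$2" | grep -q '^ *http2_module '; then
        echo no-http2; return 0
    fi
    if version_ge "$ver" 2.4.24; then echo ok; else echo affected; fi
}

# Constructed sample output, not captured from a real host.
SAMPLE_BANNER_OLD='Server version: Apache/2.4.20 (Ubuntu)'
SAMPLE_BANNER_NEW='Server version: Apache/2.4.25 (Debian)'
SAMPLE_MODS_H2='Loaded Modules:
 core_module (static)
 http2_module (shared)
 ssl_module (shared)'
SAMPLE_MODS_H1='Loaded Modules:
 core_module (static)
 ssl_module (shared)'

echo "2.4.20 with http2:    $(h2_graceful_status "$SAMPLE_BANNER_OLD" "$SAMPLE_MODS_H2")"
echo "2.4.25 with http2:    $(h2_graceful_status "$SAMPLE_BANNER_NEW" "$SAMPLE_MODS_H2")"
echo "2.4.20 without http2: $(h2_graceful_status "$SAMPLE_BANNER_OLD" "$SAMPLE_MODS_H1")"
# Live host: h2_graceful_status "$(apache2ctl -v)" "$(apache2ctl -M 2>/dev/null)"
```

An `affected` result means a graceful reload on that host can be expected to cut off in-flight HTTP/2 requests, so schedule it accordingly or upgrade first.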