Kill HTTP(S) connection in Apache
Let's say Apache is configured to allow long-lived connections (KeepAlive), and it's configured with a reasonably high timeout.
And we have some special case where we should forcefully shut down/kill some of these long-lived connections (we can't wait until they time out).
Can you give me some pointers on how to do that?
I would appreciate it even more if this information is useful for a) SSL b) Reverse SSL Proxy.
Generally, the final solution will be an Apache with SSL and client cert authentication. Apache will work as a reverse proxy. And I will need to kill some connections based on client cert subject.
Keep two separate instances of Apache running, one for SSL and one for not. If you use the prefork model you can iteratively kill off the old PIDs that have a parent path to the proper instance based upon the process lifetime.
Not sure you can introspect or obtain the PID of the httpd process forked for each subject though...
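The age-based selection this answer describes, as an added example that is not part of the original answer: it picks the prefork children of one instance's parent PID by elapsed time. It assumes a Linux host whose procps `ps` supports the `etimes` column; the function names and the pidfile argument are hypothetical, and the sample process table is constructed.

```shell
#!/bin/sh
# Input lines on stdin: "PID PPID ELAPSED_SECONDS COMMAND", as printed by
#   ps -eo pid=,ppid=,etimes=,comm=
# (assumption: procps-ng ps, where etimes is elapsed time in seconds).

select_old_children() {
    # $1 = parent PID of the target Apache instance
    # $2 = minimum child age in seconds
    awk -v parent="$1" -v min_age="$2" '
        $2 == parent && $3 + 0 >= min_age + 0 && $4 ~ /^(httpd|apache2)$/ {
            print $1
        }'
}

# Constructed sample: two instances (parents 100 and 200) plus an
# unrelated daemon. Not real output.
sample_ps() {
    cat <<'EOF'
  100     1 86400 httpd
  101   100  7200 httpd
  102   100    30 httpd
  103   100  3600 httpd
  200     1 86400 httpd
  201   200  9000 httpd
  300     1  9999 sshd
EOF
}

terminate_old_children() {
    # $1 = pidfile of the instance (hypothetical path supplied by caller)
    # $2 = minimum child age in seconds
    parent=$(cat "$1") || return 1
    ps -eo pid=,ppid=,etimes=,comm= |
        select_old_children "$parent" "$2" |
        while read -r pid; do
            # The connection held by this child closes when it exits.
            kill -TERM "$pid"
        done
}

# Stand-alone demonstration on the constructed table only.
sample_ps | select_old_children 100 3600
```

Process age is not connection age, and a child's PID says nothing about the client certificate subject it is serving, so this selects by instance and lifetime only.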
I'm not sure having long keepalive settings will really help you to optimize SSL sessions. SSL session negotiation occurs at first connect and we can assume it makes the first request 20% longer. But then an SSL cache is activated on the server side, and further SSL requests from the same browser will not be impacted by SSL negotiation.
I would recommend a 5s Keepalive Timeout; this is generally sufficient to handle a page load and the css/js/images attached to this page. Maybe you can try 15s as well. But anything bigger makes no sense to me unless you use COMET persistent connection handling. I can be wrong. Make some tests.
Note that you can have some problems of SSL negotiation reoccurring if you do some load balancer stuff behind Apache and if the SSL session cache is not shared by the different Apache servers. This is the reason why load balancers sometimes try to keep the link in SSL mode (always target this guy to that server). But I've never read that HTTP Keepalive should be used for SSL optimization.
Back when I was researching this, I didn't find existing solutions for this problem. However, I was able to prototype an Apache module, which did exactly what's described (killing a long-lived connection).