diff --git a/playbooks/roles/mirror/files/apache-connection-tuning b/playbooks/roles/mirror/files/apache-connection-tuning
new file mode 100644
index 0000000000..8cc4e55431
--- /dev/null
+++ b/playbooks/roles/mirror/files/apache-connection-tuning
@@ -0,0 +1,14 @@
+# worker MPM
+# MaxConnectionsPerChild: maximum number of requests a server process serves
+#
+# We've noticed that our mirrors occasionally have stale workers. This leads
+# to ssl certs not being refreshed properly after reload and we've also seen
+# ssl connections to round robin backend services have trouble. Restarting
+# the workers so that they load up new info seems to fix this. Try and force
+# that to happen regularly with a connections limit per worker.
+<IfModule mpm_worker_module>
+    MaxConnectionsPerChild 8192
+</IfModule>
+<IfModule mpm_event_module>
+    MaxConnectionsPerChild 8192
+</IfModule>
diff --git a/playbooks/roles/mirror/tasks/main.yaml b/playbooks/roles/mirror/tasks/main.yaml
index dfa6d46b54..f700c29dc0 100644
--- a/playbooks/roles/mirror/tasks/main.yaml
+++ b/playbooks/roles/mirror/tasks/main.yaml
@@ -121,6 +121,15 @@
     # becomes mirror.region...)  for the serveralias
     apache_server_alias: '{{ inventory_hostname | regex_replace("^mirror\d\d\.", "mirror.") }}'
 
+- name: Copy apache tuning
+  copy:
+    src: apache-connection-tuning
+    dest: /etc/apache2/conf-enabled/connection-tuning.conf
+    owner: root
+    group: root
+    mode: 0644
+  notify: restart apache2
+
 - name: Create mirror virtual host
   template:
     src: mirror.vhost.j2