diff --git a/playbooks/roles/static/files/apache-connection-tuning b/playbooks/roles/static/files/apache-connection-tuning
new file mode 100644
index 0000000000..8cc4e55431
--- /dev/null
+++ b/playbooks/roles/static/files/apache-connection-tuning
@@ -0,0 +1,14 @@
+# worker MPM
+# MaxConnectionsPerChild: maximum number of requests a server process serves
+#
+# We've noticed that our mirrors occasionally have stale workers. This leads
+# to ssl certs not being refreshed properly after reload and we've also seen
+# ssl connections to round robin backend services have trouble. Restarting
+# the workers so that they load up new info seems to fix this. Try and force
+# that to happen regularly with a connections limit per worker.
+<IfModule mpm_worker_module>
+    MaxConnectionsPerChild 8192
+</IfModule>
+<IfModule mpm_event_module>
+    MaxConnectionsPerChild 8192
+</IfModule>
diff --git a/playbooks/roles/static/handlers/main.yaml b/playbooks/roles/static/handlers/main.yaml
index 4c5855ec0f..fe996bf164 100644
--- a/playbooks/roles/static/handlers/main.yaml
+++ b/playbooks/roles/static/handlers/main.yaml
@@ -1,4 +1,9 @@
 - name: Reload apache2
   service:
     name: apache2
-    state: reloaded
\ No newline at end of file
+    state: reloaded
+
+- name: Restart apache2
+  service:
+    name: apache2
+    state: restarted
diff --git a/playbooks/roles/static/tasks/main.yaml b/playbooks/roles/static/tasks/main.yaml
index f687fe778f..fcbca23f8c 100644
--- a/playbooks/roles/static/tasks/main.yaml
+++ b/playbooks/roles/static/tasks/main.yaml
@@ -61,6 +61,15 @@
     state: present
     name: headers
 
+- name: Copy apache tuning
+  copy:
+    src: apache-connection-tuning
+    dest: /etc/apache2/conf-enabled/connection-tuning.conf
+    owner: root
+    group: root
+    mode: 0644
+  notify: Restart apache2
+
 - name: Make sure packaged default site disabled
   command: a2dissite 000-default.conf
   args: