The Apache Tomcat Connector - Reference Guide

Configuring Apache

Configuration Directives

Most of the directives are allowed once in the global part of the Apache httpd configuration and once in every <VirtualHost> element. Exceptions to this rule are explicitly listed in the table below.

Values are inherited from the main server to the virtual hosts. Since version 1.2.20 they can be overwritten in the virtual hosts. Exceptions to this rule are again explicitly listed in the table below.

Warning: If Apache httpd and Tomcat are configured to serve content from the same file system location then care must be taken to ensure that httpd is not able to serve inappropriate content such as the contents of the WEB-INF directory or JSP source code. This could occur if the httpd DocumentRoot overlaps with a Tomcat Host's appBase or the docBase of any Context. It could also occur when using the httpd Alias directive with a Tomcat Host's appBase or the docBase of any Context.

Here are all the directives supported by Apache:

Directive / Description
JkWorkersFile

The name of a worker file for the Tomcat servlet containers.
This directive is only allowed once. It must be put into the global part of the configuration.
If you don't use the JkWorkerProperty directives, then you must define your workers with a valid JkWorkersFile. There is no default value.

JkWorkerProperty

Enables setting worker properties inside Apache configuration file. The syntax is the same as in the JkWorkersFile (usually workers.properties). Simply prefix each line with "JkWorkerProperty" to put it directly into the Apache httpd config files.
This directive is allowed multiple times. It must be put into the global part of the configuration.
If you don't use the JkWorkerProperty directives, then you must define your workers with a valid JkWorkersFile. There is no default value.
This directive is available in jk1.2.7 version and later.

JkShmFile

Shared memory file name. Used only on unix platforms.
This directive is only allowed once. It must be put into the global part of the configuration.
The default value is logs/jk-runtime-status.

JkShmSize

Size of the shared memory file.
This directive is only allowed once. It must be put into the global part of the configuration.
The default value depends on the platform. It is usually less than 64KB.

JkMountFile

File containing multiple mappings from a context to a Tomcat worker. It is usually called uriworkermap.properties.
For inheritance rules, see: JkMountCopy.
There is no default value.

JkMountFileReload

This directive configures the reload check interval in seconds. The JkMountFile is checked periodically for changes. A changed file gets reloaded automatically. If you set this directive to "0", reload checking is turned off.
The default value is 60 seconds.
This directive has been added in version 1.2.20 of mod_jk.

JkMount

A mount point from a context to a Tomcat worker.
This directive is allowed multiple times. It is allowed in the global configuration and in VirtualHost. You can also use it inside Location with a different syntax. Inside Location, one omits the first argument (path), which gets inherited from the Location. For inheritance rules, see: JkMountCopy.

JkUnMount

An exclusion mount point from a context to a Tomcat worker. All exclusion mounts are checked after mapping a request to a Tomcat worker. If the request also maps to an exclusion, it will not be forwarded to Tomcat and will instead be served locally.
This directive is allowed multiple times. It is allowed in the global configuration and in VirtualHost. You can also use it inside Location with a different syntax. Inside Location, one omits the first argument (path), which gets inherited from the Location. For inheritance rules, see: JkMountCopy.
This directive is available in jk1.2.7 version and later.

JkAutoAlias

Automatically Alias webapp context directories into the Apache document space.
Care should be taken to ensure that only static content is served via httpd as a result of using this directive. Any static content served by httpd will bypass any security constraints defined in the application's web.xml.
For inheritance rules, see: JkMountCopy.
There is no default value.

JkMountCopy

If this directive is set to On in some virtual server, the mounts from the global server will be copied to the virtual server, more precisely all mounts defined by JkMount or JkUnMount. The mounts defined by JkMountFile and JkAutoAlias will only be inherited if the VirtualHost does not define its own JkMountFile or JkAutoAlias.
This directive is only allowed inside VirtualHost.
The default is Off.

JkWorkerIndicator

Name of the Apache environment variable that can be used to set worker names in combination with SetHandler jakarta-servlet.
This directive is only allowed once per virtual server. It is allowed in the global configuration and in VirtualHost.
The default value is JK_WORKER_NAME.

JkLogFile

Full or server relative path to the Tomcat Connector module log file. It will also work with a pipe, by using a value of the form "| ...".
The default value is logs/mod_jk.log.
Pipes are supported for Apache 1.3 only since version 1.2.16. The default value exists only since version 1.2.20.

JkLogLevel

The Tomcat Connector module log level. It can be debug, info, warn, error or trace.
The default value is info.

JkLogStampFormat

The Tomcat Connector module date log format, using an extended strftime syntax. This format will be used for the time stamps in the JkLogFile. The maximum length of the format is 63 characters.
Starting with version 1.2.24 of mod_jk you can also use %Q for adding milliseconds to the log and %q for microseconds. These conversion specifiers are an extension to strftime. They will only work on platforms with a gettimeofday() function. You can use %Q and %q only once in the pattern and also not both together in the same pattern.
The default value is "[%a %b %d %H:%M:%S %Y] " and beginning with version 1.2.24 on platforms with a gettimeofday() function it is "[%a %b %d %H:%M:%S.%Q %Y] ".

JkRequestLogFormat

Request log format string. See detailed description below.
There is no default value. Without defining a value, the request logging is turned off.

JkExtractSSL

Turns on SSL processing and information gathering by mod_jk.
The default value is On.

JkHTTPSIndicator

Name of the Apache environment variable that contains SSL indication.
The default value is "HTTPS".

JkCERTSIndicator

Name of the Apache environment variable that contains SSL client certificates.
The default value is "SSL_CLIENT_CERT".

JkCIPHERIndicator

Name of the Apache environment variable that contains SSL client cipher.
The default value is "SSL_CIPHER".

JkCERTCHAINPrefix

Name of the Apache environment (prefix) that contains SSL client chain certificates.
The default value is "SSL_CLIENT_CERT_CHAIN_".

JkSESSIONIndicator

Name of the Apache environment variable that contains SSL session.
The default value is "SSL_SESSION_ID".

JkKEYSIZEIndicator

Name of the Apache environment variable that contains SSL key size in use.
The default value is "SSL_CIPHER_USEKEYSIZE".

JkOptions

Set one or more options to configure the mod_jk module. See below for details about this directive.
This directive can be used multiple times per virtual server.
The default value is "ForwardURIProxy" since version 1.2.24. It was "ForwardURICompatUnparsed" in version 1.2.23 and "ForwardURICompat" until version 1.2.22.

JkEnvVar

Adds a name and an optional default value of an environment variable that should be sent to the servlet engine as a request attribute. If the default value is not given explicitly, the variable will only be sent if it is set during runtime.
This directive can be used multiple times per virtual server.
The default is empty, so no additional variables will be sent.
Empty default values are supported since version 1.2.20. Not sending variables with empty defaults and empty runtime value has been introduced in version 1.2.21.

JkStripSession

If this directive is set to On in some virtual server, the session IDs ;jsessionid=... will be removed for non-matched URLs.
This directive is only allowed inside VirtualHost.
The default is Off.
This directive has been introduced in version 1.2.21.

Configuration Directives Types

We'll discuss here the mod_jk directive types.

Define workers

JkWorkersFile specifies the location where mod_jk will find the worker definitions. Take a look at the Workers documentation for a detailed description.

  
  JkWorkersFile     /etc/httpd/conf/workers.properties


Logging

JkLogFile specifies the location where mod_jk is going to place its log file.

  JkLogFile     /var/log/httpd/mod_jk.log

Since JK 1.2.3 for Apache 2.0 and JK 1.2.16 for Apache 1.3 this can also be used for piped logging:

  JkLogFile     "|/usr/bin/rotatelogs /var/log/httpd/mod_jk.log 86400"

JkLogLevel sets the log level to one of:

  • info log will contain standard mod_jk activity (default).
  • warn log will contain non fatal error reports.
  • error log will contain also error reports.
  • debug log will contain all information on mod_jk activity
  • trace log will contain all tracing information on mod_jk activity
  
  JkLogLevel    info

info should be your default selection for normal operations.

JkLogStampFormat will configure the date/time format found in the mod_jk log file. It uses the strftime() format string and is set by default to "[%a %b %d %H:%M:%S %Y]".

  JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "



JkRequestLogFormat will configure the format of mod_jk individual request logging. Request logging is configured and enabled on a per virtual host basis. To enable request logging for a virtual host just add a JkRequestLogFormat config. The syntax of the format string is similar to the Apache LogFormat command. Here is a list of the available request log format options:

Option  Description
%b      Bytes sent, excluding HTTP headers (CLF format)
%B      Bytes sent, excluding HTTP headers
%H      The request protocol
%m      The request method
%p      The canonical Port of the server serving the request
%q      The query string (prepended with a ? if a query string exists, otherwise an empty string)
%r      First line of request
%s      Request HTTP status code
%T      Request duration, elapsed time to handle request in seconds '.' micro seconds
%U      The URL path requested, not including any query string.
%v      The canonical ServerName of the server serving the request
%V      The server name according to the UseCanonicalName setting
%w      Tomcat worker name
%R      Real worker name

  JkRequestLogFormat     "%w %V %T"


You can also log mod_jk information using the Apache standard module mod_log_config. The module sets several notes in the Apache httpd notes table. Most of them are only useful in combination with a load balancer worker.

Note                     Description
JK_WORKER_NAME           Name of the worker selected by the URI mapping
JK_WORKER_TYPE           Type of the worker selected by the URI mapping
JK_WORKER_ROUTE          Actual worker name selected by the URI mapping (usually a member of the load balancer)
JK_REQUEST_DURATION      Request duration in seconds and microseconds. At the moment only available if JkRequestLogFormat is set.
JK_LB_FIRST_NAME         Load-Balancer: Name of the first worker tried
JK_LB_FIRST_TYPE         Load-Balancer: Type of the first worker tried
JK_LB_FIRST_ACCESSED     Load-Balancer: Access count for the first worker tried
JK_LB_FIRST_READ         Load-Balancer: Bytes read for the first worker tried
JK_LB_FIRST_TRANSFERRED  Load-Balancer: Bytes transferred for the first worker tried
JK_LB_FIRST_ERRORS       Load-Balancer: Error count for the first worker tried
JK_LB_FIRST_BUSY         Load-Balancer: Busy count for the first worker tried
JK_LB_FIRST_ACTIVATION   Load-Balancer: Activation state for the first worker tried
JK_LB_FIRST_STATE        Load-Balancer: Error state for the first worker tried
JK_LB_LAST_NAME          Load-Balancer: Name of the last worker tried
JK_LB_LAST_TYPE          Load-Balancer: Type of the last worker tried
JK_LB_LAST_ACCESSED      Load-Balancer: Access count for the last worker tried
JK_LB_LAST_READ          Load-Balancer: Bytes read for the last worker tried
JK_LB_LAST_TRANSFERRED   Load-Balancer: Bytes transferred for the last worker tried
JK_LB_LAST_ERRORS        Load-Balancer: Error count for the last worker tried
JK_LB_LAST_BUSY          Load-Balancer: Busy count for the last worker tried
JK_LB_LAST_ACTIVATION    Load-Balancer: Activation state for the last worker tried
JK_LB_LAST_STATE         Load-Balancer: Error state for the last worker tried

  LogFormat     "%h %l %u %t \"%r\" %>s %b %{JK_WORKER_NAME}n %{JK_LB_FIRST_NAME}n \
                 %{JK_LB_FIRST_BUSY}n %{JK_LB_LAST_NAME}n %{JK_LB_LAST_BUSY}n" mod_jk_log
  CustomLog     logs/access_log     mod_jk_log


Forwarding

The directive JkOptions allows you to set many forwarding options. A leading plus sign (+) enables the option that follows and a leading minus sign (-) disables it. Without any leading sign, the option will be enabled.

The following four options +ForwardURIxxx are mutually exclusive. Exactly one of them is required, and a negative sign prefix is not allowed with them. The default value is "ForwardURIProxy" since version 1.2.24. It was "ForwardURICompatUnparsed" in version 1.2.23 and "ForwardURICompat" until version 1.2.22. You can turn the default off by switching on one of the other two options. You should leave this at its default value, unless you have a very good reason to change it.

All options are inherited from the global server to virtual hosts. Options that support enabling (plus options) and disabling (minus options), are inherited in the following way:

options(vhost) = plus_options(global) - minus_options(global) + plus_options(vhost) - minus_options(vhost)

Using JkOptions ForwardURIProxy, the forwarded URI will be partially reencoded after processing inside Apache httpd and before forwarding to Tomcat. This will be compatible with local URL manipulation by mod_rewrite and with URL encoded session ids.

  JkOptions     +ForwardURIProxy


Using JkOptions ForwardURICompatUnparsed, the forwarded URI will be unparsed. It's spec compliant and secure. It will always forward the original request URI, so rewriting URIs with mod_rewrite and then forwarding the rewritten URI will not work.

  JkOptions     +ForwardURICompatUnparsed


Using JkOptions ForwardURICompat, the forwarded URI will be decoded by Apache httpd. Encoded characters will be decoded and explicit path components like ".." will already be resolved. This is less spec compliant and is not safe if you are using prefix JkMount. This option allows URIs to be rewritten with mod_rewrite before forwarding.

  JkOptions     +ForwardURICompat


Using JkOptions ForwardURIEscaped, the forwarded URI will be the encoded form of the URI used by ForwardURICompat. Explicit path components like ".." will already be resolved. This will not work in combination with URL encoded session IDs, but it allows URIs to be rewritten with mod_rewrite before forwarding.

  JkOptions     +ForwardURIEscaped


JkOptions RejectUnsafeURI will block all URLs that contain percent signs '%' or backslashes '\' after decoding.

Most web apps do not use such URLs. Using the option RejectUnsafeURI, you can block several well known URL encoding attacks. By default, this option is not set.

You can also implement such a check with mod_rewrite, which is more powerful but also slightly more complicated.

  
  JkOptions     +RejectUnsafeURI
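
The rule described above, modelled as an added example in Python (not mod_jk code and not part of the original documentation): each request path from a few constructed access log lines is percent-decoded once and flagged if a '%' or '\' remains. Dropping the query string before the check and the log line layout are assumptions of this sketch.

```python
"""Model of the RejectUnsafeURI rule applied to access log request lines.

Added example, not mod_jk code. Assumption: only the path part of the
request target is checked, so the query string is dropped first.
"""
import re
from urllib.parse import unquote_to_bytes

# Request line as it appears in a common/combined format access log.
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')


def is_unsafe_uri(raw_path: str) -> bool:
    """True if the path still holds '%' or '\\' after one round of decoding."""
    decoded = unquote_to_bytes(raw_path)
    return b"%" in decoded or b"\\" in decoded


def flag_requests(log_lines: list) -> list:
    """Return the request paths that the rule would block."""
    flagged = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        path = match.group("target").split("?", 1)[0]
        if is_unsafe_uri(path):
            flagged.append(path)
    return flagged


# Constructed sample log lines (addresses from the documentation range).
SAMPLE_LOG = [
    # Ordinary escape: decodes to a space, nothing suspicious remains.
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] '
    '"GET /shop/my%20cart.jsp HTTP/1.1" 200 512',
    # Double encoding: %25 decodes to '%', so "%2e%2e" survives decoding.
    '192.0.2.11 - - [01/Jan/2024:10:00:01 +0000] '
    '"GET /shop/%252e%252e/admin HTTP/1.1" 404 0',
    # Encoded backslash: %5c decodes to '\'.
    '192.0.2.11 - - [01/Jan/2024:10:00:02 +0000] '
    '"GET /shop/..%5cconf HTTP/1.1" 404 0',
    # Percent sign only in the query string, which this model ignores.
    '192.0.2.12 - - [01/Jan/2024:10:00:03 +0000] '
    '"GET /shop/report?rate=5%25 HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for path in flag_requests(SAMPLE_LOG):
        print("would be rejected:", path)
```

Running the same function over existing access logs before enabling the option shows whether any legitimate application URL would be blocked.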


JkOptions ForwardDirectories is used in conjunction with the DirectoryIndex directive of the Apache web server. As such, mod_dir should be available to Apache, statically or dynamically (DSO).

When DirectoryIndex is configured, Apache will create sub-requests for each of the local-url's specified in the directive, to determine if there is a local file that matches (this is done by stat-ing the file).

If ForwardDirectories is set to false (default) and Apache doesn't find any files that match, Apache will serve the content of the directory (if directive Options specifies Indexes for that directory) or a 403 Forbidden response (if directive Options doesn't specify Indexes for that directory).

If ForwardDirectories is set to true and Apache doesn't find any files that match, the request will be forwarded to Tomcat for resolution. This is used in cases when Apache cannot see the index files on the file system for various reasons: Tomcat is running on a different machine, the JSP file has been precompiled etc.

Note that locally visible files will take precedence over the ones visible only to Tomcat (i.e. if Apache can see the file, that's the one that's going to get served). This is important if there is more than one type of file that Tomcat normally serves - for instance Velocity pages and JSP pages.

  
  JkOptions     +ForwardDirectories


With JkOptions ForwardLocalAddress, you ask mod_jk to send the local address of the Apache web server instead of the remote client address. This can be used by the Tomcat remote address valve for allowing connections only from registered Apache web servers.

  
  JkOptions     +ForwardLocalAddress


With JkOptions FlushPackets, you ask mod_jk to flush Apache's connection buffer after each AJP packet chunk received from Tomcat. This option can have a strong performance penalty for Apache and Tomcat as writes are performed more often than would normally be required (i.e. at the end of each response).

  
  JkOptions     +FlushPackets


With JkOptions FlushHeader, you ask mod_jk to flush Apache's connection buffer after the response headers have been received from Tomcat.

  
  JkOptions     +FlushHeader


With JkOptions DisableReuse, you ask mod_jk to close connections immediately after their use. Normally mod_jk uses persistent connections and pools idle connections to reuse them when new requests have to be sent to Tomcat.

Using this option will have a strong performance penalty for Apache and Tomcat. Use this only as a last resort in case of unfixable network problems. If a firewall between Apache and Tomcat silently kills idle connections, try to use the worker attribute socket_keepalive in combination with an appropriate TCP keepalive value in your OS.

  
  JkOptions     +DisableReuse


With JkOptions ForwardKeySize, you ask mod_jk, when using ajp13, to also forward the SSL key size as required by Servlet API 2.3. This flag shouldn't be set when the servlet engine is Tomcat 3.2.x (on by default).

  
  JkOptions     +ForwardKeySize


With JkOptions ForwardSSLCertChain, you ask mod_jk, when using ajp13, to forward the SSL certificate chain (off by default). Mod_jk only passes the SSL_CLIENT_CERT to the AJP connector. This is not a problem with self-signed certificates or certificates directly signed by the root CA certificate. However, there's a large number of certificates signed by an intermediate CA certificate, where this is a significant problem: A servlet will not have the possibility to validate the client certificate on its own. The bug would be fixed by passing on the SSL_CLIENT_CERT_CHAIN to Tomcat via the AJP connector.
This directive exists only since version 1.2.22.

  
  JkOptions     +ForwardSSLCertChain


The directive JkEnvVar allows you to forward environment variables from the Apache server to the Tomcat engine. The variables can be retrieved on the Tomcat side as request attributes. You can add a default value as a second parameter to the directive. If the default value is not given explicitly, the variable will only be sent if it is set during runtime.

The variables are inherited from the global server to virtual hosts.

  
  JkEnvVar     SSL_CLIENT_V_START     undefined


Assigning URLs to Tomcat

If you have created a custom or local version of mod_jk.conf-local as noted above, you can change settings such as the workers or URL prefix.

The JkMount directive assigns specific URLs to Tomcat. In general the structure of a JkMount directive is:

  
  JkMount [URL prefix] [Worker name]
  # send all requests ending in .jsp to worker1
  JkMount /*.jsp worker1
  # send all requests ending in /servlet/ to worker1
  JkMount /*/servlet/ worker1
  # send all .jsp requests for files located in /otherworker to worker2
  JkMount /otherworker/*.jsp worker2

You can use the JkMount directive at the top level or inside <VirtualHost> sections of your httpd.conf file.

The JkUnMount directive acts as the opposite of JkMount and blocks access to a particular URL. The purpose is to be able to filter out particular content types from a mounted context. The following example mounts the /servlet/* context, but all .gif files that belong to that context are not served.

  # send all requests under /servlet/ to worker1
  JkMount /servlet/* worker1
  # do not send requests ending with .gif to worker1
  JkUnMount /servlet/*.gif worker1

JkUnMount takes precedence over JkMount directives, meaning that JK will first look for unmount and then for mount directives. The following example will block all .gif files.

  # do not send requests ending with .gif to worker1
  JkUnMount /*.gif worker1
  # The .gif files will not be mounted because JkUnMount takes
  # precedence over JkMount directive
  JkMount /servlet/*.gif worker1

The JkAutoAlias directive automatically aliases webapp context directories into the Apache document space. It enables Apache to serve the static content of a context while Tomcat serves the dynamic content. This directive is used for convenience so that you don't have to put an Apache Alias directive for each application directory inside Tomcat's webapp directory. For security reasons it is strongly recommended that JkMount is used to pass all requests to Tomcat by default and JkUnMount is used to explicitly exclude static content to be served by httpd. It should also be noted that content served by httpd will bypass any security constraints defined in the application's web.xml.

  # enter the full path to the tomcat webapps directory
  JkAutoAlias /opt/tomtact/webapps

The following example shows how to serve the dynamic content of a context with Tomcat and the static content with Apache. The webapps directory has to be accessible by Apache.

  # enter the full path to the tomcat webapps directory
  JkAutoAlias /opt/tomtact/webapps

  # Mount 'servlets-examples' directory. Its physical location
  # is assumed to be in the /opt/tomtact/webapps/servlets-examples
  # ajp13w is a worker defined in the workers.properties
  JkMount /servlets-examples/* ajp13w

  # Unmount desired static content from servlets-examples webapp.
  # This content will be served by the httpd directly.
  JkUnMount /servlets-examples/*.gif ajp13w
  JkUnMount /servlets-examples/*.jpg ajp13w

Note that you can have a single JkAutoAlias directive per virtual host inside your httpd.conf.

JkWorkerProperty is a new directive available from JK 1.2.7 version. It is a convenient method for setting directives that are usually set inside the workers.properties file. The parameter for that directive is a raw line from the workers.properties file.

  # Just like workers.properties but exact line is prefixed
  # with JkWorkerProperty

  # Minimal jk configuration
  JkWorkerProperty worker.list=ajp13w
  JkWorkerProperty worker.ajp13w.type=ajp13
  JkWorkerProperty worker.ajp13w.host=localhost
  JkWorkerProperty worker.ajp13w.port=8009   

JkMountFile is a new directive available from JK 1.2.9 version. It is used for dynamic updates of mount points at runtime. When the mount file is changed, JK will reload its content.

  # Load mount points

  JkMountFile conf/uriworkermap.properties

If the mount point URI starts with an exclamation mark '!' it defines an exclusion in the same way JkUnMount does. If the mount point URI starts with a minus sign '-' the mount point will only be disabled. A disabled mount can be reenabled by deleting the minus sign and waiting for the JkMountFile to reload. An exclusion can be disabled by prefixing it with a minus sign.

  # Sample uriworkermap.properties file

  /servlets-examples/*=ajp13w
  # Do not map .jpeg files
  !/servlets-examples/*.jpeg=ajp13w
  # Make jsp examples initially disabled  
  -/jsp-examples/*=ajp13w

At run time you can change the content of this file. For example, removing minus signs will enable the previously disabled URI mappings. You can add any number of new entries at runtime that reflect the newly deployed applications. Apache will reload the file and update the mount points within a 60 second interval.

There is no way to delete entries by dynamic reloading, but you can disable or exclude mappings.
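
The mount, exclusion ('!') and disabled ('-') rules described in this section, together with the JkUnMount precedence above, as an added Python example (not mod_jk code and not part of the original documentation): it parses a mount file and reports which sensitive probe paths would stay with httpd instead of being forwarded to Tomcat. The sample map and probe paths are constructed; fnmatch only approximates mod_jk's wildcard matching, and "longest pattern wins" and the "*" worker wildcard are assumptions of this model.

```python
"""Audit a uriworkermap.properties file for sensitive paths left to httpd.

Added example, not mod_jk code. fnmatch only approximates mod_jk's wildcard
matching, and "longest pattern wins" is an assumption of this model.
"""
from __future__ import annotations

from fnmatch import fnmatchcase
from typing import NamedTuple


class Rule(NamedTuple):
    pattern: str
    worker: str
    exclude: bool    # '!' prefix: exclusion, like JkUnMount
    disabled: bool   # '-' prefix: entry is present but switched off


def parse_map(text: str) -> list[Rule]:
    """Parse mount file lines of the form [-][!]<uri pattern>=<worker>."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        uri, worker = (part.strip() for part in line.split("=", 1))
        disabled = uri.startswith("-")
        uri = uri[1:] if disabled else uri
        exclude = uri.startswith("!")
        uri = uri[1:] if exclude else uri
        rules.append(Rule(uri, worker, exclude, disabled))
    return rules


def route(path: str, rules: list[Rule]) -> str | None:
    """Return the worker that would receive path, or None if httpd keeps it."""
    active = [r for r in rules if not r.disabled]
    mounts = [r for r in active
              if not r.exclude and fnmatchcase(path, r.pattern)]
    if not mounts:
        return None
    worker = max(mounts, key=lambda r: len(r.pattern)).worker
    # Exclusions are checked after the request has been mapped to a worker.
    # Assumption: an exclusion applies when it names that worker or "*".
    for r in active:
        if (r.exclude and r.worker in (worker, "*")
                and fnmatchcase(path, r.pattern)):
            return None
    return worker


def is_sensitive(path: str) -> bool:
    """WEB-INF content and JSP source must never be served by httpd."""
    lower = path.lower()
    return "/web-inf/" in lower or lower.endswith(".jsp")


def audit(map_text: str, probes: list[str]) -> list[str]:
    """List the sensitive probe paths that would not be forwarded to Tomcat."""
    rules = parse_map(map_text)
    return [p for p in probes if is_sensitive(p) and route(p, rules) is None]


# Constructed sample: the page's map plus one over-broad *.xml exclusion.
SAMPLE_MAP = """
/servlets-examples/*=ajp13w
!/servlets-examples/*.jpeg=ajp13w
!/servlets-examples/*.xml=ajp13w
-/jsp-examples/*=ajp13w
"""

# Constructed probe paths.
PROBES = [
    "/servlets-examples/servlet/HelloWorld",
    "/servlets-examples/images/logo.jpeg",
    "/servlets-examples/WEB-INF/web.xml",
    "/jsp-examples/index.jsp",
]

if __name__ == "__main__":
    for path in audit(SAMPLE_MAP, PROBES):
        print("served by httpd, not Tomcat:", path)
```

A reported path is only exposed if httpd can actually reach the file, for example through an overlapping DocumentRoot, an Alias or JkAutoAlias; otherwise httpd answers with 404.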

Using SetHandler and Environment Variables

As an alternative to the mod_jk specific directives, you can also use SetHandler and environment variables to control which requests are forwarded via which worker. This gives you more flexibility, but the results might be more difficult to understand. If you mix both ways of defining the forwards, in general the mod_jk directives will win.

SetHandler jakarta-servlet forces requests to be handled by mod_jk. If you specify workers neither via JkMount and the related directives nor via the environment variable described below, the first worker in the list of all workers will be chosen. You can use SetHandler for example in Location blocks or, with Apache 2.2, also in RewriteRule.

In order to control the worker using SetEnvIf or RewriteRule for more complex rules, you can set the environment variable JK_WORKER_NAME to the name of your chosen target worker. This enables you to decide on the chosen worker in a more flexible way, including dependencies on cookie values. This feature has been added in version 1.2.19 of mod_jk.

In order to use another variable than JK_WORKER_NAME, you can set the name of this variable via the JkWorkerIndicator directive.

Finally you can define exclusions from mod_jk forwards by setting the environment variable no-jk.

  # Automatically map all encoded urls
  <Location *;jsessionid=>
    SetHandler jakarta-servlet
    SetEnv JK_WORKER_NAME my_worker
  </Location>

  # Map all subdirs to workers via naming rule
  # and exclude static content.
  <Location /apps/>
    SetHandler jakarta-servlet
    SetEnvIf REQUEST_URI ^/apps/([^/]*)/ JK_WORKER_NAME=$1
    SetEnvIf REQUEST_URI ^/apps/([^/]*)/static no-jk
  </Location>

Copyright © 1999-2005, Apache Software Foundation