Proxy Support How-To
Table of Contents
Introduction
Using standard configurations of Tomcat, web applications can ask for the server name and port number to which the request was directed for processing. When Tomcat is running standalone with the HTTP/1.1 Connector, it will generally report the server name specified in the request, and the port number on which the Connector is listening. The servlet API calls of interest, for this purpose, are:
ServletRequest.getServerName()
: Returns the host name of the server to which the request was sent.ServletRequest.getServerPort()
: Returns the port number of the server to which the request was sent.ServletRequest.getLocalName()
: Returns the host name of the Internet Protocol (IP) interface on which the request was received.ServletRequest.getLocalPort()
: Returns the Internet Protocol (IP) port number of the interface on which the request was received.
When you are running behind a proxy server (or a web server that is
configured to behave like a proxy server), you will sometimes prefer to
manage the values returned by these calls. In particular, you will
generally want the port number to reflect that specified in the original
request, not the one on which the Connector itself is
listening. You can use the proxyName
and proxyPort
attributes on the <Connector>
element to configure
these values.
Proxy support can take many forms. The following sections describe proxy configurations for several common cases.
Apache httpsd Proxy Support
Apache httpsd 1.3 and later versions support an optional module
(mod_proxy
) that configures the web server to act as a proxy
server. This can be used to forward requests for a particular web application
to a Tomcat instance, without having to configure a web connector such as
mod_jk
. To accomplish this, you need to perform the following
tasks:
Configure your copy of Apache so that it includes the
mod_proxy
module. If you are building from source, the easiest way to do this is to include the--enable-module=proxy
directive on the./configure
command line.If not already added for you, make sure that you are loading the
mod_proxy
module at Apache startup time, by using the following directives in yourhttpsd.conf
file:LoadModule proxy_module {path-to-modules}/mod_proxy.so
Include two directives in your
httpsd.conf
file for each web application that you wish to forward to Tomcat. For example, to forward an application at context path/myapp
:ProxyPass /myapp https://localhost:8081/myapp ProxyPassReverse /myapp https://localhost:8081/myapp
which tells Apache to forward URLs of the form
https://localhost/myapp/*
to the Tomcat connector listening on port 8081.Configure your copy of Tomcat to include a special
<Connector>
element, with appropriate proxy settings, for example:<Connector port="8081" ... proxyName="www.mycompany.com" proxyPort="80"/>
which will cause servlets inside this web application to think that all proxied requests were directed to
www.mycompany.com
on port 80.It is legal to omit the
proxyName
attribute from the<Connector>
element. If you do so, the value returned byrequest.getServerName()
will by the host name on which Tomcat is running. In the example above, it would belocalhost
.If you also have a
<Connector>
listening on port 8080 (nested within the same Service element), the requests to either port will share the same set of virtual hosts and web applications.You might wish to use the IP filtering features of your operating system to restrict connections to port 8081 (in this example) to be allowed only from the server that is running Apache.
Alternatively, you can set up a series of web applications that are only available via proxying, as follows:
When requests are proxied by Apache, the web server will be recording these requests in its access log. Therefore, you will generally want to disable any access logging performed by Tomcat itself.
When requests are proxied in this manner, all requests
for the configured web applications will be processed by Tomcat (including
requests for static content). You can improve performance by using the
mod_jk
web connector instead of mod_proxy
.
mod_jk
can be configured so that the web server serves static
content that is not processed by filters or security constraints defined
within the web application's deployment descriptor
(/WEB-INF/web.xml
).