<html><head><META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>The Apache Tomcat Connectors - Common HowTo - Reverse Proxy HowTo</title><meta name="author" value="Rainer Jung"><meta name="email" value="rjung@apache.org"><link href="../style.css" type="text/css" rel="stylesheet"></head><body bgcolor="#ffffff" text="#000000" link="#525D76" alink="#525D76" vlink="#525D76"><table border="0" width="100%" cellspacing="4"><!--PAGE HEADER--><tr><td colspan="2"><!--TOMCAT LOGO--><a href="http://tomcat.apache.org/"><img src="../images/tomcat.gif" align="left" alt="Apache Tomcat" border="0"></a><!--APACHE LOGO--><a href="http://www.apache.org/"><img src="http://www.apache.org/images/asf-logo.gif" align="right" alt=" :: Apache Software Foundation" border="0"></a></td></tr><!--HEADER SEPARATOR--><tr><td colspan="2"><hr noshade size="1"></td></tr><tr><!--LEFT SIDE NAVIGATION--><td width="20%" valign="top" nowrap="true"><p><strong>Links</strong></p><ul><li><a href="../index.html">Docs Home</a></li></ul><p><strong>Common HowTo</strong></p><ul><li><a href="../common_howto/quick.html">For the impatient</a></li><li><a href="../common_howto/workers.html">All about workers</a></li><li><a href="../common_howto/timeouts.html">Timeouts</a></li><li><a href="../common_howto/loadbalancers.html">Load Balancing</a></li><li><a href="../common_howto/proxy.html">Reverse Proxy</a></li></ul><p><strong>Webserver HowTo</strong></p><ul><li><a href="../webserver_howto/apache.html">Apache HTTP Server</a></li><li><a href="../webserver_howto/iis.html">IIS</a></li><li><a href="../webserver_howto/nes.html">Netscape/SunOne/Sun</a></li></ul><p><strong>Reference Guide</strong></p><ul><li><a href="../reference/workers.html">workers.properties</a></li><li><a href="../reference/uriworkermap.html">uriworkermap.properties</a></li><li><a href="../reference/status.html">Status Worker</a></li><li><a href="../reference/apache.html">Apache HTTP Server</a></li><li><a href="../reference/iis.html">IIS</a></li></ul><p><strong>AJP Protocol Reference</strong></p><ul><li><a href="../ajp/ajpv13a.html">AJPv13</a></li><li><a href="../ajp/ajpv13ext.html">AJPv13 Extension Proposal</a></li></ul><p><strong>Miscellaneous Documentation</strong></p><ul><li><a href="../miscellaneous/faq.html">Frequently asked questions</a></li><li><a href="../miscellaneous/changelog.html">Changelog</a></li><li><a href="http://issues.apache.org/bugzilla/buglist.cgi?query_format=advanced&short_desc_type=allwordssubstr&short_desc=&product=Tomcat+Connectors&long_desc_type=substring&long_desc=&bug_file_loc_type=allwordssubstr&bug_file_loc=&keywords_type=allwords&keywords=&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&emailassigned_to1=1&emailtype1=substring&email1=&emailassigned_to2=1&emailreporter2=1&emailcc2=1&emailtype2=substring&email2=&bugidtype=include&bug_id=&votes=&chfieldfrom=&chfieldto=Now&chfieldvalue=&cmdtype=doit&order=Reuse+same+sort+as+last+time&field0-0-0=noop&type0-0-0=noop&value0-0-0=">Current Tomcat Connectors bugs</a></li><li><a href="../miscellaneous/doccontrib.html">Contribute documentation</a></li><li><a href="../miscellaneous/jkstatustasks.html">JK Status Ant Tasks</a></li><li><a href="../miscellaneous/reporttools.html">Reporting Tools</a></li><li><a href="http://tomcat.apache.org/connectors-doc-archive/jk2/index.html">Old JK/JK2 documentation</a></li></ul><p><strong>News</strong></p><ul><li><a href="../news/20140201.html">2014</a></li><li><a href="../news/20120301.html">2012</a></li><li><a href="../news/20110701.html">2011</a></li><li><a href="../news/20100101.html">2010</a></li><li><a href="../news/20090301.html">2009</a></li><li><a href="../news/20081001.html">2008</a></li><li><a href="../news/20070301.html">2007</a></li><li><a href="../news/20060101.html">2006</a></li><li><a href="../news/20050101.html">2005</a></li><li><a href="../news/20041100.html">2004</a></li></ul></td><!--RIGHT SIDE MAIN BODY--><td width="80%" valign="top" align="left"><table border="0" width="100%" cellspacing="4"><tr><td align="left" valign="top"><h1>The Apache Tomcat Connectors - Common HowTo</h1><h2>Reverse Proxy HowTo</h2></td><td align="right" valign="top" nowrap="true"><small><a href="printer/proxy.html"><img src="../images/printer.gif" border="0" alt="Printer Friendly Version"><br>print-friendly<br>version </a></small></td></tr></table><table border="0" cellspacing="0" cellpadding="2" width="100%"><tr><td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Introduction"><strong>Introduction</strong></a></font></td></tr><tr><td><blockquote> <br> <p>The Apache module mod_jk and its ISAPI and NSAPI variants connect a web server to a backend (typically Tomcat) using the AJP protocol. The web server receives an HTTP(S) request and the module forwards the request to the backend. This function is usually called a gateway or a proxy, in the context of HTTP it is called a reverse proxy. </p> </blockquote></td></tr></table><table border="0" cellspacing="0" cellpadding="2" width="100%"><tr><td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Typical Problems"><strong>Typical Problems</strong></a></font></td></tr><tr><td><blockquote> <br> <p>A reverse proxy is not totally transparent to the application on the backend. For instance the host name and port the original client (e.g. browser) needs to talk to belong to the web server and not to the backend, so the reverse proxy talks to a different host name and port. When the application on the backend returns content including self-referential URLs using its own backend address and port, the client will usually not be able to use these URLs. </p> <p>Another example is the client IP address, which for the web server is the source IP of the incoming connection, whereas for the backend the connection always comes from the web server. This can be a problem, when the client IP is used by the backend application e.g. for security reasons. </p> </blockquote></td></tr></table><table border="0" cellspacing="0" cellpadding="2" width="100%"><tr><td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="AJP as a Solution"><strong>AJP as a Solution</strong></a></font></td></tr><tr><td><blockquote> <br> <p>Most of these problems are automatically handled by the AJP protocol and the AJP connectors of the backend. The AJP protocol transports this communication metadata and the backend connector presents this metadata whenever the application asks for it using Servlet API methods. </p> <p>The following list contains the communication metadata handled by AJP and the ServletRequest/HttpServletRequest API calls which can be used to retrieve them: <ul> <li>local name: <b class="code">getLocalName()</b>. This is also equal to <b class="code">getServerName()</b>, unless a <b class="code">Host</b> header is contained in the request. In this case the server name is taken from that header. </li> <li>local IP address: <b class="code">getLocalAddr()</b>. The local IP address was initially not supported. It is available when using mod_jk 1.2.41 with Apache or IIS (not for the NSAPI plugin) together with Tomcat version at least 6.0.42, 7.0.55 or 8.0.11. For older versions, <b class="code">getLocalAddr()</b> will incorrectly return the same result as <b class="code">getLocalName()</b>. As a workaround you can forward the local IP address by setting <b class="code">JkEnvVar SERVER_ADDR</b> and then either using <b class="code">request.getAttribute("SERVER_ADDR")</b> instead of <b class="code">getLocalAddr()</b> or wrapping the request using a filter and overriding <b class="code">getLocalAddr()</b> with <b class="code">request.getAttribute("SERVER_ADDR")</b>. </li> <li>local port: <b class="code">getLocalPort()</b>. This is also equal to <b class="code">getServerPort()</b>, unless a <b class="code">Host</b> header is contained in the request. In this case the server port is taken from that header if it contains an explicit port, or is equal to the default port of the scheme used. </li> <li>client address: <b class="code">getRemoteAddr()</b> </li> <li>client port: <b class="code">getRemotePort()</b>. The remote port was initially not supported. It is available when using mod_jk 1.2.32 with Apache or IIS (not for the NSAPI plugin) together with Tomcat version at least 5.5.28, 6.0.20 or 7.0.0. For older versions, <b class="code">getRemotePort()</b> will incorrectly return 0 or -1. As a workaround you can forward the remote port by setting <b class="code">JkEnvVar REMOTE_PORT</b> and then either using <b class="code">request.getAttribute("REMOTE_PORT")</b> instead of <b class="code">getRemotePort()</b> or wrapping the request using a filter and overriding <b class="code">getRemotePort()</b> with <b class="code">request.getAttribute("REMOTE_PORT")</b>. </li> <li>client host: <b class="code">getRemoteHost()</b> </li> <li>authentication type: <b class="code">getAuthType()</b> </li> <li>remote user: <b class="code">getRemoteUser()</b>, if <b class="code">tomcatAuthentication="false"</b> </li> <li>protocol: <b class="code">getProtocol()</b> </li> <li>HTTP method: <b class="code">getMethod()</b> </li> <li>URI: <b class="code">getRequestURI()</b> </li> <li>HTTPS used: <b class="code">isSecure()</b>, <b class="code">getScheme()</b> </li> <li>query string: <b class="code">getQueryString()</b> </li> </ul> The following additional SSL-related data will be made available by Apache and forwarded by mod_jk only if you set <b class="code">SSLOptions +StdEnvVars</b>. For the certificate information you also need to set <b class="code">SSLOptions +ExportCertData</b>. <ul> <li>SSL cipher: <b class="code">getAttribute(javax.servlet.request.cipher_suite)</b> </li> <li>SSL key size: <b class="code">getAttribute(javax.servlet.request.key_size)</b>. Can be disabled using <b class="code">JkOptions -ForwardKeySize</b>. </li> <li>SSL client certificate: <b class="code">getAttribute(javax.servlet.request.X509Certificate)</b>. If you want the whole certificate chain, then you need to also set <b class="code">JkOptions ForwardSSLCertChain</b>. It is likely, that in this case you also need to adjust the maximal AJP packet size using the worker attribute <a href="../reference/workers.html">max_packet_size</a>. </li> <li>SSL session ID: <b class="code">getAttribute(javax.servlet.request.ssl_session)</b>. This is for Tomcat, it has not yet been standardized. </li> </ul> </p> </blockquote></td></tr></table><table border="0" cellspacing="0" cellpadding="2" width="100%"><tr><td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Fine Tuning"><strong>Fine Tuning</strong></a></font></td></tr><tr><td><blockquote> <br> <p>In some situations this is not enough though. Assume there is another less clever reverse proxy in front of your web server, for instance an HTTP load balancer or similar device which also serves as an SSL accelerator. </p> <p>Then you are sure that all your clients use HTTPS, but your web server doesn't know about that. All it can see is requests coming from the accelerator using plain HTTP. </p> <p>Another example would be a simple reverse proxy in front of your web server, so that the client IP address that your web server sees is always the IP address of this reverse proxy, and not of the original client. Often such reverse proxies generate an additional HTTP header, like <b class="code">X-Forwareded-for</b> which contains the original client IP address (or a list of IP addresses, if there are more cascading reverse proxies in front). It would be nice, if we could use the content of such a header as the client IP address to pass to the backend. </p> <p>So we might need to manipulate some of the data that AJP sends to the backend. When using mod_jk inside Apache httpd you can use several httpd environment variables to let mod_jk know, which data it should forward. These environment variables can be set by the httpd directives SetEnv or SetEnvIf, but also in a very flexible way using mod_rewrite (since httpd 2.x it can not only test against environment variables, but also set them). </p> <p>The following list contains all environment variables mod_jk checks, before sending data to the backend: <ul> <li>JK_LOCAL_NAME: the local name </li> <li>JK_LOCAL_PORT: the local port </li> <li>JK_REMOTE_HOST: the client host </li> <li>JK_REMOTE_ADDR: the client address </li> <li>JK_AUTH_TYPE: the authentication type </li> <li>JK_REMOTE_USER: the remote user </li> <li>HTTPS: On (case-insensitive) to indicate, that HTTPS is used </li> <li>SSL_CIPHER: the SSL cipher </li> <li>SSL_CIPHER_USEKEYSIZE: the SSL key size </li> <li>SSL_CLIENT_CERT: the SSL client certificate </li> <li>SSL_CLIENT_CERT_CHAIN_: prefix of variable names, containing the client cerificate chain </li> <li>SSL_SESSION_ID: the SSL session ID </li> </ul> </p> <p>Remember: in general you don't need to set them. The module retrieves the data automatically from the web server. Only in case you want to change this data, you can overwrite it by using these variables. </p> <p>Some of these variables might also be used by other web server modules. All variables whose name does not begin with "JK" are set directly by Apache httpd. If you want to change the data, but do not want to negatively influence the behaviour of other modules, you can change the names of all variables mod_jk uses to private ones. For the details see the <a href="../reference/apache.html">Apache reference</a> page. </p> <p>All variables, that are not SSL-related have only been introduced in version 1.2.27. </p> <p>In addition there are two special shortcuts to influence the client IP address that is forwarded. Using <b class="code">JkOptions ForwardLocalAddress</b> you can forward the local IP address of the web server as the client IP address. This can be useful, e.g. when using the Tomcat remote address valve for allowing connections only from registered Apache web servers. Using <b class="code">JkOptions ForwardPhysicalAddress</b> you always forward the physical peer IP address as the client address. By default mod_jk uses the logical address as provided by the web server. For example the module mod_remoteip sets the logical IP address to the client IP forwarded by proxies in the <b class="code">X-Forwarded-For</b> header. </p> </blockquote></td></tr></table><table border="0" cellspacing="0" cellpadding="2" width="100%"><tr><td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Tomcat AJP Connector Settings"><strong>Tomcat AJP Connector Settings</strong></a></font></td></tr><tr><td><blockquote> <br> <p>As an alternative to using the environment variables described in the previous section (which do only exist when using Apache httpd), you can also configure Tomcat to overwrite some of the communications data forwarded by mod_jk. The AJP connector in Tomcat's <b class="code">server.xml</b> allows to set the <a href="http://tomcat.apache.org/tomcat-6.0-doc/config/ajp.html#Attributes">following properties</a>: <ul> <li>proxyName: server name as returned by <b class="code">getServerName()</b> </li> <li>proxyPort: server port as returned by <b class="code">getServerPort()</b> </li> <li>scheme: protocol scheme as returned by <b class="code">getScheme()</b> </li> <li>secure: set to "true", if you wish <b class="code">isSecure()</b> to return "true". </li> </ul> Remember: in general you don't need to set those. AJP automatically handles all cases where the web server running mod_jk knows the right data. </p> </blockquote></td></tr></table><table border="0" cellspacing="0" cellpadding="2" width="100%"><tr><td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="URL Handling"><strong>URL Handling</strong></a></font></td></tr><tr><td><blockquote> <br> <table border="0" cellspacing="0" cellpadding="2" width="100%"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="URL Rewriting"><strong>URL Rewriting</strong></a></font></td></tr><tr><td><blockquote> <p>Sometimes one want to change path components of the URLs under which an application is available. Especially if a web application is deployed as some context, say <b class="code">/myapp</b>, marketing prefers short URLs, so want the application to be directly available under <b class="code">http://www.mycompany.com/</b>. Although you can deploy the application as the so-called ROOT context, which will be directly available at "/", admins often prefer not to use the ROOT context, e.g. because only one application can be the root context (per host). </p> <p>The procedure to change the URLs in the reverse proxy is tedious, because often an application produces self-referential URLs, which then include the path components which you tried to hide to the outside world. Nevertheless, if you absolutely need to do it, here are the steps. </p> <p>Case A: You need to make the application available at a simple URL, but it is OK, if users proceed using the more complex URLs, as long as they don't have to type them in. That's the easy case, and if this suffices to you, you're lucky. Use a simply RedirectMatch for Apache httpd: </p> <div class="example"><pre> RedirectMatch ^/$ http://www.mycompany.com/myapp/ </pre></div> <p>Your application will then be available under <b class="code">http://www.mycompany.com/</b>, and each visitor will be immediately redirected to the real URL <b class="code">http://www.mycompany.com/myapp/</b> </p> <p>Case B: You need to hide path components for all requests going to the application. Here's the recipe for the case, where you want to hide the first path component <b class="code">/myapp</b>. More complex manipulations are left as an exercise to the reader. First the solution for the case of Apache httpd: </p> <p>1. Use <a href="http://httpd.apache.org/docs/current/mod/mod_rewrite.html"><b class="code">mod_rewrite</b></a> to add <b class="code">/myapp</b> to all requests before forwarding to the backend: </p> <div class="example"><pre> # Don't forget the PT flag! (pass through) RewriteRule ^/(.*) http://www.mycompany.com/myapp/$1 [PT] </pre></div> <p>2. Use <a href="http://httpd.apache.org/docs/current/mod/mod_headers.html"><b class="code">mod_headers</b></a> to rewrite any HTTP redirects your application might return. Such redirects typically contain the path components you want to hide, because by the HTTP standard, redirects always need to include the full URL, and your application is not aware of the fact, that your clients talk to it via some shortened URL. An HTTP redirect is done with a special response header named <b class="code">Location</b>. We rewrite the Location headers of our responses: </p> <div class="example"><pre> # Keep protocol, server and port if present, # but insert our webapp name before the rest of the URL Header edit Location ^([^/]*//[^/]*)?/(.*)$ $1/myapp/$2 </pre></div> <p>3. Use <b class="code">mod_headers</b> again, to rewrite the paths contained in any cookies, your application might set. Such cookie paths again might contain the path components you want to hide. A cookie is set with the HTTP response header named <b class="code">Set-Cookie</b>. We rewrite the Set-Cookie headers of our responses: </p> <div class="example"><pre> # Fix the cookie path Header edit Set-Cookie "^(.*; Path=/)(.*)" $1/myapp/$2 </pre></div> <p>3. Some applications might contain hard coded absolute links. In this case check, whether you find a configuration item for your web framework to configure the base URL. If not, your only chance is to parse all response content bodies and do search and replace. This is fragile and very resource intensive. If you really need to do this, you can use <a href="http://apache.webthing.com/mod_proxy_html/"><b class="code">mod_proxy_html</b></a>, <a href="http://httpd.apache.org/docs/current/mod/mod_substitute.html"><b class="code">mod_substitute</b></a> or <a href="http://blogs.sun.com/basant/entry/using_mod_sed_to_filter"><b class="code">mod_sed</b></a> for this task. </p> <p>If you are using Microsoft IIS as a web server, the ISAPI plugin provides a way of doing the first step with a builtin feature. You define a mapping file for simple prefix changes like this: </p> <div class="example"><pre> # Add a context prefix to all requests ... /=/myapp/ # ... or change some prefix ... /oldapp/=/myapp/ </pre></div> <p>and then put the name of the file in the <b class="code">rewrite_rule_file</b> entry of the registry or your <b class="code">isapi_redirect.properties</b> file. In your <b class="code">uriworkermap.properties</b> file, you still need to map the URLs as they are before rewriting! </p> <p>More complex rewrites can be done using the same file, but with regular expressions. A leading tilde sign '<b class="code">~</b>', indicates, that you are using a regular expression: </p> <div class="example"><pre> # Use a regular expression rewrite ~/oldapps([0-9]*)/=/newapps$1/ </pre></div> <p>There is no support for Steps 2 (rewriting redirect responses) or 3 (rewriting cookie paths). </p> </blockquote></td></tr></table> <table border="0" cellspacing="0" cellpadding="2" width="100%"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="URL Encoding"><strong>URL Encoding</strong></a></font></td></tr><tr><td><blockquote> <p>Some types of problems are triggered by the use of encoded URLs (see <a href="http://en.wikipedia.org/wiki/Percent-encoding">percent encoding</a>). For the same location there exist a lot of different URLs which are equivalent. The reverse proxy needs to inspect the URL in order to apply its own authentication rules and to decide, to which backend it should send the request (or whether it should handle it itself). Therefore the request URL first is normalized: percent encoded characters are decoded, <b class="code">/./</b> is replaced by <b class="code">/</b>, <b class="code">/XXX/../</b> is replaced by <b class="code">/</b> and similar manipulations of the URL are done. After that, the web server might apply rewrite rules to further change the URL in less obvious ways. Finally there is no more way to put the resulting URL in an encoding, which is "similar" to the one which was used for the original URL. </p> <p> For historical reasons, there have been several alternatives, how mod_jk and the ISAPI plugin encoded the resulting URL before sending it to the backend. They could be chosen via <b class="code">JkOptions</b> (Apache httpd) or <b class="code">uri_select</b> (ISAPI). None of those historical encodings are recommended, because they have either negative functionality implications or pose a security risk. The default encoding since version 1.2.24 is <b class="code">ForwardURIProxy</b> (Apache httpd) or <b class="code">proxy</b> (ISAPI) and it is strongly recommended to keep the default and remove all old explicit settings. </p> </blockquote></td></tr></table> </blockquote></td></tr></table><table border="0" cellspacing="0" cellpadding="2" width="100%"><tr><td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Request Attributes"><strong>Request Attributes</strong></a></font></td></tr><tr><td><blockquote> <br> <p> You can also add more attributes to any request you are forwarding when using Apache httpd. For this use the <b class="code">JkEnvVar</b> directive (for details see the <a href="../reference/apache.html">Apache reference</a> page). Such request attributes can be retrieved on the Tomcat side via request.getAttribute(attributeName). Note that their names will not be listed in request.getAttributeNames()! </p> </blockquote></td></tr></table></td></tr><!--FOOTER SEPARATOR--><tr><td colspan="2"><hr noshade size="1"></td></tr><!--PAGE FOOTER--><tr><td colspan="2"><div align="center"><font color="#525D76" size="-1"><em> Copyright © 1999-2015, Apache Software Foundation </em></font></div></td></tr></table></body></html>