papyri/md/tomcat_configuration.md
2024-03-20 11:40:22 -05:00


# Tomcat Configuration
## Contents
- [tomcat.sysvinit](#tomcatsysvinit)
- [custom.properties](#customproperties)
- [httpd\_proxy.conf](#httpd_proxyconf)
- [httpd\_jk.conf](#httpd_jkconf)
- [workers.properties](#workersproperties)
- [uriworkers.properties](#uriworkersproperties)
- [server.xml](#serverxml)
- [References](#references)

Articles in this series:

- [Tomcat Mechanics](tomcat_mechanics.md)
- **Tomcat Configuration**
- [Tomcat Packaging](tomcat_packaging.md)
- [Tomcat Logging](tomcat_logging.md)
## tomcat.sysvinit
Advanced SysVinit script:
```
#!/bin/bash
#
# Startup script for Tomcat
#
# chkconfig: 345 82 20
# description: Tomcat is a servlet runner
LOCALDIR=/usr/local
JAVA_HOME=$LOCALDIR/java
CATALINA_HOME=$LOCALDIR/tomcat
CPFILE=$LOCALDIR/etc/custom.properties
XMFILE=$LOCALDIR/etc/server.xml
export LOCALDIR JAVA_HOME CATALINA_HOME
# Configure as needed for the specific apps
JAVA_OPTS="-server -Xms1536m -Xmx1536m -Xmn384m -XX:+UseParallelGC"
export JAVA_OPTS
# Disable NPTL if necessary
#LD_ASSUME_KERNEL=2.4.1
#export LD_ASSUME_KERNEL
# Source various Catalina options as needed
CATALINA_OPTS=""
# Each line of CPFILE becomes a JVM -D option, so keep that file
# writable by root only.
while read -r OPTION && [[ "$OPTION" != end ]]
do
    # drop leading whitespace
    OPTION="${OPTION#"${OPTION%%[![:space:]]*}"}"
    # skip comments
    [ "${OPTION#\#}" == "${OPTION}" ] || continue
    # skip blank lines
    [ -n "${OPTION}" ] || continue
    CATALINA_OPTS="$CATALINA_OPTS -D$OPTION"
done < "$CPFILE"
export CATALINA_OPTS
# See how we were called.
case "$1" in
    start)
        cd $CATALINA_HOME
        ./bin/startup.sh -config $XMFILE
        ;;
    stop)
        cd $CATALINA_HOME
        ./bin/shutdown.sh -config $XMFILE
        ;;
    restart)
        $0 stop
        sleep 3
        $0 start
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}"
        exit 1
esac
exit 0
```
## custom.properties
For use in the `CPFILE` setting of the initscript:
```
# A way to dynamically include Java properties (-Dfoo=bar)
# from the commandline initscript (see *.sysvinit)
#
java.library.path=/usr/local/lib
java.awt.headless=true
java.util.logging.config.file=/usr/local/etc/logging.properties
```
## httpd\_proxy.conf
Using `mod_proxy_ajp.so` as shipped with Apache:
```
## http://httpd.apache.org/docs/2.2/mod/mod_proxy.html
<IfModule mod_proxy_ajp.c>
## Global variables
ProxyRequests off
ProxyPreserveHost on
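## This is a status handler for controlling the balancers.
## It can change balancer members at runtime, so limit who can reach it.
ProxyPass /balancer-manager !
<Location /balancer-manager>
SetHandler balancer-manager
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
</Location>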
## Direct passing
ProxyPass /webapp1 ajp://192.168.66.226:8009/mywebapp1
ProxyPassReverse /webapp1 ajp://192.168.66.226:8009/mywebapp1
## By location directives
<Location "/resources">
Allow from all
ProxyPass ajp://192.168.66.226:8009/resources maxattempts=3
# ProxyPassReverse takes only the URL here, no key=value parameters
ProxyPassReverse ajp://192.168.66.226:8009/resources
</Location>
## Load balancer with various options
# Each Tomcat server.xml must have a matching jvmRoute, like so:
# <Engine name="Catalina" defaultHost="localhost" jvmRoute="t226">
# <Engine name="Catalina" defaultHost="localhost" jvmRoute="t227">
# <Engine name="Catalina" defaultHost="localhost" jvmRoute="t228">
#
# Be aware this bug exists in ProxyPassReverse with balancer://
# https://issues.apache.org/bugzilla/show_bug.cgi?id=51982
ProxyPass / balancer://javacluster/
ProxyPassReverse / ajp://192.168.66.226:8009/
ProxyPassReverse / ajp://192.168.66.227:8009/
ProxyPassReverse / ajp://192.168.66.228:8009/
<Proxy balancer://javacluster>
ProxySet lbmethod=byrequests
ProxySet timeout=15
ProxySet nofailover=on
ProxySet stickysession=JSESSIONID
BalancerMember ajp://192.168.66.226:8009 loadfactor=1 keepalive=On route=t226
BalancerMember ajp://192.168.66.227:8009 loadfactor=1 keepalive=On route=t227
# This is a hot standby
BalancerMember ajp://192.168.66.228:8009 status=+H keepalive=On route=t228
</Proxy>
</IfModule>
```
## httpd\_jk.conf
Using `mod_jk.so` compiled from the Tomcat Connector source:
```
## See the official site for full descriptions and examples
## http://tomcat.apache.org/connectors-doc/reference/apache.html
# Loading the core mod_jk.so (the module identifier is jk_module)
LoadModule jk_module /usr/local/lib/mod_jk.so
# Logging
JkLogFile /var/log/httpd/mod_jk.log
JkLogLevel error
#
# Max format length 63
# JkLogStampFormat "[%a %b %d %H:%M:%S.%Q %Y]"
#
# JkRequestLogFormat "%w %T %s %U%q"
# Shared memory file name. Used by balancer and status workers.
JkShmFile /var/log/httpd/mod_jk.shm
#
# The default value depends on the platform.
# JkShmSize 256
# The directive JkOptions allows you to set many forwarding options, which you
# enable (+) or disable (-). See the documentation.
# JkOptions +ForwardURIProxy
# JkOptions +ForwardURICompatUnparsed
# JkOptions +ForwardURICompat
# JkOptions +ForwardURIEscaped
# JkOptions +RejectUnsafeURI
# JkOptions +ForwardDirectories
# JkOptions +ForwardLocalAddress
# JkOptions +FlushPackets
# JkOptions +FlushHeader
# JkOptions +DisableReuse
# JkOptions +ForwardKeySize
# JkOptions +ForwardSSLCertChain
# The name of a worker file for the Tomcat servlet containers.
JkWorkersFile /usr/local/etc/workers.properties
# Enables setting worker properties inside Apache configuration file.
# JkWorkerProperty worker.node1.connect_timeout=60
# Name of the Apache environment variable that can be used to set worker
# names in combination with SetHandler jakarta-servlet.
# JkWorkerIndicator JK_WORKER_NAME
# This directive configures the watchdog thread interval in seconds. (1.2.27+)
# JkWatchdogInterval 60
# Turns on SSL processing and information gathering by mod_jk
# In order to make SSL data available for mod_jk in Apache, you need to set
# SSLOptions +StdEnvVars. For the certificate information you also need to add
# SSLOptions +ExportCertData.
JkExtractSSL On
# JkHTTPSIndicator HTTPS
# JkCERTSIndicator SSL_CLIENT_CERT
# JkCIPHERIndicator SSL_CIPHER
# JkCERTCHAINPrefix SSL_CLIENT_CERT_CHAIN_
# JkSESSIONIndicator SSL_SESSION_ID
# JkKEYSIZEIndicator SSL_CIPHER_USEKEYSIZE
# Adds a name and an optional default value of environment variable that
# should be sent to servlet-engine as a request attribute.
# JkEnvVar SSL_CLIENT_V_START undefined
#
# Environment variables (1.2.28+)
# JkLocalNameIndicator JK_LOCAL_NAME
# JkLocalPortIndicator JK_LOCAL_PORT
# JkRemoteHostIndicator JK_REMOTE_HOST
# JkRemoteAddrIndicator JK_REMOTE_ADDR
# JkRemotePortIndicator JK_REMOTE_PORT (1.2.32+)
# JkRemoteUserIndicator JK_REMOTE_USER
# JkAuthTypeIndicator JK_AUTH_TYPE
# If this directive is set to On in some virtual server, the session
# IDs ;jsessionid=... will be removed for non matched URLs. (1.2.21+)
#
# JkStripSession Off
# File containing multiple mappings from a context to a Tomcat worker.
# JkMountFile /usr/local/etc/uriworkermap.properties
#
# This directive configures the reload check interval in seconds.
# If you set this directive to "0", reload checking is turned off.
# JkMountFileReload 60
# Automount a webapp by name
# JkAutoAlias /usr/local/tomcat/webapps
# A mount point from a context to a Tomcat worker.
JkMount /*.jsp loadbalancer
<VirtualHost *:80>
...
# Copy mounts from global defs
JkMountCopy On
# A mount point for this vhost only
JkMount /foosball/*.jsp node1
#
# Remove a sub-path from the mount
# JkUnMount /foosball/images node1
# Protect web.xml and other sensitive files (think .htaccess)
<Location /foosball/WEB-INF>
Order Deny,Allow
Deny from all
</Location>
# Setting advanced env vars on the fly
# JK_WORKER_NAME (1.2.19+)
# JK_REPLY_TIMEOUT (1.2.27+)
#
# Automatically map all encoded urls
<Location *;jsessionid=>
SetHandler jakarta-servlet
SetEnv JK_WORKER_NAME my_worker
</Location>
#
# Map all subdirs to workers via naming rule
# and exclude static content.
<Location /apps/>
SetHandler jakarta-servlet
SetEnvIf REQUEST_URI ^/apps/([^/]*)/ JK_WORKER_NAME=$1
SetEnvIf REQUEST_URI ^/apps/([^/]*)/ JK_REPLY_TIMEOUT=60
SetEnvIf REQUEST_URI ^/apps/([^/]*)/static no-jk
</Location>
...
</VirtualHost>
```
## workers.properties
For `mod_jk.so` use:
```
## http://tomcat.apache.org/connectors-doc/reference/workers.html
## workers.properties
#
# This file provides jk derived plugins with the needed information to
# connect to the different tomcat workers.
#
# As a general note, the characters $( and ) are used internally to define
# macros. Do not use them in your own configuration!!!
#
# Whenever you see a set of lines such as:
# x=value
# y=$(x)\something
#
# the final value for y will be value\something
#
# workers.tomcat_home should point to the location where you
# installed tomcat. This is where you have your conf, webapps and lib
# directories.
#
workers.tomcat_home=/usr/local/tomcat
# workers.java_home should point to your Java installation. Normally
# you should have a bin and lib directories beneath it.
#
workers.java_home=/usr/java
# You should configure your environment slash... ps=\ on NT and / on UNIX
# and maybe something different elsewhere.
#
ps=/
# Worker connection pool maintain timeout in seconds. If set to the positive
# value JK will scan all connections for all workers specified in
# worker.list directive and check if connections needs to be recycled.
#
worker.maintain=60
# The workers that your plugins should create and work with
#
worker.list=loadbalancer,node1,status
##############################################################################
#
# worker.<name>.type
#
# Type of the worker (can be one of ajp13, ajp14, lb or status).
# The type of the worker defines the directives that can be applied to the
# worker.
#
#! JNI workers have been deprecated.
#! They will likely not work. Do not use them.
##############################################################################
# The loadbalancer (type lb) workers perform weighted round-robin
# load balancing with sticky sessions.
# Note:
# ----> If a worker dies, the load balancer will check its state
# once in a while. Until then all work is redirected to peer
# workers.
#
worker.loadbalancer.type=lb
# A comma separated list of workers that the load balancer need to manage.
# (1.2.7+)
#
worker.loadbalancer.balance_workers=node1
# Specifies whether requests with SESSION ID's should be routed back to the
# same Tomcat worker. If sticky_session is set to True or 1 sessions are
# sticky, otherwise sticky_session is set to False.
#
worker.loadbalancer.sticky_session=true
# Specifies whether requests with SESSION IDs for workers that are in error
# state should be rejected. If sticky_session_force is set to True or 1 and
# the worker that matches that SESSION ID is in error state, the client will
# receive 500 (Server Error). If set to False or 0, failover to another
# worker will be issued, losing the client session. This directive is
# used only when you set sticky_session=True. (1.2.9+)
#
worker.loadbalancer.sticky_session_force=false
# Specifies what method load balancer is using for electing best worker.
# (1.2.9+)
# If method is set to R[equest] balancer will use number of requests to find
# the best worker.
# If method is set to S[ession] the balancer will use number of sessions to
# find the best worker. (1.2.20+)
# If set to T[raffic] balancer will use the network traffic
# between JK and Tomcat to find the best worker.
# If set to B[usyness] the balancer will pick the worker with the lowest
# current load, based on how many requests the worker is currently serving.
#
worker.loadbalancer.method=Request
# Specifies what lock method the load balancer will use for synchronizing
# shared memory runtime data. If lock is set to O[ptimistic] balancer will
# not use shared memory lock to find the best worker. If set to P[essimistic]
# balancer will use shared memory lock. The balancer will work more accurately
# in case of Pessimistic locking, but can slow down the average response time.
# (1.2.13+)
#
worker.loadbalancer.lock=Optimistic
# If the load balancer cannot get a valid member worker or in case of
# failover, it will try again a number of times given by retries. Before each
# retry, it will pause for the time defined by the retry_interval directive.
# (1.2.16+)
#
worker.loadbalancer.retries=2
# Space delimited list of uri maps the worker should handle. It is only used
# if the worker is included in worker.list.
#
#worker.loadbalancer.mount=
# Set a default secret word for all defined workers. (1.2.12+)
# Use request.secret="secret key word" in your Tomcat AJP Connector
# configuration.
# If you set a secret on a load balancer, all its members will inherit this
# secret.
#
#worker.loadbalancer.secret=
# If you use a reply_timeout for the members of a load balancer worker, and
# you want to tolerate a few requests taking longer than reply_timeout, you
# can set this attribute to some positive value.
#
# Long running requests will still time out after reply_timeout milliseconds
# waiting for data, but the corresponding member worker will only be put into
# an error state, if more than max_reply_timeouts requests have timed out. More
# precisely, the counter for those bad requests will be divided by two,
# whenever the load balancer does its internal maintenance (by default every
# 60 seconds). (1.2.24+)
#
#worker.loadbalancer.max_reply_timeouts=0
# The recover time is the time in seconds the load balancer will not try to
# use a worker, after it went into error state.
#
#worker.loadbalancer.recover_time=60
# Setting a member of a load balancer into an error state is quite serious.
# E.g. it means that if you need stickiness, all access to the sessions of
# the respective node is blocked. (1.2.28+)
#
#worker.loadbalancer.error_escalation_time= recover_time / 2
# The name of the cookie that contains the routing identifier needed for
# session stickiness. (1.2.27+)
#
#worker.loadbalancer.session_cookie=JSESSIONID
# The name of the path parameter that contains the routing identifier
# needed for session stickiness. (1.2.27+)
#
#worker.loadbalancer.session_path=;jsessionid
##############################################################################
# Defining a worker named node1 and of type ajp13
# Note that the name and the type do not have to match.
#
worker.node1.port=8009
worker.node1.host=localhost
worker.node1.type=ajp13
# Socket timeout in seconds used for communication channel between JK and
# remote host. If remote host does not respond inside that timeout the JK
# will generate an error, and retry again. If set to value zero (default)
# the JK will wait for infinite on all socket operations.
#
worker.node1.socket_timeout=30
# Socket connect timeout in milliseconds used for the communication channel
# between JK and remote host. If the remote host does not respond inside
# the timeout specified, JK will generate an error, and retry again.
#
# Note that socket_timeout is in seconds, and socket_connect_timeout in
# milliseconds, so in absolute terms the default socket_connect_timeout is
# equal to socket_timeout. (1.2.27+)
#
#worker.node1.socket_connect_timeout=socket_timeout*1000
# This directive should be used when you have a firewall between your
# webserver and the Tomcat engine, which tends to drop inactive connections.
# This flag tells the operating system to send KEEP_ALIVE messages on inactive
# connections (interval depends on global OS settings, generally 120ms),
# and thus prevents the firewall from cutting the connection. To enable
# keepalive set this property value to True.
#
worker.node1.socket_keepalive=False
# This flag determines, under which conditions established connections are
# probed to ensure they are still working. The probe is done with an empty
# AJP13 packet (CPing) and expects to receive an appropriate answer (CPong)
# within some timeout. The value of the flag can be any combination of the
# following flags (multiple values are combined without any separators):
#
# C (connect): If set, the connection will be probed once after connecting
# to the backend. The timeout can be set by connect_timeout. If it is not
# set, the value of ping_timeout will be used instead.
# P (prepost): If set, the connection will be probed before sending each
# request to the backend. The timeout can be set by prepost_timeout. If it
# is not set, the value of ping_timeout will be used instead.
# I (interval): If set, the connection will be probed during the regular
# internal maintenance cycle, but only if it is idle longer than
# connection_ping_interval. The timeout can be set by ping_timeout.
# A If set, all of the above probes will be used.
# (1.2.27+)
#
#worker.node1.ping_mode=
# Timeout in milliseconds used when waiting for the CPong answer of a CPing
# connection probe. The activation of the probes is done via ping_mode. The
# timeouts for ping_mode connect and prepost can be overwritten individually
# via connect_timeout and prepost_timeout. (1.2.27+)
#
#worker.node1.ping_timeout=10000
# When using interval connection probing, connections idle for longer than
# this interval in seconds are probed by CPing packets whether they still
# work. (1.2.27+)
#
#worker.node1.connection_ping_interval=0 / (ping_timeout/1000)*10
# This defines the number of connections made to the AJP backend that are
# maintained as a connection pool. It will limit the number of those
# connections that each web server child process can make.
#
# Do not use connection_pool_size with values higher than 1 on Apache 2.x
# prefork or Apache 1.3.x!
#
worker.node1.connection_pool_size=1
# Minimum size of the connection pool that will be maintained.
# This property is used only when the connection_pool_size is specified. Its
# default value is (connection_pool_size+1)/2. (1.2.16+)
#
# Do not use connection_pool_minsize with values higher than 1 on Apache
# 2.x prefork or Apache 1.3.x!
#
#worker.node1.connection_pool_minsize=(pool+1)/2
# Cache timeout property should be used with connection_pool_size to specify
# how long JK should keep an inactive socket in cache before closing it. This
# property should be used to reduce the number of threads on the Tomcat
# WebServer. The default value zero disables the closing (infinite timeout).
#
worker.node1.connection_pool_timeout=60
# Timeout the worker will wait for a free socket in cache before giving up.
# (1.2.27+)
#
#worker.node1.connection_acquire_timeout=retries * retry_interval
# Specifies the load balance factor when used with
# a load balancing worker.
# Note:
# ----> lbfactor must be > 0
# ----> Low lbfactor means less work done by the worker.
#
worker.node1.lbfactor=1
# The connect timeout property tells the webserver to send a PING request on
# the ajp13 connection after the connection is established. The parameter is
# the delay in milliseconds to wait for the PONG reply. (1.2.6+)
#
worker.node1.connect_timeout=5000
# The prepost timeout property tells the webserver to send a PING request on
# the ajp13 connection before forwarding a request to it. The parameter is
# the delay in milliseconds to wait for the PONG reply. (1.2.6+)
#
worker.node1.prepost_timeout=5000
# The reply_timeout property tells the webserver to wait some time for the
# reply to a forwarded request before considering the remote Tomcat dead and
# eventually switching to another Tomcat in a cluster group. By default the
# webserver will wait forever, which could be an issue for you. The parameter
# is the number of milliseconds to wait for the reply, so adjust it carefully
# if you have long running servlets. (1.2.6+)
#
worker.node1.reply_timeout=600000
# The number of retries that the worker will try in case of error returned
# from remote Tomcat. If the number of retries set is greater than two
# (the default value), on each retry after default an extra wait of 100ms
# will be inserted.
#
worker.node1.retries=2
# The amount of time in milliseconds the worker sleeps before doing any
# retry. (1.2.27+)
#
#worker.node1.retry_interval=100
# The recover time is the time in seconds the load balancer will not try to
# use a worker, after it went into error state. Only after this time has
# passed, a worker in error state will be marked as in recovering, so that
# it will be tried for new requests.
#
worker.node1.recover_time=60
# The recovery options property tells the webserver how to handle recovery
# when it detects that Tomcat failed. By default, the webserver will forward
# the request to another Tomcat in LB mode (or to another ajp thread in ajp13
# mode). (1.2.6+)
# 0 (full recovery)
# 1 (don't recover if tomcat failed after getting the request)
# 2 (don't recover if tomcat failed after sending the headers to client)
# 3 (don't recover if tomcat failed getting the request or after sending
# the headers to client).
# 4 (the connection between the webserver and tomcat will be closed if
# the client connection to the webserver is terminated during the
# request/response cycle) (1.2.16+)
# 8: always recover requests for HTTP method HEAD (even if Bits 1 or 2
# are set) (1.2.24+)
# 16: always recover requests for HTTP method GET (even if Bits 1 or 2
# are set) (1.2.24+)
#
worker.node1.recovery_options=4
# Set this value to the HTTP status code that will cause a worker to fail
# if returned from the servlet container. Use this directive to deal with
# cases when the servlet container can temporarily return non-200 responses
# for a short amount of time, e.g. during redeployment. (1.2.20+)
#
#worker.node1.fail_on_status=503
# This attribute sets the maximal AJP packet size in Bytes. The maximum value
# is 65536. If you change it from the default, you must also change the
# packetSize attribute of your AJP connector on the Tomcat side! (1.2.19+)
#
#worker.node1.max_packet_size=8192
# Space delimited list of uri maps the worker should handle. It is only used
# if the worker is included in worker.list.
#
#worker.node1.mount=
# You can set a secret keyword on the Tomcat AJP Connector. Then only requests
# from workers with the same secret keyword will be accepted. (1.2.12+)
# Use request.useSecret="true" and request.secret="secret key word" at your
# tomcat ajp Connector configuration.
#
#worker.node1.secret=
# Using this directive, a balanced worker of a load balancer can be configured
# as disabled or stopped. A disabled worker only gets requests which belong
# to sessions for that worker. A stopped worker does not get any requests.
# Users will lose their sessions, unless session replication via clustering
# is used.
#
# Use d or D to disable and s or S to stop. If this directive is not present
# the deprecated directives "disabled" or "stopped" are used.
#
worker.node1.activation=Active
# Normally the name of a balanced worker in a load balancer is equal to the
# jvmRoute of the corresponding Tomcat instance. If you want to include a
# worker corresponding to a Tomcat instance into several load balancers with
# different balancing configuration (e.g. disabled, stopped) you can use this
# attribute. (1.2.20+)
#
#worker.node1.route=
# Express preferences between the balanced workers of an lb worker. A load
# balancer will never choose some balanced worker in case there is another
# usable worker with lower distance. (1.2.16+)
#
worker.node1.distance=0
# Domain directive can be used only when the worker is a member of the load
# balancer. Workers that share the same domain name are treated as single
# worker. If sticky_session is used, then the domain name is used as session
# route.
#
# This directive is used for large systems with more than 6 Tomcats, to be
# able to cluster the Tomcats in two groups and thus lower the session
# replication transfer between them. (1.2.8+)
#
#worker.node1.domain=
# Set to the preferred failover worker. If worker matching SESSION ID is
# in error state then the redirect worker will be used instead. It will be
# used even if being disabled, thus offering hot standby. (1.2.9+)
#
#worker.node1.redirect=
# This directive allows to copy configurations between workers in a
# hierarchical way. If worker castor sets:
# worker.castor.reference=worker.pollux
# then it inherits all properties of pollux, except for the ones that are
# explicitly set for castor
#
#worker.node1.reference=
##############################################################################
# http://tomcat.apache.org/connectors-doc/reference/status.html
# The status worker does not communicate with Tomcat. Instead it is
# responsible for the load balancer management.
#
worker.status.type=status
# Specifies the url for cascading stylesheet to use.
#
#worker.status.css=
# A status worker with read_only=True will not allow any operations, that
# change the runtime state or configuration of the other workers. These are
# edit/update/reset/recover. (1.2.20+)
#
worker.status.read_only=True
# It is a list of users which gets compared to the user name authenticated
# by the web server. If the name is not contained in this list, access is
# denied. Per default the list is empty and then access is allowed to anybody.
# (1.2.20+)
#
#worker.status.user=
# By default, the user names are matched case sensitively.
#
#worker.status.user_case_insensitive=False
# For every load balancer worker, the status worker shows a summary of the
# state of its members. There are three such states, "good", "bad" and
# "degraded". (1.2.20+)
#
#worker.status.good=a.o,a.n,a.b,a.r
# By default, members are assumed to be "bad", if their activation is
# "stopped" or their runtime state is "error". (1.2.20+)
#
#worker.status.bad=s,e
# The prefix, which will be used by the status worker when producing
# properties output (mime=prop). Each property key will be prefixed by this
# value. (1.2.20+)
#
#worker.status.prefix=worker
# This directive can be used to customise the XML output from the status
# worker. If set to - no namespace will be used. (1.2.20+)
#
#worker.status.ns=jk:
# This directive can be used to customise the XML output from the status
# worker. If set to - no xmlns will be used. (1.2.20+)
#
#worker.status.xmlns=xmlns:jk="http://tomcat.apache.org"
# This directive can be used to customise the XML output from the status
# worker. This value will be inserted to the output xml after the xml
# header. (1.2.20+)
#
#worker.status.doctype=
```
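
The `$(x)` macro expansion, `reference` inheritance, balancer secret inheritance and status-worker access rules described in the comments above can be checked mechanically. The following Python auditor is an added example, not part of the original page or of mod_jk; the sample file, the `template` and `node2` workers and all function names are constructed. It assumes macros refer only to properties defined earlier in the same file and that a worker without a `type` is `ajp13`.

```python
import re

# Constructed sample in the workers.properties format (not the page's file).
SAMPLE = """\
ps=/
base=/usr/local
workers.tomcat_home=$(base)$(ps)tomcat
worker.list=loadbalancer,status
worker.template.type=ajp13
worker.template.socket_timeout=30
worker.template.secret=CONSTRUCTED_PLACEHOLDER
worker.node1.reference=worker.template
worker.node1.host=localhost
worker.node2.type=ajp13
worker.node2.host=192.168.66.227
worker.loadbalancer.type=lb
worker.loadbalancer.balance_workers=node1,node2
worker.status.type=status
"""

MACRO = re.compile(r"\$\(([^)]+)\)")
WORKER_KEY = re.compile(r"^worker\.([^.]+)\.(.+)$")


def split_list(value):
    """Split a comma separated directive value into trimmed names."""
    return [item.strip() for item in value.split(",") if item.strip()]


def parse(text):
    """Return {key: value}; $(name) is replaced by an earlier property."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        # Unknown macro names are left untouched (assumption of this example).
        props[key] = MACRO.sub(lambda m: props.get(m.group(1), m.group(0)), value)
    return props


def workers(props):
    """Group worker.<name>.<directive> keys and apply inheritance rules."""
    raw = {}
    for key, value in props.items():
        match = WORKER_KEY.match(key)
        if match:
            raw.setdefault(match.group(1), {})[match.group(2)] = value

    def resolve(name, seen=()):
        own = dict(raw.get(name, {}))
        ref = own.pop("reference", "")
        target = ref[len("worker."):] if ref.startswith("worker.") else ""
        if target in raw and target not in seen:   # 'seen' stops reference loops
            merged = resolve(target, seen + (name,))
            merged.update(own)                     # explicitly set values win
            return merged
        return own

    resolved = {name: resolve(name) for name in raw}
    # Members of a load balancer inherit the balancer's secret.
    for cfg in resolved.values():
        if cfg.get("type") == "lb" and cfg.get("secret"):
            for member in split_list(cfg.get("balance_workers", "")):
                if member in resolved and not resolved[member].get("secret"):
                    resolved[member]["secret"] = cfg["secret"]
    return resolved


def audit(text):
    """Return sorted (worker, finding) pairs for workers reachable from worker.list."""
    props = parse(text)
    cfg = workers(props)
    active = split_list(props.get("worker.list", ""))
    for name in list(active):
        if cfg.get(name, {}).get("type") == "lb":
            active += split_list(cfg[name].get("balance_workers", ""))
    findings = set()
    for name in active:
        worker = cfg.get(name, {})
        kind = worker.get("type", "ajp13")
        if kind in ("ajp13", "ajp14"):
            if not worker.get("secret"):
                findings.add((name, "no secret"))
            if worker.get("socket_timeout", "0") == "0":
                findings.add((name, "socket_timeout unset or 0"))
        elif kind == "status":
            # Only the spellings the file's comments mention count as true.
            if worker.get("read_only", "").lower() not in ("true", "1"):
                findings.add((name, "status worker is not read_only"))
            if not worker.get("user"):
                findings.add((name, "status worker has empty user list"))
    return sorted(findings)


if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```

The `template` worker is not reported because it is neither in `worker.list` nor a balancer member; only `node2` and `status` produce findings for the constructed sample.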
## uriworkers.properties
For `mod_jk.so` use:
```
## http://tomcat.apache.org/connectors-doc/reference/uriworkermap.html
#
# Inside the URI pattern three special characters can be used, '*', '?' and
# '|'. The character '*' is a wildchar that matches any number of arbitrary
# characters in the URI, '?' matches exactly one character. Each URI pattern
# has to start with the character '/', or with '*' or with '?', optionally
# prefixed by any combination of the modifiers '!' and '-'
# Mapping the URI /myapp1 and everything under /myapp1/:
/myapp1/*=myworker
# Exclude the subdirectory static:
!/myapp1/static|/*=myworker
# Exclude some suffixes:
!*.html=myworker
# Mapping the webapps /myapp1 and /myapp2:
/myapp1|/*=myworker1
/myapp2|/*=myworker2
# Exclude all subdirectories named static for all workers:
!/*/static|/*=*
# Exclude some suffixes for all workers:
!*.html=*
# We are not in maintenance.
# The maintenance rule got defined somewhere else.
-/*=maintenance
##############################################################################
# Rule extensions were added in version 1.2.27 and are not available in
# earlier versions. (reply_timeout, active/disable/stopped, fail_on_status,
# use_server_errors)
# This is an extension example, setting a reply_timeout of 1 minute
# only for this mapping.
/myapp=myworker;reply_timeout=60000
# This is an example using multiple extensions
/myapp=myloadbalancer;reply_timeout=60000;stopped=member1
# Use web server error page for all errors
/myapp=myworker;use_server_errors=400
# Use web server error page only for technical errors
/myotherapp=myworker;use_server_errors=500
```
## server.xml
The Tomcat connector endpoint:
```
<!-- This is a subset of the existing server.xml -->
<!-- The below are examples of a 6.0 Tomcat server -->
<!-- Define a HTTP Connector on port 8080 -->
<!-- http://tomcat.apache.org/tomcat-5.5-doc/config/http.html -->
<!-- http://tomcat.apache.org/tomcat-6.0-doc/config/http.html -->
<!-- http://tomcat.apache.org/tomcat-7.0-doc/config/http.html -->
<Connector port="8080" protocol="HTTP/1.1" allowTrace="false"
emptySessionPath="false" enableLookups="false"
maxPostSize="2097152" maxSavePostSize="4096"
SSLEnabled="false" scheme="http" secure="false"
redirectPort="8443" URIEncoding="ISO-8859-1"
useIPVHosts="false" useBodyEncodingForURI="false"
xpoweredBy="false" acceptCount="100" address="192.168.1.2"
compressableMimeType="text/html,text/xml,text/plain"
compression="off" connectionLinger="-1"
connectionTimeout="60000" bufferSize="2048"
keepAliveTimeout="60000" disableUploadTimeout="true"
maxHttpHeaderSize="8192" maxKeepAliveRequests="100"
maxThreads="200" noCompressionUserAgents=""
restrictedUserAgents="" socketBuffer="9000"
tcpNoDelay="true" />
<!-- Define an AJP 1.3 Connector on port 8009 -->
<!-- http://tomcat.apache.org/tomcat-5.5-doc/config/ajp.html -->
<!-- http://tomcat.apache.org/tomcat-6.0-doc/config/ajp.html -->
<!-- http://tomcat.apache.org/tomcat-7.0-doc/config/ajp.html -->
<Connector port="8009" protocol="AJP/1.3" allowTrace="false"
emptySessionPath="false" enableLookups="false"
maxPostSize="2097152" maxSavePostSize="4096" redirectPort="443"
scheme="http" secure="false" URIEncoding="ISO-8859-1"
useBodyEncodingForURI="false" xpoweredBy="false"
useIPVHosts="false" address="127.0.0.1" backlog="10"
bufferSize="-1" connectionTimeout="60000"
keepAliveTimeout="60000" maxThreads="200" packetSize="8192"
request.secret="" request.useSecret="false"
request.shutdownEnabled="false" tcpNoDelay="true"
tomcatAuthentication="true" />
<!-- The below is not exhaustive, see the official documentation -->
<!-- Common Attributes -->
<!--
allowTrace
A boolean value which can be used to enable or disable the TRACE HTTP
method. If not specified, this attribute is set to false.
asyncTimeout (7.0+)
The default timeout for asynchronous requests in milliseconds. If not
specified, this attribute is set to 10000 (10 seconds).
emptySessionPath (5.5-6.0)
If set to true, all paths for session cookies will be set to /. This can be
useful for portlet specification implementations. If not specified, this
attribute is set to false.
A side effect to setting this to true, is that if Tomcat creates a new
session it will attempt to use the cookie session id if supplied by the
client.
enableLookups
Set to true if you want calls to request.getRemoteHost() to perform DNS
lookups in order to return the actual host name of the remote client. Set to
false to skip the DNS lookup and return the IP address in String form
instead (thereby improving performance). By default, DNS lookups are
enabled.
maxPostSize
The maximum size in bytes of the POST which will be handled by the container
FORM URL parameter parsing. The limit can be disabled by setting this
attribute to a value less than or equal to 0. If not specified, this
attribute is set to 2097152 (2 megabytes).
maxSavePostSize
The maximum size in bytes of the POST which will be saved/buffered by the
container during FORM or CLIENT-CERT authentication. For both types of
authentication, the POST will be saved/buffered before the user is
authenticated. For CLIENT-CERT authentication, the POST is buffered for the
duration of the SSL handshake and the buffer emptied when the request is
processed. For FORM authentication the POST is saved whilst the user is
re-directed to the login form and is retained until the user successfully
authenticates or the session associated with the authentication request
expires. The limit can be disabled by setting this attribute to -1. Setting
the attribute to zero will disable the saving of POST data during
authentication. If not specified, this attribute is set to 4096 (4
kilobytes).
parseBodyMethods (7.0+)
A comma-separated list of HTTP methods for which request bodies will be
parsed for request parameters identically to POST. This is useful in RESTful
applications that want to support POST-style semantics for PUT requests.
Note that any setting other than POST causes Tomcat to behave in a way that
goes against the intent of the servlet specification. The HTTP method TRACE
is specifically forbidden here in accordance with the HTTP specification.
The default is POST.
port
The TCP port number on which this Connector will create a server socket and
await incoming connections. Your operating system will allow only one server
application to listen to a particular port number on a particular IP
address.
protocol
Sets the protocol to handle incoming traffic. The default value is HTTP/1.1
and configures the org.apache.coyote.http11.Http11Protocol. This is the
blocking Java connector.
If the PATH (Windows) or LD_LIBRARY_PATH (on most unix systems) environment
variables contain the Tomcat native library, the APR connector will
automatically be configured. Please be advised that the APR connector has
different settings for HTTPS than the default Java connector.
Other values for this attribute are, but not limited to:
org.apache.coyote.http11.Http11Protocol - same as HTTP/1.1
org.apache.coyote.http11.Http11NioProtocol - non blocking Java connector
org.apache.coyote.http11.Http11AprProtocol - the APR connector.
The configuration for both Java connectors is identical, both for http and
https.
For more information on the APR connector and APR specific SSL settings
please visit the APR documentation.
proxyName
If this Connector is being used in a proxy configuration, configure this
attribute to specify the server name to be returned for calls to
request.getServerName(). See Proxy Support for more information.
proxyPort
If this Connector is being used in a proxy configuration, configure this
attribute to specify the server port to be returned for calls to
request.getServerPort(). See Proxy Support for more information.
redirectPort
If this Connector is supporting non-SSL requests, and a request is received
for which a matching <security-constraint> requires SSL transport, Catalina
will automatically redirect the request to the port number specified here.
scheme
Set this attribute to the name of the protocol you wish to have returned by
calls to request.getScheme(). For example, you would set this attribute to
"https" for an SSL Connector. The default value is "http".
secure
Set this attribute to true if you wish to have calls to request.isSecure()
return true for requests received by this Connector. You would want this
on an SSL Connector or a non SSL connector that is receiving data from an SSL
accelerator, like a crypto card, an SSL appliance or even a webserver. The
default value is false.
URIEncoding
This specifies the character encoding used to decode the URI bytes, after
%xx decoding the URL. If not specified, ISO-8859-1 will be used.
useBodyEncodingForURI
This specifies if the encoding specified in contentType should be used for
URI query parameters, instead of using the URIEncoding. This setting is
present for compatibility with Tomcat 4.1.x, where the encoding specified in
the contentType, or explicitly set using Request.setCharacterEncoding method
was also used for the parameters from the URL. The default value is false.
useIPVHosts
Set this attribute to true to cause Tomcat to use the IP address that the
request was received on to determine the Host to send the request to. The
default value is false.
xpoweredBy
Set this attribute to true to cause Tomcat to advertise support for the
Servlet specification using the header recommended in the specification. The
default value is false.
-->
<!-- HTTP Connector -->
<!--
acceptCount
The maximum queue length for incoming connection requests when all possible
request processing threads are in use. Any requests received when the queue
is full will be refused. The default value is 100.
acceptorThreadCount (7.0+)
The number of threads to be used to accept connections. Increase this value
on a multi CPU machine, although you would never really need more than 2.
Also, with a lot of non keep alive connections, you might want to increase
this value as well. Default value is 1.
address
For servers with more than one IP address, this attribute specifies which
address will be used for listening on the specified port. By default, this
port will be used on all IP addresses associated with the server.
bindOnInit (7.0+)
Controls when the socket used by the connector is bound. By default it is
bound when the connector is initiated and unbound when the connector is
destroyed. If set to false, the socket will be bound when the connector is
started and unbound when it is stopped.
bufferSize (5.5-6.0)
The size (in bytes) of the buffer to be provided for input streams created
by this connector. By default, buffers of 2048 bytes will be provided.
compressableMimeType
The value is a comma separated list of MIME types for which HTTP compression
may be used. The default value is text/html,text/xml,text/plain.
compression
The Connector may use HTTP/1.1 GZIP compression in an attempt to save server
bandwidth. The acceptable values for the parameter are "off" (disable
compression), "on" (allow compression, which causes text data to be
compressed), "force" (forces compression in all cases), or a numerical
integer value (which is equivalent to "on", but specifies the minimum amount
of data before the output is compressed). If the content-length is not known
and compression is set to "on" or more aggressive, the output will also be
compressed. If not specified, this attribute is set to "off".
Note: There is a tradeoff between using compression (saving your bandwidth)
and using the sendfile feature (saving your CPU cycles). If the connector
supports the sendfile feature, e.g. the NIO connector, using sendfile will
take precedence over compression. The symptoms will be that static files
greater than 48 Kb will be sent uncompressed. You can turn off sendfile by
setting the useSendfile attribute of the connector, as documented below, or
change the sendfile usage threshold in the configuration of the
DefaultServlet in the default conf/web.xml or in the web.xml of your web
application.
compressionMinSize (7.0+)
If compression is set to "on" then this attribute may be used to specify the
minimum amount of data before the output is compressed. If not specified,
this attribute defaults to "2048".
connectionLinger
The number of milliseconds during which the sockets used by this Connector
will linger when they are closed. The default value is -1 (socket linger is
disabled).
connectionTimeout
The number of milliseconds this Connector will wait, after accepting a
connection, for the request URI line to be presented. The default value is
60000 (i.e. 60 seconds).
disableUploadTimeout
This flag allows the servlet container to use a different, longer connection
timeout while a servlet is being executed, which in the end allows either
the servlet a longer amount of time to complete its execution, or a longer
timeout during data upload. If not specified, this attribute is set to
"true".
executor (6.0+)
A reference to the name in an Executor element. If this attribute is
enabled, and the named executor exists, the connector will use the executor,
and all the other thread attributes will be ignored.
keepAliveTimeout (6.0+)
The number of milliseconds this Connector will wait for another HTTP request
before closing the connection. The default value is to use the value that
has been set for the connectionTimeout attribute.
maxConnections (7.0+)
The maximum number of connections that the server will accept and process at
any given time. When this number has been reached, the server will not
accept any more connections until the number of connections falls below this
value. The operating system may still accept connections based on the
acceptCount setting. Default value varies by connector type. For BIO the
default is the value of maxThreads. For NIO the default is 10000. For
APR/native, the default is 8192.
Note that for APR/native on Windows, the configured value will be reduced to
the highest multiple of 1024 that is less than or equal to maxConnections.
This is done for performance reasons.
maxHttpHeaderSize
The maximum size of the request and response HTTP header, specified in
bytes. If not specified, this attribute is set to 8192 (8 KB).
maxKeepAliveRequests
The maximum number of HTTP requests which can be pipelined until the
connection is closed by the server. Setting this attribute to 1 will disable
HTTP/1.0 keep-alive, as well as HTTP/1.1 keep-alive and pipelining. Setting
this to -1 will allow an unlimited amount of pipelined or keep-alive HTTP
requests. If not specified, this attribute is set to 100.
maxSpareThreads (-5.5)
The maximum number of unused request processing threads that will be allowed
to exist until the thread pool starts stopping the unnecessary threads. The
default value is 50.
maxThreads
The maximum number of request processing threads to be created by this
Connector, which therefore determines the maximum number of simultaneous
requests that can be handled. If not specified, this attribute is set to
200. If an executor is associated with this connector, this attribute is
ignored as the connector will execute tasks using the executor rather than
an internal thread pool.
maxTrailerSize (7.0+)
Limits the total length of trailing headers in the last chunk of a chunked
HTTP request. If the value is -1, no limit will be imposed. If not
specified, the default value of 8192 will be used.
minSpareThreads (5.5, 7.0+)
The number of request processing threads that will be created when this
Connector is first started. The connector will also make sure it has the
specified number of idle processing threads available. This attribute should
be set to a value smaller than that set for maxThreads. The default value is
4.
noCompressionUserAgents
The value is a comma separated list of regular expressions matching
user-agents of HTTP clients for which compression should not be used,
because these clients, although they do advertise support for the feature,
have a broken implementation. The default value is an empty String (regexp
matching disabled).
processorCache (7.0+)
The protocol handler caches Processor objects to speed up performance. This
setting dictates how many of these objects get cached. -1 means unlimited,
default is 200. If not using Servlet 3.0 asynchronous processing, a good
default is to use the same as the maxThreads setting. If using Servlet 3.0
asynchronous processing, a good default is to use the larger of maxThreads
and the maximum number of expected concurrent requests (synchronous and
asynchronous).
restrictedUserAgents
The value is a comma separated list of regular expressions matching
user-agents of HTTP clients for which HTTP/1.1 or HTTP/1.0 keep alive should
not be used, even if the clients advertise support for these features. The
default value is an empty String (regexp matching disabled).
server
Overrides the Server header for the http response. If set, the value for
this attribute overrides the Tomcat default and any Server header set by a
web application. If not set, any value specified by the application is used.
If the application does not specify a value then Apache-Coyote/1.1 is used.
Unless you are paranoid, you won't need this feature.
socketBuffer
The size (in bytes) of the buffer to be provided for socket output
buffering. -1 can be specified to disable the use of a buffer. By default, a
buffer of 9000 bytes will be used.
SSLEnabled (6.0+)
Use this attribute to enable SSL traffic on a connector. To turn on SSL
handshake/encryption/decryption on a connector set this value to true. The
default value is false. When turning this value true you will want to set
the scheme and the secure attributes as well to pass the correct
request.getScheme() and request.isSecure() values to the servlets. See SSL
Support for more information.
tcpNoDelay
If set to true, the TCP_NO_DELAY option will be set on the server socket,
which improves performance under most circumstances. This is set to true by
default.
threadPriority
The priority of the request processing threads within the JVM. The default
value is java.lang.Thread#NORM_PRIORITY. See the JavaDoc for the
java.lang.Thread class for more details on what this priority means.
-->
<!-- AJP/1.3 Connector -->
<!--
acceptCount (7.0+)
The maximum queue length for incoming connection requests when all possible
request processing threads are in use. Any requests received when the queue
is full will be refused. The default value is 100.
acceptorThreadCount (7.0+)
The number of threads to be used to accept connections. Increase this value
on a multi CPU machine, although you would never really need more than 2.
Also, with a lot of non keep alive connections, you might want to increase
this value as well. Default value is 1.
address
For servers with more than one IP address, this attribute specifies which
address will be used for listening on the specified port. By default, this
port will be used on all IP addresses associated with the server. A value of
127.0.0.1 indicates that the Connector will only listen on the loopback
interface.
backlog
The maximum queue length for incoming connection requests when all possible
request processing threads are in use. Any requests received when the queue
is full will be refused. The default value is 100.
bindOnInit (7.0+)
Controls when the socket used by the connector is bound. By default it is
bound when the connector is initiated and unbound when the connector is
destroyed. If set to false, the socket will be bound when the connector is
started and unbound when it is stopped.
bufferSize (5.5-6.0)
The size of the output buffer to use. If less than or equal to zero, then
output buffering is disabled. The default value is -1 (i.e. buffering
disabled).
clientCertProvider (6.0+)
When client certificate information is presented in a form other than
instances of java.security.cert.X509Certificate it needs to be converted
before it can be used and this property controls which JSSE provider is used
to perform the conversion. For example it is used with the AJP connectors,
the HTTP APR connector and with the org.apache.catalina.valves.SSLValve. If
not specified, the default provider will be used.
connectionLinger (7.0+)
The number of milliseconds during which the sockets used by this Connector
will linger when they are closed. The default value is -1, which disables
this option.
connectionTimeout
The number of milliseconds this Connector will wait, after accepting a
connection, for the request URI line to be presented. The default value is
infinite (i.e. no timeout).
deferAccept (6.0)
Sets the TCP_DEFER_ACCEPT flag on the listening socket for this connector.
The default value is true where TCP_DEFER_ACCEPT is supported by the
operating system, otherwise it is false.
executor (6.0+)
A reference to the name in an Executor element. If this attribute is
enabled, and the named executor exists, the connector will use the executor,
and all the other thread attributes will be ignored. This attribute is not
supported by the original blocking Java connector.
keepAliveTimeout (6.0+)
The number of milliseconds this Connector will wait for another AJP request
before closing the connection. The default value is to use the value that
has been set for the connectionTimeout attribute.
maxConnections (7.0+)
The maximum number of connections that the server will accept and process at
any given time. When this number has been reached, the server will not
accept any more connections until the number of connections falls below this
value. The operating system may still accept connections based on the
acceptCount setting. Default value varies by connector type. For BIO the
default is the value of maxThreads. For NIO the default is 10000. For
APR/native, the default is 8192.
Note that for APR/native on Windows, the configured value will be reduced to
the highest multiple of 1024 that is less than or equal to maxConnections.
This is done for performance reasons.
minProcessors (deprecated, -5.5)
The minimum number of processors to start at initialization time. If not
specified, this attribute is set to 5.
maxProcessors (deprecated, -5.5)
The maximum number of processors allowed. This should be set to a value that
is greater than or equal to the maximum number of concurrent connections the
remote web server can open to Tomcat simultaneously. For example, if the web
server is Apache 1.x or 2.x Tomcat's maxProcessors should be set to the
value of Apache's maxClients directive.
A maxProcessors value of zero (0) signifies that the number of processors is
unlimited. If not specified, this attribute defaults to 20.
maxSpareThreads (-5.5)
The maximum number of unused request processing threads that will be allowed
to exist until the thread pool starts stopping the unnecessary threads. The
default value is 50.
maxThreads
The maximum number of request processing threads to be created by this
Connector, which therefore determines the maximum number of simultaneous
requests that can be handled. If not specified, this attribute is set to
200.
minSpareThreads (5.5,7.0)
The number of request processing threads that will be created when this
Connector is first started. The connector will also make sure it has the
specified number of idle processing threads available. This attribute should
be set to a value smaller than that set for maxThreads. The default value is
4.
packetSize
This attribute sets the maximum AJP packet size in Bytes. The maximum value
is 65536. It should be the same as the max_packet_size directive configured
for mod_jk. Normally it is not necessary to change the maximum packet size.
Problems with the default value have been reported when sending certificates
or certificate chains. The default value is 8192.
processorCache (7.0+)
The protocol handler caches Processor objects to speed up performance. This
setting dictates how many of these objects get cached. -1 means unlimited,
default is 200. If not using Servlet 3.0 asynchronous processing, a good
default is to use the same as the maxThreads setting. If using Servlet 3.0
asynchronous processing, a good default is to use the larger of maxThreads
and the maximum number of expected concurrent requests (synchronous and
asynchronous).
requiredSecret (7.0+)
Only requests from workers with this secret keyword will be accepted.
request.secret (-6.0)
Only requests from workers with this secret keyword will be accepted.
request.shutdownEnabled (-6.0)
If true and a secret has been configured, a correctly formatted AJP request
(that includes the secret) will shutdown the Tomcat instance associated with
this connector. This is set to false by default.
request.useSecret (-6.0)
If set to true, then a random value for request.secret will be generated. It
is for use with request.shutdownEnabled. This is set to false by default.
tcpNoDelay
If set to true, the TCP_NO_DELAY option will be set on the server socket,
which improves performance under most circumstances. This is set to true by
default.
threadPriority (7.0+)
The priority of the request processing threads within the JVM. The default
value is java.lang.Thread#NORM_PRIORITY. See the JavaDoc for the
java.lang.Thread class for more details on what this priority means.
tomcatAuthentication
If set to true, the authentication will be done in Tomcat. Otherwise, the
authenticated principal will be propagated from the native webserver and
used for authorization in Tomcat. The default value is true.
-->
<!-- SSL Support (Internal) -->
<!--
algorithm
The certificate encoding algorithm to be used. This defaults to
KeyManagerFactory.getDefaultAlgorithm() which returns SunX509 for Sun JVMs.
IBM JVMs return IbmX509. For other vendors, consult the JVM documentation
for the default value.
allowUnsafeLegacyRenegotiation
Whether unsafe legacy TLS renegotiation is allowed. Allowing it is likely to
expose users to CVE-2009-3555, a man-in-the-middle vulnerability in the TLS
protocol that allows an attacker to inject arbitrary data into the user's
request. If not specified, a default of false is used. This attribute only
has an effect if the JVM does not support RFC 5746 as indicated by the
presence of the pseudo-ciphersuite TLS_EMPTY_RENEGOTIATION_INFO_SCSV. This is
available from JRE/JDK 6 update 22 onwards. Where RFC 5746 is supported the
renegotiation - including support for unsafe legacy renegotiation - is
controlled by the JVM configuration.
ciphers
The comma separated list of encryption ciphers that this socket is allowed
to use. By default, the default ciphers for the JVM will be used. Note that
this usually means that the weak export grade ciphers will be included in
the list of available ciphers. The ciphers are specified using the JSSE
cipher naming convention.
clientAuth
Set to true if you want the SSL stack to require a valid certificate chain
from the client before accepting a connection. Set to want if you want the
SSL stack to request a client Certificate, but not fail if one isn't
presented. A false value (which is the default) will not require a
certificate chain unless the client requests a resource protected by a
security constraint that uses CLIENT-CERT authentication. See the SSL HowTo
for an example.
clientCertProvider (6.0+)
When client certificate information is presented in a form other than
instances of java.security.cert.X509Certificate it needs to be converted
before it can be used and this property controls which JSSE provider is used
to perform the conversion. For example it is used with the AJP connectors,
the HTTP APR connector and with the org.apache.catalina.valves.SSLValve. If
not specified, the default provider will be used.
crlFile (6.0+)
The certificate revocation list file to use to validate client certificates.
keyAlias
The alias used for the server certificate in the keystore. If not
specified the first key read in the keystore will be used.
keyPass (7.0+)
The password used to access the server certificate from the specified
keystore file. The default value is "changeit".
keystoreFile
The pathname of the keystore file where you have stored the server
certificate to be loaded. By default, the pathname is the file ".keystore"
in the operating system home directory of the user that is running Tomcat.
If your keystoreType doesn't need a file use "" (empty string) for this
parameter.
keystorePass
The password used to access the server certificate from the specified
keystore file. The default value is "changeit". (value of keyPass, 7.0+)
keystoreProvider (6.0+)
The name of the keystore provider to be used for the server certificate. If
not specified, the list of registered providers is traversed in preference
order and the first provider that supports the keystoreType is used.
keystoreType
The type of keystore file to be used for the server certificate. If not
specified, the default value is "JKS".
sessionCacheSize (6.0+)
The number of SSL sessions to maintain in the session cache. Use 0 to
specify an unlimited cache size. If not specified, a default of 0 is used.
sessionTimeout (6.0+)
The time, in seconds, after the creation of an SSL session that it will
timeout. Use 0 to specify an unlimited timeout. If not specified, a default
of 86400 (24 hours) is used.
sslEnabledProtocols (7.0+)
The list of SSL protocols to use. If not specified, the JVM default is used.
sslImplementationName (7.0+)
The class name of the SSL implementation to use. If not specified, the
default of org.apache.tomcat.util.net.jsse.JSSEImplementation will be used
which wraps JVM's default JSSE provider. Note that the JVM can be configured
to use a different JSSE provider as the default.
sslProtocol
The version of the SSL protocol to use. If not specified, the default is
"TLS".
trustManagerClassName (6.0+)
The name of a custom trust manager class to use to validate client
certificates. The class must have a zero argument constructor and must also
implement javax.net.ssl.X509TrustManager. If this attribute is set, the
trust store attributes may be ignored.
trustMaxCertLength (7.0+)
The maximum number of intermediate certificates that will be allowed when
validating client certificates. If not specified, the default value of 5
will be used.
truststoreAlgorithm (7.0+)
The algorithm to use for truststore. If not specified, the default value
returned by javax.net.ssl.TrustManagerFactory.getDefaultAlgorithm() is used.
truststoreFile
The trust store file to use to validate client certificates. The default is
the value of the javax.net.ssl.trustStore system property. If neither this
attribute nor the default system property is set, no trust store will be
configured.
truststorePass
The password to access the trust store. The default is the value of the
javax.net.ssl.trustStorePassword system property. If that property is null,
the value of keystorePass is used as the default. If an invalid trust store
password is specified, a warning will be logged and an attempt will be made
to access the trust store without a password which will skip validation of
the trust store contents. If the trust store password is defined as "" then
no password will be used to access the store which will also skip validation
of the trust store contents.
truststoreProvider (6.0+)
The name of the truststore provider to be used for the server certificate.
The default is the value of the javax.net.ssl.trustStoreProvider system
property. If that property is null, the value of keystoreProvider is used as
the default. If neither this attribute, the default system property nor
keystoreProvider is set, the list of registered providers is traversed in
preference order and the first provider that supports the truststoreType is
used.
truststoreType
The type of key store used for the trust store. The default is the value of
the javax.net.ssl.trustStoreType system property. If that property is null,
the value of keystoreType is used as the default.
-->
<!-- APR/native Support (7.0+) -->
<!--
deferAccept
Sets the TCP_DEFER_ACCEPT flag on the listening socket for this connector.
The default value is true where TCP_DEFER_ACCEPT is supported by the
operating system, otherwise it is false.
pollerSize
Amount of sockets that the poller responsible for polling kept alive
connections can hold at a given time. Extra connections will be closed right
away. The default value is 8192, corresponding to 8192 keep-alive
connections. This is a synonym for maxConnections.
pollerThreadCount
Number of threads used to poll kept alive connections. On Windows the
default is chosen so that the number of sockets managed by each thread is
less than 1024. For Linux the default is 1. Changing the default on Windows
is likely to have a negative performance impact.
pollTime
Duration of a poll call in microseconds. Lowering this value will slightly
decrease latency of connections being kept alive in some cases, but will use
more CPU as more poll calls are being made. The default value is 2000 (2ms).
sendfileSize
Amount of sockets that the poller responsible for sending static files
asynchronously can hold at a given time. Extra connections will be closed
right away without any data being sent (resulting in a zero length file on
the client side). Note that in most cases, sendfile is a call that will
return right away (being taken care of "synchronously" by the kernel), and
the sendfile poller will not be used, so the amount of static files which
can be sent concurrently is much larger than the specified amount. The
default value is 1024.
sendfileThreadCount
Number of threads used to service sendfile sockets. On Windows the default is
chosen so that the number of sockets managed by each thread is less than
1024. For Linux the default is 1. Changing the default on Windows is likely
to have a negative performance impact.
threadPriority
(int)The priority of the acceptor and poller threads. The default value is
java.lang.Thread#NORM_PRIORITY. See the JavaDoc for the java.lang.Thread
class for more details on what this priority means.
useComet
(bool)Whether to allow comet servlets or not. Default value is true.
useSendfile
(bool)Use this attribute to enable or disable sendfile capability. The
default value is true.
-->
<!-- APR/native SSL Support (7.0+) -->
<!--
SSLCACertificateFile
See the mod_ssl documentation.
SSLCACertificatePath
See the mod_ssl documentation.
SSLCARevocationFile
See the mod_ssl documentation.
SSLCARevocationPath
See the mod_ssl documentation.
SSLCertificateChainFile
See the mod_ssl documentation.
SSLCACertificateFile
Name of the file that contains the concatenated certificates for the trusted
certificate authorities. The format is PEM-encoded.
SSLCACertificatePath
Name of the directory that contains the certificates for the trusted
certificate authorities. The format is PEM-encoded.
SSLCARevocationFile
Name of the file that contains the concatenated certificate revocation lists
for the certificate authorities. The format is PEM-encoded.
SSLCARevocationPath
Name of the directory that contains the certificate revocation lists for the
certificate authorities. The format is PEM-encoded.
SSLCertificateChainFile
Name of the file that contains concatenated certificates for the certificate
authorities which form the certificate chain for the server certificate. The
format is PEM-encoded.
SSLCertificateFile
Name of the file that contains the server certificate. The format is
PEM-encoded.
SSLCertificateKeyFile
Name of the file that contains the server private key. The format is
PEM-encoded. The default value is the value of "SSLCertificateFile" and in
this case both certificate and private key have to be in this file (NOT
RECOMMENDED).
SSLCipherSuite
Ciphers which may be used for communicating with clients. The default is
"ALL", with other acceptable values being a list of ciphers, with ":" used
as the delimiter (see OpenSSL documentation for the list of ciphers
supported).
SSLPassword
Pass phrase for the encrypted private key. If "SSLPassword" is not provided,
the callback function should prompt for the pass phrase.
SSLProtocol
Protocol which may be used for communicating with clients. The default value
is all, with other acceptable values being SSLv2, SSLv3, TLSv1 and
SSLv2+SSLv3. Starting with version 1.1.21 of the Tomcat native library any
combination of the three protocols concatenated with a plus sign will be
supported. Note that the protocol SSLv2 is inherently unsafe.
SSLVerifyClient
Ask client for certificate. The default is "none", meaning the client will
not have the opportunity to submit a certificate. Other acceptable values
include "optional", "require" and "optionalNoCA".
SSLVerifyDepth
Maximum verification depth for client certificates. The default is "10".
-->
```
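The attribute reference above names several settings that weaken a connector or switch a limit off. The following Python check is an added example, not part of the original page or of Tomcat's own tooling: it parses a `server.xml` and reports those settings per connector. The sample XML, rule ids and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the page): two weak connectors, two hardened ones.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" keystorePass="changeit"
               allowUnsafeLegacyRenegotiation="true" maxPostSize="0"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" keystorePass="example-not-default"
               ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
               sslEnabledProtocols="TLSv1.2"/>
    <Connector port="9009" protocol="AJP/1.3" address="127.0.0.1"
               requiredSecret="example-shared-secret"/>
  </Service>
</Server>
"""


def _is_true(value):
    return (value or "").strip().lower() == "true"


def _as_int(value, default):
    try:
        return int(value)
    except (TypeError, ValueError):
        return default


def audit_connector(attrs):
    """Return (rule_id, message) pairs for one <Connector>'s attributes."""
    protocol = attrs.get("protocol", "HTTP/1.1").lower()
    found = []

    # Request-size limits that the reference says can be disabled outright.
    if _as_int(attrs.get("maxPostSize"), 2097152) <= 0:
        found.append(("post-limit-off", "maxPostSize <= 0 removes the POST parsing limit"))
    if _as_int(attrs.get("maxSavePostSize"), 4096) == -1:
        found.append(("savepost-limit-off", "maxSavePostSize=-1 removes the pre-auth POST buffer limit"))

    if "ajp" in protocol:
        if not (attrs.get("requiredSecret") or attrs.get("request.secret")):
            found.append(("ajp-no-secret", "no secret configured for AJP workers"))
        if "address" not in attrs:
            found.append(("ajp-all-interfaces", "no address: AJP listens on all IP addresses"))
        if _is_true(attrs.get("request.shutdownEnabled")):
            found.append(("ajp-shutdown", "an AJP request carrying the secret can stop Tomcat"))
        return found

    if not _is_true(attrs.get("SSLEnabled")):
        return found

    if "apr" in protocol:
        # Only an explicit Http11AprProtocol is recognised here; "HTTP/1.1" can
        # still resolve to APR at runtime when the native library is on the path.
        ssl_protocol = attrs.get("SSLProtocol", "all").lower()
        if ssl_protocol == "all" or "sslv2" in ssl_protocol:
            found.append(("apr-sslv2", "SSLProtocol is 'all' or names SSLv2"))
        if attrs.get("SSLCipherSuite", "ALL").upper() == "ALL":
            found.append(("apr-ciphers-all", "SSLCipherSuite is left at ALL"))
        if "SSLCertificateKeyFile" not in attrs:
            found.append(("apr-key-in-cert-file", "private key shares the certificate file"))
        return found

    # JSSE (Java) connector attributes.
    if _is_true(attrs.get("allowUnsafeLegacyRenegotiation")):
        found.append(("legacy-renegotiation", "exposes users to CVE-2009-3555"))
    if not attrs.get("ciphers"):
        found.append(("jvm-default-ciphers", "JVM default ciphers may include export grade"))
    if attrs.get("keystorePass", "changeit") == "changeit":
        found.append(("default-keystore-pass", "keystore password is the default 'changeit'"))
    if attrs.get("truststorePass") == "":
        found.append(("empty-truststore-pass", "trust store contents are not validated"))
    return found


def audit_server_xml(xml_text):
    """Map each connector's port to the sorted rule ids it triggers."""
    root = ET.fromstring(xml_text)
    report = {}
    for conn in root.iter("Connector"):
        findings = audit_connector(conn.attrib)
        report[conn.get("port", "?")] = sorted(rule for rule, _ in findings)
    return report


if __name__ == "__main__":
    for port, rules in audit_server_xml(SAMPLE_SERVER_XML).items():
        print(port, ", ".join(rules) or "ok")
```

The rules only cover what the attribute descriptions state; an empty result means none of these specific settings were found, not that the connector is otherwise sound.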
## References
**Tomcat Configuration**
- <http://tomcat.apache.org/tomcat-5.5-doc/config/http.html>
- <http://tomcat.apache.org/tomcat-6.0-doc/config/http.html>
- <http://tomcat.apache.org/tomcat-7.0-doc/config/http.html>
- <http://tomcat.apache.org/tomcat-8.0-doc/config/http.html>
- <http://tomcat.apache.org/connectors-doc/reference/workers.html>
**Java Resources**
- <http://visualvm.java.net/index.html>
- <https://code.google.com/p/psi-probe/>
- <http://www.oracle.com/technetwork/java/index.html>
**Version Of Tomcat In JBoss AS**
- <http://community.jboss.org/wiki/VersionOfTomcatInJBossAS>
**Advanced BASH Scripting Guide**
- <http://tldp.org/LDP/abs/html/index.html>