Welcome to TheGillis.net

Consider this site a collection of random notes about a variety of topics. I hope this information helps you in some way.

25 June 2004 - 20:19

Apache, Tomcat, and JK2. Install/Configure

I needed a servlet container to start learning about JSPs and Servlets, and the only two that I had heard of at the time were BEA WebLogic and Apache Tomcat. Since I run FreeBSD and trust Apache, I decided to go with Tomcat.

NOTE: As far as I know, the JK2 connector is no longer supported. I would now recommend a setup using Glassfish and Apache with mod_proxy_balancer. In the future I will be writing articles for that system.

Intro

One thing that is very important to me when it comes to software is security and stability. Since Tomcat is from Apache, I know that both are high on their priority lists along with performance. In terms of stability I can only say that I haven’t had any issues, since I haven’t any Servlets available to test. That’s part of a future project.

In terms of security there are several features. First, Tomcat is written in Java and is therefore not susceptible to the various buffer overflow attacks that affect other servers written in C. By default Tomcat listens on port 8080 and runs as a non-privileged user. Usually, software must run as root to listen on a port below 1025, so running unprivileged on a high port adds another layer of security.

Problems

For me, this is a good start, but it’s not quite enough. I had a couple of problems. First, I like the features and performance of Apache’s HTTP server and do not want to switch servers. Second, I do not like the idea of using thegillis.net:8080 in links, and I am even less thrilled that this gives users access to all Tomcat default Servlets and requires another port in the firewall to be opened. NOT acceptable.

Solution

After exploring the various solutions, I discovered the JK2 connector. This Apache module allows specific URL patterns described in the httpd.conf file to be passed to Tomcat for processing. This lets you shield Tomcat from direct access from the internet, allow your intranet to access special admin/manager pages directly through Tomcat, and keep Apache as the front-end HTTP server.

The installation of the JK2 connector was quite easy, but the configuration was not. After installing the mod_jk2 connector and loading it in the httpd.conf file with the LoadModule directive, there are still two more files that need to be created/modified before Apache and Tomcat will even talk to each other correctly.

(TomcatHome)/conf/jk2.properties

On my setup, this file is blank. There are several options for communication between Apache and Tomcat and the defaults are request, container, and channelSocket. channelSocket uses TCP/IP communication to Tomcat, and the default options for channelSocket are correct for the default Tomcat installation. Some of the other options such as SHM files work but are more difficult to set up because both this config file and the next must use matching options. Other JK2 connection options can be found here and the connection docs can be found here.

(PREFIX)/conf/workers2.properties

This file is in a very strange place and I was unsure how to change the default location. In my case on a FreeBSD system (PREFIX) is /usr/local by default. The folder and file do not exist and need to be created. This file is more complicated and cannot be left blank. This is my file:

# In production uncomment it out
[logger.apache2]
level=INFO

[shm]
file=${serverRoot}/jk2log/shm.file
size=1048576

# Example socket channel, override port and host.
[channel.socket:localhost:8009]
port=8009
host=127.0.0.1

# define the worker
[ajp13:localhost:8009]
channel=channel.socket:localhost:8009

# [uri:www.customer2.net/ServletName/*]
# worker=ajp13:localhost:8009

The commented-out [uri:...] section at the end of this file is an example of one way to pass off requests to Tomcat, but there is another way in the httpd.conf file.

httpd.conf

Now, the Apache config file can contain entries to specify which links to pass off to Tomcat. On my site, I have linked two folders to Tomcat using:

<Location "/jsp-examples/">
   JkUriSet worker ajp13:localhost:8009
</Location>

<Location "/tomcat-docs/">
   JkUriSet worker ajp13:localhost:8009
</Location>

Now when a request is made to /tomcat-docs/*, it will be passed to Tomcat for processing. It is also important to note that the folder tomcat-docs does not exist in the data folder of Apache.

NOTE: In some places I have seen examples of people moving their webapps folder to be the same folder as the apache data folder. I strongly DO NOT recommend this. The WEB-INF in Servlets should NEVER be made public and although Tomcat restricts access to this folder, Apache HTTP server does not. If you take this approach, make sure you block access to the WEB-INF folder or sensitive server data could be leaked.
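If the webapps folder does end up under Apache's document root, this is one way to block WEB-INF at the Apache layer. It is an added example, not part of the original post; the DocumentRoot path is hypothetical, and the two access-control forms cover Apache 2.4 (Require) and 2.0/2.2 (Order/Deny).

```apache
# Added example: paths below are assumptions, not taken from the post.

# Risky layout described in the note: Tomcat's webapps directory is also
# Apache's document root, so Apache would serve WEB-INF/web.xml,
# WEB-INF/classes/ and WEB-INF/lib/ as ordinary static files.
# (hypothetical path)
DocumentRoot "/usr/local/tomcat/webapps"

# Mitigation if that layout is kept: refuse every URL that contains a
# WEB-INF or META-INF path segment, at any depth and in any letter case.
# Apache matches this against the decoded URL path, before any file is read.
<LocationMatch "(?i)/(WEB-INF|META-INF)(/|$)">
    # Apache 2.4 and later
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.0 / 2.2
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</LocationMatch>

# Layout the post recommends instead: leave webapps outside the document
# root and forward only the chosen prefixes to Tomcat, which enforces its
# own WEB-INF restriction.
<Location "/jsp-examples/">
    JkUriSet worker ajp13:localhost:8009
</Location>
```

After reloading Apache, a request for any path under /WEB-INF/ should return 403 Forbidden rather than file contents.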
