Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1296
  • Last Modified:

Getting Apache (server in DMZ) to pass all web traffic to Tomcat (server on LAN) - mod_jk?


First, I am not sure if I need to go the mod_jk route?  The WebServer is running in the DMZ and I want it to pass all traffic (including static pages) to the Tomcat App Server located on the LAN.  Assuming the mod_jk route is the way to go, how do I configure both servers so that they talk to each other.  

I have read through every post I could find on the net.  It is still unclear to me how I do this.  I am looking for a detailed response including example configuration files for the Apache and the Tomcat Servers.  Remember, these are two different machines.  

Thanks in advance :)

  • 6
  • 4
1 Solution
grouparmstrongAuthor Commented:
The difference is that they are on two different machines...where should the mod_jk reside?  The tomcat server, the apche server or both?  Which binary of mod_jk can I use for RH ES 3?

That should not matter.
mod_jk module is needed for Apache configuration.
Tomcat has already code that can speak with the mod_jk using the AJP protocol.
You just need to enable Tomcat of using it by having such an entry (see example link):

<Connector className="org.apache.tomcat.service.PoolTcpConnector">
  <Parameter name="handler"  value="org.apache.tomcat.service.connector.Ajp13ConnectionHandler"/>
  <Parameter name="port" value="8009"/>

Mod_jk can speak with many Tomcat instance on different machines if needed.


Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Just as a confirmation to aozarov's comments.

 It's fairly standard to use mod_jk to connect apache to tomcat, and it's fairly standard for production environments to have apache and tomcat on different machines (as well as the database on a different machine.)
I would go as far as to recommend that there is a firewall between them so that the tomcat machine only responds to requests from the IP of the apache machine (which I'm guessing you have if the apache server is in the DMZ).

You have all the links you need above as it's surprising easy to set up.

As far as binaries go, this is probably your best bet http://apache.mirror.positive-internet.com/jakarta/tomcat-connectors/jk/binaries/linux/ with the latest version of mod_jk being 1.2.11
grouparmstrongAuthor Commented:
This  came with my Tomcat default server.xml file :

    <!-- Define a Coyote/JK2 AJP 1.3 Connector on port 8009 -->
    <Connector port="8009"
               enableLookups="false" redirectPort="8443" debug="0"
               protocol="AJP/1.3" />

Do I need to comment this out and put in it's place :

<Connector className="org.apache.tomcat.service.PoolTcpConnector">
  <Parameter name="handler"  value="org.apache.tomcat.service.connector.Ajp13ConnectionHandler"/>
  <Parameter name="port" value="8009"/>

No, the one you have is fine.
In the same file (server.xml) don't forget to uncomment:

    <!-- You should set jvmRoute to support load-balancing via JK/JK2 ie :
    <Engine name="Standalone" defaultHost="localhost" debug="0" jvmRoute="jvm1">        

and comment this instead
<Engine name="Catalina" defaultHost="localhost" debug="0">

Also make sure that jvmRoute="jvm1" should  jvmRoute="your_worker_name_as_defined_in_the_Apache__conf/workers.properties"
grouparmstrongAuthor Commented:
You mention workers.properties located in my /etc/httpd/conf


1.  I assume both the App server and the web server must each have a workers.properties file?
2.  What should the web servers workers.properties file contain?  Some of the examples that I've seen reference local directories/files that are unavailable since I am connecting to a remote app server.

For example:

<-- Start workers.properties -->



<-- End workers.properties -->

3.  Where in the above /etc/httpd/conf/workers.properties file would I put jvmRoute="jvm1" should  jvmRoute="your_worker_name_as_defined_in_the_Apache__conf/workers.properties" ... or better, how can you give me an all purpose workers.properties that I can try to cut and paste?

4.  Do I need to manually create a mod_jk.conf since I cannot (I may be wrong) auto generate this file and simply pointto it...being that the app server is reomote?  

5.  Where do I put the IP address of the remote tomcat server?

1.  I assume both the App server and the web server must each have a workers.properties file?
No, there is no need for it the the Tomcat side (this is Apache config file)

In Tomcat server.xml keep jvmRoute="jvm1" as is.

In apache conf/workers.properties have
               # Define jvm1

               # Load-balancing behaviour

               # Status worker for managing load balancer

You need to create the mod-jk.conf file
see this link for the right mod-jk.conf content as well as more up-to-date setup information
Just ignore the Jboss part (the part that talks about jboss-service.xml).
grouparmstrongAuthor Commented:
I ended up using mod_jk2.  Here's is how I got it to work...  

I have two servers, both running Redhat ES v3.  The Web server resides in my DMZ behind eth0 of my firewall.  I use the Apache 2 binary that I get through the RH subscription (ES Extra's).  The App server is on the LAN, behind eth1 of my firewall.  I have tomcat 5 configured to run over 8080.  I have a rule in my firewall that allows traffic over port 8009 to pass from VLAN IP of the webserver to the VLAN IP of the App server.  

Configuring the App server was easy.  I just made sure that the following connector statement was in conf/server.xml:

<!-- Define a Coyote/JK2 AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" enableLookups="false" redirectPort="8443" debug="0" protocol="AJP/1.3" />

Configuring the Web server took a little more time.  First, I downloaded a mod_jk2.so binary that I thought was close enough to my OS and put it in the /usr/lib/httpd/modules directory of my Web server.  Second, I created the following workers2.properties file and put in in the same directory as my httpd.conf file:








Next, I modified the httpd.conf file and put the following mod_jk2.so LoadModule statement with all the other LoadModule statements:

LoadModule jk2_module modules/mod_jk2.so

That was it.  After starting Apache and Tomcat, it all worked almost perfectly.  I have 4 Virtual Hosts in my Web server.  Once I loaded the mod_jk2.so module, every virtual host was sent to the App server.  I have no clue how to make it so that only virtual host 2 is sent to the App server.  Everything would be great if I didn't have to run other websites, but I do...  

Here is an snapshot of my Virtual Hosts 2 taken from httpd.conf of the Web server:

# Virtual host 2
 <VirtualHost 192.168.xxx.xxx>
 ServerName www.<domainname>.com
 ServerAdmin admin@<domainname>.com
 DocumentRoot /var/www/<domainname>/htdocs
 ServerSignature Email
 DirectoryIndex index.html index.htm index.php default.htm default.html
 LogLevel debug
 HostNameLookups off

Any ideas?  

see: http://jakarta.apache.org/tomcat/connectors-doc-archive/jk2/jk2/vhosthowto.html (entry "JK directives in httpd.conf")
You need to add the Location mapping (map url to mod_jk) inside the VirtualHost entry.

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 6
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now