How to configure Apache to proxy Tomcat using AJP

Tags: apache-2.4, fedora, mod-proxy, mod-proxy-ajp, tomcat8

I have a fresh install of Fedora 23 (Workstation) with fresh installs of Apache 2.4 and Tomcat 8.

I'm attempting a very simple setup: A single instance of Apache will proxy all traffic for a single instance of Tomcat.

In Apache's httpd.conf I've set ServerName localhost. It includes the proxy configuration file conf.modules.d/00-proxy.conf. In that file, mod_proxy and mod_proxy_ajp are enabled with configuration

ProxyRequests Off
<Proxy *>
    Order deny,allow
    Deny from all
    Allow from localhost
</Proxy>
ProxyPass / ajp://localhost:8009/
ProxyPassReverse / ajp://localhost:8009/

According to my understanding, this tells Apache to relay all requests to whatever is listening on local port 8009 via AJP, allowing only requests from localhost and keeping everything relative to the respective root directories.

In Tomcat's /etc/tomcat/server.xml, I have

<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

which, according to my understanding, tells Tomcat to listen on port 8009 for anything being sent via AJP. Given the Apache configuration, this should be every request Apache receives.

The problem

Accessing localhost returns a 403 Forbidden error. If I connect to Tomcat directly with localhost:8080, the connection is fine and I get index.jsp. Apache's error log gives

AH01630: client denied by server configuration: proxy:ajp://localhost:8009/favicon.ico

indicating that Apache is disallowing access to Tomcat's /tomcat/webapps/ROOT/ directory because of a permissions conflict. I tried adding

<Directory "/var/lib/tomcat/webapps/ROOT">
    AllowOverride None
    # Allow open access:
    Require all granted
</Directory>

to httpd.conf, but it didn't change the 403 Forbidden error after restarting Apache.

This is a very common setup, and none of the many, many guides I've read indicate needing to change Apache's access permissions or the OS filesystem permissions. This is a clean install, and I've done very little with the installation that I haven't noted here.

What do I not understand?

Best Answer

You should modify your connectors like this.

<!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
    <Connector port="8080" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" redirectPort="8443" acceptCount="100"
               connectionTimeout="20000" disableUploadTimeout="true" URIEncoding="UTF-8"/>

<Connector port="8009" URIEncoding="UTF-8" enableLookups="false" protocol="AJP/1.3" />

You can also follow this link: https://confluence.sakaiproject.org/display/~steve.swinsburg/Fronting+Tomcat+with+Apache+via+mod_proxy_ajp
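
Added example, not part of the original question or answer: both AJP connectors quoted on this page omit the `address` attribute, so which interface port 8009 binds to is left to the Tomcat version's default. The sketch below audits a server.xml for that; the sample XML is constructed, and the extra ports, the `address` values and the status labels are assumptions of this example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the two AJP connector forms quoted on this page, plus
# two variants with an explicit address (ports 8010-8012 are assumptions).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Connector port="8010" URIEncoding="UTF-8" enableLookups="false" protocol="AJP/1.3" />
    <Connector port="8011" protocol="AJP/1.3" address="127.0.0.1" />
    <Connector port="8012" protocol="AJP/1.3" address="0.0.0.0" />
  </Service>
</Server>"""


def is_loopback(address):
    """True only for the name 'localhost' or a literal loopback IP."""
    if address.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False  # other hostnames cannot be judged from the file alone


def audit_ajp_connectors(server_xml):
    """Return (port, status) for every AJP <Connector> in a server.xml string."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        # protocol may be "AJP/1.3" or a handler class name containing "ajp"
        if "ajp" not in conn.get("protocol", "").lower():
            continue
        address = conn.get("address")
        if address is None:
            status = "no-address"    # bind address falls back to the version default
        elif is_loopback(address):
            status = "loopback"      # reachable only from the local Apache
        else:
            status = "non-loopback"  # reachable from other hosts unless firewalled
        findings.append((conn.get("port"), status))
    return findings


if __name__ == "__main__":
    for port, status in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print(f"AJP connector on port {port}: {status}")
```

For a setup like the one in the question, where Apache and Tomcat share a host, a `loopback` result is the one that keeps AJP traffic off the network.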