Tomcat Proxies


Last modified: March 26, 2024

Overview

Note:
  • This document only applies to Tomcat 8.5.
  • If you are running a server that uses AlmaLinux, Rocky Linux™, or Ubuntu®, you can only install Tomcat in container-based packages that use EasyApache 4’s containers. For more information about using Tomcat on these operating systems, read our Tomcat via Containers documentation.
  • You must possess root-level access to create an Apache Tomcat® proxy.

This document explains how to configure a proxy for Tomcat in EasyApache 4.

EasyApache 4 proxy requirements

Note:

The following examples are not comprehensive. Many methods exist to proxy from Apache® to Tomcat.

To configure a proxy for EasyApache 4, create a virtual host include file for any domain for which you wish to proxy an application to Tomcat. Add your include file to the appropriate location in the /etc/apache2/ directory. For more information about Apache include files and their locations, read our Modify Apache Virtual Hosts with Include Files documentation.

After you create or edit an Apache include userdata file, you must rebuild the httpd.conf file and restart Apache for the changes to take effect.

To rebuild the httpd.conf file, run the following script:

/usr/local/cpanel/scripts/rebuildhttpdconf

To restart Apache, run the following script:

/usr/local/cpanel/scripts/restartsrv_httpd

Find your Tomcat Apache JServ Protocol (AJP) port

When you assign Tomcat access to a cPanel user, the script assigns two ports to the user. These port assignments reside in the /etc/cpanel/cpuser_port_authority.json file and the user’s /home/username/ea-tomcat85/conf/server.xml file, where username represents the cPanel account username.

  • The /home/username/ea-tomcat85/conf/server.xml file contains the port on which the Apache JServ Protocol (AJP) support module listens. You must use this port to configure a Tomcat proxy. For more information about AJP, read Apache’s AJP documentation.
  • The /etc/cpanel/cpuser_port_authority.json file contains the port on which HTTP listens as well as the port on which AJP listens.
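
The following Python sketch is an added example, not cPanel's own tooling. It reads the Connector entries from a server.xml file to find the AJP port, then checks that every ajp:// target in a proxy include file uses that port. The sample file contents, the port numbers, and the function names connectors and check_include are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a user's ea-tomcat85/conf/server.xml (ports are made up).
SAMPLE_SERVER_XML = """<Server port="-1" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="11110" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="11111" protocol="AJP/1.3"/>
  </Service>
</Server>"""

# Constructed sample include file; the /store target wrongly uses the HTTP port.
SAMPLE_INCLUDE = """<IfModule proxy_ajp_module>
    ProxyPass "/.well-known/" "!"
    ProxyPass "/docs" "ajp://127.0.0.1:11111/docs"
    ProxyPass "/store" "ajp://127.0.0.1:11110/store"
</IfModule>"""

# Port of every ajp:// target on an uncommented ProxyPass/ProxyPassMatch line.
AJP_TARGET = re.compile(
    r'^[ \t]*ProxyPass(?:Match)?[ \t]+\S+[ \t]+"?ajp://[^:/"\s]+:(\d+)', re.M)

def connectors(server_xml):
    """Return {'ajp': [ports], 'http': [ports]} for every <Connector> element."""
    found = {"ajp": [], "http": []}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        # Tomcat treats a missing protocol attribute as HTTP/1.1.
        proto = conn.get("protocol", "HTTP/1.1").upper()
        found["ajp" if "AJP" in proto else "http"].append(int(conn.get("port")))
    return found

def check_include(include_text, server_xml):
    """Return findings; an empty list means include and server.xml agree."""
    ports = connectors(server_xml)
    findings = []
    for port in AJP_TARGET.findall(include_text):
        if int(port) not in ports["ajp"]:
            findings.append(f"ajp:// target port {port} is not an AJP connector")
    # Simple heuristic: if the include never proxies over HTTP, an enabled
    # HTTP connector is a listener nothing uses and a candidate to disable.
    if "http://" not in include_text:
        for port in ports["http"]:
            findings.append(f"HTTP connector on port {port} is enabled but unused")
    return findings

if __name__ == "__main__":
    print(connectors(SAMPLE_SERVER_XML))
    for finding in check_include(SAMPLE_INCLUDE, SAMPLE_SERVER_XML):
        print("FINDING:", finding)
```
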

Set up a URI proxy

To set up a URI proxy using AJP, your entry might resemble the following example:

Note:
In this example, /docs represents the Tomcat application and 11111 represents the user’s AJP port number.
<IfModule proxy_ajp_module>
    ProxyPass "/docs" "ajp://127.0.0.1:11111/docs"
</IfModule>

In the above example, if you navigated to http://example.com/docs, the server would proxy the request to the docs Tomcat application.

Set up a subdomain proxy

To set up a subdomain proxy, your entry might resemble the following example:

Note:
In this example, /store represents the Tomcat application and 11111 represents the user’s AJP port number.
<IfModule proxy_ajp_module>
    ProxyPass "/.well-known/" "!"
    ProxyPass "/" "ajp://127.0.0.1:11111/store"
</IfModule>

In the above example, if you navigated to http://store.example.com, the server would proxy the request to the store Tomcat application.

Mimic EasyApache 3 Tomcat proxy behavior in EasyApache 4

You can mimic EasyApache 3’s proxy behavior in a private instance and run applications from the user’s document root.

Warning:
  • We strongly recommend that you do not mimic EasyApache 3’s behavior. If you create a proxy for Tomcat to a user’s document root, a malicious user could bypass the Apache access permissions for the files located in that directory. If you choose to perform this action, you must limit your Tomcat ports to only the users that require access.

  • We also strongly recommend that you disable listening on any ports that you do not intend to use. For example, if you will only use HTTP, we recommend that you disable the AJP port. Or, if you will only proxy to AJP, we recommend that you disable the HTTP port.

To configure this behavior, perform the following steps:

  • Add a Host entry to the ~/ea-tomcat85/conf/server.xml file.
  • Create an include file to act as a proxy for the appropriate domain with the mod_proxy_ajp Apache module.

Your include file would resemble the following example, where 11111 represents the user’s AJP port:

<IfModule proxy_ajp_module>
    ProxyPassMatch "^/(.*\.jsp|.*\.do|(?:.*/)?servlets?/.*)$" "ajp://127.0.0.1:11111/$1"
</IfModule>

This method ensures that the application functions similarly to EasyApache 3, except it now runs as the user.
