tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier>
Subject Re: Apache reverse proxy to tomcat application server
Date Thu, 19 Aug 2010 19:33:24 GMT wrote:
> Hi List,
> I'm running mod_jk on a apache 2.2.14 connecting to a second host, running
> tomcat 5 server with a third party application.
> This application is configured to display some company internal
> information when accessing the page directly without any subdirectory:
> like: http://<servername>/
> A second application part is located under address
> http://<servername>/application -> please note, this is not a directory,
> this is a servlet-mapping made by tomcat (and we can't change the tomcat
> setup as we would loose support for it)
> My problem is now, that I only what to grant access to
> http://<servername>/application for external customers through the apache
> mod_jk setup.
> But of some reason do I have trouble implementing this.
> The stuff only works if I configure mod_jk to JkMount /* - but with that,
> also the page ttp://<servername>/ is access-able.
> I've also tried it with Rewrite rules (to make sure everything else than
> http://<servername/application is redirected to this address), etc. but
> nothing was/is working.
Apart from the help Rainer is giving you, I have a suggestion about your setup.
But first a question : you seem to be proxying just about everything from Apache httpd to

Tomcat.  Do you need Apache httpd then ? why not just have Tomcat listen on port 80  and 
handle everything itself ?

If you have some reason anyway to have Apachje httpd in front, then here is the suggestion

- remove all JkMount directives.
- instead, configure Apache httpd as follows :

<Location />
# here is the stuff that you want only internal users to see.
# Let's say that all these users have IP addresses in the 192.168.* range
Order Allow,Deny
Allow from
Deny from all
# the following is the same as a "JkMount *" for everything in this location
SetHandler jakarta-servlet
... any other Apache directives ..

<Location /application>
# This is the stuff that everyone can see, so we override the above for this location
Order Allow,Deny
Allow from all
# the following is the same as a "JkMount *" for everything in this location
SetHandler jakarta-servlet
.. any other Apache directives ..

That's it.

Instead of the allow/deny stuff above, you can use any Apache-level 
authentication/authorization/access control you want, inside of each Location.
AAA will happen *before* the call is forwarded to Tomcat.
You can also exclude some URLs inside each location, from being forwarded by mod_jk to 
Tomcat, by using something like
   SetEnvIf REQUEST_URI "\.(css|gif|jpg|js)$" no-jk
for example, to have all your images, stylesheets, javascript,.. served directly by Apache

(if you want, and if it makes sense in your context).

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message