tomcat-users mailing list archives

From André Warnier (tomcat)
Subject Re: Tomcat behind IIS on windows 2012
Date Mon, 05 Mar 2018 15:52:00 GMT
On 05.03.2018 14:21, Mark Thomas wrote:
> On 02/03/18 20:59, wrote:
>> If I want to have IIS act as an intermediary between Tomcat and the
>> outside world, if I've understood it correctly, there seem to be two
>> choices.
>> Either add something called HttpPlatformHandler into IIS
>> or, use the Apache Tomcat Connectors
> That is the Itanium build. Are you sure that is the version you want?
> Also, 1.2.30 is 8+ years old. The latest version is 1.2.42 (with 1.2.43
> currently being voted on for release). Get the latest version from:
>> Is either considered best practice, to be preferred over the other?
> I've never used HttpPlatformHandler so it is hard to comment. This
> community is more likely to be able to support the ISAPI redirector (the
> IIS component of Tomcat Connectors).
> Generally it looks as if the pros/cons of HTTP proxy vs AJP proxy would
> apply. Which usually boils down to:
> - if you want to proxy over a TLS connection use an HTTP proxy
> - else if you want to expose client info to the back-end easily use AJP
> - else choose whichever you are more familiar / comfortable with

A difference may also be, if you intend/plan/foresee to have some day multiple Tomcats 
sharing the load between them, as a cluster.  The Isapi/AJP redirector can work as a 
load-balancer in such a case.  The HttpPlatformHandler (which I have also never 
used/looked at) may also be able to do that, or not.

A little graphic often helps :

browser <--(1)--> webserver front-end <--(3)--> Tomcat + <Connector>(4)
                     + proxy/redirector
                       module (2)
In the absolute :
(1) can be a HTTP or HTTPS connection
(2) can be Apache httpd, IIS, or any webserver
(3) can be a HTTP, HTTPS or AJP connection
        (AJP is a different protocol than HTTP/S, but it can carry the same information
         back and forth, only in a different format. AJP is not encrypted.)
(4) the <Connector> that you configure in Tomcat, must match the protocol used for (3)

To connect the front-end webserver with a Tomcat back-end via AJP, you MUST use a specific
proxy/redirector module at the front-end level :
- if the front-end is IIS, you must use the "Isapi redirector" (available from the Tomcat
website under "Connectors")
- if the front-end is Apache httpd, you can use either mod_proxy_ajp (available from the 
Apache httpd website) or mod_jk (available from the Tomcat website)

To connect the front-end webserver with a Tomcat back-end via either HTTP or HTTPS,
you can use any front-end proxy module capable of doing HTTP or HTTPS.
Under IIS, this could be HttpPlatformHandler (I guess).
Under Apache httpd, this could be mod_proxy_http.

Performance-wise, there is probably nowadays not a very big difference between the various
options.  The AJP connection is probably a bit more tricky to set up and configure, but it
provides a number of options which the HTTP(S) connection does not provide (or not as readily).
An AJP connection is not encrypted, which means that in theory someone could listen in the
middle and know what is being exchanged.  But if the connection between the front-end and
the back-end is relatively private (such as when both run on the same host), it probably
does not matter.

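An added example, not part of the original message: a small Python check that reads a Tomcat server.xml, classifies each <Connector> as HTTP or AJP (point 4 in the message), and reports whether the AJP connectors listen only on loopback, since AJP is not encrypted. The sample server.xml, the function names and the verdict strings are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragment (not from the original message).
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" />
    <Connector port="8010" protocol="AJP/1.3" address="0.0.0.0" />
    <Connector port="8011" protocol="org.apache.coyote.ajp.AjpNioProtocol" />
  </Service>
</Server>
"""

def connector_kind(protocol):
    """Classify a <Connector> protocol value as 'ajp' or 'http'."""
    # Tomcat accepts "AJP/1.3" or an AJP handler class name; a missing
    # protocol attribute means HTTP/1.1.
    p = (protocol or "HTTP/1.1").lower()
    return "ajp" if p.startswith("ajp/") or ".ajp." in p else "http"

def is_loopback(address):
    """True for 127.0.0.0/8, ::1 or the name 'localhost'."""
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return address.lower() == "localhost"

def audit_connectors(server_xml):
    """Return (port, kind, verdict) for every <Connector> in server.xml."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        kind = connector_kind(conn.get("protocol"))
        address = conn.get("address")
        if kind != "ajp":
            verdict = "n/a"
        elif address is None:
            verdict = "review: no address set, default depends on Tomcat version"
        elif is_loopback(address):
            verdict = "ok: loopback only"
        else:
            verdict = "non-loopback: cleartext AJP on %s, confirm the path is private" % address
        findings.append((conn.get("port"), kind, verdict))
    return findings

if __name__ == "__main__":
    for port, kind, verdict in audit_connectors(SAMPLE_SERVER_XML):
        print(port, kind, verdict)
```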