File: apache.xml

package info (click to toggle)
libapache-mod-jk 1%3A1.2.30-1squeeze2
links: PTS, VCS
area: main
in suites: squeeze-lts
size: 10,056 kB
ctags: 5,973
sloc: ansic: 54,056; xml: 12,930; sh: 9,363; java: 1,921; perl: 1,004; makefile: 275; awk: 59
file content (1064 lines) | stat: -rw-r--r-- 39,063 bytes
parent folder | download | duplicates (2)
<?xml version="1.0"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<!DOCTYPE document [
  <!ENTITY project SYSTEM "project.xml">
]>
<document url="apache.html">

    &project; 

    <properties>
        <author email="mturk@apache.org">Mladen Turk</author>
        <title>Configuring Apache</title>
    </properties>

<body>

<section name="Configuration Directives">
<p>
Most of the directives are allowed once in the global part of the Apache httpd
configuration and once in every &lt;VirtualHost&gt; elements. Exceptions from this rule are
explicitly listed in the table below.
</p>
<p>
Most values are inherited from the main server to the virtual hosts.
Since version 1.2.20 they can be overwritten in the virtual hosts.
Exceptions from this rule are again explicitly listed in the table below.
See especially JkMountCopy.
</p>
<warn>
Warning: If Apache httpd and Tomcat are configured to serve content from
the same filing system location then care must be taken to ensure that httpd is
not able to serve inappropriate content such as the contents of the WEB-INF
directory or JSP source code.
</warn>
<p>
This could occur if the httpd DocumentRoot
overlaps with a Tomcat Host's appBase or the docBase of any Context. It could
also occur when using the httpd Alias directive with a Tomcat Host's appBase or
the docBase of any Context.
</p>
<p>
Here are the all directives supported by Apache:
</p>
<attributes name="Directive">
<attribute name="JkWorkersFile" required="false"><p>
The name of a worker file for the Tomcat servlet containers.
<br/>
This directive is only allowed once. It must be put into
the global part of the configuration.
<br/>
If you don't use the JkWorkerProperty directives, then you must
define your workers with a valid JkWorkersFile. There is no default
value.
</p></attribute>
<attribute name="JkWorkerProperty" required="false"><p>
Enables setting worker properties inside Apache configuration file.
The syntax is the same as in the JkWorkersFile (usually workers.properties).
Simply prefix each line with "JkWorkerProperty" to put it directly into
the Apache httpd config files.
<br/>
This directive is allowed multiple times.
It must be put into the global part of the configuration.
<br/>
If you don't use the JkWorkerProperty directives, then you must
define your workers with a valid JkWorkersFile. There is no default
value.
<br/>
This directive is available in jk1.2.7 version and later.
</p></attribute>
<attribute name="JkShmFile" required="false"><p>
Shared memory file name. Used only on unix platforms.
The shm file is used by balancer and status workers.
<br/>
This directive is only allowed once. It must be put into
the global part of the configuration.
<br/>
The default value is logs/jk-runtime-status.
It is highly recommended that the shm file be placed on a local
drive and not an NFS share.
</p>
<p>
The shared memory contains configuration and runtime information for load balancer
workers and their members. It is need in order that all apache children
<ul>
<li>share the same status information for load balancing members (OK, ERROR, ...),</li>
<li>share the information about load taken by the individual workers,</li>
<li>share the information for the parts of the configuration, which are changeable
during runtime by status workers.</li>
</ul>
</p>
</attribute>
<attribute name="JkShmSize" required="false"><p>
Size of the shared memory file name.
<br/>
This directive is only allowed once. It must be put into
the global part of the configuration.
<br/>
The default value depends on the platform. It is usually less than 64KB.
</p></attribute>
<p>Starting with version 1.2.27 the size of the shared memory is determined
automatically, even for large numbers of workers. This attribute is not
needed any longer.</p>
<attribute name="JkMountFile" required="false"><p>
File containing multiple mappings from a context to a Tomcat worker.
It is usually called uriworkermap.properties.
<br/>
For inheritance rules, see: JkMountCopy.
<br/>
There is no default value.
</p></attribute>
<attribute name="JkMountFileReload" required="false"><p>
This directive configures the reload check interval in seconds.
The JkMountFile is checked periodically for changes.
A changed file gets reloaded automatically. If you set
this directive to "0", reload checking is turned off.
<br/>
The default value is 60 seconds.
<br/>
This directive has been added in version 1.2.20 of mod_jk.
</p></attribute>
<attribute name="JkMount" required="false"><p>
A mount point from a context to a Tomcat worker.
<br/>
This directive is allowed multiple times.
It is allowed in the global configuration and in VirtualHost.
You can also use it inside Location with a different syntax.
Inside Location, one omits the first argument (path),
which gets inherited from the Location.
<br/>
By default JkMount entries are not inherited from the global
server to other VirtualHosts or between VirtualHosts.
For the complete inheritance rules, see: JkMountCopy.
</p></attribute>
<attribute name="JkUnMount" required="false"><p>
An exclusion mount point from a context to a Tomcat worker.
All exclusion mounts are checked after mapping a request
to a tomcat worker. If the request maps also to an exclusion,
it will not be forwarded to tomcat, and instead be served locally.
<br/>
This directive is allowed multiple times.
It is allowed in the global configuration and in VirtualHost.
You can also use it inside Location with a different syntax.
Inside Location, one omits the first argument (path),
which gets inherited from the Location.
For inheritance rules, see: JkMountCopy.
<br/>
This directive is available in jk1.2.7 version and later.
</p></attribute>
<attribute name="JkAutoAlias" required="false"><p>
Automatically Alias webapp context directories into the Apache
document space.
<br/>
Care should be taken to ensure that only static content is served via httpd as a
result of using this directive. Any static content served by httpd will bypass any
security constraints defined in the application's web.xml.
<br/>
For inheritance rules, see: JkMountCopy.
<br/>
There is no default value.
</p></attribute>
<attribute name="JkMountCopy" required="false"><p>
If this directive is set to "On" in some virtual server,
the mounts from the global server will be copied to this
virtual server, more precisely all mounts defined by JkMount
or JkUnMount. The Mounts defined by JkMountFile and JkAutoAlias
will only be inherited, if the VirtualHost does not define
it's own JkMountFile or JkAutoAlias.
<br/>
If you want all vhost to inherit mounts from the main server,
you can set JkMountCopy to 'All' in the main server.
<br/>
This directive is only allowed inside VirtualHost (with value "On")
and in the global server (with value "All").
<br/>
The default is Off, so no mounts will be inherited from the global
server to any VirtualHost.
<br/>
Starting with version 1.2.26 you can also set it to "All" in the
global virtual server. This will switch the default to On.
</p></attribute>
<attribute name="JkWorkerIndicator" required="false"><p>
Name of the Apache environment variable that can be used to set worker names
in combination with SetHandler jakarta-servlet.
<br/>
This directive is only allowed once per virtual server.
It is allowed in the global configuration and in VirtualHost.
<br/>
The default value is JK_WORKER_NAME.
</p></attribute>
<attribute name="JkWatchdogInterval" required="false"><p>
This directive configures the watchdog thread interval in seconds.
The workers are maintained periodically by a background thread
running periodically every watchdog_interval seconds. Worker maintenance
checks for idle connections, corrects load status and is able
to detect backend health status.
<br/>
The maintenance only happens, if since the last maintenance at
least <a href="workers.html"><code>worker.maintain</code></a>
seconds have passed. So setting the JkWatchdogInterval
much smaller than <code>worker.maintain</code> is not useful.
<br/>
The default value is 0 seconds, meaning the watchdog thread
will not be created, and the maintenance is done in combination
with normal requests instead.
<br/>
This directive is only allowed once. It must be put into
the global part of the configuration.
<br/>
This directive has been added in version 1.2.27 of mod_jk.
It is available only for httpd 2.x and above using APR libraries
including thread support.
</p></attribute>
<attribute name="JkLogFile" required="false"><p>
Full or server relative path to the Tomcat Connector module log file.
It will also work with pipe, by using a value of the form "| ...".
<br/>
The default value is logs/mod_jk.log.
<br/>
Pipes are supported for Apache 1.3 only since version 1.2.16.
The default value exists only since version 1.2.20.
</p></attribute>
<attribute name="JkLogLevel" required="false"><p>
The Tomcat Connector module log level, can be debug, info, warn
error or trace.
<br/>
The default value is info.
</p></attribute>
<attribute name="JkLogStampFormat" required="false"><p>
The Tomcat Connector module <b>date</b> log format, using an
extended strftime syntax.
This format will be used for the time stamps in the JkLogFile.
The maximum length of the format is 63 characters.
<br/>
Starting with version 1.2.24 of mod_jk you can also use %Q
for adding milliseconds to the log and %q for microseconds. 
These conversion specifiers are an extension to strftime.
They will only work on platforms with a gettimeofday() function.
You can use %Q and %q only once in the pattern and also not both
together in the same pattern.
<br/>
The default value is "[%a %b %d %H:%M:%S %Y] " and beginning
with version 1.2.24 on platforms with a gettimeofday()
function it is "[%a %b %d %H:%M:%S.%Q %Y] ".
</p></attribute>
<attribute name="JkRequestLogFormat" required="false"><p>
Request log format string. See detailed description below.
<br/>
There is no default value. Without defining a value, the request logging
is turned off.
</p></attribute>
<attribute name="JkExtractSSL" required="false"><p>
Turns on SSL processing and information gathering by mod_jk
<br/>
The default value is On.
</p></attribute>
<attribute name="JkHTTPSIndicator" required="false"><p>
Name of the Apache environment variable that contains SSL indication.
<br/>
The default value is "HTTPS".
</p></attribute>
<attribute name="JkCERTSIndicator" required="false"><p>
Name of the Apache environment variable that contains SSL client certificates.
<br/>
The default value is "SSL_CLIENT_CERT".
</p></attribute>
<attribute name="JkCIPHERIndicator" required="false"><p>
Name of the Apache environment variable that contains SSL client cipher.
<br/>
The default value is "SSL_CIPHER".
</p></attribute>
<attribute name="JkCERTCHAINPrefix" required="false"><p>
Name of the Apache environment (prefix) that contains SSL client chain certificates.
<br/>
The default value is "SSL_CLIENT_CERT_CHAIN_".
</p></attribute>
<attribute name="JkSESSIONIndicator" required="false"><p>
Name of the Apache environment variable that contains SSL session.
<br/>
The default value is "SSL_SESSION_ID".
</p></attribute>
<attribute name="JkKEYSIZEIndicator" required="false"><p>
Name of the Apache environment variable that contains SSL key size in use.
<br/>
The default value is "SSL_CIPHER_USEKEYSIZE".
</p></attribute>
<attribute name="JkLocalNameIndicator" required="false"><p>
Name of the Apache environment variable which can be used to overwrite
the forwarded local name.
Use this only if you need to adjust the data (see the
<a href="../generic_howto/proxy.html">proxy</a> documentation).
<br/>
The default value is "JK_LOCAL_NAME".
<br/>
This directive has been added in version 1.2.28 of mod_jk.
</p></attribute>
<attribute name="JkLocalPortIndicator" required="false"><p>
Name of the Apache environment variable which can be used to overwrite
the forwarded local port.
Use this only if you need to adjust the data (see the
<a href="../generic_howto/proxy.html">proxy</a> documentation).
<br/>
The default value is "JK_LOCAL_PORT".
<br/>
This directive has been added in version 1.2.28 of mod_jk.
</p></attribute>
<attribute name="JkRemoteHostIndicator" required="false"><p>
Name of the Apache environment variable which can be used to overwrite
the forwarded remote (client) host name.
Use this only if you need to adjust the data (see the
<a href="../generic_howto/proxy.html">proxy</a> documentation).
<br/>
The default value is "JK_REMOTE_HOST".
<br/>
This directive has been added in version 1.2.28 of mod_jk.
</p></attribute>
<attribute name="JkRemoteAddrIndicator" required="false"><p>
Name of the Apache environment variable which can be used to overwrite
the forwarded remote (client) IP address.
Use this only if you need to adjust the data (see the
<a href="../generic_howto/proxy.html">proxy</a> documentation).
<br/>
The default value is "JK_REMOTE_ADDR".
<br/>
This directive has been added in version 1.2.28 of mod_jk.
</p></attribute>
<attribute name="JkRemoteUserIndicator" required="false"><p>
Name of the Apache environment variable which can be used to overwrite
the forwarded user name.
Use this only if you need to adjust the data (see the
<a href="../generic_howto/proxy.html">proxy</a> documentation).
<br/>
The default value is "JK_REMOTE_USER".
<br/>
This directive has been added in version 1.2.28 of mod_jk.
</p></attribute>
<attribute name="JkAuthTypeIndicator" required="false"><p>
Name of the Apache environment variable which can be used to overwrite
the forwarded authentication type.
Use this only if you need to adjust the data (see the
<a href="../generic_howto/proxy.html">proxy</a> documentation).
<br/>
The default value is "JK_AUTH_TYPE".
<br/>
This directive has been added in version 1.2.28 of mod_jk.
</p></attribute>
<attribute name="JkOptions" required="false"><p>
Set one of more options to configure the mod_jk module. See below for
details about this directive.
<br/>
This directive can be used multiple times per virtual server.
<br/>
The default value is "ForwardURIProxy" since version 1.2.24.
It was "ForwardURICompatUnparsed" in version 1.2.23 and
"ForwardURICompat" until version 1.2.22.
</p></attribute>
<attribute name="JkEnvVar" required="false"><p>
Adds a name and an optional default value of environment variable
that should be sent to servlet-engine as a request attribute.
If the default value is not given explicitly, the variable
will only be send, if it is set during runtime.
<br/>
The default is empty, so no additional variables will be sent.
<br/>
This directive can be used multiple times per virtual server.
The settings will be merged between the global server and any
virtual server.
<br/>
You can retrieve the variables on Tomcat as request attributes
via request.getAttribute(attributeName). Note that the variables
send via JkEnvVar will not be listed in request.getAttributeNames().
<br/>
Empty default values are supported since version 1.2.20.
Not sending variables with empty defaults and empty runtime value
has been introduced in version 1.2.21.
</p></attribute>
<attribute name="JkStripSession" required="false"><p>
If this directive is set to On in some virtual server,
the session IDs <code>;jsessionid=...</code> will be
removed for non matched URLs.
<br/>
This directive is only allowed inside VirtualHost.
<br/>
The default is Off.
<br/>
This directive has been introduced in version 1.2.21.
<br/>With version 1.2.27 and later this directive can have optional
session ID identifier. If not specified it defaults to
<code>;jsessionid</code>.
</p>
</attribute>

</attributes>
</section>

<section name="Configuration Directives Types">
<p>
We'll discuss here the mod_jk directive types.
</p>

<subsection name="Define workers">
<p>
<b>JkWorkersFile</b> specify the location where mod_jk will find the workers definitions.
Take a look at <a href="workers.html">Workers documentation</a> for detailed description.

<source>
  JkWorkersFile     /etc/httpd/conf/workers.properties
</source>

<br/>
<br/>
</p>

</subsection>

<subsection name="Logging">
<p>
<b>JkLogFile</b> specify the location where mod_jk is going to place its log file.
</p>

<source>
  JkLogFile     /var/log/httpd/mod_jk.log
</source>

<p>
Since JK 1.2.3 for Apache 2.x and JK 1.2.16 for Apache 1.3 this can also
be used for piped logging:
</p>

<source>
  JkLogFile     "|/usr/bin/rotatelogs /var/log/httpd/mod_jk.log 86400"
</source>

<p>
<b>JkLogLevel</b>
set the log level between :
</p>

<ul>
<li>
<b>info</b> log will contain standard mod_jk activity (default).
</li>
<li>
<b>warn</b> log will contain non fatal error reports.
</li>
<li>
<b>error</b> log will contain also error reports.
</li>
<li>
<b>debug</b> log will contain all information on mod_jk activity
</li>
<li>
<b>trace</b> log will contain all tracing information on mod_jk activity
</li>
</ul>

<source>  
  JkLogLevel    info
</source>

<p>
<code>info</code> should be your default selection for normal operations.
<br/>
<br/>
</p>

<p>
<b>JkLogStampFormat</b> will configure the date/time format found on mod_jk log file. 
Using the strftime() format string it's set by<br />
default to <b>"[%a %b %d %H:%M:%S %Y]"</b>
</p>

<source>
  JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
</source>

<p>
<br/>
<br/>
</p>

<p>
<b>JkRequestLogFormat</b> will configure the format of mod_jk individual request logging. 
Request logging is configured and enabled on a per virtual host basis. 
To enable request logging for a virtual host just add a JkRequestLogFormat config. 
The syntax of the format string is similar to the Apache LogFormat command, 
here is a list of the available request log format options:
</p>

<p>
<attributes name="Options">
  <attribute name="%b" required="false">Bytes sent, excluding HTTP headers (CLF format)</attribute>
  <attribute name="%B" required="false">Bytes sent, excluding HTTP headers</attribute>
  <attribute name="%H" required="false">The request protocol</attribute>
  <attribute name="%m" required="false">The request method</attribute>
  <attribute name="%p" required="false">The canonical Port of the server serving the request</attribute>
  <attribute name="%q" required="false">The query string (prepended with a ? if a query string exists, otherwise an empty string)</attribute>
  <attribute name="%r" required="false">First line of request</attribute>
  <attribute name="%s" required="false">Request HTTP status code</attribute>
  <attribute name="%T" required="false">Request duration, elapsed time to handle request in seconds '.' micro seconds</attribute>
  <attribute name="%U" required="false">The URL path requested, not including any query string.</attribute>
  <attribute name="%v" required="false">The canonical ServerName of the server serving the request</attribute>
  <attribute name="%V" required="false">The server name according to the UseCanonicalName setting</attribute>
  <attribute name="%w" required="false">Tomcat worker name</attribute>
  <attribute name="%R" required="false">Real worker name</attribute>
</attributes>

<source>
  JkRequestLogFormat     "%w %V %T"
</source>

<br/>
<br/>
</p>

<p>
You can also log mod_jk information using the Apache standard module <b>mod_log_config</b>.
The module sets several notes in the Apache httpd notes table.
Most of them are are only useful in combination with a load balancer worker.
</p>

<p>
<attributes name="Note">
  <attribute name="JK_WORKER_NAME" required="false">Name of the worker selected by the URI mapping</attribute>
  <attribute name="JK_WORKER_TYPE" required="false">Type of the worker selected by the URI mapping</attribute>
  <attribute name="JK_WORKER_ROUTE" required="false">Actual worker name selected by the URI mapping (usually a member of the load balancer).<br/>
                                                         Before version 1.2.26 only available if JkRequestLogFormat is set.</attribute>
  <attribute name="JK_REQUEST_DURATION" required="false">Request duration in seconds and microseconds.<br/>
                                                         Before version 1.2.26 only available if JkRequestLogFormat is set.</attribute>
  <attribute name="JK_LB_FIRST_NAME" required="false">Load-Balancer: Name of the first worker tried</attribute>
  <attribute name="JK_LB_FIRST_TYPE" required="false">Load-Balancer: Type of the first worker tried</attribute>
  <attribute name="JK_LB_FIRST_ACCESSED" required="false">Load-Balancer: Access count for the first worker tried</attribute>
  <attribute name="JK_LB_FIRST_READ" required="false">Load-Balancer: Bytes read for the first worker tried</attribute>
  <attribute name="JK_LB_FIRST_TRANSFERRED" required="false">Load-Balancer: Bytes transferred for the first worker tried</attribute>
  <attribute name="JK_LB_FIRST_ERRORS" required="false">Load-Balancer: Error count for the first worker tried</attribute>
  <attribute name="JK_LB_FIRST_BUSY" required="false">Load-Balancer: Busy count for the first worker tried</attribute>
  <attribute name="JK_LB_FIRST_ACTIVATION" required="false">Load-Balancer: Activation state for the first worker tried</attribute>
  <attribute name="JK_LB_FIRST_STATE" required="false">Load-Balancer: Error state for the first worker tried</attribute>
  <attribute name="JK_LB_LAST_NAME" required="false">Load-Balancer: Name of the last worker tried</attribute>
  <attribute name="JK_LB_LAST_TYPE" required="false">Load-Balancer: Type of the last worker tried</attribute>
  <attribute name="JK_LB_LAST_ACCESSED" required="false">Load-Balancer: Access count for the last worker tried</attribute>
  <attribute name="JK_LB_LAST_READ" required="false">Load-Balancer: Bytes read for the last worker tried</attribute>
  <attribute name="JK_LB_LAST_TRANSFERRED" required="false">Load-Balancer: Bytes transferred for the last worker tried</attribute>
  <attribute name="JK_LB_LAST_ERRORS" required="false">Load-Balancer: Error count for the last worker tried</attribute>
  <attribute name="JK_LB_LAST_BUSY" required="false">Load-Balancer: Busy count for the last worker tried</attribute>
  <attribute name="JK_LB_LAST_ACTIVATION" required="false">Load-Balancer: Activation state for the last worker tried</attribute>
  <attribute name="JK_LB_LAST_STATE" required="false">Load-Balancer: Error state for the last worker tried</attribute>
</attributes>

<source>
  LogFormat     "%h %l %u %t \"%r\" %>s %b %{JK_WORKER_NAME}n %{JK_LB_FIRST_NAME}n \
                 %{JK_LB_FIRST_BUSY}n %{JK_LB_LAST_NAME}n %{JK_LB_LAST_BUSY}n" mod_jk_log
  CustomLog     logs/access_log     mod_jk_log
</source>

<br/>
<br/>
</p>

</subsection>

<subsection name="Forwarding">
<p>
The directive JkOptions allow you to set many forwarding options which will enable (+)
or disable (-) following option. Without any leading signs, options will be enabled.
<br/>
<br/>
</p>

<p>
The four following options <b>+ForwardURIxxx</b> are mutually exclusive.
Exactly one of them is required, a negative sign prefix is not allowed with them.
The default value is "ForwardURIProxy" since version 1.2.24.
It was "ForwardURICompatUnparsed" in version 1.2.23 and
"ForwardURICompat" until version 1.2.22.
You can turn the default off by switching on one of the other two options.
You should leave this at it's default value, unless you have a very good
reason to change it.
<br/>
<br/>
</p>

<p>
All options are inherited from the global server to virtual hosts.
Options that support enabling (plus options) and disabling (minus options),
are inherited in the following way:
<br/>
<br/>
options(vhost) = plus_options(global) - minus_options(global) + plus_options(vhost) - minus_options(vhost)
<br/>
<br/>
</p>

<p>
Using JkOptions <b>ForwardURIProxy</b>, the forwarded URI
will be partially reencoded after processing inside Apache httpd and
before forwarding to Tomcat. This will be compatible with local
URL manipulation by mod_rewrite and with URL encoded session ids.

<source>
  JkOptions     +ForwardURIProxy
</source>

<br/>
<br/>
</p>

<p>
Using JkOptions <b>ForwardURICompatUnparsed</b>, the forwarded URI
will be unparsed. It's spec compliant and secure.
It will always forward the original request URI, so rewriting
URIs with mod_rewrite and then forwarding the rewritten URI
will not work.

<source>
  JkOptions     +ForwardURICompatUnparsed
</source>

<br/>
<br/>
</p>

<p>
Using JkOptions <b>ForwardURICompat</b>, the forwarded URI will
be decoded by Apache httpd. Encoded characters will be decoded and
explicit path components like ".." will already be resolved.
This is less spec compliant and is <b>not safe</b> if you are using
prefix JkMount. This option will allow to rewrite URIs with
mod_rewrite before forwarding.

<source>
  JkOptions     +ForwardURICompat
</source>

<br/>
<br/>
</p>

<p>
Using JkOptions <b>ForwardURIEscaped</b>, the forwarded URI will
be the encoded form of the URI used by ForwardURICompat.
Explicit path components like ".." will already be resolved.
This will not work in combination with URL encoded session IDs,
but it will allow to rewrite URIs with mod_rewrite before forwarding.

<source>
  JkOptions     +ForwardURIEscaped
</source>

<br/>
<br/>
</p>

<p>
JkOptions <b>RejectUnsafeURI</b> will block all
URLs, which contain percent signs '%' or backslashes '\'
after decoding.
<br/>
<br/>
</p>
<p>
Most web apps do not use such URLs. Using the option RejectUnsafeURI, you
can block several well known URL encoding attacks. By default, this option
is not set.
</p>
<p>
You can also realise such a check with mod_rewrite, which is more powerful
but also slightly more complicated.

<source>  
  JkOptions     +RejectUnsafeURI
</source>

<br/>
<br/>
</p>

<p>
JkOptions <b>ForwardDirectories</b> is used in conjunction with <b>DirectoryIndex</b>
directive of Apache web server. As such mod_dir should be available to Apache,
statically or dynamically (DSO)
<br/>
<br/>
</p>

<p>
When DirectoryIndex is configured, Apache will create sub-requests for
each of the local-url's specified in the directive, to determine if there is a
local file that matches (this is done by stat-ing the file).
</p>

<p>
If ForwardDirectories is set to false (default) and Apache doesn't find any
files that match, Apache will serve the content of the directory (if directive
Options specifies Indexes for that directory) or a <code>403 Forbidden</code> response (if
directive Options doesn't specify Indexes for that directory).
</p>

<p>
If ForwardDirectories is set to true and Apache doesn't find any files that
match, the request will be forwarded to Tomcat for resolution. This is used in
cases when Apache cannot see the index files on the file system for various
reasons: Tomcat is running on a different machine, the JSP file has been
precompiled etc. 
</p>

<p>Note that locally visible files will take precedence over the
ones visible only to Tomcat (i.e. if Apache can see the file, that's the one
that's going to get served). This is important if there is more then one type of
file that Tomcat normally serves - for instance Velocity pages and JSP pages.

<source>  
  JkOptions     +ForwardDirectories
</source>
<br/>
<br/>
</p>

<p>
JkOptions <b>ForwardLocalAddress</b>, you ask mod_jk to send the local address,
of the Apache web server instead remote client address. This can be used by
Tomcat remote address valve for allowing connections only from registered Apache
web servers.

<source>  
  JkOptions     +ForwardLocalAddress
</source>

<br/>
<br/>
</p>

<p>
JkOptions <b>FlushPackets</b>, you ask mod_jk to flush Apache's connection
buffer after each AJP packet chunk received from Tomcat. This option can have
a strong performance penalty for Apache and Tomcat as writes are performed
more often than would normally be required (ie: at the end of each
response).

<source>  
  JkOptions     +FlushPackets
</source>

<br/>
<br/>
</p>

<p>
JkOptions <b>FlushHeader</b>, you ask mod_jk to flush Apache's connection
buffer after the response headers have been  received from Tomcat.

<source>  
  JkOptions     +FlushHeader
</source>

<br/>
<br/>
</p>

<p>
JkOptions <b>DisableReuse</b>, you ask mod_jk to close connections immediately
after their use. Normally mod_jk uses persistent connections and pools idle
connections to reuse them, when new requests have to be sent to Tomcat.
</p>

<p>
Using this option will have a strong performance penalty for Apache and Tomcat.
Use this only as a last resort in case of unfixable network problems.
If a firewall between Apache and Tomcat silently kills idle connections,
try to use the worker attribute socket_keepalive in combination with an appropriate
TCP keepalive value in your OS.

<source>  
  JkOptions     +DisableReuse
</source>

<br/>
<br/>
</p>

<p>
JkOptions <b>ForwardKeySize</b>,  you ask mod_jk, when using ajp13, to forward also the SSL Key Size  as 
required by Servlet API 2.3.
This flag shouldn't be set when servlet engine is Tomcat 3.2.x (on by default).

<source>  
  JkOptions     +ForwardKeySize
</source>

<br/>
<br/>
</p>

<p>
JkOptions <b>ForwardSSLCertChain</b>,  you ask mod_jk, when using ajp13,
to forward SSL certificate chain (off by default).
Mod_jk only passes the <code>SSL_CLIENT_CERT</code> to the AJP connector. This is not a
problem with self-signed certificates or certificates directly signed by the
root CA certificate. However, there's a large number of certificates signed by
an intermediate CA certificate, where this is a significant problem: A servlet
will not have the possibility to validate the client certificate on its own. The
bug would be fixed by passing on the <code>SSL_CLIENT_CERT_CHAIN</code> to Tomcat via the AJP connector.
<br/>
This directive exists only since version 1.2.22.
<source>  
  JkOptions     +ForwardSSLCertChain
</source>

<br/>
<br/>
</p>

<p>
The directive <b>JkEnvVar</b> allows you to forward environment variables
from Apache server to Tomcat engine.
You can add a default value as a second parameter to the directive.
If the default value is not given explicitly, the variable
will only be send, if it is set during runtime.
<br/>
The variables can be retrieved on the Tomcat side as request attributes
via request.getAttribute(attributeName).
Note that the variables send via JkEnvVar will not be listed
in request.getAttributeNames().
<br/>
<br/>
The variables are inherited from the global server to virtual hosts.

<source>  
  JkEnvVar     SSL_CLIENT_V_START     undefined
</source>
<br/>
<br/>
</p>

</subsection>

<subsection name="Assigning URLs to Tomcat">
<p>
If you have created a custom or local version of mod_jk.conf-local as noted above, 
you can change settings such as the workers or URL prefix.
</p>
<p>
<b>JkMount</b> directive assign specific URLs to Tomcat. 
In general the structure of a JkMount directive is:
</p>

<source>  
  JkMount [URL prefix] [Worker name]
</source>

<source>
  # send all requests ending in .jsp to worker1
  JkMount /*.jsp worker1
  # send all requests ending /servlet to worker1
  JkMount /*/servlet/ worker1
  # send all requests jsp requests to files located in /otherworker will go worker2
  JkMount /otherworker/*.jsp worker2
</source>

<p>
You can use the JkMount directive at the top level or inside &lt;VirtualHost&gt;
sections of your httpd.conf file.
</p>
<p><b>JkUnMount</b> directive acts as an opposite to JkMount and blocks access
to a particular URL. The purpose is to be able to filter out the particular content
types from mounted context. The following example mounts /servlet/*
context, but all .gif files that belongs to that context are not served.
</p>
<source>
  # send all requests ending with /servlet to worker1
  JkMount /servlet/* worker1
  # do not send requests ending with .gif to worker1
  JkUnMount /servlet/*.gif worker1
</source>
<p>
JkUnMount takes precedence over JkMount directives, meaning that the JK
will first try to mount and then checks, if there is an exclusion defined by a
JkUnMount. A JkUnMount overrides a JkMount only, if the worker names in the
JkMount and in the JkUnMount are the same.
</p>
<p>
The following example will block all .gif files although there is a JkMount for them:
</p>
<source>
  # do not send requests ending with .gif to worker1
  JkUnMount /*.gif worker1
  # The .gif files will not be mounted cause JkUnMount takes
  # precedence over JkMount directive
  JkMount /servlet/*.gif worker1
</source>
<p>
Starting with version 1.2.26 of JK you can apply a JkUnMount to any worker,
by using the star character '*' as the worker name in the JkUnMount.
More complex patterns in JkUnMount worker names are not allowed.
</p>
<source>
  # Mapping the webapps myapp1 and myapp2:
  /myapp1/*=worker1
  /myapp2/*=worker2
  # Exclude the all subdirectories static for all workers:
  !/*/static/*=*
  # Exclude some suffixes for all workers:
  !*.html=*
</source>
<p>
<b>JkAutoAlias</b> directive automatically <b>Alias</b> webapp context directories into
the Apache document space. It enables Apache to serve a static context while Tomcat
serving dynamic context. This directive is used for convenience so that you don't
have to put an apache Alias directive for each application directory inside Tomcat's
webapp directory. For security reasons is is strongly recommended that JkMount
is used to pass all requests to Tomcat by default and JkUnMount is used to
explicitly exclude static content to be served by httpd. It should also be noted
that content served by httpd will bypass any security constraints defined in the
application's web.xml.
</p>
<source>
  # enter the full path to the tomcat webapps directory
  JkAutoAlias /opt/tomtact/webapps
</source>
<p>The following example shows how to serve a dynamic context by
Tomcat and static using Apache. The webapps directory has to
be accessible by apache.</p>

<source>
  # enter the full path to the tomcat webapps directory
  JkAutoAlias /opt/tomtact/webapps

  # Mount 'servlets-examples' directory. It's physical location
  # is assumed to be in the /opt/tomtact/webapps/servlets-examples
  # ajp13w is a worker defined in the workers.properties
  JkMount /servlets-examples/* ajp13w

  # Unmount desired static content from servlets-examples webapp.
  # This content will be served by the httpd directly.
  JkUnMount /servlets-examples/*.gif ajp13w
  JkUnMount /servlets-examples/*.jpg ajp13w
</source>
<p>Note that you can have a single JkAutoAlias directive per virtual
host inside your httpd.conf
</p>
<p>
<b>JkWorkerProperty</b> is a new directive available from JK 1.2.7
version. It is a convenient method for setting directives that are
usually set inside <b>workers.propeties</b> file. The parameter for
that directive is raw line from workers.properties file.
</p>
<source>
  # Just like workers.properties but exact line is prefixed
  # with JkWorkerProperty

  # Minimal jk configuration
  JkWorkerProperty worker.list=ajp13w
  JkWorkerProperty worker.ajp13w.type=ajp13
  JkWorkerProperty worker.ajp13w.host=localhost
  JkWorkerProperty worker.ajp13w.port=8009   
</source>
<p>
<b>JkMountFile</b> is a new directive available from JK 1.2.9
version. It is used for dynamic updates of mount points at runtime.
When the mount file is changed, JK will reload it's content.
</p>
<source>
  # Load mount points

  JkMountFile conf/uriworkermap.properties
</source>
<p>If the mount point uri starts with an exclamation mark '!'
it defines an exclusion in the same way JkUnMount does.
If the mount point uri starts with minus sign '-'
the mount point will only be disabled. A disabled mount can be reenabled
by deleting the minus sign and waiting for the JkMountFile to reload.
An exclusion can be disabled by prefixing it with a minus sign.
</p>
<source>
  # Sample uriworkermap.properties file

  /servlets-examples/*=ajp13w
  # Do not map .jpeg files
  !/servlets-examples/*.jpeg=ajp13w
  # Make jsp examples initially disabled  
  -/jsp-examples/*=ajp13w
</source>
<p>At run time you can change the content of this file. For example
removing minus signs will enable the previously disabled uri mappings.
You can add any number of new entries at runtime that reflects the newly deployed
applications. Apache will reload the file and update the mount
points within 60 second interval.
</p>
<p>
There is no way to delete entries by dynamic reloading, but you can disable or
exclude mappings.
<br/>
<br/>
</p>

</subsection>

<subsection name="Using SetHandler and Environment Variables">
<p>
Alternatively to the mod_jk specific directives, you can also use
SetHandler and environment variables to control, which requests
are being forwarded via which worker. This gives you more flexibility,
but the results might be more difficult to understand. If you mix both
ways of defining the forwards, in general to mod_jk directives will win.
</p>
<p>
<b>SetHandler jakarta-servlet</b> forces requests to be handled by mod_jk.
If you neither specify any workers via JkMount and the related directives,
not via the environment variable described below,
the first worker in the list of all worker will be chosen. You can use SetHandler
for example in Location blocks or with Apache 2.2 also in RewriteRule.
</p>
<p>
In order to control the worker using <b>SetEnvIf</b> or <b>RewriteRule</b>
for more complex rules, you can set the environment variable <b>JK_WORKER_NAME</b>
to the name of your chosen target worker. This enables you to decide on
the chosen worker in a more flexible way, including dependencies on cookie values.
This feature has been added in version 1.2.19 of mod_jk.
</p>
<p>
In order to use another variable than <b>JK_WORKER_NAME</b>, you can set the name
of this variable via the <b>JkWorkerIndicator</b> directive.
</p>
<p>
You can also define exclusions from mod_jk forwards by setting the environment
variable <b>no-jk</b>.
</p>
<source>
  # Automatically map all encoded urls
  &lt;Location *;jsessionid=&gt;
    SetHandler jakarta-servlet
    SetEnv JK_WORKER_NAME my_worker
  &lt;/Location&gt;

  # Map all subdirs to workers via naming rule
  # and exclude static content.
  &lt;Location /apps/&gt;
    SetHandler jakarta-servlet
    SetEnvIf REQUEST_URI ^/apps/([^/]*)/ JK_WORKER_NAME=$1
    SetEnvIf REQUEST_URI ^/apps/([^/]*)/static no-jk
  &lt;/Location&gt;
</source>
<p>
Finally, starting with version 1.2.27 you can use the environment variable
<b>JK_REPLY_TIMEOUT</b> to dynamically set a reply timeout.
</p>
</subsection>
 </section>
</body>
</document>