HTTP Connectors
Tomcat comes with a preconfigured HTTP connector that can handle incoming HTTP requests from a browser. Because of this, Tomcat can act as a standalone web server, handling both HTTP and HTTPS requests. Tomcat can also be tied in with both Apache and IIS; I will not be explaining IIS, so I point you to the Apache Tomcat web site.
The Java-based HTTP/1.1 Connector is the default connector configured in Tomcat. There are two additional connectors: one that makes use of the high-performance IO features of the Java NIO library, and a native version of the HTTP Connector written in C/C++ and coded to APR (Apache Portable Runtime). Both of the additional Connectors are new and hopefully will become the standard connector.
HTTP Connectors
HTTP connectors are Java classes that implement the HTTP protocol. By default the Connector listens on port 8080, but this can be changed. There are a number of HTTP Connectors available:
- Java-based HTTP/1.1 (Coyote) Connector
- Java-based High performance NIO HTTP Connector
- Native code-optimized APR HTTP Connector
The Coyote Connector is the most mature of the three and is an extremely stable Connector. The high performance NIO Connector provides non-blocking IO and Comet support, but this Connector still has a number of bugs. If your systems are heavily loaded then you might want to use the APR HTTP Connector; it is the newest of the three Connectors but is the most optimized.
The Connector is set up in the server.xml file and can have many attributes:
Connector Attributes | ||
Attribute | Description | Default value |
acceptCount | This is the maximum queue length for incoming connection requests when all possible request processing threads are in use; any requests received when the queue is full are refused. | |
address | The IP address that Tomcat binds to, if not specified then all addresses are bound. | All addresses are bound |
allowTrace | This enables the TRACE HTTP method if set to true | false |
compressibleMimeTypes | This is a comma-separated list of MIME types for which HTTP compressions can be used | text/html, text/xml, text/plain |
compression | The Connector can use GZIP compression to get better bandwidth from the server | false |
connectionLinger | This sets the number of milliseconds the socket connection lingers after it has been closed | 0 |
connectionTimeout | This is the number of milliseconds that this Connector waits, after accepting a connection, for the request URI line to be presented | 60,000 milliseconds (60 seconds) |
disableUploadTimeout | Enables a separate timeout to be set for data uploads during a servlet execution | false |
emptySessionPath | If set to true, the session path used for cookies is always "/" | false |
enableLookups | If set to true, all calls to request.getRemoteHost() will perform a DNS lookup | false |
maxHttpHeaderSize | controls the maximum size of the request and response headers | 4KB |
maxPostSize | specifies the maximum size in bytes of the POST that can be handled by the container, setting this to 0 will disable this feature | 2MB |
maxSavePostSize | specifies the maximum size in bytes of the POST that can be handled by the container during a client-cert or authentication operation, setting this to -1 will disable this feature | 4KB |
maxSpareThreads | controls the maximum number of unused threads that are allowed to exist before Tomcat starts stopping the unused ones. | 50 |
minSpareThreads | specifies the minimum number of threads that are started when a Connector is initialized | 4 |
maxThreads | specifies the maximum number of threads that are created for this Connector | 200 |
noCompressUserAgents | comma-separated list that matches the HTTP User-Agent value of web browsers that have broken support for HTTP/1.1 compression | n/a |
port | The port number on which the Connector creates its server socket | 8080 |
protocol | specifies the HTTP protocol to use, by default it loads org.apache.coyote.http11.Http11Protocol | HTTP/1.1 |
implementation | This is the default Java-based blocking Connector | org.apache.coyote.http11.Http11Protocol |
proxyName | used when Tomcat is running behind a proxy | n/a |
proxyPort | used in proxy conditions | n/a |
redirectPort | If the incoming request requests a SSL resource, Catalina will redirect this request to this port | 8443 |
restrictUserAgents | comma-separated list that matches the HTTP User-Agent value of web browsers that have broken support for HTTP/1.1 keep-alive behavior | n/a |
scheme | set to the name of the protocol | HTTP |
secure | set to true for SSL Connectors | false |
server | specifies the server header when sending the HTTP response | Apache-Coyote/1.1 |
socketBuffer | specifies the size in bytes of the buffer to be used for socket output buffering; setting this to -1 turns off buffering | 9KB |
tcpNoDelay | when set to true it enables the TCP_NO_DELAY network socket option | true |
threadPriority | specifies the Java thread priority for request handling threads created in the Java JVM | java.lang.Thread#NORM_PRIORITY |
URIEncoding | specifies the character encoding used to decode URI bytes | ISO-8859-1 |
useBodyEncodingForURI | if set to true this attribute causes the encoding specified in the contentType to be used for decoding the URI rather than the URIEncoding attribute | false |
useIPVHosts | if set to true this attribute causes the server to examine the incoming request IP address to direct the request to the corresponding virtual host | false |
xpoweredBy | if set to true an X-Powered-By header is output in servlet-generated responses returned by the Connector. | false |
When configuring a Connector to support HTTPS connections, its secure attribute must be set to true and its scheme set to https. The new SSL-related Connector attributes are as follows:
Connector Attributes | ||
Attribute | Description | Default value |
algorithm | specifies the certificate encoding algorithm to use | SunX509 |
ciphers | a comma-separated list of encryption ciphers | |
clientAuth | If set to true then the client connection would need to present a valid certificate | false |
keystoreFile | specifies the path to the keystore | |
keystorePass | password to access the keystore | changeit |
keystoreType | specifies the keystore type; you can use pkcs11 or pkcs12 | JKS |
sslProtocol | specifies the SSL protocol version to use | TLS |
Example | ||
SSL Connector example | <Connector ... maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" /> |
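The following is an added example, not code from the original page: a small Python check that reads a server.xml and flags Connector settings, using the attributes and defaults from the tables above (TRACE enabled, X-Powered-By header, no bind address, an HTTPS Connector without scheme/secure, the default keystore password, no ciphers list). The sample server.xml, its address and its keystore path are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from the original page); values are assumptions.
SAMPLE_SERVER_XML = """
<Server>
  <Service name="Catalina">
    <Connector port="8080" allowTrace="true" xpoweredBy="true"
               redirectPort="8443" />
    <Connector port="8443" address="192.0.2.10" scheme="https"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="conf/keystore.jks" />
  </Service>
</Server>
"""

# Attributes from the SSL table; any of them marks a Connector as HTTPS.
SSL_ATTRS = ("keystoreFile", "keystorePass", "keystoreType", "ciphers", "sslProtocol")


def flag(conn, name, default):
    """Read a true/false or keyword attribute, applying the table's default."""
    return conn.get(name, default).strip().lower()


def audit_connectors(server_xml):
    """Return sorted (port, finding) tuples for every <Connector> element."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        port = conn.get("port", "8080")
        if flag(conn, "allowTrace", "false") == "true":
            findings.append((port, "allowTrace=true enables the TRACE method"))
        if flag(conn, "xpoweredBy", "false") == "true":
            findings.append((port, "xpoweredBy=true adds an X-Powered-By header"))
        if not conn.get("address"):
            findings.append((port, "no address set, so all addresses are bound"))
        https = flag(conn, "scheme", "http") == "https"
        if https or any(a in conn.attrib for a in SSL_ATTRS):
            if not https or flag(conn, "secure", "false") != "true":
                findings.append((port, "HTTPS needs scheme=https and secure=true"))
            if conn.get("keystorePass", "changeit") == "changeit":
                findings.append((port, "keystorePass is the default 'changeit'"))
            if not conn.get("ciphers"):
                findings.append((port, "no ciphers list is set"))
    return sorted(findings)


if __name__ == "__main__":
    for port, finding in audit_connectors(SAMPLE_SERVER_XML):
        print(f"port {port}: {finding}")
```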
I am not going to discuss the advanced NIO connector, both because of the problems it has and because I do not implement this particular Connector in any of my Tomcat servers. I thus leave you to search the internet for any material on this Connector.
The native APR Connector works well in Windows and Linux environments; it is written using APR and compiled to native code for optimized, platform-specific performance. It is not a complete Connector: it actually makes use of the standard Java-based connector for most of its operations. It uses three main mechanisms to increase performance:
- Use of a sendfile() kernel mode call to send large static files directly from the buffer cache
- Use of a single native code keep alive poller to implement connection keep alive for a large number of connections
- Use of native OpenSSL code, which has the potential to accelerate SSL handling (via hardware)
Many of the attributes overlap with the standard HTTP/1.1 Connector, so check the table above.
Native APR Connector example | <Connector ... maxThreads="150" connectionTimeout="20000" redirectPort="8843" /> |
Make sure the APR runtime library has been installed, see Tomcat Installation for more details.
Tomcat can support both CGI and SSI, but by default both are disabled for security reasons: both CGI and SSI can bypass the security policies defined for programs in the catalina.policy file. Again I point you to the internet for more information on these configurations.
Sometimes a Tomcat server runs behind a proxy server; in this case the hostname and port number of the proxy server must be returned to the client in the HTTP response. You use two attributes, proxyName and proxyPort, to achieve this:
Apache Setup | ProxyPass /servlets http://hostname:8080/servlets ProxyPassReverse /servlets http://hostname:8080/servlets |
Tomcat setup | <Connector ... proxyPort="80" /> |
In the table below I describe when you should use a particular Connector
HTTP/1.1 | Standard Connector used 99% of the time and works straight out of the box |
NIO | Ajax-style applications requiring long-lasting sessions between client and server |
Native APR | provides a high performance, scalable and potentially faster solution. |
Below are some attributes and JVM tuning tips that can be implemented to improve performance
tcpNoDelay | setting this attribute to true enables the TCP_NO_DELAY network socket option. This improves performance as it disables the Nagle algorithm, which concatenates small buffer messages in order to decrease the number of packets sent over the network |
maxKeepAliveRequests | This attribute controls the keep-alive behavior of HTTP requests, enabling persistent connections; it specifies the maximum number of requests that can be pipelined until the connection is closed by the server |
socketBuffer | specifies the size in bytes of the buffer to be used for socket output buffering |
enableLookups | setting this attribute to false disables lookups which can impact performance |
maxThreads, maxSpareThreads, minSpareThreads (thread pool) | using a thread pool can improve performance; these three attributes control the number of threads, the most important probably being minSpareThreads, which makes sure there are enough threads available. |
JVM settings | JVM memory settings are low by default, so you will probably need to increase them on a production server; the -Xms and -Xmx JVM parameters set the initial and maximum heap size. |
Source: http://www.datadisk.co.uk/html_docs/java_app/tomcat6/tomcat6_http_connectors.htm