The HTTP Connector
Table of Contents
Introduction
The HTTP Connector element represents a Connector component that supports the HTTP/1.1 protocol. It enables Catalina to function as a stand-alone web server, in addition to its ability to execute servlets and JSP pages. A particular instance of this component listens for connections on a specific TCP port number on the server. One or more such Connectors can be configured as part of a single Service, each forwarding to the associated Engine to perform request processing and create the response.
If you wish to configure the Connector that is used
for connections to web servers using the AJP protocol (such as the
mod_jk 1.2.x
connector for Apache 1.3), please refer to the
AJP Connector documentation.
Each incoming request requires
a thread for the duration of that request. If more simultaneous requests
are received than can be handled by the currently available request
processing threads, additional threads will be created up to the
configured maximum (the value of the maxThreads
attribute).
If still more simultaneous requests are received, they are stacked up
inside the server socket created by the Connector, up to
the configured maximum (the value of the acceptCount
attribute). Any further simultaneous requests will receive "connection
refused" errors, until resources are available to process them.
Attributes
Common Attributes
All implementations of Connector support the following attributes:
Attribute | Description |
---|---|
allowTrace |
A boolean value which can be used to enable or disable the TRACE HTTP method. If not specified, this attribute is set to false. |
asyncTimeout |
The default timeout for asynchronous requests in milliseconds. If not specified, this attribute is set to the Servlet specification default of 30000 (30 seconds). |
enableLookups |
Set to |
maxHeaderCount |
The maximum number of headers in a request that are allowed by the container. A request that contains more headers than the specified limit will be rejected. A value of less than 0 means no limit. If not specified, a default of 100 is used. |
maxParameterCount |
The maximum number of parameter and value pairs (GET plus POST) which
will be automatically parsed by the container. Parameter and value pairs
beyond this limit will be ignored. A value of less than 0 means no limit.
If not specified, a default of 10000 is used. Note that
|
maxPostSize |
The maximum size in bytes of the POST which will be handled by the container FORM URL parameter parsing. The limit can be disabled by setting this attribute to a value less than or equal to 0. If not specified, this attribute is set to 2097152 (2 megabytes). |
maxSavePostSize |
The maximum size in bytes of the POST which will be saved/buffered by the container during FORM or CLIENT-CERT authentication. For both types of authentication, the POST will be saved/buffered before the user is authenticated. For CLIENT-CERT authentication, the POST is buffered for the duration of the SSL handshake and the buffer emptied when the request is processed. For FORM authentication the POST is saved whilst the user is re-directed to the login form and is retained until the user successfully authenticates or the session associated with the authentication request expires. The limit can be disabled by setting this attribute to -1. Setting the attribute to zero will disable the saving of POST data during authentication. If not specified, this attribute is set to 4096 (4 kilobytes). |
parseBodyMethods |
A comma-separated list of HTTP methods for which request
bodies will be parsed for request parameters identically
to POST. This is useful in RESTful applications that want to
support POST-style semantics for PUT requests.
Note that any setting other than |
port |
The TCP port number on which this Connector will create a server socket and await incoming connections. Your operating system will allow only one server application to listen to a particular port number on a particular IP address. If the special value of 0 (zero) is used, then Tomcat will select a free port at random to use for this connector. This is typically only useful in embedded and testing applications. |
protocol |
Sets the protocol to handle incoming traffic. The default value is
|
proxyName |
If this Connector is being used in a proxy
configuration, configure this attribute to specify the server name
to be returned for calls to |
proxyPort |
If this Connector is being used in a proxy
configuration, configure this attribute to specify the server port
to be returned for calls to |
redirectPort |
If this Connector is supporting non-SSL
requests, and a request is received for which a matching
|
scheme |
Set this attribute to the name of the protocol you wish to have
returned by calls to |
secure |
Set this attribute to |
URIEncoding |
This specifies the character encoding used to decode the URI bytes,
after %xx decoding the URL. If not specified, UTF-8 will be used unless
the |
useBodyEncodingForURI |
This specifies if the encoding specified in contentType should be used
for URI query parameters, instead of using the URIEncoding. This
setting is present for compatibility with Tomcat 4.1.x, where the
encoding specified in the contentType, or explicitly set using
Request.setCharacterEncoding method was also used for the parameters from
the URL. The default value is |
useIPVHosts |
Set this attribute to |
xpoweredBy |
Set this attribute to |
Standard Implementation
The standard HTTP connectors (BIO, NIO and APR/native) all support the following attributes in addition to the common Connector attributes listed above.
Attribute | Description |
---|---|
acceptCount |
The maximum queue length for incoming connection requests when all possible request processing threads are in use. Any requests received when the queue is full will be refused. The default value is 100. |
acceptorThreadCount |
The number of threads to be used to accept connections. Increase this
value on a multi CPU machine, although you would never really need more
than |
acceptorThreadPriority |
The priority of the acceptor threads. The threads used to accept
new connections. The default value is |
address |
For servers with more than one IP address, this attribute specifies which address will be used for listening on the specified port. By default, this port will be used on all IP addresses associated with the server. |
bindOnInit |
Controls when the socket used by the connector is bound. By default it
is bound when the connector is initiated and unbound when the connector is
destroyed. If set to |
compressableMimeType |
The value is a comma separated list of MIME types for which HTTP
compression may be used.
The default value is |
compression |
The Connector may use HTTP/1.1 GZIP compression in an attempt to save server bandwidth. The acceptable values for the parameter is "off" (disable compression), "on" (allow compression, which causes text data to be compressed), "force" (forces compression in all cases), or a numerical integer value (which is equivalent to "on", but specifies the minimum amount of data before the output is compressed). If the content-length is not known and compression is set to "on" or more aggressive, the output will also be compressed. If not specified, this attribute is set to "off". Note: There is a tradeoff between using compression (saving
your bandwidth) and using the sendfile feature (saving your CPU cycles).
If the connector supports the sendfile feature, e.g. the NIO connector,
using sendfile will take precedence over compression. The symptoms will
be that static files greater that 48 Kb will be sent uncompressed.
You can turn off sendfile by setting |
compressionMinSize |
If compression is set to "on" then this attribute may be used to specify the minimum amount of data before the output is compressed. If not specified, this attribute is defaults to "2048". |
connectionLinger |
The number of seconds during which the sockets used by this Connector will linger when they are closed. If not specified, the JVM default will be used. |
connectionTimeout |
The number of milliseconds this Connector will wait,
after accepting a connection, for the request URI line to be
presented. Use a value of -1 to indicate no (i.e. infinite) timeout.
The default value is 60000 (i.e. 60 seconds) but note that the standard
server.xml that ships with Tomcat sets this to 20000 (i.e. 20 seconds).
Unless disableUploadTimeout is set to |
connectionUploadTimeout |
Specifies the timeout, in milliseconds, to use while a data upload is
in progress. This only takes effect if
disableUploadTimeout is set to |
disableUploadTimeout |
This flag allows the servlet container to use a different, usually
longer connection timeout during data upload. If not specified, this
attribute is set to |
executor |
A reference to the name in an Executor element. If this attribute is set, and the named executor exists, the connector will use the executor, and all the other thread attributes will be ignored. Note that if a shared executor is not specified for a connector then the connector will use a private, internal executor to provide the thread pool. |
executorTerminationTimeoutMillis |
The time that the private internal executor will wait for request
processing threads to terminate before continuing with the process of
stopping the connector. If not set, the default is |
keepAliveTimeout |
The number of milliseconds this Connector will wait for another HTTP request before closing the connection. The default value is to use the value that has been set for the connectionTimeout attribute. Use a value of -1 to indicate no (i.e. infinite) timeout. |
maxConnections |
The maximum number of connections that the server will accept and
process at any given time. When this number has been reached, the server
will accept, but not process, one further connection. This additional
connection be blocked until the number of connections being processed
falls below maxConnections at which point the server will
start accepting and processing new connections again. Note that once the
limit has been reached, the operating system may still accept connections
based on the Note that for APR/native on Windows, the configured value will be
reduced to the highest multiple of 1024 that is less than or equal to
maxConnections. This is done for performance reasons. |
maxExtensionSize |
Limits the total length of chunk extensions in chunked HTTP requests.
If the value is |
maxHttpHeaderSize |
The maximum size of the request and response HTTP header, specified in bytes. If not specified, this attribute is set to 8192 (8 KB). |
maxKeepAliveRequests |
The maximum number of HTTP requests which can be pipelined until the connection is closed by the server. Setting this attribute to 1 will disable HTTP/1.0 keep-alive, as well as HTTP/1.1 keep-alive and pipelining. Setting this to -1 will allow an unlimited amount of pipelined or keep-alive HTTP requests. If not specified, this attribute is set to 100. |
maxThreads |
The maximum number of request processing threads to be created by this Connector, which therefore determines the maximum number of simultaneous requests that can be handled. If not specified, this attribute is set to 200. If an executor is associated with this connector, this attribute is ignored as the connector will execute tasks using the executor rather than an internal thread pool. |
maxTrailerSize |
Limits the total length of trailing headers in the last chunk of
a chunked HTTP request. If the value is |
minSpareThreads |
The minimum number of threads always kept running. If not specified,
the default of |
noCompressionUserAgents |
The value is a regular expression (using |
processorCache |
The protocol handler caches Processor objects to speed up performance.
This setting dictates how many of these objects get cached.
|
restrictedUserAgents |
The value is a regular expression (using |
server |
Overrides the Server header for the http response. If set, the value
for this attribute overrides the Tomcat default and any Server header set
by a web application. If not set, any value specified by the application
is used. If the application does not specify a value then
|
socketBuffer |
The size (in bytes) of the buffer to be provided for socket output buffering. -1 can be specified to disable the use of a buffer. By default, a buffers of 9000 bytes will be used. |
SSLEnabled |
Use this attribute to enable SSL traffic on a connector.
To turn on SSL handshake/encryption/decryption on a connector
set this value to |
tcpNoDelay |
If set to |
threadPriority |
The priority of the request processing threads within the JVM.
The default value is |
Java TCP socket attributes
The BIO and NIO implementation support the following Java TCP socket attributes in addition to the common Connector and HTTP attributes listed above.
Attribute | Description |
---|---|
socket.rxBufSize |
(int)The socket receive buffer (SO_RCVBUF) size in bytes. JVM default used if not set. |
socket.txBufSize |
(int)The socket send buffer (SO_SNDBUF) size in bytes. JVM default used if not set. |
socket.tcpNoDelay |
(bool)This is equivalent to standard attribute tcpNoDelay. |
socket.soKeepAlive |
(bool)Boolean value for the socket's keep alive setting (SO_KEEPALIVE). JVM default used if not set. |
socket.ooBInline |
(bool)Boolean value for the socket OOBINLINE setting. JVM default used if not set. |
socket.soReuseAddress |
(bool)Boolean value for the sockets reuse address option (SO_REUSEADDR). JVM default used if not set. |
socket.soLingerOn |
(bool)Boolean value for the sockets so linger option (SO_LINGER).
A value for the standard attribute connectionLinger
that is >=0 is equivalent to setting this to |
socket.soLingerTime |
(int)Value in seconds for the sockets so linger option (SO_LINGER).
This is equivalent to standard attribute
connectionLinger.
Both this attribute and |
socket.soTimeout |
This is equivalent to standard attribute connectionTimeout. |
socket.performanceConnectionTime |
(int)The first value for the performance settings. See Socket Performance Options All three performance attributes must be set else the JVM defaults will be used for all three. |
socket.performanceLatency |
(int)The second value for the performance settings. See Socket Performance Options All three performance attributes must be set else the JVM defaults will be used for all three. |
socket.performanceBandwidth |
(int)The third value for the performance settings. See Socket Performance Options All three performance attributes must be set else the JVM defaults will be used for all three. |
socket.unlockTimeout |
(int) The timeout for a socket unlock. When a connector is stopped, it will try to release the acceptor thread by opening a connector to itself.
The default value is |
BIO specific configuration
The following attributes are specific to the BIO connector.
Attribute | Description |
---|---|
disableKeepAlivePercentage |
The percentage of processing threads that have to be in use before
HTTP keep-alives are disabled to improve scalability. Values less than
|
NIO specific configuration
The following attributes are specific to the NIO connector.
Attribute | Description |
---|---|
pollerThreadCount |
(int)The number of threads to be used to run for the polling events.
Default value is |
pollerThreadPriority |
(int)The priority of the poller threads.
The default value is |
selectorTimeout |
(int)The time in milliseconds to timeout on a select() for the
poller. This value is important, since connection clean up is done on
the same thread, so do not set this value to an extremely high one. The
default value is |
useComet |
(bool)Whether to allow comet servlets or not. Default value is
|
useSendfile |
(bool)Use this attribute to enable or disable sendfile capability.
The default value is |
socket.directBuffer |
(bool)Boolean value, whether to use direct ByteBuffers or java mapped
ByteBuffers. Default is |
socket.appReadBufSize |
(int)Each connection that is opened up in Tomcat get associated with
a read ByteBuffer. This attribute controls the size of this buffer. By
default this read buffer is sized at |
socket.appWriteBufSize |
(int)Each connection that is opened up in Tomcat get associated with
a write ByteBuffer. This attribute controls the size of this buffer. By
default this write buffer is sized at |
socket.bufferPool |
(int)The NIO connector uses a class called NioChannel that holds
elements linked to a socket. To reduce garbage collection, the NIO
connector caches these channel objects. This value specifies the size of
this cache. The default value is |
socket.bufferPoolSize |
(int)The NioChannel pool can also be size based, not used object
based. The size is calculated as follows: |
socket.processorCache |
(int)Tomcat will cache SocketProcessor objects to reduce garbage
collection. The integer value specifies how many objects to keep in the
cache at most. The default is |
socket.keyCache |
(int)Tomcat will cache KeyAttachment objects to reduce garbage
collection. The integer value specifies how many objects to keep in the
cache at most. The default is |
socket.eventCache |
(int)Tomcat will cache PollerEvent objects to reduce garbage
collection. The integer value specifies how many objects to keep in the
cache at most. The default is |
selectorPool.maxSelectors |
(int)The max selectors to be used in the pool, to reduce selector
contention. Use this option when the command line
|
selectorPool.maxSpareSelectors |
(int)The max spare selectors to be used in the pool, to reduce
selector contention. When a selector is returned to the pool, the system
can decide to keep it or let it be GC'd. Use this option when the
command line |
command-line-options |
The following command line options are available for the NIO
connector: |
oomParachute |
(int)The NIO connector implements an OutOfMemoryError strategy called
parachute. It holds a chunk of data as a byte array. In case of an OOM,
this chunk of data is released and the error is reported. This will give
the VM enough room to clean up. The |
APR/native specific configuration
The following attributes are specific to the APR/native connector.
Attribute | Description |
---|---|
deferAccept |
Sets the |
pollerSize |
Amount of sockets that the poller responsible for polling kept alive connections can hold at a given time. Extra connections will be closed right away. The default value is 8192, corresponding to 8192 keep-alive connections. This is a synonym for maxConnections. |
pollerThreadCount |
Number of threads used to poll kept alive connections. On Windows the default is chosen so that the sockets managed by each thread is less than 1024. For Linux the default is 1. Changing the default on Windows is likely to have a negative performance impact. |
pollTime |
Duration of a poll call in microseconds. Lowering this value will slightly decrease latency of connections being kept alive in some cases, but will use more CPU as more poll calls are being made. The default value is 2000 (2ms). |
sendfileSize |
Amount of sockets that the poller responsible for sending static files asynchronously can hold at a given time. Extra connections will be closed right away without any data being sent (resulting in a zero length file on the client side). Note that in most cases, sendfile is a call that will return right away (being taken care of "synchronously" by the kernel), and the sendfile poller will not be used, so the amount of static files which can be sent concurrently is much larger than the specified amount. The default value is 1024. |
sendfileThreadCount |
Number of threads used service sendfile sockets. On Windows the default is chosen so that the sockets managed by each thread is less than 1024. For Linux the default is 1. Changing the default on Windows is likely to have a negative performance impact. |
threadPriority |
(int)The priority of the acceptor and poller threads.
The default value is |
useComet |
(bool)Whether to allow comet servlets or not. Default value is
|
useSendfile |
(bool)Use this attribute to enable or disable sendfile capability.
The default value is |
Nested Components
None at this time.
Special Features
HTTP/1.1 and HTTP/1.0 Support
This Connector supports all of the required features of the HTTP/1.1 protocol, as described in RFC 2616, including persistent connections, pipelining, expectations and chunked encoding. If the client (typically a browser) supports only HTTP/1.0, the Connector will gracefully fall back to supporting this protocol as well. No special configuration is required to enable this support. The Connector also supports HTTP/1.0 keep-alive.
RFC 2616 requires that HTTP servers always begin their responses with
the highest HTTP version that they claim to support. Therefore, this
Connector will always return HTTP/1.1
at
the beginning of its responses.
Proxy Support
The proxyName
and proxyPort
attributes can
be used when Tomcat is run behind a proxy server. These attributes
modify the values returned to web applications that call the
request.getServerName()
and request.getServerPort()
methods, which are often used to construct absolute URLs for redirects.
Without configuring these attributes, the values returned would reflect
the server name and port on which the connection from the proxy server
was received, rather than the server name and port to whom the client
directed the original request.
For more information, see the Proxy Support HOW-TO.
SSL Support
You can enable SSL support for a particular instance of this
Connector by setting the SSLEnabled
attribute to
true
.
You will also need to set the scheme
and secure
attributes to the values https
and true
respectively, to pass correct information to the servlets.
The BIO and NIO connectors use the JSSE SSL whereas the APR/native connector uses OpenSSL. Therefore, in addition to using different attributes to configure SSL, the APR/native connector also requires keys and certificates to be provided in a different format.
For more information, see the SSL Configuration HOW-TO.
SSL Support - BIO and NIO
The BIO and NIO connectors use the following attributes to configure SSL:
Attribute | Description |
---|---|
algorithm |
The certificate encoding algorithm to be used. This defaults to
|
allowUnsafeLegacyRenegotiation |
Is unsafe legacy TLS renegotiation allowed which is likely to expose
users to CVE-2009-3555, a man-in-the-middle vulnerability in the TLS
protocol that allows an attacker to inject arbitrary data into the user's
request. If not specified, a default of |
ciphers |
The comma separated list of encryption ciphers to support for HTTPS
connections. If specified, only the ciphers that are listed and supported
by the SSL implementation will be used. By default, the default ciphers
for the JVM will be used. Note that this usually means that the weak
export grade ciphers will be included in the list of available ciphers.
The ciphers are specified using the JSSE cipher naming convention. The
special value of |
clientAuth |
Set to |
clientCertProvider |
When client certificate information is presented in a form other than
instances of |
crlFile |
The certificate revocation list to be used to verify client certificates. If not defined, client certificates will not be checked against a certificate revocation list. |
keyAlias |
The alias used to for the server certificate in the keystore. If not specified the first key read in the keystore will be used. |
keyPass |
The password used to access the server certificate from the
specified keystore file. The default value is " |
keystoreFile |
The pathname of the keystore file where you have stored the
server certificate to be loaded. By default, the pathname is
the file " |
keystorePass |
The password used to access the specified keystore file. The default
value is the value of the |
keystoreProvider |
The name of the keystore provider to be used for the server
certificate. If not specified, the list of registered providers is
traversed in preference order and the first provider that supports the
|
keystoreType |
The type of keystore file to be used for the server certificate.
If not specified, the default value is " |
sessionCacheSize |
The number of SSL sessions to maintain in the session cache. Use 0 to specify an unlimited cache size. If not specified, a default of 0 is used. |
sessionTimeout |
The time, in seconds, after the creation of an SSL session that it will timeout. Use 0 to specify an unlimited timeout. If not specified, a default of 86400 (24 hours) is used. |
sslEnabledProtocols |
The comma separated list of SSL protocols to support for HTTPS
connections. If specified, only the protocols that are listed and
supported by the SSL implementation will be enabled. If not specified,
the JVM default is used. The permitted values may be obtained from the
JVM documentation for the allowed values for
|
sslImplementationName |
The class name of the SSL implementation to use. If not specified, the
default of |
sslProtocol |
The the SSL protocol(s) to use (a single value may enable multiple
protocols - see the JVM documentation for details). If not specified, the
default is |
trustManagerClassName |
The name of a custom trust manager class to use to validate client
certificates. The class must have a zero argument constructor and must
also implement |
trustMaxCertLength |
The maximum number of intermediate certificates that will be allowed when validating client certificates. If not specified, the default value of 5 will be used. |
truststoreAlgorithm |
The algorithm to use for truststore. If not specified, the default
value returned by
|
truststoreFile |
The trust store file to use to validate client certificates. The
default is the value of the |
truststorePass |
The password to access the trust store. The default is the value of the
|
truststoreProvider |
The name of the truststore provider to be used for the server
certificate. The default is the value of the
|
truststoreType |
The type of key store used for the trust store. The default is the
value of the |
SSL Support - APR/Native
When APR/native is enabled, the HTTPS connector will use a socket poller for keep-alive, increasing scalability of the server. It also uses OpenSSL, which may be more optimized than JSSE depending on the processor being used, and can be complemented with many commercial accelerator components. Unlike the HTTP connector, the HTTPS connector cannot use sendfile to optimize static file processing.
The HTTPS APR/native connector has the same attributes than the HTTP APR/native connector, but adds OpenSSL specific ones. For the full details on using OpenSSL, please refer to OpenSSL documentations and the many books available for it (see the Official OpenSSL website). The SSL specific attributes for the APR/native connector are:
Attribute | Description |
---|---|
SSLCACertificateFile | |
SSLCACertificatePath | |
SSLCARevocationFile | |
SSLCARevocationPath | |
SSLCertificateChainFile | |
SSLCACertificateFile |
Name of the file that contains the concatenated certificates for the trusted certificate authorities. The format is PEM-encoded. |
SSLCACertificatePath |
Name of the directory that contains the certificates for the trusted certificate authorities. The format is PEM-encoded. |
SSLCARevocationFile |
Name of the file that contains the concatenated certificate revocation lists for the certificate authorities. The format is PEM-encoded. |
SSLCARevocationPath |
Name of the directory that contains the certificate revocation lists for the certificate authorities. The format is PEM-encoded. |
SSLCertificateChainFile |
Name of the file that contains concatenated certifcates for the certificate authorities which form the certifcate chain for the server certificate. The format is PEM-encoded. |
SSLCertificateFile |
Name of the file that contains the server certificate. The format is PEM-encoded. |
SSLCertificateKeyFile |
Name of the file that contains the server private key. The format is PEM-encoded. The default value is the value of "SSLCertificateFile" and in this case both certificate and private key have to be in this file (NOT RECOMMENDED). |
SSLCipherSuite |
Ciphers which may be used for communicating with clients. The default is "ALL", with other acceptable values being a list of ciphers, with ":" used as the delimiter (see OpenSSL documentation for the list of ciphers supported). |
SSLDisableCompression |
Disables compression if set to |
SSLHonorCipherOrder |
Set to |
SSLPassword |
Pass phrase for the encrypted private key. If "SSLPassword" is not provided, the callback function should prompt for the pass phrase. |
SSLProtocol |
Protocol which may be used for communicating with clients. The default
value is |
SSLVerifyClient |
Ask client for certificate. The default is "none", meaning the client will not have the opportunity to submit a certificate. Other acceptable values include "optional", "require" and "optionalNoCA". |
SSLVerifyDepth |
Maximum verification depth for client certificates. The default is "10". |
Connector Comparison
Below is a small chart that shows how the connectors differentiate.
Java Blocking Connector BIO |
Java Nio Blocking Connector NIO |
APR/native Connector APR |
|
---|---|---|---|
Classname | Http11Protocol |
Http11NioProtocol |
Http11AprProtocol |
Tomcat Version | 3.x onwards | 6.x onwards | 5.5.x onwards |
Support Polling | NO | YES | YES |
Polling Size | N/A | maxConnections |
maxConnections |
Read HTTP Request | Blocking | Non Blocking | Blocking |
Read HTTP Body | Blocking | Sim Blocking | Blocking |
Write HTTP Response | Blocking | Sim Blocking | Blocking |
Wait for next Request | Blocking | Non Blocking | Non Blocking |
SSL Support | Java SSL | Java SSL | OpenSSL |
SSL Handshake | Blocking | Non blocking | Blocking |
Max Connections | maxConnections |
maxConnections |
maxConnections |