Tomcat Configuration

From trapsink.com


tomcat.sysvinit

Advanced SysVinit script:

#!/bin/bash
#
# Startup script for Tomcat
#
# chkconfig: 345 82 20
# description: Tomcat is a servlet runner

LOCALDIR=/usr/local
JAVA_HOME=$LOCALDIR/java
CATALINA_HOME=$LOCALDIR/tomcat
CPFILE=$LOCALDIR/etc/custom.properties
XMFILE=$LOCALDIR/etc/server.xml
export LOCALDIR JAVA_HOME CATALINA_HOME

# Configure as needed for the specific apps
JAVA_OPTS="-server -Xms1536m -Xmx1536m -Xmn384m -XX:+UseParallelGC"
export JAVA_OPTS

# Disable NPTL if necessary
#LD_ASSUME_KERNEL=2.4.1
#export LD_ASSUME_KERNEL

# Source various Catalina options as needed
CATALINA_OPTS=""
while read -r OPTION && [[ "$OPTION" != end ]]
do
  # drop leading spaces
  OPTION="${OPTION#"${OPTION%%[![:space:]]*}"}"
  # skip comments
  [ "${OPTION#\#}" == "${OPTION}" ] || continue
  # skip blank lines
  [ -n "${OPTION}" ] || continue
  CATALINA_OPTS="$CATALINA_OPTS -D$OPTION"
done < "$CPFILE"
export CATALINA_OPTS

# See how we were called.
case "$1" in
  start)
	cd "$CATALINA_HOME" || exit 1
	./bin/startup.sh -config "$XMFILE"
	;;
  stop)
	cd "$CATALINA_HOME" || exit 1
	./bin/shutdown.sh -config "$XMFILE"
	;;
  restart)
	$0 stop
	sleep 3
	$0 start
	;;
  *)
	echo "Usage: $0 {start|stop|restart}"
	exit 1
esac

exit 0


custom.properties

For use in the CPFILE setting of the initscript:

# A way to dynamically include Java properties (-Dfoo=bar)
# from the commandline initscript (see *.sysvinit)
#
java.library.path=/usr/local/lib
java.awt.headless=true
java.util.logging.config.file=/usr/local/etc/logging.properties


httpd_proxy.conf

Using mod_proxy_ajp.so as shipped with Apache:

## http://httpd.apache.org/docs/2.2/mod/mod_proxy.html

<IfModule mod_proxy_ajp.c>
  ## Global variables
  ProxyRequests off
  ProxyPreserveHost on

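  ## This is a status handler for controlling the balancers.
  ## It can change balancer state and has no access control here;
  ## add Order/Deny/Allow rules to the Location before exposing it.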
  ProxyPass /balancer-manager !
  <Location /balancer-manager>
    SetHandler balancer-manager
  </Location>

  ## Direct passing
  ProxyPass /webapp1 ajp://192.168.66.226:8009/mywebapp1
  ProxyPassReverse /webapp1 ajp://192.168.66.226:8009/mywebapp1

  ## By location directives
  <Location "/resources">
    Allow from all
    ProxyPass ajp://192.168.66.226:8009/resources maxattempts=3
    ProxyPassReverse ajp://192.168.66.226:8009/resources
  </Location>

  ## Load balancer with various options
  # Each Tomcat server.xml must have a matching jvmRoute, like so:
  #  <Engine name="Catalina" defaultHost="localhost" jvmRoute="t226">
  #  <Engine name="Catalina" defaultHost="localhost" jvmRoute="t227">
  #  <Engine name="Catalina" defaultHost="localhost" jvmRoute="t228">
  #
  # Be aware this bug exists in ProxyPassReverse with balancer://
  #  https://issues.apache.org/bugzilla/show_bug.cgi?id=51982
  ProxyPass / balancer://javacluster/
  ProxyPassReverse / ajp://192.168.66.226:8009/
  ProxyPassReverse / ajp://192.168.66.227:8009/
  ProxyPassReverse / ajp://192.168.66.228:8009/
  <Proxy balancer://javacluster>
    ProxySet lbmethod=byrequests
    ProxySet timeout=15
    ProxySet nofailover=on
    ProxySet stickysession=JSESSIONID
    BalancerMember ajp://192.168.66.226:8009 loadfactor=1 keepalive=On route=t226
    BalancerMember ajp://192.168.66.227:8009 loadfactor=1 keepalive=On route=t227
    # This is a hot standby
    BalancerMember ajp://192.168.66.228:8009 status=+H keepalive=On route=t228
  </Proxy>
</IfModule>


httpd_jk.conf

Using mod_jk.so compiled from the Tomcat Connector source:

## See the official site for full descriptions and examples
## http://tomcat.apache.org/connectors-doc/reference/apache.html

# Loading the core mod_jk.so
LoadModule jk_module /usr/local/lib/mod_jk.so

# Logging
JkLogFile /var/log/httpd/mod_jk.log
JkLogLevel error
#
# Max format length 63
# JkLogStampFormat "[%a %b %d %H:%M:%S.%Q %Y]"
# 
# JkRequestLogFormat "%w %T %s %U%q"

# Shared memory file name. Used by balancer and status workers.
JkShmFile /var/log/httpd/mod_jk.shm
#
# The default value depends on the platform.
# JkShmSize 256

# The JkOptions directive lets you enable (+) or disable (-) many forwarding
# options. See the documentation.
# JkOptions +ForwardURIProxy
# JkOptions +ForwardURICompatUnparsed
# JkOptions +ForwardURICompat
# JkOptions +ForwardURIEscaped
# JkOptions +RejectUnsafeURI
# JkOptions +ForwardDirectories
# JkOptions +ForwardLocalAddress
# JkOptions +FlushPackets
# JkOptions +FlushHeader
# JkOptions +DisableReuse
# JkOptions +ForwardKeySize
# JkOptions +ForwardSSLCertChain

# The name of a worker file for the Tomcat servlet containers. 
JkWorkersFile /usr/local/etc/workers.properties

# Enables setting worker properties inside Apache configuration file.
# JkWorkerProperty worker.node1.connect_timeout=60

# Name of the Apache environment variable that can be used to set worker
# names in combination with SetHandler jakarta-servlet.
# JkWorkerIndicator JK_WORKER_NAME

# This directive configures the watchdog thread interval in seconds. (1.2.27+)
# JkWatchdogInterval 60

# Turns on SSL processing and information gathering by mod_jk
# In order to make SSL data available for mod_jk in Apache, you need to set
# SSLOptions +StdEnvVars. For the certificate information you also need to add
# SSLOptions +ExportCertData.
JkExtractSSL On
# JkHTTPSIndicator HTTPS
# JkCERTSIndicator SSL_CLIENT_CERT
# JkCIPHERIndicator SSL_CIPHER
# JkCERTCHAINPrefix SSL_CLIENT_CERT_CHAIN_
# JkSESSIONIndicator SSL_SESSION_ID
# JkKEYSIZEIndicator SSL_CIPHER_USEKEYSIZE

# Adds a name and an optional default value of environment variable that
# should be sent to servlet-engine as a request attribute.
# JkEnvVar SSL_CLIENT_V_START undefined
#
# Environment variables (1.2.28+)
# JkLocalNameIndicator JK_LOCAL_NAME
# JkLocalPortIndicator JK_LOCAL_PORT
# JkRemoteHostIndicator JK_REMOTE_HOST
# JkRemoteAddrIndicator JK_REMOTE_ADDR
# JkRemotePortIndicator JK_REMOTE_PORT (1.2.32+)
# JkRemoteUserIndicator JK_REMOTE_USER
# JkAuthTypeIndicator JK_AUTH_TYPE

# If this directive is set to On in some virtual server, the session
# IDs ;jsessionid=... will be removed for non matched URLs. (1.2.21+)
#
# JkStripSession Off

# File containing multiple mappings from a context to a Tomcat worker.
# JkMountFile /usr/local/etc/uriworkermap.properties
#
# This directive configures the reload check interval in seconds.
# If you set this directive to "0", reload checking is turned off.
# JkMountFileReload 60

# Automount a webapp by name
# JkAutoAlias /usr/local/tomcat/webapps

# A mount point from a context to a Tomcat worker.
JkMount /*.jsp loadbalancer

<VirtualHost *:80>
  ...

  # Copy mounts from global defs
  JkMountCopy On

  # A mount point for this vhost only
  JkMount /foosball/*.jsp node1
  #
  # Remove a sub-path from the mount
  # JkUnMount /foosball/images node1

# Protect web.xml and other sensitive files (think .htaccess)
  <Location /foosball/WEB-INF>
    Order Deny,Allow
    Deny from all
  </Location>

# Setting advanced env vars on the fly
# JK_WORKER_NAME (1.2.19+)
# JK_REPLY_TIMEOUT (1.2.27+)
#
# Automatically map all encoded urls
  <Location *;jsessionid=>
    SetHandler jakarta-servlet
    SetEnv JK_WORKER_NAME my_worker
  </Location>
#
# Map all subdirs to workers via naming rule
# and exclude static content.
  <Location /apps/>
    SetHandler jakarta-servlet
    SetEnvIf REQUEST_URI ^/apps/([^/]*)/ JK_WORKER_NAME=$1
    SetEnvIf REQUEST_URI ^/apps/([^/]*)/ JK_REPLY_TIMEOUT=60
    SetEnvIf REQUEST_URI ^/apps/([^/]*)/static no-jk
  </Location>

  ...
</VirtualHost>


workers.properties

For mod_jk.so use:

## http://tomcat.apache.org/connectors-doc/reference/workers.html
## workers.properties
#
# This file provides jk derived plugins with the needed information to
# connect to the different tomcat workers.
#
# As a general note, the characters $( and ) are used internally to define
# macros. Do not use them in your own configuration!!!
#
# Whenever you see a set of lines such as:
# x=value
# y=$(x)\something
#
# the final value for y will be value\something
#

# workers.tomcat_home should point to the location where you
# installed tomcat. This is where you have your conf, webapps and lib
# directories.
#
workers.tomcat_home=/usr/local/tomcat

# workers.java_home should point to your Java installation. Normally
# you should have a bin and lib directories beneath it.
#
workers.java_home=/usr/java

# You should configure your environment slash... ps=\ on NT and / on UNIX
# and maybe something different elsewhere.
#
ps=/

# Worker connection pool maintain timeout in seconds. If set to a positive
# value JK will scan all connections for all workers specified in the
# worker.list directive and check if connections need to be recycled.
#
worker.maintain=60

# The workers that your plugins should create and work with
#
worker.list=loadbalancer,node1,status

##############################################################################
#
# worker.<name>.type
#
# Type of the worker (can be one of ajp13, ajp14, lb or status).
# The type of the worker defines the directives that can be applied to the
# worker.
#
#! JNI workers have been deprecated.
#! They will likely not work. Do not use them.


##############################################################################
# The loadbalancer (type lb) workers perform weighted round-robin
# load balancing with sticky sessions.
# Note:
#  ----> If a worker dies, the load balancer will check its state
#        once in a while. Until then all work is redirected to peer
#        workers.
#
worker.loadbalancer.type=lb

# A comma separated list of workers that the load balancer needs to manage.
#  (1.2.7+)
#
worker.loadbalancer.balance_workers=node1

# Specifies whether requests with SESSION ID's should be routed back to the
# same Tomcat worker. If sticky_session is set to True or 1 sessions are
# sticky, otherwise sticky_session is set to False.
#
worker.loadbalancer.sticky_session=true

# Specifies whether requests with SESSION ID's for workers that are in error
# state should be rejected. If sticky_session_force is set to True or 1 and
# the worker that matches that SESSION ID is in error state, client will
# receive 500 (Server Error). If set to False or 0 failover on another
# worker will be issued with losing client session. This directive is
# used only when you set sticky_session=True.  (1.2.9+)
#
worker.loadbalancer.sticky_session_force=false

# Specifies what method load balancer is using for electing best worker.
#  (1.2.9+)
# If method is set to R[equest] balancer will use number of requests to find
#  the best worker.
# If method is set to S[ession] the balancer will use number of sessions to
#  find the best worker. (1.2.20+)
# If set to T[raffic] balancer will use the network traffic
#  between JK and Tomcat to find the best worker.
# If set to B[usyness] the balancer will pick the worker with the lowest
#  current load, based on how many requests the worker is currently serving.
#
worker.loadbalancer.method=Request

# Specifies what lock method the load balancer will use for synchronizing
# shared memory runtime data. If lock is set to O[ptimistic] balancer will
# not use shared memory lock to find the best worker. If set to P[essimistic]
# balancer will use shared memory lock. The balancer will work more accurately
# in case of Pessimistic locking, but can slow down the average response time.
#  (1.2.13+)
#
worker.loadbalancer.lock=Optimistic

# If the load balancer can not get a valid member worker or in case of
# failover, it will try again a number of times given by retries. Before each
# retry, it will pause for the time defined by the retry_interval directive.  (1.2.16+)
#
worker.loadbalancer.retries=2

# Space delimited list of uri maps the worker should handle. It is only used
# if the worker is included in worker.list.
#
#worker.loadbalancer.mount=

# Set a default secret word for all defined workers.  (1.2.12+)
# Use request.secret="secret key word" in your Tomcat AJP Connector
# configuration.
# If you set a secret on a load balancer, all its members will inherit this
# secret.
#
#worker.loadbalancer.secret=

# If you use a reply_timeout for the members of a load balancer worker, and
# you want to tolerate a few requests taking longer than reply_timeout, you
# can set this attribute to some positive value.
#
# Long running requests will still time out after reply_timeout milliseconds
# waiting for data, but the corresponding member worker will only be put into
# an error state, if more than max_reply_timeouts requests have timed out. More
# precisely, the counter for those bad requests will be divided by two,
# whenever the load balancer does its internal maintenance (by default every
# 60 seconds). (1.2.24+)
#
#worker.loadbalancer.max_reply_timeouts=0

# The recover time is the time in seconds the load balancer will not try to
# use a worker, after it went into error state.
#
#worker.loadbalancer.recover_time=60

# Setting a member of a load balancer into an error state is quite serious.
# E.g. it means that if you need stickiness, all access to the sessions of
# the respective node is blocked.  (1.2.28+)
#
#worker.loadbalancer.error_escalation_time= recover_time / 2

# The name of the cookie that contains the routing identifier needed for
# session stickiness.  (1.2.27+)
#
#worker.loadbalancer.session_cookie=JSESSIONID

# The name of the path parameter that contains the routing identifier
# needed for session stickiness. (1.2.27+)
#
#worker.loadbalancer.session_path=;jsessionid


##############################################################################
# Defining a worker named node1 and of type ajp13
# Note that the name and the type do not have to match.
#
worker.node1.port=8009
worker.node1.host=localhost
worker.node1.type=ajp13

# Socket timeout in seconds used for the communication channel between JK and
# the remote host. If the remote host does not respond within that timeout, JK
# will generate an error and retry. If set to zero (the default),
# JK will wait indefinitely on all socket operations.
#
worker.node1.socket_timeout=30

# Socket connect timeout in milliseconds used for the communication channel
# between JK and remote host. If the remote host does not respond inside
# the timeout specified, JK will generate an error, and retry again. 
#
# Note that socket_timeout is in seconds, and socket_connect_timeout in
# milliseconds, so in absolute terms the default socket_connect_timeout is
# equal to socket_timeout. (1.2.27+)
#
#worker.node1.socket_connect_timeout=socket_timeout*1000

# This directive should be used when you have a firewall between your
# webserver and the Tomcat engine that tends to drop inactive connections.
# This flag tells the operating system to send KEEP_ALIVE messages on inactive
# connections (interval depends on global OS settings, generally 120ms),
# and thus prevents the firewall from cutting the connection. To enable
# keepalive set this property value to True.
#
worker.node1.socket_keepalive=False

# This flag determines, under which conditions established connections are
# probed to ensure they are still working. The probe is done with an empty
# AJP13 packet (CPing) and expects to receive an appropriate answer (CPong)
# within some timeout. The value of the flag can be any combination of the
# following flags (multiple values are combined without any separators):
#
# C (connect): If set, the connection will be probed once after connecting
#  to the backend. The timeout can be set by connect_timeout. If it is not
#  set, the value of ping_timeout will be used instead.
# P (prepost): If set, the connection will be probed before sending each
#  request to the backend. The timeout can be set by prepost_timeout. If it
#  is not set, the value of ping_timeout will be used instead.
# I (interval): If set, the connection will be probed during the regular
#  internal maintenance cycle, but only if it is idle longer than
#  connection_ping_interval. The timeout can be set by ping_timeout.
# A If set, all of the above probes will be used.
# (1.2.27+)
#
#worker.node1.ping_mode=

# Timeout in milliseconds used when waiting for the CPong answer of a CPing
# connection probe. The activation of the probes is done via ping_mode. The
# timeouts for ping_mode connect and prepost can be overwritten individually
# via connect_timeout and prepost_timeout. (1.2.27+)
#
#worker.node1.ping_timeout=10000

# When using interval connection probing, connections idle for longer than
# this interval in seconds are probed by CPing packets whether they still
# work. (1.2.27+)
#
#worker.node1.connection_ping_interval=0 / (ping_timeout/1000)*10

# This defines the number of connections made to the AJP backend that are
# maintained as a connection pool. It will limit the number of those
# connections that each web server child process can make.
#
# Do not use connection_pool_size with values higher than 1 on Apache 2.x
# prefork or Apache 1.3.x!
#
worker.node1.connection_pool_size=1

# Minimum size of the connection pool that will be maintained.
# This property is used only when the connection_pool_size is specified. Its
# default value is (connection_pool_size+1)/2. (1.2.16+)
#
# Do not use connection_pool_minsize with values higher than 1 on Apache
# 2.x prefork or Apache 1.3.x!
#
#worker.node1.connection_pool_minsize=(pool+1)/2

# Cache timeout property should be used with connection_pool_size to specify
# how long JK should keep an inactive socket in cache before closing it. This
# property should be used to reduce the number of threads on the Tomcat
# WebServer. The default value zero disables the closing (infinite timeout).
#
worker.node1.connection_pool_timeout=60

# Timeout the worker will wait for a free socket in cache before giving up.
#  (1.2.27+)
#
#worker.node1.connection_acquire_timeout=retries * retry_interval

# Specifies the load balance factor when used with
# a load balancing worker.
# Note:
#  ----> lbfactor must be > 0
#  ----> Low lbfactor means less work done by the worker.
#
worker.node1.lbfactor=1

# The connect timeout property tells the web server to send a PING request on
# the ajp13 connection after the connection is established. The parameter is
# the delay in milliseconds to wait for the PONG reply. (1.2.6+)
#
worker.node1.connect_timeout=5000

# The prepost timeout property tells the web server to send a PING request on
# the ajp13 connection before forwarding a request to it. The parameter is the
# delay in milliseconds to wait for the PONG reply. (1.2.6+)
#
worker.node1.prepost_timeout=5000

# The reply_timeout property tells the web server to wait some time for the
# reply to a forwarded request before considering the remote Tomcat dead and
# eventually switching to another Tomcat in a cluster group. By default the
# web server will wait forever, which could be an issue for you. The parameter
# is the number of milliseconds to wait for the reply, so adjust it carefully
# if you have long running servlets. (1.2.6+)
#
worker.node1.reply_timeout=600000

# The number of retries that the worker will try in case of an error returned
# from the remote Tomcat. If the number of retries set is greater than two
# (the default value), on each retry after default an extra wait of 100ms
# will be inserted.
#
worker.node1.retries=2

# The amount of time in milliseconds the worker sleeps before doing any
# retry. (1.2.27+)
#
#worker.node1.retry_interval=100

# The recover time is the time in seconds the load balancer will not try to
# use a worker, after it went into error state. Only after this time has
# passed, a worker in error state will be marked as in recovering, so that
# it will be tried for new requests.
#
worker.node1.recover_time=60

# The recovery options property tells the web server how to handle recovery
# when it detects that Tomcat failed. By default, the web server will forward
# the request to another Tomcat in LB mode (or to another ajp thread in ajp13
# mode).
#  (1.2.6+)
# 0 (full recovery)
# 1 (don't recover if tomcat failed after getting the request)
# 2 (don't recover if tomcat failed after sending the headers to client)
# 3 (don't recover if tomcat failed getting the request or after sending
#    the headers to client).
# 4 (the connection between the webserver and tomcat will be closed if
#    the client connection to the webserver is terminated during the
#    request/response cycle) (1.2.16+)
# 8: always recover requests for HTTP method HEAD (even if Bits 1 or 2
#    are set) (1.2.24+)
# 16: always recover requests for HTTP method GET (even if Bits 1 or 2
#     are set) (1.2.24+)
#
worker.node1.recovery_options=4

# Set this value to the HTTP status code that will cause a worker to fail
# if returned from Servlet container. Use this directive to deal with cases
# when the servlet container can temporarily return non-200 responses for a
# short amount of time, e.g during redeployment. (1.2.20+)
#
#worker.node1.fail_on_status=503

# This attribute sets the maximal AJP packet size in Bytes. The maximum value
# is 65536. If you change it from the default, you must also change the
# packetSize attribute of your AJP connector on the Tomcat side! (1.2.19+)
#
#worker.node1.max_packet_size=8192

# Space delimited list of uri maps the worker should handle. It is only used
# if the worker is included in worker.list.
#
#worker.node1.mount=

# You can set a secret keyword on the Tomcat AJP Connector. Then only requests
# from workers with the same secret keyword will be accepted. (1.2.12+)
# Use request.useSecret="true" and request.secret="secret key word" at your
# tomcat ajp Connector configuration.
#
#worker.node1.secret=

# Using this directive, a balanced worker of a load balancer can be configured
# as disabled or stopped. A disabled worker only gets requests, which belong
# to sessions for that worker. A stopped worker does not get any requests.
# Users will lose their sessions, unless session replication via clustering
# is used.
#
# Use d or D to disable and s or S to stop. If this directive is not present
# the deprecated directives "disabled" or "stopped" are used.
#
worker.node1.activation=Active

# Normally the name of a balanced worker in a load balancer is equal to the
# jvmRoute of the corresponding Tomcat instance. If you want to include a
# worker corresponding to a Tomcat instance into several load balancers with
# different balancing configuration (e.g. disabled, stopped) you can use this
# attribute. (1.2.20+)
#
#worker.node1.route=

# Express preferences between the balanced workers of an lb worker. A load
# balancer will never choose some balanced worker in case there is another
# usable worker with lower distance. (1.2.16+)
#
worker.node1.distance=0

# Domain directive can be used only when the worker is a member of the load
# balancer. Workers that share the same domain name are treated as single
# worker. If sticky_session is used, then the domain name is used as session
# route.
#
# This directive is used for large systems with more than 6 Tomcats, to be
# able to cluster the Tomcats in two groups and thus lowering the session
# replication transfer between them. (1.2.8+)
#
#worker.node1.domain=

# Set to the preferred failover worker. If worker matching SESSION ID is
# in error state then the redirect worker will be used instead. It will be
# used even if being disabled, thus offering hot standby. (1.2.9+)
#
#worker.node1.redirect=

# This directive allows to copy configurations between workers in a
# hierarchical way. If worker castor sets:
#   worker.castor.reference=worker.pollux
# then it inherits all properties of pollux, except for the ones that are
# explicitly set for castor
#
#worker.node1.reference=


##############################################################################
# http://tomcat.apache.org/connectors-doc/reference/status.html
# The status worker does not communicate with Tomcat. Instead it is
# responsible for the load balancer management.
#
worker.status.type=status

# Specifies the url for cascading stylesheet to use.
#
#worker.status.css=

# A status worker with read_only=True will not allow any operations, that
# change the runtime state or configuration of the other workers. These are
# edit/update/reset/recover. (1.2.20+)
#
worker.status.read_only=True

# It is a list of users which gets compared to the user name authenticated
# by the web server. If the name is not contained in this list, access is
# denied. Per default the list is empty and then access is allowed to anybody.
#  (1.2.20+)
#
#worker.status.user=

# By default, the user names are matched case sensitively.
#
#worker.status.user_case_insensitive=False

# For every load balancer worker, the status worker shows a summary of the
# state of its members. There are three such states, "good", "bad" and
# "degraded". (1.2.20+)
#
#worker.status.good=a.o,a.n,a.b,a.r

# By default, members are assumed to be "bad", if their activation is
# "stopped" or their runtime state is "error". (1.2.20+)
#
#worker.status.bad=s,e

# The prefix, which will be used by the status worker when producing
# properties output (mime=prop). Each property key will be prefixed by this
# value. (1.2.20+)
#
#worker.status.prefix=worker

# This directive can be used to customise the XML output from the status
# worker. If set to - no namespace will be used. (1.2.20+)
#
#worker.status.ns=jk:

# This directive can be used to customise the XML output from the status
# worker. If set to - no xmlns will be used. (1.2.20+)
#
#worker.status.xmlns=xmlns:jk="http://tomcat.apache.org"

# This directive can be used to customise the XML output from the status
# worker. This value will be inserted to the output xml after the xml
# header. (1.2.20+)
#
#worker.status.doctype=


uriworkers.properties

For mod_jk.so use:

## http://tomcat.apache.org/connectors-doc/reference/uriworkermap.html
#
# Inside the URI pattern three special characters can be used, '*', '?' and
# '|'. The character '*' is a wildcard that matches any number of arbitrary
# characters in the URI, '?' matches exactly one character. Each URI pattern
# has to start with the character '/', or with '*' or with '?', optionally
# prefixed by any combination of the modifiers '!' and '-'

# Mapping the URI /myapp1 and everything under /myapp1/:
/myapp1/*=myworker
# Exclude the subdirectory static:
!/myapp1/static|/*=myworker
# Exclude some suffixes:
!*.html=myworker

# Mapping the webapps /myapp1 and /myapp2:
/myapp1|/*=myworker1
/myapp2|/*=myworker2
# Exclude all static subdirectories for all workers:
!/*/static|/*=*
# Exclude some suffixes for all workers:
!*.html=*

# We are not in maintenance.
# The maintenance rule got defined somewhere else.
-/*=maintenance


##############################################################################
# Rule extensions were added in version 1.2.27 and are not available in
# earlier versions. (reply_timeout, active/disable/stopped, fail_on_status,
# use_server_errors)

# This is an extension example, setting a reply_timeout of 1 minute
# only for this mapping.
/myapp=myworker;reply_timeout=60000

# This is an example using multiple extensions
/myapp=myloadbalancer;reply_timeout=60000;stopped=member1

# Use web server error page for all errors
/myapp=myworker;use_server_errors=400

# Use web server error page only for technical errors
/myotherapp=myworker;use_server_errors=500


server.xml

The Tomcat connector endpoint:

<!-- This is a subset of the existing server.xml -->
<!-- The below are examples of a 6.0 Tomcat server -->

    <!-- Define a HTTP Connector on port 8080 -->
    <!-- http://tomcat.apache.org/tomcat-5.5-doc/config/http.html -->
    <!-- http://tomcat.apache.org/tomcat-6.0-doc/config/http.html -->
    <!-- http://tomcat.apache.org/tomcat-7.0-doc/config/http.html -->
    <Connector port="8080" protocol="HTTP/1.1" allowTrace="false"
               emptySessionPath="false" enableLookups="false"
               maxPostSize="2097152" maxSavePostSize="4096"
               SSLEnabled="false" scheme="http" secure="false" 
               redirectPort="8443" URIEncoding="ISO-8859-1"
               useIPVHosts="false" useBodyEncodingForURI="false"
               xpoweredBy="false" acceptCount="100" address="192.168.1.2"
               compressableMimeType="text/html,text/xml,text/plain"
               compression="off" connectionLinger="-1"
               connectionTimeout="60000" bufferSize="2048"
               keepAliveTimeout="60000" disableUploadTimeout="true"
               maxHttpHeaderSize="8192" maxKeepAliveRequests="100"
               maxThreads="200" noCompressionUserAgents=""
               restrictedUserAgents="" socketBuffer="9000"
               tcpNoDelay="true" />

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <!-- http://tomcat.apache.org/tomcat-5.5-doc/config/ajp.html -->
    <!-- http://tomcat.apache.org/tomcat-6.0-doc/config/ajp.html -->
    <!-- http://tomcat.apache.org/tomcat-7.0-doc/config/ajp.html -->
    <Connector port="8009" protocol="AJP/1.3" allowTrace="false"
               emptySessionPath="false" enableLookups="false"
               maxPostSize="2097152" maxSavePostSize="4096" redirectPort="443"
               scheme="http" secure="false" URIEncoding="ISO-8859-1"
               useBodyEncodingForURI="false" xpoweredBy="false"
               useIPVHosts="false" address="127.0.0.1" backlog="10"
               bufferSize="-1" connectionTimeout="60000"
               keepAliveTimeout="60000" maxThreads="200" packetSize="8192"
               request.secret="" request.useSecret="false"
               request.shutdownEnabled="false" tcpNoDelay="true"
               tomcatAuthentication="true" />

<!-- The below is not exhaustive, see the official documentation -->

<!-- Common Attributes -->
<!--
allowTrace
A boolean value which can be used to enable or disable the TRACE HTTP 
method. If not specified, this attribute is set to false.

asyncTimeout (7.0+)
The default timeout for asynchronous requests in milliseconds. If not 
specified, this attribute is set to 10000 (10 seconds).

emptySessionPath (5.5-6.0)
If set to true, all paths for session cookies will be set to /. This can be 
useful for portlet specification implementations. If not specified, this 
attribute is set to false.
A side effect to setting this to true, is that if Tomcat creates a new 
session it will attempt to use the cookie session id if supplied by the 
client.

enableLookups
Set to true if you want calls to request.getRemoteHost() to perform DNS 
lookups in order to return the actual host name of the remote client. Set to 
false to skip the DNS lookup and return the IP address in String form 
instead (thereby improving performance). By default, DNS lookups are 
enabled.

maxPostSize
The maximum size in bytes of the POST which will be handled by the container 
FORM URL parameter parsing. The limit can be disabled by setting this 
attribute to a value less than or equal to 0. If not specified, this 
attribute is set to 2097152 (2 megabytes).

maxSavePostSize
The maximum size in bytes of the POST which will be saved/buffered by the 
container during FORM or CLIENT-CERT authentication. For both types of 
authentication, the POST will be saved/buffered before the user is 
authenticated. For CLIENT-CERT authentication, the POST is buffered for the 
duration of the SSL handshake and the buffer emptied when the request is 
processed. For FORM authentication the POST is saved whilst the user is 
re-directed to the login form and is retained until the user successfully 
authenticates or the session associated with the authentication request 
expires. The limit can be disabled by setting this attribute to -1. Setting 
the attribute to zero will disable the saving of POST data during 
authentication. If not specified, this attribute is set to 4096 (4 
kilobytes).

parseBodyMethods (7.0+)
A comma-separated list of HTTP methods for which request bodies will be 
parsed for request parameters identically to POST. This is useful in RESTful 
applications that want to support POST-style semantics for PUT requests. 
Note that any setting other than POST causes Tomcat to behave in a way that 
goes against the intent of the servlet specification. The HTTP method TRACE 
is specifically forbidden here in accordance with the HTTP specification. 
The default is POST.

port
The TCP port number on which this Connector will create a server socket and 
await incoming connections. Your operating system will allow only one server 
application to listen to a particular port number on a particular IP 
address.

protocol
Sets the protocol to handle incoming traffic. The default value is HTTP/1.1 
and configures the org.apache.coyote.http11.Http11Protocol. This is the 
blocking Java connector.
If the PATH (Windows) or LD_LIBRARY_PATH (on most unix systems) environment 
variables contain the Tomcat native library, the APR connector will 
automatically be configured. Please be advised that the APR connector has 
different settings for HTTPS than the default Java connector.
Other values for this attribute include, but are not limited to:
org.apache.coyote.http11.Http11Protocol - same as HTTP/1.1
org.apache.coyote.http11.Http11NioProtocol - non blocking Java connector
org.apache.coyote.http11.Http11AprProtocol - the APR connector.
The configuration for both Java connectors is identical, both for http and 
https.
For more information on the APR connector and APR specific SSL settings 
please visit the APR documentation.

proxyName
If this Connector is being used in a proxy configuration, configure this 
attribute to specify the server name to be returned for calls to 
request.getServerName(). See Proxy Support for more information.

proxyPort
If this Connector is being used in a proxy configuration, configure this 
attribute to specify the server port to be returned for calls to 
request.getServerPort(). See Proxy Support for more information.

redirectPort
If this Connector is supporting non-SSL requests, and a request is received 
for which a matching <security-constraint> requires SSL transport, Catalina 
will automatically redirect the request to the port number specified here.

scheme
Set this attribute to the name of the protocol you wish to have returned by 
calls to request.getScheme(). For example, you would set this attribute to 
"https" for an SSL Connector. The default value is "http".

secure
Set this attribute to true if you wish to have calls to request.isSecure() 
to return true for requests received by this Connector. You would want this 
on an SSL Connector or a non SSL connector that is receiving data from a SSL 
accelerator, like a crypto card, a SSL appliance or even a webserver. The 
default value is false.

URIEncoding
This specifies the character encoding used to decode the URI bytes, after 
%xx decoding the URL. If not specified, ISO-8859-1 will be used.

useBodyEncodingForURI
This specifies if the encoding specified in contentType should be used for 
URI query parameters, instead of using the URIEncoding. This setting is 
present for compatibility with Tomcat 4.1.x, where the encoding specified in 
the contentType, or explicitly set using Request.setCharacterEncoding method 
was also used for the parameters from the URL. The default value is false.

useIPVHosts
Set this attribute to true to cause Tomcat to use the IP address that the 
request was received on to determine the Host to send the request to. The 
default value is false.

xpoweredBy
Set this attribute to true to cause Tomcat to advertise support for the 
Servlet specification using the header recommended in the specification. The 
default value is false.
 -->


<!-- HTTP Connector -->
<!--
acceptCount
The maximum queue length for incoming connection requests when all possible 
request processing threads are in use. Any requests received when the queue 
is full will be refused. The default value is 100.

acceptorThreadCount (7.0+)
The number of threads to be used to accept connections. Increase this value 
on a multi CPU machine, although you would never really need more than 2. 
Also, with a lot of non keep alive connections, you might want to increase 
this value as well. Default value is 1.

address
For servers with more than one IP address, this attribute specifies which 
address will be used for listening on the specified port. By default, this 
port will be used on all IP addresses associated with the server.

bindOnInit (7.0+)
Controls when the socket used by the connector is bound. By default it is 
bound when the connector is initiated and unbound when the connector is 
destroyed. If set to false, the socket will be bound when the connector is 
started and unbound when it is stopped.

bufferSize (5.5-6.0)
The size (in bytes) of the buffer to be provided for input streams created 
by this connector. By default, buffers of 2048 bytes will be provided.

compressableMimeType
The value is a comma separated list of MIME types for which HTTP compression 
may be used. The default value is text/html,text/xml,text/plain.

compression
The Connector may use HTTP/1.1 GZIP compression in an attempt to save server 
bandwidth. The acceptable values for the parameter are "off" (disable 
compression), "on" (allow compression, which causes text data to be 
compressed), "force" (forces compression in all cases), or a numerical 
integer value (which is equivalent to "on", but specifies the minimum amount 
of data before the output is compressed). If the content-length is not known 
and compression is set to "on" or more aggressive, the output will also be 
compressed. If not specified, this attribute is set to "off".

Note: There is a tradeoff between using compression (saving your bandwidth) 
and using the sendfile feature (saving your CPU cycles). If the connector 
supports the sendfile feature, e.g. the NIO connector, using sendfile will 
take precedence over compression. The symptoms will be that static files 
greater than 48 Kb will be sent uncompressed. You can turn off sendfile by 
setting useSendfile attribute of the connector, as documented below, or 
change the sendfile usage threshold in the configuration of the 
DefaultServlet in the default conf/web.xml or in the web.xml of your web 
application.

compressionMinSize (7.0+)
If compression is set to "on" then this attribute may be used to specify the 
minimum amount of data before the output is compressed. If not specified, 
this attribute defaults to "2048".

connectionLinger
The number of milliseconds during which the sockets used by this Connector 
will linger when they are closed. The default value is -1 (socket linger is 
disabled).

connectionTimeout
The number of milliseconds this Connector will wait, after accepting a 
connection, for the request URI line to be presented. The default value is 
60000 (i.e. 60 seconds).

disableUploadTimeout
This flag allows the servlet container to use a different, longer connection 
timeout while a servlet is being executed, which in the end allows either 
the servlet a longer amount of time to complete its execution, or a longer 
timeout during data upload. If not specified, this attribute is set to 
"true".

executor (6.0+)
A reference to the name in an Executor element. If this attribute is 
enabled, and the named executor exists, the connector will use the executor, 
and all the other thread attributes will be ignored.

keepAliveTimeout (6.0+)
The number of milliseconds this Connector will wait for another HTTP request 
before closing the connection. The default value is to use the value that 
has been set for the connectionTimeout attribute.

maxConnections (7.0+)
The maximum number of connections that the server will accept and process at 
any given time. When this number has been reached, the server will not 
accept any more connections until the number of connections falls below this 
value. The operating system may still accept connections based on the 
acceptCount setting. Default value varies by connector type. For BIO the 
default is the value of maxThreads. For NIO the default is 10000. For 
APR/native, the default is 8192.

Note that for APR/native on Windows, the configured value will be reduced to 
the highest multiple of 1024 that is less than or equal to maxConnections. 
This is done for performance reasons.

maxHttpHeaderSize
The maximum size of the request and response HTTP header, specified in 
bytes. If not specified, this attribute is set to 8192 (8 KB).

maxKeepAliveRequests
The maximum number of HTTP requests which can be pipelined until the 
connection is closed by the server. Setting this attribute to 1 will disable 
HTTP/1.0 keep-alive, as well as HTTP/1.1 keep-alive and pipelining. Setting 
this to -1 will allow an unlimited amount of pipelined or keep-alive HTTP 
requests. If not specified, this attribute is set to 100.

maxSpareThreads (-5.5)
The maximum number of unused request processing threads that will be allowed 
to exist until the thread pool starts stopping the unnecessary threads. The 
default value is 50.

maxThreads
The maximum number of request processing threads to be created by this 
Connector, which therefore determines the maximum number of simultaneous 
requests that can be handled. If not specified, this attribute is set to 
200. If an executor is associated with this connector, this attribute is 
ignored as the connector will execute tasks using the executor rather than 
an internal thread pool.

maxTrailerSize (7.0+)
Limits the total length of trailing headers in the last chunk of a chunked 
HTTP request. If the value is -1, no limit will be imposed. If not 
specified, the default value of 8192 will be used.

minSpareThreads (5.5, 7.0+)
The number of request processing threads that will be created when this 
Connector is first started. The connector will also make sure it has the 
specified number of idle processing threads available. This attribute should 
be set to a value smaller than that set for maxThreads. The default value is 
4.

noCompressionUserAgents
The value is a comma separated list of regular expressions matching 
user-agents of HTTP clients for which compression should not be used, 
because these clients, although they do advertise support for the feature, 
have a broken implementation. The default value is an empty String (regexp 
matching disabled).

processorCache (7.0+)
The protocol handler caches Processor objects to speed up performance. This 
setting dictates how many of these objects get cached. -1 means unlimited, 
default is 200. If not using Servlet 3.0 asynchronous processing, a good 
default is to use the same as the maxThreads setting. If using Servlet 3.0 
asynchronous processing, a good default is to use the larger of maxThreads 
and the maximum number of expected concurrent requests (synchronous and 
asynchronous).

restrictedUserAgents
The value is a comma separated list of regular expressions matching 
user-agents of HTTP clients for which HTTP/1.1 or HTTP/1.0 keep alive should 
not be used, even if the clients advertise support for these features. The 
default value is an empty String (regexp matching disabled).

server
Overrides the Server header for the http response. If set, the value for 
this attribute overrides the Tomcat default and any Server header set by a 
web application. If not set, any value specified by the application is used. 
If the application does not specify a value then Apache-Coyote/1.1 is used. 
Unless you are paranoid, you won't need this feature.

socketBuffer
The size (in bytes) of the buffer to be provided for socket output 
buffering. -1 can be specified to disable the use of a buffer. By default, a 
buffer of 9000 bytes will be used.

SSLEnabled (6.0+)
Use this attribute to enable SSL traffic on a connector. To turn on SSL 
handshake/encryption/decryption on a connector set this value to true. The 
default value is false. When turning this value true you will want to set 
the scheme and the secure attributes as well to pass the correct 
request.getScheme() and request.isSecure() values to the servlets. See SSL 
Support for more information.

tcpNoDelay
If set to true, the TCP_NO_DELAY option will be set on the server socket, 
which improves performance under most circumstances. This is set to true by 
default.

threadPriority
The priority of the request processing threads within the JVM. The default 
value is java.lang.Thread#NORM_PRIORITY. See the JavaDoc for the 
java.lang.Thread class for more details on what this priority means.
 -->


<!-- AJP/1.3 Connector -->
<!--
acceptCount (7.0+)
The maximum queue length for incoming connection requests when all possible 
request processing threads are in use. Any requests received when the queue 
is full will be refused. The default value is 100.

acceptorThreadCount (7.0+)
The number of threads to be used to accept connections. Increase this value 
on a multi CPU machine, although you would never really need more than 2. 
Also, with a lot of non keep alive connections, you might want to increase 
this value as well. Default value is 1.

address
For servers with more than one IP address, this attribute specifies which 
address will be used for listening on the specified port. By default, this 
port will be used on all IP addresses associated with the server. A value of 
127.0.0.1 indicates that the Connector will only listen on the loopback 
interface.

backlog
The maximum queue length for incoming connection requests when all possible 
request processing threads are in use. Any requests received when the queue 
is full will be refused. The default value is 100.

bindOnInit (7.0+)
Controls when the socket used by the connector is bound. By default it is 
bound when the connector is initiated and unbound when the connector is 
destroyed. If set to false, the socket will be bound when the connector is 
started and unbound when it is stopped.

bufferSize (5.5-6.0)
The size of the output buffer to use. If less than or equal to zero, then 
output buffering is disabled. The default value is -1 (i.e. buffering 
disabled).

clientCertProvider (6.0+)
When client certificate information is presented in a form other than 
instances of java.security.cert.X509Certificate it needs to be converted 
before it can be used and this property controls which JSSE provider is used 
to perform the conversion. For example it is used with the AJP connectors, 
the HTTP APR connector and with the org.apache.catalina.valves.SSLValve. If 
not specified, the default provider will be used.

connectionLinger (7.0+)
The number of milliseconds during which the sockets used by this Connector 
will linger when they are closed. The default value is -1, which disables 
this option.

connectionTimeout
The number of milliseconds this Connector will wait, after accepting a 
connection, for the request URI line to be presented. The default value is 
infinite (i.e. no timeout).

deferAccept (6.0)
Sets the TCP_DEFER_ACCEPT flag on the listening socket for this connector. 
The default value is true where TCP_DEFER_ACCEPT is supported by the 
operating system, otherwise it is false.

executor (6.0+)
A reference to the name in an Executor element. If this attribute is 
enabled, and the named executor exists, the connector will use the executor, 
and all the other thread attributes will be ignored. This attribute is not 
supported by the original blocking Java connector.

keepAliveTimeout (6.0+)
The number of milliseconds this Connector will wait for another AJP request 
before closing the connection. The default value is to use the value that 
has been set for the connectionTimeout attribute.

maxConnections (7.0+)
The maximum number of connections that the server will accept and process at 
any given time. When this number has been reached, the server will not 
accept any more connections until the number of connections falls below this 
value. The operating system may still accept connections based on the 
acceptCount setting. Default value varies by connector type. For BIO the 
default is the value of maxThreads. For NIO the default is 10000. For 
APR/native, the default is 8192.

Note that for APR/native on Windows, the configured value will be reduced to 
the highest multiple of 1024 that is less than or equal to maxConnections. 
This is done for performance reasons.

minProcessors (deprecated, -5.5)
The minimum number of processors to start at initialization time. If not 
specified, this attribute is set to 5.

maxProcessors (deprecated, -5.5)
The maximum number of processors allowed. This should be set to a value that 
is greater than or equal to the maximum number of concurrent connections the 
remote web server can open to Tomcat simultaneously. For example, if the web 
server is Apache 1.x or 2.x Tomcat's maxProcessors should be set to the 
value of Apache's maxClients directive.

A maxProcessors value of zero (0) signifies that the number of processors is 
unlimited. If not specified, this attribute defaults to 20.

maxSpareThreads (-5.5)
The maximum number of unused request processing threads that will be allowed 
to exist until the thread pool starts stopping the unnecessary threads. The 
default value is 50.

maxThreads
The maximum number of request processing threads to be created by this 
Connector, which therefore determines the maximum number of simultaneous 
requests that can be handled. If not specified, this attribute is set to 
200.

minSpareThreads (5.5,7.0)
The number of request processing threads that will be created when this 
Connector is first started. The connector will also make sure it has the 
specified number of idle processing threads available. This attribute should 
be set to a value smaller than that set for maxThreads. The default value is 
4.

packetSize
This attribute sets the maximum AJP packet size in Bytes. The maximum value 
is 65536. It should be the same as the max_packet_size directive configured 
for mod_jk. Normally it is not necessary to change the maximum packet size. 
Problems with the default value have been reported when sending certificates 
or certificate chains. The default value is 8192.

processorCache (7.0+)
The protocol handler caches Processor objects to speed up performance. This 
setting dictates how many of these objects get cached. -1 means unlimited, 
default is 200. If not using Servlet 3.0 asynchronous processing, a good 
default is to use the same as the maxThreads setting. If using Servlet 3.0 
asynchronous processing, a good default is to use the larger of maxThreads 
and the maximum number of expected concurrent requests (synchronous and 
asynchronous).

requiredSecret (7.0+)
Only requests from workers with this secret keyword will be accepted. 

request.secret (-6.0)
Only requests from workers with this secret keyword will be accepted.

request.shutdownEnabled (-6.0)
If true and a secret has been configured, a correctly formatted AJP request 
(that includes the secret) will shutdown the Tomcat instance associated with 
this connector. This is set to false by default.

request.useSecret (-6.0)
If set to true, then a random value for request.secret will be generated. It 
is for use with request.shutdownEnabled. This is set to false by default.

tcpNoDelay
If set to true, the TCP_NO_DELAY option will be set on the server socket, 
which improves performance under most circumstances. This is set to true by 
default.

threadPriority (7.0+)
The priority of the request processing threads within the JVM. The default 
value is java.lang.Thread#NORM_PRIORITY. See the JavaDoc for the 
java.lang.Thread class for more details on what this priority means. 

tomcatAuthentication
If set to true, the authentication will be done in Tomcat. Otherwise, the 
authenticated principal will be propagated from the native webserver and 
used for authorization in Tomcat. The default value is true.
 -->


<!-- SSL Support (Internal) -->
<!--
algorithm
The certificate encoding algorithm to be used. This defaults to 
KeyManagerFactory.getDefaultAlgorithm() which returns SunX509 for Sun JVMs. 
IBM JVMs return IbmX509. For other vendors, consult the JVM documentation 
for the default value.

allowUnsafeLegacyRenegotiation
Whether unsafe legacy TLS renegotiation is allowed. Allowing it is likely to 
expose users to CVE-2009-3555, a man-in-the-middle vulnerability in the TLS 
protocol that allows an attacker to inject arbitrary data into the user's 
request. If not specified, a default of false is used. This attribute only 
has an effect if the JVM does not support RFC 5746 as indicated by the 
presence of the pseudo-ciphersuite TLS_EMPTY_RENEGOTIATION_INFO_SCSV. This is 
available from JRE/JDK 6 update 22 onwards. Where RFC 5746 is supported, 
renegotiation, including support for unsafe legacy renegotiation, is 
controlled by the JVM configuration.

ciphers
The comma separated list of encryption ciphers that this socket is allowed 
to use. By default, the default ciphers for the JVM will be used. Note that 
this usually means that the weak export grade ciphers will be included in 
the list of available ciphers. The ciphers are specified using the JSSE 
cipher naming convention.

clientAuth
Set to true if you want the SSL stack to require a valid certificate chain 
from the client before accepting a connection. Set to want if you want the 
SSL stack to request a client Certificate, but not fail if one isn't 
presented. A false value (which is the default) will not require a 
certificate chain unless the client requests a resource protected by a 
security constraint that uses CLIENT-CERT authentication. See the SSL HowTo 
for an example.

clientCertProvider (6.0+)
When client certificate information is presented in a form other than 
instances of java.security.cert.X509Certificate it needs to be converted 
before it can be used and this property controls which JSSE provider is used 
to perform the conversion. For example it is used with the AJP connectors, 
the HTTP APR connector and with the org.apache.catalina.valves.SSLValve. If 
not specified, the default provider will be used.

crlFile (6.0+)
The certificate revocation list file to use to validate client certificates.

keyAlias
The alias used for the server certificate in the keystore. If not 
specified the first key read in the keystore will be used.

keyPass (7.0+)
The password used to access the server certificate from the specified 
keystore file. The default value is "changeit".

keystoreFile
The pathname of the keystore file where you have stored the server 
certificate to be loaded. By default, the pathname is the file ".keystore" 
in the operating system home directory of the user that is running Tomcat. 
If your keystoreType doesn't need a file use "" (empty string) for this 
parameter.

keystorePass
The password used to access the server certificate from the specified 
keystore file. The default value is "changeit". (value of keyPass, 7.0+)

keystoreProvider (6.0+)
The name of the keystore provider to be used for the server certificate. If 
not specified, the list of registered providers is traversed in preference 
order and the first provider that supports the keystoreType is used.

keystoreType
The type of keystore file to be used for the server certificate. If not 
specified, the default value is "JKS".

sessionCacheSize (6.0+)
The number of SSL sessions to maintain in the session cache. Use 0 to 
specify an unlimited cache size. If not specified, a default of 0 is used.

sessionTimeout (6.0+)
The time, in seconds, after the creation of an SSL session that it will 
timeout. Use 0 to specify an unlimited timeout. If not specified, a default 
of 86400 (24 hours) is used.

sslEnabledProtocols (7.0+)
The list of SSL protocols to use. If not specified, the JVM default is used.

sslImplementationName (7.0+)
The class name of the SSL implementation to use. If not specified, the 
default of org.apache.tomcat.util.net.jsse.JSSEImplementation will be used 
which wraps JVM's default JSSE provider. Note that the JVM can be configured 
to use a different JSSE provider as the default.

sslProtocol
The version of the SSL protocol to use. If not specified, the default is 
"TLS".

trustManagerClassName (6.0+)
The name of a custom trust manager class to use to validate client 
certificates. The class must have a zero argument constructor and must also 
implement javax.net.ssl.X509TrustManager. If this attribute is set, the 
trust store attributes may be ignored.

trustMaxCertLength (7.0+)
The maximum number of intermediate certificates that will be allowed when 
validating client certificates. If not specified, the default value of 5 
will be used.

truststoreAlgorithm (7.0+)
The algorithm to use for truststore. If not specified, the default value 
returned by javax.net.ssl.TrustManagerFactory.getDefaultAlgorithm() is used.

truststoreFile
The trust store file to use to validate client certificates. The default is 
the value of the javax.net.ssl.trustStore system property. If neither this 
attribute nor the default system property is set, no trust store will be 
configured.

truststorePass
The password to access the trust store. The default is the value of the 
javax.net.ssl.trustStorePassword system property. If that property is null, 
the value of keystorePass is used as the default. If an invalid trust store 
password is specified, a warning will be logged and an attempt will be made 
to access the trust store without a password which will skip validation of 
the trust store contents. If the trust store password is defined as "" then 
no password will be used to access the store which will also skip validation 
of the trust store contents.

truststoreProvider (6.0+)
The name of the truststore provider to be used for the server certificate. 
The default is the value of the javax.net.ssl.trustStoreProvider system 
property. If that property is null, the value of keystoreProvider is used as 
the default. If neither this attribute, the default system property nor 
keystoreProvider is set, the list of registered providers is traversed in 
preference order and the first provider that supports the truststoreType is 
used.

truststoreType
The type of key store used for the trust store. The default is the value of 
the javax.net.ssl.trustStoreType system property. If that property is null, 
the value of keystoreType is used as the default.
 -->


<!-- APR/native Support (7.0+) -->
<!--
deferAccept
Sets the TCP_DEFER_ACCEPT flag on the listening socket for this connector. 
The default value is true where TCP_DEFER_ACCEPT is supported by the 
operating system, otherwise it is false.

pollerSize
Amount of sockets that the poller responsible for polling kept alive 
connections can hold at a given time. Extra connections will be closed right 
away. The default value is 8192, corresponding to 8192 keep-alive 
connections. This is a synonym for maxConnections.

pollerThreadCount
Number of threads used to poll kept alive connections. On Windows the 
default is chosen so that the number of sockets managed by each thread is 
less than 1024. For Linux the default is 1. Changing the default on Windows 
is likely to have a negative performance impact.

pollTime
Duration of a poll call in microseconds. Lowering this value will slightly 
decrease latency of connections being kept alive in some cases, but will use 
more CPU as more poll calls are being made. The default value is 2000 (2ms).

sendfileSize
Amount of sockets that the poller responsible for sending static files 
asynchronously can hold at a given time. Extra connections will be closed 
right away without any data being sent (resulting in a zero length file on 
the client side). Note that in most cases, sendfile is a call that will 
return right away (being taken care of "synchronously" by the kernel), and 
the sendfile poller will not be used, so the amount of static files which 
can be sent concurrently is much larger than the specified amount. The 
default value is 1024.

sendfileThreadCount
Number of threads used to service sendfile sockets. On Windows the default 
is chosen so that the number of sockets managed by each thread is less than 
1024. For Linux the default is 1. Changing the default on Windows is likely 
to have a negative performance impact.

threadPriority
(int) The priority of the acceptor and poller threads. The default value is 
java.lang.Thread#NORM_PRIORITY. See the JavaDoc for the java.lang.Thread 
class for more details on what this priority means.

useComet
(bool) Whether to allow comet servlets or not. Default value is true.

useSendfile
(bool) Use this attribute to enable or disable sendfile capability. The 
default value is true.
 -->


<!-- APR/native SSL Support (7.0+) -->
<!--
SSLCACertificateFile
Name of the file that contains the concatenated certificates for the trusted 
certificate authorities. The format is PEM-encoded. See the mod_ssl 
documentation.

SSLCACertificatePath
Name of the directory that contains the certificates for the trusted 
certificate authorities. The format is PEM-encoded. See the mod_ssl 
documentation.

SSLCARevocationFile
Name of the file that contains the concatenated certificate revocation lists 
for the certificate authorities. The format is PEM-encoded. See the mod_ssl 
documentation.

SSLCARevocationPath
Name of the directory that contains the certificate revocation lists for the 
certificate authorities. The format is PEM-encoded. See the mod_ssl 
documentation.

SSLCertificateChainFile
Name of the file that contains concatenated certificates for the certificate 
authorities which form the certificate chain for the server certificate. The 
format is PEM-encoded. See the mod_ssl documentation.

SSLCertificateFile
Name of the file that contains the server certificate. The format is 
PEM-encoded.

SSLCertificateKeyFile
Name of the file that contains the server private key. The format is 
PEM-encoded. The default value is the value of "SSLCertificateFile" and in 
this case both certificate and private key have to be in this file (NOT 
RECOMMENDED).

SSLCipherSuite
Ciphers which may be used for communicating with clients. The default is 
"ALL", with other acceptable values being a list of ciphers, with ":" used 
as the delimiter (see OpenSSL documentation for the list of ciphers 
supported).

SSLPassword
Pass phrase for the encrypted private key. If "SSLPassword" is not provided, 
the callback function should prompt for the pass phrase.

SSLProtocol
Protocol which may be used for communicating with clients. The default value 
is all, with other acceptable values being SSLv2, SSLv3, TLSv1 and 
SSLv2+SSLv3. Starting with version 1.1.21 of the Tomcat native library any 
combination of the three protocols concatenated with a plus sign will be 
supported. Note that the protocol SSLv2 is inherently unsafe.

SSLVerifyClient
Ask client for certificate. The default is "none", meaning the client will 
not have the opportunity to submit a certificate. Other acceptable values 
include "optional", "require" and "optionalNoCA".

SSLVerifyDepth
Maximum verification depth for client certificates. The default is "10".
 -->
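The attribute notes above name several risky values and defaults (an AJP connector with no secret, the "changeit" keystore password, SSLv2, export-grade ciphers, disabled POST limits). The audit script below is an added example, not part of the original page or of Tomcat; the sample server.xml fragments, file paths and placeholder secrets are constructed, and it assumes SSL connectors are marked with SSLEnabled (6.0+).

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the page): connectors using values or defaults
# that the attribute reference above describes as risky.
SAMPLE_WEAK = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" xpoweredBy="true" maxPostSize="0"/>
  <Connector port="8009" protocol="AJP/1.3"/>
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
             secure="true" keystoreFile="/usr/local/etc/keystore.jks"
             keystorePass="changeit" allowUnsafeLegacyRenegotiation="true"/>
  <Connector port="8444" protocol="org.apache.coyote.http11.Http11AprProtocol"
             SSLEnabled="true" SSLCertificateFile="/usr/local/etc/server.pem"
             SSLProtocol="all"/>
</Service></Server>"""

# Constructed counterpart with the same connectors tightened (placeholder secrets).
SAMPLE_HARDENED = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
             requiredSecret="PLACEHOLDER-SECRET"/>
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
             secure="true" keystoreFile="/usr/local/etc/keystore.jks"
             keystorePass="PLACEHOLDER-PASS" sslEnabledProtocols="TLSv1.2"
             ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"/>
</Service></Server>"""


def _is_true(attrs, name):
    return attrs.get(name, "false").strip().lower() == "true"


def _as_int(attrs, name, default):
    try:
        return int(attrs.get(name, default))
    except ValueError:
        return default


def audit_connector(attrs):
    """Return [(attribute, reason)] for one <Connector> attribute dict."""
    out = []
    proto = attrs.get("protocol", "HTTP/1.1")
    if _is_true(attrs, "xpoweredBy"):
        out.append(("xpoweredBy", "advertises Servlet support in a response header"))
    if _as_int(attrs, "maxPostSize", 2097152) <= 0:
        out.append(("maxPostSize", "POST parameter size limit is disabled"))
    if _as_int(attrs, "maxSavePostSize", 4096) == -1:
        out.append(("maxSavePostSize", "unlimited POST buffering before authentication"))
    if "ajp" in proto.lower():
        if not (attrs.get("requiredSecret") or attrs.get("request.secret")):
            out.append(("requiredSecret", "no shared secret required from workers"))
        if "address" not in attrs:
            out.append(("address", "AJP port listens on all IP addresses"))
        if _is_true(attrs, "request.shutdownEnabled"):
            out.append(("request.shutdownEnabled", "an AJP request can shut Tomcat down"))
    if not _is_true(attrs, "SSLEnabled"):
        return out
    if "Apr" in proto or "SSLCertificateFile" in attrs:
        # APR/native connector: OpenSSL-style attributes apply.
        ssl_proto = attrs.get("SSLProtocol", "all").lower()
        if ssl_proto == "all" or "sslv2" in ssl_proto:
            out.append(("SSLProtocol", "SSLv2 is permitted"))
        if attrs.get("SSLCipherSuite", "ALL").upper() == "ALL":
            out.append(("SSLCipherSuite", "every OpenSSL cipher is allowed"))
        if "SSLCertificateKeyFile" not in attrs:
            out.append(("SSLCertificateKeyFile", "private key shares the certificate file"))
    else:
        # Java (JSSE) connector: keystore-style attributes apply.
        if attrs.get("keystorePass", "changeit") == "changeit":
            out.append(("keystorePass", "keystore uses the default password"))
        if _is_true(attrs, "allowUnsafeLegacyRenegotiation"):
            out.append(("allowUnsafeLegacyRenegotiation", "exposes users to CVE-2009-3555"))
        ciphers = attrs.get("ciphers", "")
        if not ciphers or "EXPORT" in ciphers.upper():
            out.append(("ciphers", "export-grade ciphers may be negotiated"))
        if attrs.get("truststorePass") == "":
            out.append(("truststorePass", "trust store contents are not validated"))
    return out


def audit(xml_text):
    """Return [(port, attribute, reason)] for every Connector in a server.xml."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        for attr, reason in audit_connector(dict(conn.attrib)):
            findings.append((conn.get("port", "?"), attr, reason))
    return findings


if __name__ == "__main__":
    for port, attr, reason in audit(SAMPLE_WEAK):
        print(f"port {port}: {attr}: {reason}")
    print("hardened findings:", audit(SAMPLE_HARDENED))
```

Connectors that rely on the auto-configured APR library without naming Http11AprProtocol or SSLCertificateFile are treated as JSSE connectors by this sketch.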

