The HTTP Connector

Introduction

The HTTP Connector element represents a Connector component that supports the HTTP/1.1 protocol. It enables Catalina to function as a stand-alone web server, in addition to its ability to execute servlets and JSP pages. A particular instance of this component listens for connections on a specific TCP port number on the server. One or more such Connectors can be configured as part of a single Service, each forwarding to the associated Engine to perform request processing and create the response.

If you wish to configure the Connector that is used for connections to web servers using the AJP protocol (such as the mod_jk 1.2.x connector for Apache 1.3), see here instead.

Each incoming request requires a thread for the duration of that request. If more simultaneous requests are received than can be handled by the currently available request processing threads, additional threads will be created up to the configured maximum (the value of the maxThreads attribute). If still more simultaneous requests are received, they are stacked up inside the server socket created by the Connector, up to the configured maximum (the value of the acceptCount attribute. Any further simultaneous requests will receive "connection refused" errors, until resources are available to process them.

Attributes

Common Attributes

All implementations of Connector support the following attributes:

Attribute Description
allowTrace
A boolean value which can be used to enable or disable the TRACE HTTP method. If not specified, this attribute is set to false.

enableLookups
Set to true if you want calls to request.getRemoteHost() to perform DNS lookups in order to return the actual host name of the remote client. Set to false to skip the DNS lookup and return the IP address in String form instead (thereby improving performance). By default, DNS lookups are enabled.

maxPostSize
The maximum size in bytes of the POST which will be handled by the container FORM URL parameter parsing. The limit can be disabled by setting this attribute to a value less than or equal to 0. If not specified, this attribute is set to 2097152 (2 megabytes).

maxSavePostSize
The maximum size in bytes of the POST which will be saved/buffered by the container during FORM or CLIENT-CERT authentication. For both types of authentication, the POST will be saved/buffered before the user is authenticated. For CLIENT-CERT authentication, the POST is buffered for the duration of the SSL handshake and the buffer emptied when the request is processed. For FORM authentication the POST is saved whilst the user is re-directed to the login form and is retained until the user successfully authenticates or the session associated with the authentication request expires. The limit can be disabled by setting this attribute to -1. Setting the attribute to zero will disable the saving of POST data during authentication and the buffering during SSL handshake. If not specified, this attribute is set to 4096 (4 kilobytes).

protocol
Sets the protocol to handle incoming traffic. The default value is HTTP/1.1 and configures the org.apache.coyote.http11.Http11Protocol. This is the blocking Java connector.
If the PATH(Windows) or LD_LIBRARY_PATH(on most unix system) environment variables contain the Tomcat native library, the APR connector will automatically be configured. Please be advised that the APR connector has different settings for HTTPS than the default Java connector.
Other values for this attribute are, but not limited to:
org.apache.coyote.http11.Http11Protocol - same as HTTP/1.1
org.apache.coyote.http11.Http11NioProtocol - non blocking Java connector, not supported in JBossWeb
org.apache.coyote.http11.Http11AprProtocol - the APR connector.
Take a look at our Connector Comparison chart. The configuration for both Java connectors are identical, both for http and https.
For more information on the APR connector and APR specific SSL settings please visit the APR documentation

proxyName
If this Connector is being used in a proxy configuration, configure this attribute to specify the server name to be returned for calls to request.getServerName(). See Proxy Support for more information.

proxyPort
If this Connector is being used in a proxy configuration, configure this attribute to specify the server port to be returned for calls to request.getServerPort(). See Proxy Support for more information.

redirectPort
If this Connector is supporting non-SSL requests, and a request is received for which a matching <security-constraint> requires SSL transport, Catalina will automatically redirect the request to the port number specified here.

SSLEnabled
Use this attribute to enable SSL traffic on a connector. To turn on SSL handshake/encryption/decryption on a connector set this value to true. The default value is false. When turning this value true you will want to set the scheme and the secure attributes as well to pass the correct request.getScheme() and request.isSecure() values to the servlets See SSL Support for more information.

scheme
Set this attribute to the name of the protocol you wish to have returned by calls to request.getScheme(). For example, you would set this attribute to "https" for an SSL Connector. The default value is "http".

secure
Set this attribute to true if you wish to have calls to request.isSecure() to return true for requests received by this Connector. You would want this on an SSL Connector or a non SSL connector that is receiving data from a SSL accelerator, like a crypto card, a SSL appliance or even a webserver. The default value is false.

URIEncoding
This specifies the character encoding used to decode the URI bytes, after %xx decoding the URL. If not specified, ISO-8859-1 will be used.

useBodyEncodingForURI
This specifies if the encoding specified in contentType should be used for URI query parameters, instead of using the URIEncoding. This setting is present for compatibility with Tomcat 4.1.x, where the encoding specified in the contentType, or explicitely set using Request.setCharacterEncoding method was also used for the parameters from the URL. The default value is false.

useIPVHosts
Set this attribute to true to cause JBoss Web to use the IP address that the request was recieved on to determine the Host to send the request to. The default value is false.

xpoweredBy
Set this attribute to true to cause JBoss Web to advertise support for the Servlet specification using the header recommended in the specification. The default value is false.

Standard Implementation

HTTP supports the following additional attributes (in addition to the common attributes listed above):

Attribute Description
acceptCount
The maximum queue length for incoming connection requests when all possible request processing threads are in use. Any requests received when the queue is full will be refused. The default value is 10.

address
For servers with more than one IP address, this attribute specifies which address will be used for listening on the specified port. By default, this port will be used on all IP addresses associated with the server.

bufferSize
The size (in bytes) of the buffer to be provided for input streams created by this connector. By default, buffers of 2048 bytes will be provided.

compressableMimeType
The value is a comma separated list of MIME types for which HTTP compression may be used. The default value is text/html,text/xml,text/plain.

compression
The Connector may use HTTP/1.1 GZIP compression in an attempt to save server bandwidth. The acceptable values for the parameter is "off" (disable compression), "on" (allow compression, which causes text data to be compressed), "force" (forces compression in all cases), or a numerical integer value (which is equivalent to "on", but specifies the minimum amount of data before the output is compressed). If the content-length is not known and compression is set to "on" or more aggressive, the output will also be compressed. If not specified, this attribute is set to "off".

connectionLinger
The number of milliseconds during which the sockets used by this Connector will linger when they are closed. The default value is -1 (socket linger is disabled).

connectionTimeout
The number of milliseconds this Connector will wait, after accepting a connection, for the request URI line to be presented. The default value is 60000 (i.e. 60 seconds).

executor
A reference to the name in an Executor element. If this attribute is enabled, and the named executor exists, the connector will use the executor, and all the other thread attributes will be ignored.

keepAliveTimeout
The number of milliseconds this Connector will wait for another HTTP request before closing the connection. The default value is to use the value that has been set for the connectionTimeout attribute.

disableUploadTimeout
This flag allows the servlet container to use a different, longer connection timeout while a servlet is being executed, which in the end allows either the servlet a longer amount of time to complete its execution, or a longer timeout during data upload. If not specified, this attribute is set to "true".

maxHttpHeaderSize
The maximum size of the request and response HTTP header, specified in bytes. If not specified, this attribute is set to 8192 (8 KB).

maxKeepAliveRequests
The maximum number of HTTP requests which can be pipelined until the connection is closed by the server. Setting this attribute to 1 will disable HTTP/1.0 keep-alive, as well as HTTP/1.1 keep-alive and pipelining. Setting this to -1 will allow an unlimited amount of pipelined or keep-alive HTTP requests. If not specified, this attribute is set to 100.

maxThreads
The maximum number of request processing threads to be created by this Connector, which therefore determines the maximum number of simultaneous requests that can be handled. If not specified, this attribute is set to 200. If an executor is associated with this connector, this attribute is ignored as the connector will execute tasks using the executor rather than an internal thread pool.

noCompressionUserAgents
The value is a comma separated list of regular expressions matching user-agents of HTTP clients for which compression should not be used, because these clients, although they do advertise support for the feature, have a broken implementation. The default value is an empty String (regexp matching disabled).

port
The TCP port number on which this Connector will create a server socket and await incoming connections. Your operating system will allow only one server application to listen to a particular port number on a particular IP address.

restrictedUserAgents
The value is a comma separated list of regular expressions matching user-agents of HTTP clients for which HTTP/1.1 or HTTP/1.0 keep alive should not be used, even if the clients advertise support for these features. The default value is an empty String (regexp matching disabled).

server
The Server header for the http response. Unless your paranoid, you won't need this feature.

socketBuffer
The size (in bytes) of the buffer to be provided for socket output buffering. -1 can be specified to disable the use of a buffer. By default, a buffers of 9000 bytes will be used.

tcpNoDelay
If set to true, the TCP_NO_DELAY option will be set on the server socket, which improves performance under most circumstances. This is set to true by default.

threadPriority
The priority of the request processing threads within the JVM. The default value is java.lang.Thread#NORM_PRIORITY. See the JavaDoc for the java.lang.Thread class for more details on what this priority means.

Nested Components

None at this time.

Special Features

HTTP/1.1 and HTTP/1.0 Support

This Connector supports all of the required features of the HTTP/1.1 protocol, as described in RFC 2616, including persistent connections, pipelining, expectations and chunked encoding. If the client (typically a browser) supports only HTTP/1.0, the Connector will gracefully fall back to supporting this protocol as well. No special configuration is required to enable this support. The Connector also supports HTTP/1.0 keep-alive.

RFC 2616 requires that HTTP servers always begin their responses with the highest HTTP version that they claim to support. Therefore, this Connector will always return HTTP/1.1 at the beginning of its responses.

Proxy Support

The proxyName and proxyPort attributes can be used when JBoss Web is run behind a proxy server. These attributes modify the values returned to web applications that call the request.getServerName() and request.getServerPort() methods, which are often used to construct absolute URLs for redirects. Without configuring these attributes, the values returned would reflect the server name and port on which the connection from the proxy server was received, rather than the server name and port to whom the client directed the original request.

For more information, see the Proxy Support HOW-TO.

SSL Support

You can enable SSL support for a particular instance of this Connector by setting the secure attribute to true. In addition, you may need to configure the following attributes:

Attribute Description
algorithm
The certificate encoding algorithm to be used. This defaults to the Sun implementation (SunX509). For IBM JVMs you should use the value IbmX509. For other vendors, consult the JVM documentation for the correct value.

clientAuth
Set to true if you want the SSL stack to require a valid certificate chain from the client before accepting a connection. Set to want if you want the SSL stack to request a client Certificate, but not fail if one isn't presented. A false value (which is the default) will not require a certificate chain unless the client requests a resource protected by a security constraint that uses CLIENT-CERT authentication. See the SSL HowTo for an example.

keystoreFile
The pathname of the keystore file where you have stored the server certificate to be loaded. By default, the pathname is the file ".keystore" in the operating system home directory of the user that is running JBoss Web. If your keystoreType doesn't need a file use "" (empty string) for this parameter.

keystorePass
The password used to access the server certificate from the specified keystore file. The default value is "changeit".

keystoreProvider
The name of the keystore provider to be used for the server certificate. If not specified, the list of registered providers is traversed in preference order and the first provider that supports the keystoreType is used.

keystoreType
The type of keystore file to be used for the server certificate. If not specified, the default value is "JKS".

sslProtocol
The version of the SSL protocol to use. If not specified, the default is "TLS".

ciphers
A comma seperated list of the encryption ciphers that may be used. If not specified, then any available cipher may be used.

keyAlias
The alias used to for the server certificate in the keystore. If not specified the first key read in the keystore will be used.

truststoreFile
The TrustStore file to use to validate client certificates.

truststorePass
The password to access the TrustStore. This defaults to the value of keystorePass.

truststoreProvider
The name of the truststore provider to be used for the server certificate. If not specified, the list of registered providers is traversed in preference order and the first provider that supports the truststoreType is used.

truststoreType
Add this element if your are using a different format for the TrustStore then you are using for the KeyStore.

allowUnsafeLegacyRenegotiation
Is unsafe legacy TLS renegotiation allowed which is likely to expose users to CVE-2009-3555, a man-in-the-middle vulnerability in the TLS protocol that allows an attacker to inject arbitrary data into the user's request. If not specified, a default of false is used.

For more information, see the SSL Configuration HOW-TO.

Attribute	Description
`allowTrace`	A boolean value which can be used to enable or disable the TRACE HTTP method. If not specified, this attribute is set to false.
`enableLookups`	Set to `true` if you want calls to `request.getRemoteHost()` to perform DNS lookups in order to return the actual host name of the remote client. Set to `false` to skip the DNS lookup and return the IP address in String form instead (thereby improving performance). By default, DNS lookups are enabled.
`maxPostSize`	The maximum size in bytes of the POST which will be handled by the container FORM URL parameter parsing. The limit can be disabled by setting this attribute to a value less than or equal to 0. If not specified, this attribute is set to 2097152 (2 megabytes).
`maxSavePostSize`	The maximum size in bytes of the POST which will be saved/buffered by the container during FORM or CLIENT-CERT authentication. For both types of authentication, the POST will be saved/buffered before the user is authenticated. For CLIENT-CERT authentication, the POST is buffered for the duration of the SSL handshake and the buffer emptied when the request is processed. For FORM authentication the POST is saved whilst the user is re-directed to the login form and is retained until the user successfully authenticates or the session associated with the authentication request expires. The limit can be disabled by setting this attribute to -1. Setting the attribute to zero will disable the saving of POST data during authentication and the buffering during SSL handshake. If not specified, this attribute is set to 4096 (4 kilobytes).
`protocol`	Sets the protocol to handle incoming traffic. The default value is `HTTP/1.1` and configures the `org.apache.coyote.http11.Http11Protocol`. This is the blocking Java connector. If the `PATH(Windows)` or `LD_LIBRARY_PATH(on most unix system)` environment variables contain the Tomcat native library, the APR connector will automatically be configured. Please be advised that the APR connector has different settings for HTTPS than the default Java connector. Other values for this attribute are, but not limited to: `org.apache.coyote.http11.Http11Protocol` - same as HTTP/1.1 `org.apache.coyote.http11.Http11NioProtocol` - non blocking Java connector, not supported in JBossWeb `org.apache.coyote.http11.Http11AprProtocol` - the APR connector. Take a look at our Connector Comparison chart. The configuration for both Java connectors are identical, both for http and https. For more information on the APR connector and APR specific SSL settings please visit the APR documentation
`proxyName`	If this Connector is being used in a proxy configuration, configure this attribute to specify the server name to be returned for calls to `request.getServerName()`. See Proxy Support for more information.
`proxyPort`	If this Connector is being used in a proxy configuration, configure this attribute to specify the server port to be returned for calls to `request.getServerPort()`. See Proxy Support for more information.
`redirectPort`	If this Connector is supporting non-SSL requests, and a request is received for which a matching `<security-constraint>` requires SSL transport, Catalina will automatically redirect the request to the port number specified here.
`SSLEnabled`	Use this attribute to enable SSL traffic on a connector. To turn on SSL handshake/encryption/decryption on a connector set this value to `true`. The default value is `false`. When turning this value `true` you will want to set the `scheme` and the `secure` attributes as well to pass the correct `request.getScheme()` and `request.isSecure()` values to the servlets See SSL Support for more information.
`scheme`	Set this attribute to the name of the protocol you wish to have returned by calls to `request.getScheme()`. For example, you would set this attribute to "`https`" for an SSL Connector. The default value is "`http`".
`secure`	Set this attribute to `true` if you wish to have calls to `request.isSecure()` to return `true` for requests received by this Connector. You would want this on an SSL Connector or a non SSL connector that is receiving data from a SSL accelerator, like a crypto card, a SSL appliance or even a webserver. The default value is `false`.
`URIEncoding`	This specifies the character encoding used to decode the URI bytes, after %xx decoding the URL. If not specified, ISO-8859-1 will be used.
`useBodyEncodingForURI`	This specifies if the encoding specified in contentType should be used for URI query parameters, instead of using the URIEncoding. This setting is present for compatibility with Tomcat 4.1.x, where the encoding specified in the contentType, or explicitely set using Request.setCharacterEncoding method was also used for the parameters from the URL. The default value is `false`.
`useIPVHosts`	Set this attribute to `true` to cause JBoss Web to use the IP address that the request was recieved on to determine the Host to send the request to. The default value is `false`.
`xpoweredBy`	Set this attribute to `true` to cause JBoss Web to advertise support for the Servlet specification using the header recommended in the specification. The default value is `false`.

Attribute	Description
`acceptCount`	The maximum queue length for incoming connection requests when all possible request processing threads are in use. Any requests received when the queue is full will be refused. The default value is 10.
`address`	For servers with more than one IP address, this attribute specifies which address will be used for listening on the specified port. By default, this port will be used on all IP addresses associated with the server.
`bufferSize`	The size (in bytes) of the buffer to be provided for input streams created by this connector. By default, buffers of 2048 bytes will be provided.
`compressableMimeType`	The value is a comma separated list of MIME types for which HTTP compression may be used. The default value is `text/html,text/xml,text/plain`.
`compression`	The Connector may use HTTP/1.1 GZIP compression in an attempt to save server bandwidth. The acceptable values for the parameter is "off" (disable compression), "on" (allow compression, which causes text data to be compressed), "force" (forces compression in all cases), or a numerical integer value (which is equivalent to "on", but specifies the minimum amount of data before the output is compressed). If the content-length is not known and compression is set to "on" or more aggressive, the output will also be compressed. If not specified, this attribute is set to "off".
`connectionLinger`	The number of milliseconds during which the sockets used by this Connector will linger when they are closed. The default value is -1 (socket linger is disabled).
`connectionTimeout`	The number of milliseconds this Connector will wait, after accepting a connection, for the request URI line to be presented. The default value is 60000 (i.e. 60 seconds).
`executor`	A reference to the name in an Executor element. If this attribute is enabled, and the named executor exists, the connector will use the executor, and all the other thread attributes will be ignored.
`keepAliveTimeout`	The number of milliseconds this Connector will wait for another HTTP request before closing the connection. The default value is to use the value that has been set for the connectionTimeout attribute.
`disableUploadTimeout`	This flag allows the servlet container to use a different, longer connection timeout while a servlet is being executed, which in the end allows either the servlet a longer amount of time to complete its execution, or a longer timeout during data upload. If not specified, this attribute is set to "true".
`maxHttpHeaderSize`	The maximum size of the request and response HTTP header, specified in bytes. If not specified, this attribute is set to 8192 (8 KB).
`maxKeepAliveRequests`	The maximum number of HTTP requests which can be pipelined until the connection is closed by the server. Setting this attribute to 1 will disable HTTP/1.0 keep-alive, as well as HTTP/1.1 keep-alive and pipelining. Setting this to -1 will allow an unlimited amount of pipelined or keep-alive HTTP requests. If not specified, this attribute is set to 100.
`maxThreads`	The maximum number of request processing threads to be created by this Connector, which therefore determines the maximum number of simultaneous requests that can be handled. If not specified, this attribute is set to 200. If an executor is associated with this connector, this attribute is ignored as the connector will execute tasks using the executor rather than an internal thread pool.
`noCompressionUserAgents`	The value is a comma separated list of regular expressions matching user-agents of HTTP clients for which compression should not be used, because these clients, although they do advertise support for the feature, have a broken implementation. The default value is an empty String (regexp matching disabled).
`port`	The TCP port number on which this Connector will create a server socket and await incoming connections. Your operating system will allow only one server application to listen to a particular port number on a particular IP address.
`restrictedUserAgents`	The value is a comma separated list of regular expressions matching user-agents of HTTP clients for which HTTP/1.1 or HTTP/1.0 keep alive should not be used, even if the clients advertise support for these features. The default value is an empty String (regexp matching disabled).
`server`	The Server header for the http response. Unless your paranoid, you won't need this feature.
`socketBuffer`	The size (in bytes) of the buffer to be provided for socket output buffering. -1 can be specified to disable the use of a buffer. By default, a buffers of 9000 bytes will be used.
`tcpNoDelay`	If set to `true`, the TCP_NO_DELAY option will be set on the server socket, which improves performance under most circumstances. This is set to `true` by default.
`threadPriority`	The priority of the request processing threads within the JVM. The default value is `java.lang.Thread#NORM_PRIORITY`. See the JavaDoc for the java.lang.Thread class for more details on what this priority means.

Attribute	Description
`algorithm`	The certificate encoding algorithm to be used. This defaults to the Sun implementation (`SunX509`). For IBM JVMs you should use the value `IbmX509`. For other vendors, consult the JVM documentation for the correct value.
`clientAuth`	Set to `true` if you want the SSL stack to require a valid certificate chain from the client before accepting a connection. Set to `want` if you want the SSL stack to request a client Certificate, but not fail if one isn't presented. A `false` value (which is the default) will not require a certificate chain unless the client requests a resource protected by a security constraint that uses `CLIENT-CERT` authentication. See the SSL HowTo for an example.
`keystoreFile`	The pathname of the keystore file where you have stored the server certificate to be loaded. By default, the pathname is the file "`.keystore`" in the operating system home directory of the user that is running JBoss Web. If your `keystoreType` doesn't need a file use `""` (empty string) for this parameter.
`keystorePass`	The password used to access the server certificate from the specified keystore file. The default value is "`changeit`".
`keystoreProvider`	The name of the keystore provider to be used for the server certificate. If not specified, the list of registered providers is traversed in preference order and the first provider that supports the `keystoreType` is used.
`keystoreType`	The type of keystore file to be used for the server certificate. If not specified, the default value is "`JKS`".
`sslProtocol`	The version of the SSL protocol to use. If not specified, the default is "`TLS`".
`ciphers`	A comma seperated list of the encryption ciphers that may be used. If not specified, then any available cipher may be used.
`keyAlias`	The alias used to for the server certificate in the keystore. If not specified the first key read in the keystore will be used.
`truststoreFile`	The TrustStore file to use to validate client certificates.
`truststorePass`	The password to access the TrustStore. This defaults to the value of `keystorePass`.
`truststoreProvider`	The name of the truststore provider to be used for the server certificate. If not specified, the list of registered providers is traversed in preference order and the first provider that supports the `truststoreType` is used.
`truststoreType`	Add this element if your are using a different format for the TrustStore then you are using for the KeyStore.
`allowUnsafeLegacyRenegotiation`	Is unsafe legacy TLS renegotiation allowed which is likely to expose users to CVE-2009-3555, a man-in-the-middle vulnerability in the TLS protocol that allows an attacker to inject arbitrary data into the user's request. If not specified, a default of `false` is used.