Google Git
Sign in
apache / tomcat / HEAD / . / webapps / docs / config / http.xml
blob: a4fd06296213e6498a8af10d062724ec29e0ce22 [file] [log] [blame]
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!DOCTYPE document [
<!ENTITY project SYSTEM "project.xml">
]>
<document url="http.html">
&project;
<properties>
<author email="yoavs@apache.org">Yoav Shapira</author>
<title>The HTTP Connector</title>
</properties>
<body>
<section name="Table of Contents">
<toc/>
</section>
<section name="Introduction">
<p>The <strong>HTTP Connector</strong> element represents a
<strong>Connector</strong> component that supports the HTTP/1.1 protocol.
It enables Catalina to function as a stand-alone web server, in addition
to its ability to execute servlets and JSP pages. A particular instance
of this component listens for connections on a specific TCP port number
on the server. One or more such <strong>Connectors</strong> can be
configured as part of a single <a href="service.html">Service</a>, each
forwarding to the associated <a href="engine.html">Engine</a> to perform
request processing and create the response.</p>
<p>If you wish to configure the <strong>Connector</strong> that is used
for connections to web servers using the AJP protocol (such as the
<code>mod_jk 1.2.x</code> connector for Apache 1.3), please refer to the
<a href="ajp.html">AJP Connector</a> documentation.</p>
<p>Each incoming, non-asynchronous request requires a thread for the duration
of that request. If more simultaneous requests are received than can be
handled by the currently available request processing threads, additional
threads will be created up to the configured maximum (the value of the
<code>maxThreads</code> attribute). If still more simultaneous requests are
received, Tomcat will accept new connections until the current number of
connections reaches <code>maxConnections</code>. Connections are queued inside
the server socket created by the <strong>Connector</strong> until a thread
becomes available to process the connection. Once <code>maxConnections</code>
has been reached the operating system will queue further connections. The size
of the operating system provided connection queue may be controlled by the
<code>acceptCount</code> attribute. If the operating system queue fills,
further connection requests may be refused or may time out.</p>
</section>
<section name="Attributes">
<subsection name="Common Attributes">
<p>All implementations of <strong>Connector</strong>
support the following attributes:</p>
<attributes>
<attribute name="allowBackslash" required="false">
<p>If this is <code>true</code> the '\' character will be permitted as a
path delimiter.</p>
<p>If not specified, the default value of <code>false</code> will be used.</p>
</attribute>
<attribute name="allowTrace" required="false">
<p>A boolean value which can be used to enable or disable the TRACE
HTTP method. If not specified, this attribute is set to false. As per RFC
7231 section 4.3.8, cookie and authorization headers will be excluded from
the response to the TRACE request. If you wish to include these, you can
implement the <code>doTrace()</code> method for the target Servlet and
gain full control over the response.</p>
</attribute>
<attribute name="asyncTimeout" required="false">
<p>The default timeout for asynchronous requests in milliseconds. If not
specified, this attribute is set to the Servlet specification default of
30000 (30 seconds).</p>
</attribute>
<attribute name="discardFacades" required="false">
<p>A boolean value which can be used to enable or disable the recycling
of the facade objects that isolate the container internal request
processing objects. If set to <code>true</code> the facades will be
set for garbage collection after every request, otherwise they will be
reused. If not specified, this attribute is set to <code>true</code>.</p>
</attribute>
<attribute name="enableLookups" required="false">
<p>Set to <code>true</code> if you want calls to
<code>request.getRemoteHost()</code> to perform DNS lookups in
order to return the actual host name of the remote client. Set
to <code>false</code> to skip the DNS lookup and return the IP
address in String form instead (thereby improving performance).
By default, DNS lookups are disabled.</p>
</attribute>
<attribute name="encodedReverseSolidusHandling" required="false">
<p>When set to <code>reject</code> request paths containing a
<code>%5c</code> sequence will be rejected with a 400 response. When set
to <code>decode</code> request paths containing a <code>%5c</code>
sequence will have that sequence decoded to <code>\</code> at the same
time other <code>%nn</code> sequences are decoded. When set to
<code>passthrough</code> request paths containing a <code>%5c</code>
sequence will be processed with the <code>%5c</code> sequence unchanged.
</p>
<p>When set to <code>decoded</code>, the <strong>allowBackslash</strong>
attribute will be applied after decoding.
</p>
<p>If <code>passthrough</code> is used then it is the application's
responsibility to perform any further <code>%nn</code> decoding required.
Any <code>%25</code> sequences (encoded <code>%</code>) in the request
path with also be processed with the <code>%25</code> sequence unchanged
to avoid potential corruption and/or decoding failure when the path is
subsequently <code>%nn</code> decoded by the application.</p>
<p>If not specified, the default value is <code>decode</code>.</p>
</attribute>
<attribute name="encodedSolidusHandling" required="false">
<p>When set to <code>reject</code> request paths containing a
<code>%2f</code> sequence will be rejected with a 400 response. When set
to <code>decode</code> request paths containing a <code>%2f</code>
sequence will have that sequence decoded to <code>/</code> at the same
time other <code>%nn</code> sequences are decoded. When set to
<code>passthrough</code> request paths containing a <code>%2f</code>
sequence will be processed with the <code>%2f</code> sequence unchanged.
</p>
<p>If <code>passthrough</code> is used then it is the application's
responsibility to perform any further <code>%nn</code> decoding required.
Any <code>%25</code> sequences (encoded <code>%</code>) in the request
path with also be processed with the <code>%25</code> sequence unchanged
to avoid potential corruption and/or decoding failure when the path is
subsequently <code>%nn</code> decoded by the application.</p>
<p>If not specified the default value is <code>reject</code>.</p>
</attribute>
<attribute name="enforceEncodingInGetWriter" required="false">
<p>If this is <code>true</code> then
a call to <code>Response.getWriter()</code> if no character encoding
has been specified will result in subsequent calls to
<code>Response.getCharacterEncoding()</code> returning
<code>ISO-8859-1</code> and the <code>Content-Type</code> response header
will include a <code>charset=ISO-8859-1</code> component. (SRV.15.2.22.1)</p>
<p>If not specified, the default specification compliant value of
<code>true</code> will be used.</p>
</attribute>
<attribute name="maxCookieCount" required="false">
<p>The maximum number of cookies that are permitted for a request. A value
of less than zero means no limit. If not specified, a default value of 200
will be used.</p>
</attribute>
<attribute name="maxParameterCount" required="false">
<p>The maximum total number of request parameters (including uploaded
files) obtained from the query string and, for POST requests, the request
body if the content type is
<code>application/x-www-form-urlencoded</code> or
<code>multipart/form-data</code>. Requests that exceed this limit will be
rejected. A value of less than 0 means no limit. If not specified, a
default of 1000 is used.</p>
</attribute>
<attribute name="maxPartCount" required="false">
<p>The maximum total number of parts permitted in a request where the
content type is <code>multipart/form-data</code>. This limit is in
addition to <code>maxParameterCount</code>. Requests that exceed this
limit will be rejected. A value of less than 0 means no limit. If not
specified, a default of 50 is used.</p>
<p>The nature of multipart requests and the associated Servlet API
requirements for processing them is such that they can place a significant
demand on memory. Applications utilising multipart requests need to ensure
sufficient memory is available to avoid a potential denial of service. As
a guide, the memory required is <code>maxPartHeaderSize</code> x
<code>maxPartCount</code> x <code>maxConnections</code> x 2 (due to the
implementation). For the defaults that is <code>512 x 50 x 8192 x 2</code>
which is 400MB.</p>
</attribute>
<attribute name="maxPartHeaderSize" required="false">
<p>The maximum number of header bytes permitted per part in a request
where the content type is <code>multipart/form-data</code>. Requests that
exceed this limit will be rejected. A value of less than 0 means no limit.
If not specified, a default of 512 is used.</p>
</attribute>
<attribute name="maxPostSize" required="false">
<p>This is the maximum number of request body bytes that will be converted
into request parameters by Tomcat. This limit only applies in specific
circumstances and is <strong>not</strong> a general limit on request body
size for POST requests. The limit only applies when Tomcat is processing
the request body for parameters as per section 3.1.1
(<code>application/x-www-form-urlencoded</code>) or section 3.2
(<code>multipart/form-data</code>) of the Servlet specification. In the
<code>multipart/form-data</code> case, the limit only applies to the data
used to generate the parameters that are made available through the
<code>getParameter()</code> family of methods.</p>
<p>The limit can be disabled by setting this attribute to a value less
than zero. Requests that exceed this limit will be rejected. If not
specified, this attribute is set to 2097152 (2 MiB).</p>
</attribute>
<attribute name="maxSavePostSize" required="false">
<p>The maximum size in bytes of the request body which will be
saved/buffered by the container during FORM or CLIENT-CERT authentication
or during HTTP/1.1 upgrade. For both types of authentication, the request
body will be saved/buffered before the user is authenticated. For
CLIENT-CERT authentication, the request body is buffered for the duration
of the SSL handshake and the buffer emptied when the request is processed.
For FORM authentication the POST is saved whilst the user is re-directed
to the login form and is retained until the user successfully
authenticates or the session associated with the authentication request
expires. For HTTP/1.1 upgrade, the request body is buffered for the
duration of the upgrade process. The limit can be disabled by setting this
attribute to -1. Setting the attribute to zero will disable the saving of
the request body data during authentication and HTTP/1.1 upgrade. If not
specified, this attribute is set to 4096 (4 kilobytes).</p>
</attribute>
<attribute name="parseBodyMethods" required="false">
<p>A comma-separated list of HTTP methods for which request
bodies using <code>application/x-www-form-urlencoded</code> will be parsed
for request parameters identically to POST. This is useful in RESTful
applications that want to support POST-style semantics for PUT requests.
Note that any setting other than <code>POST</code> causes Tomcat
to behave in a way that goes against the intent of the servlet
specification.
The HTTP method TRACE is specifically forbidden here in accordance
with the HTTP specification.
The default is <code>POST</code></p>
</attribute>
<attribute name="port" required="true">
<p>The TCP port number on which this <strong>Connector</strong>
will create a server socket and await incoming connections. Your
operating system will allow only one server application to listen
to a particular port number on a particular IP address. If the special
value of 0 (zero) is used, then Tomcat will select a free port at random
to use for this connector. This is typically only useful in embedded and
testing applications.</p>
</attribute>
<attribute name="protocol" required="false">
<p>Sets the protocol to handle incoming traffic. The default value is
<code>HTTP/1.1</code> which uses a Java NIO based connector.<br/>
To use an explicit protocol, the following values may be used:<br/>
<code>org.apache.coyote.http11.Http11NioProtocol</code> -
non blocking Java NIO connector<br/>
Custom implementations may also be used.<br/>
</p>
</attribute>
<attribute name="proxyName" required="false">
<p>If this <strong>Connector</strong> is being used in a proxy
configuration, configure this attribute to specify the server name
to be returned for calls to <code>request.getServerName()</code>.
See <a href="#Proxy_Support">Proxy Support</a> for more
information.</p>
</attribute>
<attribute name="proxyPort" required="false">
<p>If this <strong>Connector</strong> is being used in a proxy
configuration, configure this attribute to specify the server port
to be returned for calls to <code>request.getServerPort()</code>.
See <a href="#Proxy_Support">Proxy Support</a> for more
information.</p>
</attribute>
<attribute name="redirectPort" required="false">
<p>If this <strong>Connector</strong> is supporting non-SSL
requests, and a request is received for which a matching
<code>&lt;security-constraint&gt;</code> requires SSL transport,
Catalina will automatically redirect the request to the port
number specified here.</p>
</attribute>
<attribute name="rejectSuspiciousURIs" required="false">
<p>Should this <strong>Connector</strong> reject a requests if the URI
matches one of the suspicious URIs patterns identified by the Servlet 6.0
specification? The default value is <code>false</code>.</p>
</attribute>
<attribute name="scheme" required="false">
<p>Set this attribute to the name of the protocol you wish to have
returned by calls to <code>request.getScheme()</code>. For
example, you would set this attribute to "<code>https</code>"
for an SSL Connector. The default value is "<code>http</code>".
</p>
</attribute>
<attribute name="secure" required="false">
<p>Set this attribute to <code>true</code> if you wish to have
calls to <code>request.isSecure()</code> to return <code>true</code>
for requests received by this Connector. You would want this on an
SSL Connector or a non SSL connector that is receiving data from a
SSL accelerator, like a crypto card, an SSL appliance or even a webserver.
The default value is <code>false</code>.</p>
</attribute>
<attribute name="URIEncoding" required="false">
<p>This specifies the character encoding used to decode the URI bytes,
after %xx decoding the URL. The default value is <code>UTF-8</code>.</p>
</attribute>
<attribute name="useBodyEncodingForURI" required="false">
<p>This specifies if the encoding specified in contentType should be used
for URI query parameters, instead of using the URIEncoding. This
setting is present for compatibility with Tomcat 4.1.x, where the
encoding specified in the contentType, or explicitly set using
Request.setCharacterEncoding method was also used for the parameters from
the URL. The default value is <code>false</code>.
</p>
<p><strong>Notes:</strong> 1) This setting is applied only to the
query string of a request. Unlike <code>URIEncoding</code> it does not
affect the path portion of a request URI. 2) If request character
encoding is not known (is not provided by a browser and is not set by
<code>SetCharacterEncodingFilter</code> or a similar filter using
Request.setCharacterEncoding method), the default encoding is always
"ISO-8859-1". The <code>URIEncoding</code> setting has no effect on
this default.
</p>
</attribute>
<attribute name="useIPVHosts" required="false">
<p>Set this attribute to <code>true</code> to cause Tomcat to use
the IP address that the request was received on to determine the Host
to send the request to. The default value is <code>false</code>.</p>
</attribute>
<attribute name="xpoweredBy" required="false">
<p>Set this attribute to <code>true</code> to cause Tomcat to advertise
support for the Servlet specification using the header recommended in the
specification. The default value is <code>false</code>.</p>
</attribute>
</attributes>
</subsection>
<subsection name="Standard Implementation">
<p>The standard HTTP connector supports the following
attributes in addition to the common Connector attributes listed above.</p>
<attributes>
<attribute name="acceptCount" required="false">
<p>The maximum length of the operating system provided queue for incoming
connection requests when <code>maxConnections</code> has been reached. The
operating system may ignore this setting and use a different size for the
queue. When this queue is full, the operating system may actively refuse
additional connections or those connections may time out. The default
value is 100.</p>
</attribute>
<attribute name="acceptorThreadPriority" required="false">
<p>The priority of the acceptor thread. The thread used to accept
new connections. The default value is <code>5</code> (the value of the
<code>java.lang.Thread.NORM_PRIORITY</code> constant). See the JavaDoc
for the <code>java.lang.Thread</code> class for more details on what
this priority means.</p>
</attribute>
<attribute name="address" required="false">
<p>For servers with more than one IP address, this attribute specifies
which address will be used for listening on the specified port. By
default, the connector will listen all local addresses. Unless the JVM is
configured otherwise using system properties, the NIO connector
will listen on both IPv4 and IPv6 addresses when configured
with either <code>0.0.0.0</code> or <code>::</code>.</p>
</attribute>
<attribute name="allowedTrailerHeaders" required="false">
<p>By default Tomcat will ignore all trailer headers when processing
chunked input. For a header to be processed, it must be added to this
comma-separated list of header names.</p>
</attribute>
<attribute name="bindOnInit" required="false">
<p>Controls when the socket used by the connector is bound. If set to
<code>true</code> it is bound when the connector is initiated and unbound
when the connector is destroyed. If set to <code>false</code>, the socket
will be bound when the connector is started and unbound when it is
stopped. If not specified, the default is <code>true</code>.</p>
</attribute>
<attribute name="clientCertProvider" required="false">
<p>When client certificate information is presented in a form other than
instances of <code>java.security.cert.X509Certificate</code> it needs to
be converted before it can be used and this property controls which JSSE
provider is used to perform the conversion.</p>
</attribute>
<attribute name="compressibleMimeType" required="false">
<p>The value is a comma separated list of MIME types for which HTTP
compression may be used.
The default value is
<code>
text/html,text/xml,text/plain,text/css,text/javascript,application/javascript,application/json,application/xml
</code>.
If you specify a type explicitly, the default is over-ridden.</p>
</attribute>
<attribute name="compression" required="false">
<p>The <strong>Connector</strong> may use HTTP/1.1 GZIP compression in
an attempt to save server bandwidth. The acceptable values for the
parameter is "off" (disable compression), "on" (allow compression, which
causes text data to be compressed), "force" (forces compression in all
cases), or a numerical integer value (which is equivalent to "on", but
specifies the minimum amount of data before the output is compressed). If
the content-length is not known and compression is set to "on" or more
aggressive, the output will also be compressed. If not specified, this
attribute is set to "off".</p>
<p><em>Note</em>: There is a tradeoff between using compression (saving
your bandwidth) and using the sendfile feature (saving your CPU cycles).
If the connector supports the sendfile feature, e.g. the NIO connector,
using sendfile will take precedence over compression. The symptoms will
be that static files greater that 48 KiB will be sent uncompressed.
You can turn off sendfile by setting <code>useSendfile</code> attribute
of the connector, as documented below, or change the sendfile usage
threshold in the configuration of the
<a href="../default-servlet.html">DefaultServlet</a> in the default
<code>conf/web.xml</code> or in the <code>web.xml</code> of your web
application.
</p>
</attribute>
<attribute name="compressionMinSize" required="false">
<p>If <strong>compression</strong> is set to "on" then this attribute
may be used to specify the minimum amount of data before the output is
compressed. If not specified, this attribute is defaults to "2048".
Units are in bytes.</p>
</attribute>
<attribute name="connectionLinger" required="false">
<p>The number of seconds during which the sockets used by this
<strong>Connector</strong> will linger when they are closed. The default
value is <code>-1</code> which disables socket linger.</p>
</attribute>
<attribute name="connectionTimeout" required="false">
<p>The number of milliseconds this <strong>Connector</strong> will wait,
after accepting a connection, for the request URI line to be
presented. Use a value of -1 to indicate no (i.e. infinite) timeout.
The default value is 60000 (i.e. 60 seconds) but note that the standard
server.xml that ships with Tomcat sets this to 20000 (i.e. 20 seconds).
Unless <strong>disableUploadTimeout</strong> is set to <code>false</code>,
this timeout will also be used when reading the request body (if any).</p>
</attribute>
<attribute name="connectionUploadTimeout" required="false">
<p>Specifies the timeout, in milliseconds, to use while a data upload is
in progress. If not specified the default
value is 300000 (i.e. 300 seconds). This only takes effect if
<strong>disableUploadTimeout</strong> is set to <code>false</code>.
</p>
</attribute>
<attribute name="continueResponseTiming" required="false">
<p>When to respond with a <code>100</code> intermediate response code to a
request containing an <code>Expect: 100-continue</code> header.
The following values may used:
<ul>
<li><code>immediately</code> - an intermediate 100 status response
will be returned as soon as practical</li>
<li><code>onRead</code> - an intermediate 100 status
response will be returned only when the Servlet reads the request body,
allowing the servlet to inspect the headers and possibly respond
before the user agent sends a possibly large request body.</li>
</ul>
</p>
</attribute>
<attribute name="defaultSSLHostConfigName" required="false">
<p>The name of the default <strong>SSLHostConfig</strong> that will be
used for secure connections (if this connector is configured for secure
connections) if the client connection does not provide SNI or if the SNI
is provided but does not match any configured
<strong>SSLHostConfig</strong>. If not specified the default value of
<code>_default_</code> will be used. Provided values are always converted
to lower case.</p>
</attribute>
<attribute name="disableUploadTimeout" required="false">
<p>This flag allows the servlet container to use a different, usually
longer connection timeout during data upload. If not specified, this
attribute is set to <code>true</code> which disables this longer timeout.
</p>
</attribute>
<attribute name="executor" required="false">
<p>A reference to the name in an <a href="executor.html">Executor</a>
element. If this attribute is set, and the named executor exists, the
connector will use the executor, and all the other thread attributes will
be ignored. Note that if a shared executor is not specified for a
connector then the connector will use a private, internal executor to
provide the thread pool.</p>
</attribute>
<attribute name="executorTerminationTimeoutMillis" required="false">
<p>The time that the private internal executor will wait for request
processing threads to terminate before continuing with the process of
stopping the connector. If not set, the default is <code>5000</code> (5
seconds).</p>
</attribute>
<attribute name="keepAliveTimeout" required="false">
<p>The number of milliseconds this <strong>Connector</strong> will wait
for another HTTP request before closing the connection. The default value
is to use the value that has been set for the
<strong>connectionTimeout</strong> attribute.
Use a value of -1 to indicate no (i.e. infinite) timeout.</p>
</attribute>
<attribute name="maxConnections" required="false">
<p>The maximum number of connections that the server will accept and
process at any given time. When this number has been reached, the server
will accept, but not process, one further connection. This additional
connection be blocked until the number of connections being processed
falls below <strong>maxConnections</strong> at which point the server will
start accepting and processing new connections again. Note that once the
limit has been reached, the operating system may still accept connections
based on the <code>acceptCount</code> setting. The default value
is <code>8192</code>.</p>
<p>For NIO only, setting the value to -1, will disable the
maxConnections feature and connections will not be counted.</p>
</attribute>
<attribute name="maxExtensionSize" required="false">
<p>Limits the total length of chunk extensions in chunked HTTP requests.
If the value is <code>-1</code>, no limit will be imposed. If not
specified, the default value of <code>8192</code> will be used.</p>
</attribute>
<attribute name="maxHeaderCount" required="false">
<p>The maximum number of headers in a request that are allowed by the
container. A request that contains more headers than the specified limit
will be rejected. A value of less than 0 means no limit.
If not specified, a default of 100 is used.</p>
</attribute>
<attribute name="maxHttpHeaderSize" required="false">
<p>Provides the default value for
<strong>maxHttpRequestHeaderSize</strong> and
<strong>maxHttpResponseHeaderSize</strong>. If not specified, this
attribute is set to 8192 (8 KiB).</p>
</attribute>
<attribute name="maxHttpRequestHeaderSize" required="false">
<p>The maximum permitted size of the request line and headers associated
with an HTTP request, specified in bytes. This is compared to the number
of bytes received so includes line terminators and whitespace as well as
the request line, header names and header values. If not specified, this
attribute is set to the value of the <code>maxHttpHeaderSize</code>
attribute.</p>
<p>If you see "Request header is too large" errors you can increase this,
but be aware that Tomcat will allocate the full amount you specify for
every request. For example, if you specify a maxHttpRequestHeaderSize of
1 MB and your application handles 100 concurrent requests, you will see
100 MB of heap consumed by request headers.</p>
</attribute>
<attribute name="maxHttpResponseHeaderSize" required="false">
<p>The maximum permitted size of the response line and headers associated
with an HTTP response, specified in bytes. This is compared to the number
of bytes written so includes line terminators and whitespace as well as
the status line, header names and header values. If not specified, this
attribute is set to the value of the <code>maxHttpHeaderSize</code>
attribute.</p>
</attribute>
<attribute name="maxKeepAliveRequests" required="false">
<p>The maximum number of HTTP requests which can be pipelined until
the connection is closed by the server. Setting this attribute to 1 will
disable HTTP/1.0 keep-alive, as well as HTTP/1.1 keep-alive and
pipelining. Setting this to -1 will allow an unlimited amount of
pipelined or keep-alive HTTP requests.
If not specified, this attribute is set to 100.</p>
</attribute>
<attribute name="maxQueueSize" required="false">
<p>(int) The maximum number of runnable tasks that can queue up awaiting
execution before they are rejected. The default value is
<code>Integer.MAX_VALUE</code></p>
</attribute>
<attribute name="maxSwallowSize" required="false">
<p>The maximum number of request body bytes (excluding transfer encoding
overhead) that will be swallowed by Tomcat for an aborted upload. An
aborted upload is when Tomcat knows that the request body is going to be
ignored but the client still sends it. If Tomcat does not swallow the body
the client is unlikely to see the response. If not specified the default
of 2097152 (2 MiB) will be used. A value of less than zero indicates
that no limit should be enforced.</p>
</attribute>
<attribute name="maxThreads" required="false">
<p>The maximum number of request processing threads to be created
by this <strong>Connector</strong>, which therefore determines the
maximum number of simultaneous requests that can be handled. If
not specified, this attribute is set to 200. If an executor is associated
with this connector, this attribute is ignored as the connector will
execute tasks using the executor rather than an internal thread pool. Note
that if an executor is configured any value set for this attribute will be
recorded correctly but it will be reported (e.g. via JMX) as
<code>-1</code> to make clear that it is not used.</p>
</attribute>
<attribute name="maxTrailerSize" required="false">
<p>Limits the total length of trailing headers in the last chunk of
a chunked HTTP request. This must be a positive integer value.
If not specified, the default value of <code>8192</code> will be
used.</p>
</attribute>
<attribute name="minSpareThreads" required="false">
<p>The minimum number of threads always kept running. This includes both
active and idle threads. If not specified, the default of <code>10</code>
is used. If an executor is associated with this connector, this attribute
is ignored as the connector will execute tasks using the executor rather
than an internal thread pool. Note that if an executor is configured any
value set for this attribute will be recorded correctly but it will be
reported (e.g. via JMX) as <code>-1</code> to make clear that it is not
used.</p>
</attribute>
<attribute name="noCompressionUserAgents" required="false">
<p>The value is a regular expression (using <code>java.util.regex</code>)
matching the <code>user-agent</code> header of HTTP clients for which
compression should not be used,
because these clients, although they do advertise support for the
feature, have a broken implementation.
The default value is an empty String (regexp matching disabled).</p>
</attribute>
<attribute name="processorCache" required="false">
<p>The protocol handler caches Processor objects to speed up performance.
This setting dictates how many of these objects get cached.
<code>-1</code> means unlimited, default is <code>200</code>.
<code>0</code> means no request processor reuse. This has a very
significant impact on performance and garbage collection depending on
the workload, but provides additional security guarantees by avoiding
reuse of all request processing objects.
If not using Servlet 3.0 asynchronous processing, an appropriate value
is to use the same as the maxThreads setting. If using Servlet 3.0
asynchronous processing, an appropriate value is to use the larger
of maxThreads and the maximum number of expected concurrent requests
(synchronous and asynchronous).</p>
</attribute>
<attribute name="relaxedPathChars" required="false">
<p>The <a href="https://tools.ietf.org/rfc/rfc7230.txt">HTTP/1.1
specification</a> requires that certain characters are %nn encoded when
used in URI paths. Unfortunately, many user agents including all the major
browsers are not compliant with this specification and use these
characters in unencoded form. To prevent Tomcat rejecting such requests,
this attribute may be used to specify the additional characters to allow.
If not specified, no additional characters will be allowed. The value may
be any combination of the following characters:
<code>&quot; &lt; &gt; [ \ ] ^ ` { | }</code> . Any other characters
present in the value will be ignored.</p>
</attribute>
<attribute name="relaxedQueryChars" required="false">
<p>The <a href="https://tools.ietf.org/rfc/rfc7230.txt">HTTP/1.1
specification</a> requires that certain characters are %nn encoded when
used in URI query strings. Unfortunately, many user agents including all
the major browsers are not compliant with this specification and use these
characters in unencoded form. To prevent Tomcat rejecting such requests,
this attribute may be used to specify the additional characters to allow.
If not specified, no additional characters will be allowed. The value may
be any combination of the following characters:
<code>&quot; &lt; &gt; [ \ ] ^ ` { | }</code> . Any other characters
present in the value will be ignored.</p>
</attribute>
<attribute name="restrictedUserAgents" required="false">
<p>The value is a regular expression (using <code>java.util.regex</code>)
matching the <code>user-agent</code> header of HTTP clients for which
HTTP/1.1 or HTTP/1.0 keep alive should not be used, even if the clients
advertise support for these features.
The default value is an empty String (regexp matching disabled).</p>
</attribute>
<attribute name="server" required="false">
<p>Overrides the Server header for the http response. If set, the value
for this attribute overrides any Server header set by a web application.
If not set, any value specified by the application is used. If the
application does not specify a value then no Server header is set.</p>
</attribute>
<attribute name="serverRemoveAppProvidedValues" required="false">
<p>If <code>true</code>, any Server header set by a web
application will be removed. Note that if <strong>server</strong> is set,
this attribute is effectively ignored. If not set, the default value of
<code>false</code> will be used.</p>
</attribute>
<attribute name="SSLEnabled" required="false">
<p>Use this attribute to enable SSL traffic on a connector.
To turn on SSL handshake/encryption/decryption on a connector
set this value to <code>true</code>.
The default value is <code>false</code>.
When turning this value <code>true</code> you will want to set the
<code>scheme</code> and the <code>secure</code> attributes as well
to pass the correct <code>request.getScheme()</code> and
<code>request.isSecure()</code> values to the servlets
See <a href="#SSL_Support">SSL Support</a> for more information.
</p>
</attribute>
<attribute name="tcpNoDelay" required="false">
<p>If set to <code>true</code>, the TCP_NO_DELAY option will be
set on the server socket, which improves performance under most
circumstances. This is set to <code>true</code> by default.</p>
</attribute>
<attribute name="threadPriority" required="false">
<p>The priority of the request processing threads within the JVM.
The default value is <code>5</code> (the value of the
<code>java.lang.Thread.NORM_PRIORITY</code> constant). See the JavaDoc
for the <code>java.lang.Thread</code> class for more details on what
this priority means. If an executor is associated
with this connector, this attribute is ignored as the connector will
execute tasks using the executor rather than an internal thread pool. Note
that if an executor is configured any value set for this attribute will be
recorded correctly but it will be reported (e.g. via JMX) as
<code>-1</code> to make clear that it is not used.</p>
</attribute>
<attribute name="threadsMaxIdleTime" required="false">
<p>The amount of time in milliseconds that threads will be kept alive by
the thread pool, if there are more than <code>minSpareThreads</code>
threads in the executor. If not specified, the default of
<code>60000</code> milliseconds is used. If an executor is associated
with this connector, this attribute
is ignored as the connector will execute tasks using the executor rather
than an internal thread pool. Note that if an executor is configured any
value set for this attribute will be recorded correctly but it will be
reported (e.g. via JMX) as <code>-1</code> to make clear that it is not
used.</p>
</attribute>
<attribute name="throwOnFailure" required="false">
<p>If the Connector experiences an Exception during a Lifecycle transition
should the Exception be rethrown or logged? If not specified, the default
of <code>false</code> will be used. Note that the default can be changed
by the <code>org.apache.catalina.startup.EXIT_ON_INIT_FAILURE</code>
system property.</p>
</attribute>
<attribute name="useAsyncIO" required="false">
<p>(bool) Use this attribute to enable or disable usage of the
asynchronous IO API. The default value is <code>true</code>.</p>
</attribute>
<attribute name="useKeepAliveResponseHeader" required="false">
<p>(bool) Use this attribute to enable or disable the addition of the
<code>Keep-Alive</code> HTTP response header as described in
<a href="https://tools.ietf.org/html/draft-thomson-hybi-http-timeout-03">this
Internet-Draft</a>. The default value is <code>true</code>.</p>
</attribute>
<attribute name="useVirtualThreads" required="false">
<p>(bool) Use this attribute to enable or disable usage of virtual threads
with the internal executor. If an executor is associated with this
connector, this attribute is ignored. The default value is
<code>false</code>.</p>
</attribute>
</attributes>
</subsection>
<subsection name="Java TCP socket attributes">
<p>The NIO implementation supports the following Java TCP
socket attributes in addition to the common Connector and HTTP attributes
listed above.</p>
<attributes>
<attribute name="socket.rxBufSize" required="false">
<p>(int)The socket receive buffer (SO_RCVBUF) size in bytes. JVM default
used if not set.</p>
</attribute>
<attribute name="socket.txBufSize" required="false">
<p>(int)The socket send buffer (SO_SNDBUF) size in bytes. JVM default
used if not set. Care should be taken if explicitly setting this value.
Very poor performance has been observed on some JVMs with values less
than ~8k.</p>
</attribute>
<attribute name="socket.tcpNoDelay" required="false">
<p>(bool)This is equivalent to standard attribute
<strong>tcpNoDelay</strong>.</p>
</attribute>
<attribute name="socket.soKeepAlive" required="false">
<p>(bool)Boolean value for the socket's keep alive setting
(SO_KEEPALIVE). JVM default used if not set.</p>
</attribute>
<attribute name="socket.ooBInline" required="false">
<p>(bool)Boolean value for the socket OOBINLINE setting. JVM default
used if not set.</p>
</attribute>
<attribute name="socket.soReuseAddress" required="false">
<p>(bool)Boolean value for the sockets reuse address option
(SO_REUSEADDR). JVM default used if not set.</p>
</attribute>
<attribute name="socket.soLingerOn" required="false">
<p>(bool)Boolean value for the sockets so linger option (SO_LINGER).
A value for the standard attribute <strong>connectionLinger</strong>
that is &gt;=0 is equivalent to setting this to <code>true</code>.
A value for the standard attribute <strong>connectionLinger</strong>
that is &lt;0 is equivalent to setting this to <code>false</code>.
Both this attribute and <code>soLingerTime</code> must be set else the
JVM defaults will be used for both.</p>
</attribute>
<attribute name="socket.soLingerTime" required="false">
<p>(int)Value in seconds for the sockets so linger option (SO_LINGER).
This is equivalent to standard attribute
<strong>connectionLinger</strong>.
Both this attribute and <code>soLingerOn</code> must be set else the
JVM defaults will be used for both.</p>
</attribute>
<attribute name="socket.soTimeout" required="false">
<p>This is equivalent to standard attribute
<strong>connectionTimeout</strong>.</p>
</attribute>
<attribute name="socket.performanceConnectionTime" required="false">
<p>(int)The first value for the performance settings. See
<a href="https://docs.oracle.com/en/java/javase/21/docs/api/java.base/java/net/Socket.html#setPerformancePreferences(int,int,int)">Socket Performance Options</a>.
All three performance attributes must be set else the JVM defaults will
be used for all three.</p>
</attribute>
<attribute name="socket.performanceLatency" required="false">
<p>(int)The second value for the performance settings. See
<a href="https://docs.oracle.com/en/java/javase/21/docs/api/java.base/java/net/Socket.html#setPerformancePreferences(int,int,int)">Socket Performance Options</a>.
All three performance attributes must be set else the JVM defaults will
be used for all three.</p>
</attribute>
<attribute name="socket.performanceBandwidth" required="false">
<p>(int)The third value for the performance settings. See
<a href="https://docs.oracle.com/en/java/javase/21/docs/api/java.base/java/net/Socket.html#setPerformancePreferences(int,int,int)">Socket Performance Options</a>.
All three performance attributes must be set else the JVM defaults will
be used for all three.</p>
</attribute>
<attribute name="socket.unlockTimeout" required="false">
<p>(int) The timeout for a socket unlock. When a connector is stopped,
it will try to release the acceptor thread by opening a connector to
itself. The default value is <code>250</code> and the value is in
milliseconds. This vaoue must be positive. Negative or zero values will
be ignored.</p>
</attribute>
</attributes>
</subsection>
<subsection name="NIO specific configuration">
<p>The following attributes are specific to the NIO connector.</p>
<attributes>
<attribute name="pollerThreadPriority" required="false">
<p>(int)The priority of the poller threads.
The default value is <code>5</code> (the value of the
<code>java.lang.Thread.NORM_PRIORITY</code> constant). See the JavaDoc
for the <code>java.lang.Thread</code> class for more details on what
this priority means.</p>
</attribute>
<attribute name="selectorTimeout" required="false">
<p>(int)The time in milliseconds to timeout on a select() for the
poller. This value is important, since connection clean up is done on
the same thread, so do not set this value to an extremely high one. The
default value is <code>1000</code> milliseconds.</p>
</attribute>
<attribute name="useSendfile" required="false">
<p>(bool)Use this attribute to enable or disable sendfile capability.
The default value is <code>true</code>. Note that the use of sendfile
will disable any compression that Tomcat may otherwise have performed on
the response.</p>
</attribute>
<attribute name="socket.directBuffer" required="false">
<p>(bool)Boolean value, whether to use direct ByteBuffers or java mapped
ByteBuffers. If <code>true</code> then
<code>java.nio.ByteBuffer.allocateDirect()</code> is used to allocate
the buffers, if <code>false</code> then
<code>java.nio.ByteBuffer.allocate()</code> is used. The default value
is <code>false</code>.<br/>
When you are using direct buffers, make sure you allocate the
appropriate amount of memory for the direct memory space. On Sun's JDK
that would be something like <code>-XX:MaxDirectMemorySize=256m</code>.
</p>
</attribute>
<attribute name="socket.directSslBuffer" required="false">
<p>(bool)Boolean value, whether to use direct ByteBuffers or java mapped
ByteBuffers for the SSL buffers. If <code>true</code> then
<code>java.nio.ByteBuffer.allocateDirect()</code> is used to allocate
the buffers, if <code>false</code> then
<code>java.nio.ByteBuffer.allocate()</code> is used. The default value
is <code>false</code>.<br/>
When you are using direct buffers, make sure you allocate the
appropriate amount of memory for the direct memory space. On Oracle's JDK
that would be something like <code>-XX:MaxDirectMemorySize=256m</code>.
</p>
</attribute>
<attribute name="socket.appReadBufSize" required="false">
<p>(int)Each connection that is opened up in Tomcat get associated with
a read ByteBuffer. This attribute controls the size of this buffer. By
default this read buffer is sized at <code>8192</code> bytes. For lower
concurrency, you can increase this to buffer more data. For an extreme
amount of keep alive connections, decrease this number or increase your
heap size.</p>
</attribute>
<attribute name="socket.appWriteBufSize" required="false">
<p>(int)Each connection that is opened up in Tomcat get associated with
a write ByteBuffer. This attribute controls the size of this buffer. By
default this write buffer is sized at <code>8192</code> bytes. For low
concurrency you can increase this to buffer more response data. For an
extreme amount of keep alive connections, decrease this number or
increase your heap size.<br/>
The default value here is pretty low, you should up it if you are not
dealing with tens of thousands concurrent connections.</p>
</attribute>
<attribute name="socket.bufferPool" required="false">
<p>(int)The NIOx connector uses a class called NioXChannel that holds
elements linked to a socket. To reduce garbage collection, the NIOx
connector caches these channel objects. This value specifies the size of
this cache. The default value is <code>-2</code>. Special values are
<code>-1</code> for unlimited cache, <code>0</code> for no cache,
and <code>-2</code> for a value computed using the bufferPoolSize
attribute.</p>
</attribute>
<attribute name="socket.bufferPoolSize" required="false">
<p>(int)The NioXChannel pool can also be size based, not used object
based. If bufferPool is not -2, then this value will not be used.<br/>
The value is in bytes except for special values. Special values are
<code>-1</code> for unlimited cache, <code>0</code> for no cache,
and <code>-2</code> for a value computed as follows:<br/>
NioXChannel
<code>buffer size = read buffer size + write buffer size</code><br/>
SecureNioXChannel <code>buffer size = application read buffer size +
application write buffer size + twice the max SNI parse size</code>.
If the maximum memory as reported by the runtime is greater than
1GB, then the pool size value is the memory divided by the buffer
size. Otherwise, it will be 0.
</p>
</attribute>
<attribute name="socket.processorCache" required="false">
<p>(int)Tomcat will cache SocketProcessor objects to reduce garbage
collection. The integer value specifies how many objects to keep in the
cache at most. The default is <code>0</code>. Special values are
<code>-1</code> for unlimited cache and <code>0</code> for no cache.</p>
</attribute>
<attribute name="socket.eventCache" required="false">
<p>(int)Tomcat will cache PollerEvent objects to reduce garbage
collection. The integer value specifies how many objects to keep in the
cache at most. The default is <code>0</code>. Special values are
<code>-1</code> for unlimited cache and <code>0</code> for no cache.</p>
</attribute>
<attribute name="unixDomainSocketPath" required="false">
<p>Where supported, the path to a Unix Domain Socket that this
<strong>Connector</strong> will create and await incoming connections.
When this is specified, the otherwise mandatory <code>port</code>
attribute may be omitted.
See <a href="#Unix_Domain_Socket_Support">Unix Domain Socket Support</a>
for more information.</p>
</attribute>
<attribute name="unixDomainSocketPathPermissions" required="false">
<p>Where supported, the posix permissions that will be applied to the
to the Unix Domain Socket specified with
<code>unixDomainSocketPath</code> above. The
permissions are specified as a string of nine characters, in three sets
of three: (r)ead, (w)rite and e(x)ecute for owner, group and others
respectively. If a permission is not granted, a hyphen is used. If
unspecified, the permissions default to <code>rw-rw-rw-</code>.</p>
</attribute>
<attribute name="useInheritedChannel" required="false">
<p>(bool)Defines if this connector should inherit an inetd/systemd network socket.
Only one connector can inherit a network socket. This can option can be
used to automatically start Tomcat once a connection request is made to
the systemd super daemon's port.
The default value is <code>false</code>. See the JavaDoc
for the <code>java.nio.channels.spi.SelectorProvider</code> class for
more details.</p>
</attribute>
</attributes>
</subsection>
</section>
<section name="Nested Components">
<p>Tomcat supports Server Name Indication (SNI). This allows multiple SSL
configurations to be associated with a single secure connector with the
configuration used for any given connection determined by the host name
requested by the client. To facilitate this, the
<strong>SSLHostConfig</strong> element was added which can be used to define
one of these configurations. Any number of <strong>SSLHostConfig</strong> may
be nested in a <strong>Connector</strong>. At the same time, support was added
for multiple certificates to be associated with a single
<strong>SSLHostConfig</strong>. Each SSL certificate is therefore configured
in a <strong>Certificate</strong> element within an
<strong>SSLHostConfig</strong>. For further information, see the SSL Support
section below.</p>
<p>When OpenSSL is providing the TLS implementation, one or more
<strong>OpenSSLConfCmd</strong> elements may be nested inside a
<strong>OpenSSLConf</strong> element to configure OpenSSL via OpenSSL's
<code>SSL_CONF</code> API. A single <strong>OpenSSLConf</strong> element may
be nested in a <strong>SSLHostConfig</strong> element. For further
information, see the SSL Support section below</p>
</section>
<section name="Special Features">
<subsection name="HTTP/1.1 and HTTP/1.0 Support">
<p>This <strong>Connector</strong> supports all of the required features
of the HTTP/1.1 protocol, as described in RFCs 7230-7235, including persistent
connections, pipelining, expectations and chunked encoding. If the client
supports only HTTP/1.0 or HTTP/0.9, the
<strong>Connector</strong> will gracefully fall back to supporting this
protocol as well. No special configuration is required to enable this
support. The <strong>Connector</strong> also supports HTTP/1.0
keep-alive.</p>
<p>RFC 7230 requires that HTTP servers always begin their responses with
the highest HTTP version that they claim to support. Therefore, this
<strong>Connector</strong> will always return <code>HTTP/1.1</code> at
the beginning of its responses.</p>
</subsection>
<subsection name="HTTP/2 Support">
<p>HTTP/2 support is provided for TLS (h2), non-TLS via HTTP upgrade (h2c)
and direct HTTP/2 (h2c) connections. To enable HTTP/2 support for an HTTP
connector the following <strong>UpgradeProtocol</strong> element must be
nested within the <strong>Connector</strong> with a
<strong>className</strong> attribute of
<code>org.apache.coyote.http2.Http2Protocol</code>.</p>
<source><![CDATA[<Connector ... >
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
</Connector>]]></source>
<p>Additional configuration attributes are available. See the
<a href="http2.html">HTTP/2 Upgrade Protocol</a> documentation for details.</p>
</subsection>
<subsection name="Proxy Support">
<p>The <code>proxyName</code> and <code>proxyPort</code> attributes can
be used when Tomcat is run behind a proxy server. These attributes
modify the values returned to web applications that call the
<code>request.getServerName()</code> and <code>request.getServerPort()</code>
methods, which are often used to construct absolute URLs for redirects.
Without configuring these attributes, the values returned would reflect
the server name and port on which the connection from the proxy server
was received, rather than the server name and port to whom the client
directed the original request.</p>
<p>For more information, see the
<a href="../proxy-howto.html">Proxy Support How-To</a>.</p>
</subsection>
<subsection name="Unix Domain Socket Support">
<p>When the <code>unixDomainSocketPath</code> attribute is used, connectors
that support Unix Domain Sockets will bind to the socket at the given path.
</p>
<p>For users of Java 16 and higher, support is provided within the NIO
connectors.
</p>
<p>The socket path is created with read and write permissions for all
users. To protect this socket, place it in a directory with suitable
permissions appropriately configured to restrict access as required.
Alternatively, on platforms that support posix permissions, the
permissions on the socket can be set directly with the
<code>unixDomainSocketPathPermissions</code> option.
</p>
<p>Tomcat will automatically remove the socket on server shutdown. If the
socket already exists startup will fail. Care must be taken by the
administrator to remove the socket after verifying that the socket isn't
already being used by an existing Tomcat process.</p>
<p>The Unix Domain Socket can be accessed using the
<code>--unix-socket</code> option of the <code>curl</code> command line
client, and the Unix Domain Socket support in Apache HTTP server's
<code>mod_proxy</code> module.
</p>
</subsection>
<subsection name="SSL Support">
<p>You can enable SSL support for a particular instance of this
<strong>Connector</strong> by setting the <code>SSLEnabled</code> attribute to
<code>true</code>.</p>
<p>You will also need to set the <code>scheme</code> and <code>secure</code>
attributes to the values <code>https</code> and <code>true</code>
respectively, to pass correct information to the servlets.</p>
<p>The NIO connector use either the JSSE Java SSL implementation or
an OpenSSL implementation. As far as possible, common configuration attributes
are used for both JSSE and OpenSSL.</p>
<p>Each secure connector must define at least one
<strong>SSLHostConfig</strong>. The names of the
<strong>SSLHostConfig</strong> elements must be unique and one of them must
match the <code>defaultSSLHostConfigName</code> attribute of the
<strong>Connector</strong>.</p>
<p>Each <strong>SSLHostConfig</strong> must in turn define at least one
<strong>Certificate</strong>. The types of the <strong>Certificate</strong>s
must be unique.</p>
<p>In addition to the standard TLS related request attributes defined in
section 3.10 of the Servlet specification, Tomcat supports a number of
additional TLS related attributes. The full list may be found in the <a
href="http://tomcat.apache.org/tomcat-11.0-doc/api/index.html">SSLSupport
Javadoc</a>.</p>
<p>For more information, see the
<a href="../ssl-howto.html">SSL Configuration How-To</a>.</p>
</subsection>
<subsection name="SSL Support - SSLHostConfig">
<p></p>
<attributes>
<attribute name="certificateRevocationListFile" required="false">
<p>Name of the file that contains the concatenated certificate revocation
lists for the certificate authorities. The format is PEM-encoded. If not
defined, client certificates will not be checked against a certificate
revocation list (unless an OpenSSL based connector is used and
<strong>certificateRevocationListPath</strong> is defined). Relative paths
will be resolved against <code>$CATALINA_BASE</code>. JSSE based
connectors may also specify a URL for this attribute.</p>
</attribute>
<attribute name="certificateRevocationListPath" required="false">
<p>OpenSSL only.</p>
<p>Name of the directory that contains the certificate revocation lists
for the certificate authorities. The format is PEM-encoded. Relative paths
will be resolved against <code>$CATALINA_BASE</code>.</p>
</attribute>
<attribute name="certificateVerification" required="false">
<p>Set to <code>required</code> if you want the SSL stack to require a
valid certificate chain from the client before accepting a connection.
Set to <code>optional</code> if you want the SSL stack to request a client
Certificate, but not fail if one isn't presented. Set to
<code>optionalNoCA</code> if you want client certificates to be optional
and you don't want Tomcat to check them against the list of trusted CAs.
If the TLS provider doesn't support this option (OpenSSL does, JSSE does
not) it is treated as if <code>optional</code> was specified. If
<code>optionalNoCA</code> is configured then OCSP will also be disabled.
<code>none</code> value (which is the default) will not require a
certificate chain unless the client requests a resource protected by a
security constraint that uses <code>CLIENT-CERT</code> authentication.</p>
</attribute>
<attribute name="certificateVerificationDepth" required="false">
<p>The maximum number of intermediate certificates that will be allowed
when validating client certificates. If not specified, the default value
of 10 will be used.</p>
</attribute>
<attribute name="caCertificateFile" required="false">
<p>OpenSSL only.</p>
<p>Name of the file that contains the concatenated certificates for the
trusted certificate authorities. The format is PEM-encoded.</p>
</attribute>
<attribute name="caCertificatePath" required="false">
<p>OpenSSL only.</p>
<p>Name of the directory that contains the certificates for the trusted
certificate authorities. The format is PEM-encoded.</p>
</attribute>
<attribute name="ciphers" required="false">
<p>The ciphers to enable using the OpenSSL syntax. (See the OpenSSL
documentation for the list of ciphers supported and the syntax).
Alternatively, a comma separated list of ciphers using the standard
OpenSSL cipher names or the standard JSSE cipher names may be used.</p>
<p>Different versions of OpenSSL may interpret the same cipher string
differently. For example, the <code>CCM8</code> ciphers were moved from
<code>HIGH</code> to <code>MEDIUM</code> in OpenSSL 3.2. Regardless of
the OpenSSL or JSSE version used, Tomcat converts the provided cipher
value to a list of ciphers in a manner consistent with the latest OpenSSL
development branch. This list of ciphers is then passed to the SSL
implementation.</p>
<p>Only the ciphers that are supported by the SSL implementation will be
used. Any ciphers in the list derived from a non-default cipher string
that are not supported by the SSL implementation will be logged in a
<code>WARNING</code> message when the Connector starts. The warning can be
avoided by providing an explicit list of ciphers that are supported by the
configured SSL implementation.</p>
<p>If not specified, a default (using the OpenSSL notation) of
<code>HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA</code> will be
used.</p>
<p>Note that, by default, the order in which ciphers are defined is
treated as an order of preference. See <code>honorCipherOrder</code>.</p>
</attribute>
<attribute name="disableCompression" required="false">
<p>OpenSSL only.</p>
<p>Configures if compression is disabled. The default is
<code>true</code>. If the OpenSSL version used does not support disabling
compression then the default for that OpenSSL version will be used.</p>
</attribute>
<attribute name="disableSessionTickets" required="false">
<p>OpenSSL only.</p>
<p>Disables use of TLS session tickets (RFC 5077) if set to
<code>true</code>. Default is <code>false</code>. Note that when TLS
session tickets are in use, the full peer certificate chain will only be
available on the first connection. Subsequent connections (that use a
ticket to estrablish the TLS session) will only have the peer certificate,
not the full chain.</p>
</attribute>
<attribute name="groups" required="false">
<p>JSSE only.</p>
<p>Allows only allowing certain named groups. The value should be a case
sensitive comma separated list of the names of the groups.</p>
<p>. If not specified, the default named groups of the provider will be
used, and any named groups specified by the client will be passed to it.
</p>
</attribute>
<attribute name="honorCipherOrder" required="false">
<p>Set to <code>true</code> to enforce the server's cipher order
(from the <code>ciphers</code> setting) instead of allowing
the client to choose the cipher. The default is <code>false</code>.</p>
</attribute>
<attribute name="hostName" required="false">
<p>The name of the SSL Host. This should either be the fully qualified
domain name (e.g. <code>tomcat.apache.org</code>) or a wild card domain
name (e.g. <code>*.apache.org</code>). If not specified, the default value
of <code>_default_</code> will be used. Provided values are always
converted to lower case.</p>
</attribute>
<attribute name="insecureRenegotiation" required="false">
<p>OpenSSL only.</p>
<p>Configures if insecure renegotiation is allowed. The default is
<code>false</code>. If the OpenSSL version used does not support
configuring if insecure renegotiation is allowed then the default for that
OpenSSL version will be used.</p>
</attribute>
<attribute name="keyManagerAlgorithm" required="false">
<p>JSSE only.</p>
<p>The <code>KeyManager</code> algorithm to be used. This defaults to
<code>KeyManagerFactory.getDefaultAlgorithm()</code> which returns
<code>SunX509</code> for Sun JVMs. IBM JVMs return
<code>IbmX509</code>. For other vendors, consult the JVM
documentation for the default value.</p>
</attribute>
<attribute name="protocols" required="false">
<p>The names of the protocols to support when communicating with clients.
This should be a list of any combination of the following:
</p>
<ul><li>SSLv2Hello</li><li>SSLv3</li><li>TLSv1</li><li>TLSv1.1</li>
<li>TLSv1.2</li><li>TLSv1.3</li><li>all</li></ul>
<p>Each token in the list can be prefixed with a plus sign ("+")
or a minus sign ("-"). A plus sign adds the protocol, a minus sign
removes it form the current list. The list is built starting from
an empty list.</p>
<p>The token <code>all</code> is an alias for
<code>SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2,TLSv1.3</code>.</p>
<p>Note that <code>TLSv1.3</code> is only supported for JSSE when using a
JVM that implements <code>TLSv1.3</code>.</p>
<p>Note that <code>SSLv2Hello</code> will be ignored for OpenSSL based
secure connectors. If more than one protocol is specified for an OpenSSL
based secure connector it will always support <code>SSLv2Hello</code>. If a
single protocol is specified it will not support
<code>SSLv2Hello</code>.</p>
<p>Note that <code>SSLv2</code> and <code>SSLv3</code> are inherently
unsafe.</p>
<p>If not specified, the default value of <code>all</code> will be
used.</p>
</attribute>
<attribute name="revocationEnabled" required="false">
<p>JSSE only.</p>
<p>Should the JSSE provider enable certificate revocation checks? If
<strong>certificateRevocationListFile</strong> is set then this attribute
is ignored and revocation checks are always enabled. This attribute is
intended to enable revocation checks that have been configured for the
current JSSE provider via other means. If not specified, a default of
<code>false</code> is used.</p>
</attribute>
<attribute name="sessionCacheSize" required="false">
<p>The number of SSL sessions to maintain in the session cache. Specify
<code>-1</code> to use the implementation default. Values of zero and
above are passed to the implementation. Zero is used to specify an
unlimited cache size and is not recommended. If not specified, a default
of <code>-1</code> is used.</p>
</attribute>
<attribute name="sessionTimeout" required="false">
<p>The time, in seconds, after the creation of an SSL session that it will
timeout. Specify <code>-1</code> to use the implementation default. Values
of zero and above are passed to the implementation. Zero is used to
specify an unlimited timeout and is not recommended. If not specified, a
default of 86400 (24 hours) is used.</p>
</attribute>
<attribute name="sslProtocol" required="false">
<p>JSSE only.</p>
<p>The SSL protocol(s) to use (a single value may enable multiple
protocols - see the JVM documentation for details). If not specified, the
default is <code>TLS</code>. The permitted values may be obtained from the
JVM documentation for the allowed values for algorithm when creating an
<code>SSLContext</code> instance e.g.
<a href="https://docs.oracle.com/en/java/javase/11/docs/specs/security/standard-names.html#sslcontext-algorithms">
Oracle Java 11</a>. Note: There is overlap between this attribute and
<code>protocols</code>.</p>
</attribute>
<attribute name="trustManagerClassName" required="false">
<p>JSSE only.</p>
<p>The name of a custom trust manager class to use to validate client
certificates. The class must have a zero argument constructor and must
also implement <code>javax.net.ssl.X509TrustManager</code>. If this
attribute is set, the trust store attributes may be ignored.</p>
</attribute>
<attribute name="truststoreAlgorithm" required="false">
<p>JSSE only.</p>
<p>The algorithm to use for truststore. If not specified, the default
value returned by
<code>javax.net.ssl.TrustManagerFactory.getDefaultAlgorithm()</code> is
used.</p>
</attribute>
<attribute name="truststoreFile" required="false">
<p>JSSE only.</p>
<p>The trust store file to use to validate client certificates. The
default is the value of the <code>javax.net.ssl.trustStore</code> system
property. If neither this attribute nor the default system property is
set, no trust store will be configured. Relative paths
will be resolved against <code>$CATALINA_BASE</code>. A URL may also be
used for this attribute.</p>
</attribute>
<attribute name="truststorePassword" required="false">
<p>JSSE only.</p>
<p>The password to access the trust store. The default is the value of the
<code>javax.net.ssl.trustStorePassword</code> system property. If that
property is null, no trust store password will be configured. If an
invalid trust store password is specified, a warning will be logged and an
attempt will be made to access the trust store without a password which
will skip validation of the trust store contents.</p>
</attribute>
<attribute name="truststoreProvider" required="false">
<p>JSSE only.</p>
<p>The name of the truststore provider to be used for the server
certificate. The default is the value of the
<code>javax.net.ssl.trustStoreProvider</code> system property. If
that property is null and a single certificate has been configured for
this TLS virtual host then default will be the value of
<code>keystoreProvider</code> of the single certificate. If none of these
identify a default, the list of registered providers is traversed in
preference order and the first provider that supports the
<code>truststoreType</code> is used.
</p>
</attribute>
<attribute name="truststoreType" required="false">
<p>JSSE only.</p>
<p>The type of key store used for the trust store. The default is the
value of the <code>javax.net.ssl.trustStoreType</code> system property. If
that property is null, a single certificate has been configured for this
TLS virtual host and that certificate has a <code>keystoreType</code> that
is not <code>PKCS12</code> then the default will be the
<code>keystoreType</code> of the single certificate. If none of these
identify a default, the default will be <code>JKS</code>. See the notes on
<a href="#Key_store_types">key store types</a> below.</p>
</attribute>
</attributes>
</subsection>
<subsection name="SSL Support - Certificate">
<p></p>
<attributes>
<attribute name="certificateFile" required="false">
<p>Name of the file that contains the server certificate. The format is
PEM-encoded. Relative paths will be resolved against
<code>$CATALINA_BASE</code>.</p>
<p>In addition to the certificate, the file can also contain as optional
elements DH parameters and/or an EC curve name for ephemeral keys, as
generated by <code>openssl dhparam</code> and <code>openssl ecparam</code>,
respectively. The output of the respective OpenSSL command can simply
be concatenated to the certificate file.</p>
<p>This attribute is required unless
<strong>certificateKeystoreFile</strong> is specified.</p>
</attribute>
<attribute name="certificateChainFile" required="false">
<p>Name of the file that contains the certificate chain associated with
the server certificate used. The format is
PEM-encoded. Relative paths will be resolved against
<code>$CATALINA_BASE</code>.</p>
<p>The certificate chain used for Tomcat should not include the server
certificate as its first element.</p>
<p>Note that when using more than one certificate for different types,
they all must use the same certificate chain.</p>
</attribute>
<attribute name="certificateKeyAlias" required="false">
<p>JSSE only.</p>
<p>The alias used for the server key and certificate in the keystore. If
not specified, the first key read from the keystore will be used. The
order in which keys are read from the keystore is implementation
dependent. It may not be the case that keys are read from the keystore in
the same order as they were added. If more than one key is present in the
keystore it is strongly recommended that a keyAlias is configured to
ensure that the correct key is used.</p>
</attribute>
<attribute name="certificateKeyFile" required="false">
<p>Name of the file that contains the server private key. The format is
PEM-encoded. The default value is the value of
<strong>certificateFile</strong> and in this case both certificate and
private key have to be in this file (NOT RECOMMENDED). Relative paths will
be resolved against <code>$CATALINA_BASE</code>.</p>
</attribute>
<attribute name="certificateKeyPassword" required="false">
<p>The password used to access the private key associated with the server
certificate from the specified file.</p>
<p>If not specified, the default behaviour for JSSE is to use the
<strong>certificateKeystorePassword</strong>. For OpenSSL the default
behaviour is not to use a password, but OpenSSL will prompt for one,
if required.</p>
</attribute>
<attribute name="certificateKeyPasswordFile" required="false">
<p>The password file used to access the private key associated with the server
certificate from the specified file. This attribute takes precedence over
<strong>certificateKeyPassword</strong>.</p>
<p>If not specified, the default behaviour for JSSE is to use the
<strong>certificateKeystorePasswordFile</strong>. For OpenSSL the default
behaviour is not to use a password (file), but OpenSSL will prompt for one,
if required.</p>
</attribute>
<attribute name="certificateKeystoreFile" required="false">
<p>JSSE only.</p>
<p>The pathname of the keystore file where you have stored the server
certificate and key to be loaded. By default, the pathname is the file
<code>.keystore</code> in the operating system home directory of the user
that is running Tomcat. If your <code>keystoreType</code> doesn't need a
file use <code>""</code> (empty string) or <code>NONE</code> for this
parameter. Relative paths will be resolved against
<code>$CATALINA_BASE</code>. A URI may also be used for this attribute.
When using a domain keystore (<code>keystoreType</code> of
<code>DKS</code>), this parameter should be the URI to the domain
keystore.</p>
<p>This attribute is required unless
<strong>certificateFile</strong> is specified.</p>
</attribute>
<attribute name="certificateKeystorePassword" required="false">
<p>JSSE only.</p>
<p>The password to use to access the keystore containing the server&apos;s
private key and certificate.</p>
</attribute>
<attribute name="certificateKeystorePasswordFile" required="false">
<p>JSSE only.</p>
<p>The password file to use to access the keystore containing the server&apos;s
private key and certificate. This attribute takes precedence over
<strong>certificateKeystorePassword</strong>.</p>
</attribute>
<attribute name="certificateKeystoreProvider" required="false">
<p>JSSE only.</p>
<p>The name of the keystore provider to be used for the server
certificate. If not specified, the value of the system property
<code>javax.net.ssl.keyStoreProvider</code> is used. If neither this
attribute nor the system property are set, the list of registered
providers is traversed in preference order and the first provider that
supports the <code>keystoreType</code> is used.
</p>
</attribute>
<attribute name="certificateKeystoreType" required="false">
<p>JSSE only.</p>
<p>The type of keystore file to be used for the server certificate.
If not specified, the value of the system property
<code>javax.net.ssl.keyStoreType</code> is used. If neither this attribute
nor the system property are set, a default value of "<code>JKS</code>". is
used. See the notes on <a href="#Key_store_types">key store types</a>
below.</p>
</attribute>
<attribute name="type" required="false">
<p>The type of certificate. This is used to identify the ciphers that are
compatible with the certificate. It must be one of <code>UNDEFINED</code>,
<code>RSA</code>, <code>DSA</code>, <code>EC</code> or <code>MLDSA</code>.
If only one
<strong>Certificate</strong> is nested within a <code>SSLHostConfig</code>
then this attribute is not required and will default to
<code>UNDEFINED</code>. If multiple <strong>Certificate</strong>s are
nested within a <code>SSLHostConfig</code> then this attribute is required
and each <strong>Certificate</strong> must have a unique type.</p>
</attribute>
</attributes>
</subsection>
<subsection name="SSL Support - Connector - NIO">
<p>When APR/native is enabled, the connectors will default to using
OpenSSL through JSSE, which may be more optimized than the JSSE Java
implementation depending on the processor being used,
and can be complemented with many commercial accelerator components.</p>
<p>When OpenSSL FFM support is enabled, the connectors will default to using
OpenSSL through JSSE, which is equivalent but uses the Java FFM API from
Java 22 to access OpenSSL.</p>
<p>The following NIO SSL configuration attributes are not specific to
a virtual host and, therefore, must be configured on the connector.</p>
<attributes>
<attribute name="sniParseLimit" required="false">
<p>In order to implement SNI support, Tomcat has to parse the first TLS
message received on a new TLS connection (the client hello) to extract the
requested server name. The message needs to be buffered so it can then be
passed to the JSSE implementation for normal TLS processing. In theory,
this first message could be very large although in practice it is
typically a few hundred bytes. This attribute sets the maximum message
size that Tomcat will buffer. If a message exceeds this size, the
connection will be configured as if no server name was indicated by the
client. If not specified a default of <code>65536</code> (64k) will be
used.</p>
</attribute>
<attribute name="sslImplementationName" required="false">
<p>The class name of the SSL implementation to use. If not specified and
the tomcat-native library is not installed, the
default of <code>org.apache.tomcat.util.net.jsse.JSSEImplementation</code>
will be used which wraps JVM&apos;s default JSSE provider. Note that the
JVM can be configured to use a different JSSE provider as the default.
Tomcat also bundles a special SSL implementation for JSSE that is backed
by OpenSSL. To enable it, the native library should be enabled and Tomcat
will automatically enable it and the default value of this attribute
becomes
<code>org.apache.tomcat.util.net.openssl.OpenSSLImplementation</code>.
The FFM API from Java 22 may also be used to enable OpenSSL support, in
which case the default value of the attribute becomes
<code>org.apache.tomcat.util.net.openssl.panama.OpenSSLImplementation</code>.
In that case, the attributes from either JSSE and OpenSSL
configuration styles can be used, as long as the two types are not mixed
(for example, it is not allowed to define use of a Java keystore and
specify a separate pem private key using the OpenSSL attribute).</p>
</attribute>
</attributes>
</subsection>
<subsection name="SSL Support - OpenSSL's SSL_CONF API">
<p>When OpenSSL is providing the TLS implementation, one or more
<strong>OpenSSLConfCmd</strong> elements may be nested inside a
<strong>OpenSSLConf</strong> element to configure OpenSSL via OpenSSL's
<code>SSL_CONF</code> API. A single <strong>OpenSSLConf</strong> element may
be nested in a <strong>SSLHostConfig</strong> element.</p>
<p>The set of configuration file commands available depends on the OpenSSL
version being used. For a list of supported command names and values, see the
section Supported configuration file commands in the <a
href="https://www.openssl.org/docs/manmaster/man3/SSL_CONF_cmd.html#SUPPORTED-CONFIGURATION-FILE-COMMANDS"
>SSL_CONF_cmd(3)</a> manual page for OpenSSL. Some of the configuration file
commands can be used as alternatives to <strong>SSLHostConfig</strong>
attributes. It is recommended that configuration file commands are only used
where the feature cannot be configured using <strong>SSLHostConfig</strong>
attributes.</p>
<p>The <strong>OpenSSLConf</strong> element does not support any
attributes.</p>
<p>The <strong>OpenSSLConfCmd</strong> element supports the following
attributes.</p>
<attributes>
<attribute name="name" required="true">
<p>The name of the configuration file command.</p>
</attribute>
<attribute name="value" required="false">
<p>The value to use for the configuration file command.</p>
</attribute>
</attributes>
</subsection>
<subsection name="Key store types">
<p>In addition to the standard key store types (JKS and PKCS12), most Java
runtimes support additional key store types such as Windows-ROOT,
Windows-My, DKS as well as hardware security modules. Generally, to use
these additional keystore types with a TLS Connector in Tomcat:</p>
<ul>
<li>Set the certificateKeystoreType and/or truststoreType Connector
attribute (as appropriate) to the necessary type</li>
<li>If a configuration file is required, set the certificateKeystoreFile
and/or truststoreFile Connector attribute (as appropriate) to point to
the file</li>
<li>If no configuration file is required then you will almost certainly
need to explicitly set the certificateKeystoreFile and/or
truststoreFile Connector attribute (as appropriate) to the empty
string ("")</li>
<li>If a password is required, set the certificateKeystorePassword and/or
truststorePassword Connector attribute (as appropriate) to the
required password</li>
<li>If no password is required then you will almost certainly need to
explicitly set the certificateKeystorePassword and/or
truststorePassword Connector attribute (as appropriate) to the empty
string ("")</li>
</ul>
<p>Variations in key store implementations, combined with the key store
manipulation Tomcat does in the background to allow interoperability between
JSSE and OpenSSL configuration styles, means that some keystores may need
slightly different configuration. Assistance is always available from the
<a href="http://tomcat.apache.org/lists.html#tomcat-users">Apache Tomcat
users mailing list</a>. We aim to document any key stores that vary from the
above advice here. Currently there are none we are aware of.</p>
</subsection>
</section>
</body>
</document>