Nginx + Tomcat Integration Architecture Design
Combining Nginx and Tomcat maximizes the strengths of each. Nginx handles static file serving and SSL termination while Tomcat focuses on Java business logic processing. This chapter covers the integration architecture patterns and port configurations used in production.
Why Combine Nginx + Tomcat?
| Limitation Alone | Solved with Nginx + Tomcat |
|---|---|
| Tomcat alone: slow static files, cumbersome SSL management | Nginx handles static files + SSL |
| Nginx alone: can't run Java apps | Tomcat handles Servlets/JSP/Spring |
| Tomcat alone: weak under massive concurrent connections | Nginx receives connections and distributes to Tomcat |
Basic Integration Architecture
Simple Reverse Proxy Pattern
[Client]
↓ HTTPS :443 / HTTP :80
[Nginx] ← SSL termination, static files, compression, access control
↓ HTTP :8080 (internal network)
[Tomcat] ← Java Servlets, JSP, Spring MVC, REST API
↓
[DB / Internal Services]
Flow description:
- Client → Nginx:443 (HTTPS)
- Nginx: decrypts SSL; responds directly to static file requests
- Nginx: proxies dynamic requests to Tomcat:8080
- Tomcat: processes business logic and returns response
- Nginx: adds cache/security headers and delivers to client
Static/Dynamic Split Serving Pattern
[Client]
↓
[Nginx :443]
├── /static/*, *.css, *.js, *.png → Nginx direct serving (filesystem)
├── /api/* → Tomcat :8080 (REST API)
└── /* → Tomcat :8080 (Spring MVC)
This pattern avoids wasting Tomcat threads on static files, dramatically improving throughput.
Port Configuration
Standard Port Layout
| Server | Port | Protocol | Description |
|---|---|---|---|
| Nginx | 80 | HTTP | Redirect to HTTPS |
| Nginx | 443 | HTTPS | Main serving port |
| Tomcat | 8080 | HTTP | Nginx → Tomcat internal communication |
| Tomcat | 8009 | AJP | Apache integration (optional) |
| Tomcat | 8005 | TCP | Tomcat shutdown command port |
Firewall rules:
- External allow: 80, 443 (Nginx)
- External block: 8080, 8009, 8005 (internal only)
Security principle: Never expose Tomcat ports (8080) externally. Only Nginx opens external ports; Tomcat accepts connections only from localhost or an internal network.
Restrict Tomcat Listen Address
<!-- server.xml — listen on localhost only -->
<Connector port="8080" protocol="HTTP/1.1"
           address="127.0.0.1"
           connectionTimeout="20000"
           redirectPort="8443"/>
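To confirm that every connector in a server.xml follows the listen-address rule above, the following added example (not part of the original chapter or of Tomcat itself) parses the file and grades each `<Connector>`. The function names, the OK/REVIEW/FAIL labels and the sample XML are assumptions made for illustration; a connector with no `address` attribute is conservatively treated as unrestricted.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not taken from a real deployment).
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" address="127.0.0.1"
               connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8081" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8009" protocol="AJP/1.3" address="10.0.0.5"/>
  </Service>
</Server>
"""

def classify_bind(address):
    """Return 'loopback', 'all-interfaces' or 'specific' for a Connector address."""
    if address is None:
        # Assumption: no explicit address means the bind is not restricted.
        return "all-interfaces"
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:  # a hostname rather than an IP literal
        return "loopback" if address == "localhost" else "specific"
    if ip.is_unspecified:  # 0.0.0.0 or ::
        return "all-interfaces"
    return "loopback" if ip.is_loopback else "specific"

def audit_server_xml(xml_text):
    """Return (port, protocol, bind, verdict) for every <Connector> element."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        port = int(conn.get("port", "0"))
        protocol = conn.get("protocol", "HTTP/1.1")
        bind = classify_bind(conn.get("address"))
        if bind == "all-interfaces":
            verdict = "FAIL"      # reachable on every interface of the host
        elif bind == "specific" or protocol.upper().startswith("AJP"):
            verdict = "REVIEW"    # confirm internal-only interface / AJP is needed
        else:
            verdict = "OK"        # loopback-only HTTP connector
        findings.append((port, protocol, bind, verdict))
    return findings

if __name__ == "__main__":
    for port, protocol, bind, verdict in audit_server_xml(SAMPLE_SERVER_XML):
        print(f"{verdict:6} port {port:<5} {protocol:<9} bind={bind}")
```

A REVIEW result on a specific address means checking that the interface is on the internal network and that the firewall rules listed earlier block the port externally.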
Integration Method Comparison
| Method | Description | Pros | Cons |
|---|---|---|---|
| HTTP proxy | proxy_pass http://tomcat:8080 | Simple config, versatile | HTTP overhead |
| AJP proxy | ngx_http_ajp_module | Binary efficiency | Not in Nginx by default, Ghostcat risk |
| UNIX socket | proxy_pass http://unix:/tmp/tomcat.sock | High-speed IPC | Same server required |
Modern recommendation: HTTP proxy (proxy_pass http://). Simplest configuration and works across all environments.
Multiple Tomcat Instance Configuration
One Nginx load-balancing across multiple Tomcat instances:
[Nginx :443]
↓ upstream round-robin
├── Tomcat-1 :8080
├── Tomcat-2 :8081
└── Tomcat-3 :8082
This pattern is covered in detail in Ch8 (Load Balancing). This chapter focuses on single Tomcat integration.
Actual Server Directory Structure
/var/www/
├── myapp/                ← Static files (served directly by Nginx)
│   ├── index.html
│   ├── static/
│   │   ├── css/
│   │   ├── js/
│   │   └── images/
│   └── uploads/
/opt/tomcat/latest/
├── webapps/
│   └── ROOT/
└── logs/
/etc/nginx/
├── nginx.conf
└── sites-available/
    └── myapp.conf        ← Integration configuration
Configuration File Overview
# /etc/nginx/sites-available/myapp.conf (overview)
upstream tomcat_backend {
    server 127.0.0.1:8080;
}

server {
    listen 443 ssl;
    server_name example.com;

    # Static files — served directly by Nginx
    location /static/ {
        root /var/www/myapp;
        expires 1y;
    }

    # Dynamic requests — proxied to Tomcat
    location / {
        proxy_pass http://tomcat_backend;
        # ... header settings ...
    }
}
Summary
| Item | Recommended Setting |
|---|---|
| External public ports | 80 (redirect to HTTPS), 443 (HTTPS) |
| Tomcat listen address | address="127.0.0.1" (local only) |
| Integration method | HTTP proxy (proxy_pass http://) |
| Static files | Nginx direct serving (filesystem) |
| Dynamic requests | Proxy to Tomcat |