Nginx + AJP Integration (ngx_http_ajp_module)
Nginx has no built-in AJP support: the ajp_pass directive comes from the third-party nginx_ajp_module, which has to be compiled into the binary (OpenResty's packages do not bundle it either, so the OpenResty route still means a source build). HTTP proxying with proxy_pass is the recommended path for modern environments; Nginx + AJP is for maintaining legacy deployments or special situations.
When AJP Integration is Needed
| Situation | Recommended Approach |
|---|---|
| New projects | HTTP proxy (proxy_pass http://) ← Recommended |
| Replacing legacy Apache+AJP with Nginx | Nginx + AJP (short-term transition) |
| Squeezing the last bit of throughput out of a binary protocol | Nginx + AJP (measure first; the gain over HTTP is marginal) |
| Keeping Apache HTTPD | Apache + AJP (covered in Ch6) |
Practical perspective: the operational cost of Nginx + AJP (a third-party module that must be rebuilt into every Nginx upgrade, plus the AJP secret handshake) far outweighs its marginal performance benefit over HTTP proxying. Use proxy_pass http:// for new systems.
Installing ngx_http_ajp_module
Method 1: Recompile Nginx with Module
NGINX_VER=1.26.0
cd /tmp
wget https://nginx.org/download/nginx-${NGINX_VER}.tar.gz
tar -xzf nginx-${NGINX_VER}.tar.gz
git clone https://github.com/yaoweibin/nginx_ajp_module.git
cd nginx-${NGINX_VER}
# Check current compile options and reuse the whole "configure arguments:" line
# below; if you drop --prefix, --conf-path, --user and the other flags, "make
# install" lands in /usr/local/nginx with different paths than the binary you
# are replacing
nginx -V 2>&1 | grep configure
# Add the AJP module to the existing options (the three --with flags below stand
# in for that full list)
./configure \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_realip_module \
--add-module=/tmp/nginx_ajp_module
make
# Installs over the running binary; keep a copy of the old one for rollback
sudo make install
Method 2: Use OpenResty
OpenResty's binary packages give you a maintained Nginx build with a curated module set, but that set does not include nginx_ajp_module: installing the package alone does not provide ajp_pass. This route only helps if you build OpenResty from its source bundle and pass the same --add-module=/tmp/nginx_ajp_module flag as in Method 1; the package install below is the starting point for that.
# Ubuntu (signing key stored in a dedicated keyring instead of the deprecated apt-key store)
wget -qO - https://openresty.org/package/pubkey.gpg \
| sudo gpg --dearmor -o /usr/share/keyrings/openresty.gpg
echo "deb [signed-by=/usr/share/keyrings/openresty.gpg] http://openresty.org/package/ubuntu $(lsb_release -sc) main" \
| sudo tee /etc/apt/sources.list.d/openresty.list
sudo apt update
sudo apt install openresty
Enable Tomcat AJP Connector
Tomcat 9.0.31 and later already default the AJP connector to address="127.0.0.1" and secretRequired="true"; writing the attributes out explicitly, as below, makes the hardened state visible in the file instead of relying on version-dependent defaults. Nginx must send the same secret in every AJP request: once secretRequired="true" is set, Tomcat answers any request without a matching secret with 403 Forbidden, so confirm that the nginx_ajp_module build you compiled actually supports configuring the secret before cutting traffic over.
<!-- server.xml -->
<Connector protocol="AJP/1.3"
address="127.0.0.1"
port="8009"
redirectPort="8443"
secretRequired="true"
secret="NginxAjpSecret2024!"
maxThreads="200"
connectionTimeout="20000"/>
Nginx AJP Configuration
upstream tomcat_ajp {
server 127.0.0.1:8009;
keepalive 32;
}
server {
listen 443 ssl;
server_name example.com;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
location / {
ajp_pass tomcat_ajp;
ajp_set_header Host $host;
ajp_set_header X-Real-IP $remote_addr;
ajp_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
ajp_set_header X-Forwarded-Proto $scheme;
ajp_connect_timeout 10s;
ajp_send_timeout 60s;
ajp_read_timeout 60s;
ajp_buffer_size 16k;
ajp_buffers 4 64k;
}
}
Migrating from AJP to HTTP Proxy
# Old AJP approach
location / {
ajp_pass 127.0.0.1:8009;
ajp_set_header Host $host;
}
# Recommended HTTP proxy replacement
location / {
proxy_pass http://127.0.0.1:8080;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Connection "";
}
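One thing the HTTP replacement above does not do on its own: the AJP protocol has dedicated fields in its forward-request packet for the client address and the is-SSL flag, whereas over plain HTTP that information only arrives in the X-Forwarded-* headers set above, and Tomcat ignores those headers unless RemoteIpValve is configured. A migration that stops at the Nginx side therefore silently changes what request.getRemoteAddr() and request.isSecure() return, which breaks IP-based access rules, redirect URLs and secure-cookie decisions. The valve configuration below is an added example, not from the original page; it assumes Nginx is the only proxy in front of Tomcat and runs on the same host (the internalProxies value), so the headers are trusted only from 127.0.0.1.

```xml
<!-- server.xml, inside the <Host> (or <Engine>) element -->
<!-- Assumption: Nginx is the sole proxy and connects from 127.0.0.1 -->
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       internalProxies="127\.0\.0\.1"
       remoteIpHeader="X-Forwarded-For"
       protocolHeader="X-Forwarded-Proto"
       protocolHeaderHttpsValue="https"
       httpsServerPort="443" />
```

If Nginx ever moves to another host or a load balancer is added in front of it, widen internalProxies to exactly those addresses; leaving it as a broad regex lets any client spoof its own address by sending X-Forwarded-For.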
AJP Security Checklist
# 1. Block AJP port in firewall (defense in depth: with the connector bound to
# 127.0.0.1 only loopback traffic reaches it, and ufw does not filter lo, so
# Nginx on the same host is unaffected)
sudo ufw deny 8009
# 2. Verify Tomcat AJP listen address is localhost
grep -i "ajp" /opt/tomcat/latest/conf/server.xml
# 3. Verify secretRequired is true
# address="127.0.0.1" and secretRequired="true" must both appear on the live
# <Connector protocol="AJP/1.3"> element; grep also prints commented-out
# connectors, so read each match in context, and note that a connector with no
# address attribute listens on all interfaces before Tomcat 9.0.31
# 4. Verify Ghostcat (CVE-2020-1938) patch version
/opt/tomcat/latest/bin/version.sh | grep "Server version"
# Must be Apache Tomcat/9.0.31 or later (8.5.51 or 7.0.100 on those branches)
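The checklist items 2 to 4 as a script, added here as an example and not part of the original page or of the Tomcat or Nginx projects. It assumes a POSIX shell with awk, grep and sed; the two server.xml files it writes are constructed samples and the version strings are passed in as text rather than read from version.sh, so it runs without a Tomcat install. Unlike the bare grep above it strips XML comments before looking for the connector, so a commented-out wide-open connector is not mistaken for the live one, and it treats a missing address or secretRequired attribute as a failure because the defaults depend on the Tomcat version.

```shell
#!/bin/sh
# Added audit helper (not from the original page). Assumptions: POSIX sh with
# awk, grep and sed; the server.xml samples below are constructed test data.

# Print a server.xml with XML comments removed and joined onto one line, so a
# commented-out <Connector ... address="0.0.0.0"> is ignored and multi-line
# elements become greppable.
strip_comments() {
  awk '{ buf = buf $0 " " }
       END {
         while ((s = index(buf, "<!--")) > 0) {
           rest = substr(buf, s)
           e = index(rest, "-->")
           if (e == 0) break          # unterminated comment: stop stripping
           buf = substr(buf, 1, s - 1) substr(rest, e + 3)
         }
         print buf
       }' "$1"
}

# Print the first live AJP <Connector .../> element of a server.xml, or nothing.
ajp_connector() {
  strip_comments "$1" | grep -o '<Connector[^>]*>' |
    grep -E 'protocol="(AJP/1\.3|org\.apache\.coyote\.ajp\.[A-Za-z0-9]+)"' | head -n 1
}

# attr ELEMENT NAME: print the value of attribute NAME, or nothing if absent.
attr() {
  printf '%s\n' "$1" | grep -oE "[[:space:]]$2=\"[^\"]*\"" | head -n 1 |
    sed 's/^[^=]*="//; s/"$//'
}

# Checklist items 2 and 3. Absent attributes count as failures: only Tomcat
# 9.0.31+ defaults to a loopback address and secretRequired="true".
check_ajp() {
  conn=$(ajp_connector "$1")
  if [ -z "$conn" ]; then
    echo "no active AJP connector in $1 (nothing to harden)"
    return 0
  fi
  rc=0
  case "$(attr "$conn" address)" in
    127.0.0.1|localhost|::1) ;;
    *) echo "FAIL: AJP connector is not bound to a loopback address"; rc=1 ;;
  esac
  [ "$(attr "$conn" secretRequired)" = "true" ] || { echo "FAIL: secretRequired is not \"true\""; rc=1; }
  [ -n "$(attr "$conn" secret)" ] || { echo "FAIL: no AJP secret configured"; rc=1; }
  return $rc
}

# Checklist item 4: is the "Server version:" line from version.sh at or past the
# Ghostcat (CVE-2020-1938) fix release of its branch (7.0.100, 8.5.51, 9.0.31)?
tomcat_patched() {
  v=$(printf '%s\n' "$1" | sed -n 's/.*Apache Tomcat\/\([0-9][0-9.]*\).*/\1/p')
  case "$v" in *.*.*) ;; *) return 2 ;; esac   # need major.minor.patch
  maj=${v%%.*}; rest=${v#*.}; min=${rest%%.*}; pat=${rest#*.}; pat=${pat%%.*}
  case "$maj" in
    9) [ "$pat" -ge 31 ] ;;
    8) [ "$min" -eq 5 ] && [ "$pat" -ge 51 ] ;;   # 8.0.x never received the fix
    7) [ "$pat" -ge 100 ] ;;
    *) [ "$maj" -ge 10 ] ;;                        # 10.x and later ship fixed
  esac
}

# Constructed sample: a hardened connector plus a commented-out wide-open one.
SAMPLE_GOOD=$(mktemp)
cat > "$SAMPLE_GOOD" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- <Connector protocol="AJP/1.3" address="0.0.0.0" port="8009"/> -->
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector protocol="AJP/1.3"
               address="127.0.0.1"
               port="8009"
               redirectPort="8443"
               secretRequired="true"
               secret="NginxAjpSecret2024!"
               maxThreads="200"
               connectionTimeout="20000"/>
  </Service>
</Server>
EOF

# Constructed sample: a pre-9.0.31-style connector with no address and no secret.
SAMPLE_BAD=$(mktemp)
cat > "$SAMPLE_BAD" <<'EOF'
<Server><Service>
  <Connector protocol="AJP/1.3" port="8009" redirectPort="8443"/>
</Service></Server>
EOF
trap 'rm -f "$SAMPLE_GOOD" "$SAMPLE_BAD"' EXIT

check_ajp "$SAMPLE_GOOD" && echo "hardened sample: OK"
check_ajp "$SAMPLE_BAD" || echo "legacy sample: flagged"
tomcat_patched "Server version: Apache Tomcat/9.0.31" && echo "9.0.31: Ghostcat fix present"
```

To audit a real host, source the functions and run check_ajp /opt/tomcat/latest/conf/server.xml together with tomcat_patched "$(/opt/tomcat/latest/bin/version.sh | grep 'Server version')"; a non-zero exit from either is a finding. The address check accepts only 127.0.0.1, localhost and ::1, so a connector bound to an internal interface address is reported even though it may be intended.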
Summary
| Item | Setting |
|---|---|
| Module | ngx_http_ajp_module (third-party, requires compilation) |
| Tomcat | AJP connector + secretRequired="true" + address="127.0.0.1" |
| Proxy directive | ajp_pass (HTTP: proxy_pass) |
| Security | Block AJP port (8009) in firewall |
| Recommendation | Use HTTP proxy for new systems |