
Comparing Three Apache+Tomcat Integration Methods

There are three main ways to integrate Apache HTTPD with Tomcat: mod_jk, mod_proxy_ajp, and mod_proxy_http. Understanding how each works and its trade-offs is essential for choosing the right approach.


Integration Overview

[Client]
↓ HTTP/HTTPS
[Apache HTTPD :80/:443]
↓ (varies by integration method)
├── mod_jk → AJP :8009 → [Tomcat]
├── mod_proxy_ajp → AJP :8009 → [Tomcat]
└── mod_proxy_http → HTTP :8080 → [Tomcat]

Comparison of All Three Methods

| Item | mod_jk | mod_proxy_ajp | mod_proxy_http |
|---|---|---|---|
| Protocol | AJP (binary) | AJP (binary) | HTTP/1.1 (text) |
| Module origin | Separate project (tomcat-connectors) | Apache built-in | Apache built-in |
| Setup complexity | High (requires compilation) | Low (included by default) | Low (included by default) |
| Config files | Separate workers.properties | httpd.conf/VirtualHost | httpd.conf/VirtualHost |
| Load balancing | Built-in (lbmethod) | Apache built-in balancer | Apache built-in balancer |
| Sticky sessions | jvmRoute-based | Supported | Supported |
| Security concern | Ghostcat CVE-2020-1938 | Ghostcat CVE-2020-1938 | None |
| Current status | Legacy (abandoned) | Maintained | Modern standard |
Recommended for new use⚠️ Legacy only

mod_jk — Legacy Method

mod_jk is a separate module maintained by the Apache Tomcat Connectors project that communicates with Tomcat via the AJP protocol. It was widely used in the early 2000s, but migration to mod_proxy_http is now recommended.

Architecture:

Apache (mod_jk.so loaded)
↓ AJP binary protocol
Tomcat :8009 (AJP connector)

When to use:

  • Maintaining existing mod_jk-based systems
  • Complex load balancing configurations built around workers.properties

mod_proxy_ajp — The Middle Ground

mod_proxy_ajp applies Apache's built-in proxy module to the AJP protocol. Configuration is simpler than mod_jk, but it still uses AJP, so Ghostcat vulnerability mitigation is required.

Architecture:

Apache (mod_proxy + mod_proxy_ajp)
↓ AJP binary
Tomcat :8009 (secretRequired=true required)

When to use:

  • Legacy environments in the process of migrating from mod_jk to mod_proxy
  • Systems where AJP is already enabled

mod_proxy_http — Modern Standard

mod_proxy_http communicates with Tomcat using standard HTTP/1.1. Configuration is simple, AJP is not involved so the Ghostcat vulnerability does not apply (provided the AJP connector is disabled in Tomcat), and SSL termination and header management are straightforward.

Architecture:

Apache (mod_proxy + mod_proxy_http)
↓ HTTP/1.1 text
Tomcat :8080 (HTTP connector, address=127.0.0.1)

When to use:

  • New projects (always choose this)
  • Migrating legacy systems from mod_jk to HTTP proxy

Port Configuration

External firewall:
Allow: 80 (HTTP), 443 (HTTPS)
Block: 8080 (Tomcat HTTP), 8009 (Tomcat AJP)

Internal server:
Apache :80/:443 → Tomcat :8080 (mod_proxy_http)
Apache :80/:443 → Tomcat :8009 (mod_jk / mod_proxy_ajp)

Restricting Tomcat Listen Address (server.xml)

<!-- HTTP connector: listen locally only -->
<Connector port="8080" protocol="HTTP/1.1"
           address="127.0.0.1"
           connectionTimeout="20000"/>

<!-- AJP connector (if used): local only, secret required -->
<Connector protocol="AJP/1.3"
           address="127.0.0.1"
           port="8009"
           secretRequired="true"
           secret="ChangeThisSecret!"/>
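
As an added example (not part of the original page and not Tomcat tooling), the Python script below audits a server.xml against the connector rules shown above: every connector bound to loopback, and any AJP connector with secretRequired="true" and a real secret. It assumes explicit attributes are wanted, so an absent address or secretRequired is reported rather than trusted to a version default; the function names and the sample XML are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# The page's sample secret is a placeholder and must not reach production.
PLACEHOLDER_SECRETS = {"", "ChangeThisSecret!"}

def is_loopback(address):
    """True only for an explicitly configured loopback bind address."""
    if not address:
        return False  # absent: reported so the bind is stated explicitly
    if address == "localhost":
        return True
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False  # hostname or garbage: cannot be shown to be loopback

def audit_server_xml(xml_text):
    """Return (port, finding) tuples for every <Connector> in server.xml."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        port = conn.get("port", "?")
        # Tomcat treats a missing protocol attribute as HTTP/1.1.
        is_ajp = "ajp" in conn.get("protocol", "HTTP/1.1").lower()
        if not is_loopback(conn.get("address")):
            findings.append((port, "not bound to loopback"))
        if is_ajp:
            if conn.get("secretRequired", "").lower() != "true":
                findings.append((port, "AJP without secretRequired=true"))
            if conn.get("secret", "") in PLACEHOLDER_SECRETS:
                findings.append((port, "AJP secret missing or placeholder"))
    return findings

# Constructed sample input, not taken from a real deployment.
SAMPLE = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
  <Connector port="8009" protocol="AJP/1.3" address="0.0.0.0"
             secretRequired="false"/>
  <Connector port="8081" protocol="HTTP/1.1" address="127.0.0.1"/>
</Service></Server>"""

if __name__ == "__main__":
    for port, finding in audit_server_xml(SAMPLE):
        print(f"connector :{port}: {finding}")
```

Pass the contents of the real conf/server.xml to audit_server_xml() in place of SAMPLE; an empty list means every connector matches the configuration above.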

Enabling Required Modules

# mod_proxy_http (recommended)
sudo a2enmod proxy
sudo a2enmod proxy_http
sudo a2enmod proxy_balancer
sudo a2enmod lbmethod_byrequests
sudo a2enmod headers
sudo a2enmod rewrite

# mod_proxy_ajp (if using AJP)
sudo a2enmod proxy_ajp

# Validate the configuration, then reload
sudo apache2ctl configtest
sudo systemctl reload apache2

Decision Guide

New project?
→ mod_proxy_http ✅

Currently using mod_jk?
→ Can keep short-term, plan migration to mod_proxy_http long-term

Currently using mod_proxy_ajp?
→ Verify Tomcat secretRequired, then maintain or migrate to mod_proxy_http

Security audit / compliance requirement?
→ Fully disable AJP + use mod_proxy_http

Summary

| Method | Status | Recommendation |
|---|---|---|
| mod_jk | Legacy (abandoned) | Existing system maintenance only |
| mod_proxy_ajp | Maintained | Intermediate step during legacy migration |
| mod_proxy_http | Actively developed | Recommended for both new and migration |