Tomcat: what server.xml connectors are required for a reverse proxy?


I have a working Tomcat app (Alfresco) on port 8080, which I instead need to run on port 443, forwarded from Apache (Apache is already handling lots of other SSL endpoints on this server).

This works, but I don't quite understand why. My setup is:

  1. Apache with mod_jk. The connector handles URLs https://example.com/alfresco and https://example.com/share, which were previously explicitly on port 8080. worker.properties is set up to forward to port 8009.
  2. Tomcat's server.xml contains these connector definitions:
    <!-- Question: what is this for? -->
    <Connector port="8080" protocol="HTTP/1.1"
               URIEncoding="UTF-8" connectionTimeout="20000"
               maxHttpHeaderSize="32768" redirectPort="8443"
               enableLookups="false" xpoweredBy="false" server="AlfrescoECM"
               maxParameterCount="1000"/>

    <!-- Alfresco requires an HTTPS connection to Solr on port 8443 -->
    <Connector port="8443" protocol="HTTP/1.1"
               SSLEnabled="true" maxThreads="150" scheme="https"
               ...
               sslProtocol="TLS" />

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector protocol="AJP/1.3"
               port="8009" redirectPort="8443"
               maxParameterCount="1000" secretRequired="false" />

If I omit the connector for port 8080 this doesn't work:

 INFO  [webscripts.connector.RemoteClient] [ajp-nio-127.0.0.1-8009-exec-3] Exception calling (GET) http://localhost:8080/alfresco/s/api/admin/restrictions?guest=true
org.apache.http.conn.HttpHostConnectException: Connect to localhost:8080 [localhost/127.0.0.1] failed: Connection refused
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:156) ~[httpclient-4.5.13.jar:4.5.13]
...
Caused by: java.net.ConnectException: Connection refused

Question: why do I still need a connector for port 8080? Shouldn't this all be handled by AJP?

EDIT

I've just done some more debugging on this, by running netstat/lsof/fuser to find out exactly what's going on on port 8080. Tomcat/Alfresco is listening on 8080, but lsof marks it as CLOSE_WAIT, so it's unused, and Alfresco should have closed it, but it hasn't.

I normally have Keycloak/Quarkus running, and I had to turn it off to run the test above. If I run with Keycloak, it actually talks to Apache on 8080, so 8080 is used, but not by Alfresco. In fact, Alfresco runs normally when Keycloak is running, despite the fact that Alfresco still thinks it's using 8080.

So, unless I've missed something, the obvious conclusion is that server.xml doesn't require an entry for 8080, and Alfresco is (slightly) broken.


In your case the ajp connector on tomcats port 8009 is only used for end user requests coming from apache acting as a reverse proxy. If you need to handle end user requests on 443 you should define that on apache side only. In case of Alfresco your connectors on ports 8080/8443 are used for inter component requests (ShareUI > Repository, Solr tracker > repository). Don't modify these connectors / keystores if you do not know what you're doing. The other way around: you may config the connectors for 8080/8443 to listen on localhost only to force any end user request thru Apache.