JkWorkersFile specify the location where mod_jk will find the workers definitions. Take a look at Workers documentation for detailed description. JkWorkersFile /etc/httpd/conf/workers.properties

JkLogFile specify the location where mod_jk is going to place its log file.

Since JK 1.2.3 for Apache 2.x and JK 1.2.16 for Apache 1.3 this can also be used for piped logging:

JkLogLevel set the log level between :

• info log will contain standard mod_jk activity (default).
• warn log will contain non fatal error reports.
• error log will contain also error reports.
• debug log will contain all information on mod_jk activity
• trace log will contain all tracing information on mod_jk activity

info should be your default selection for normal operations.

JkLogStampFormat will configure the date/time format found on mod_jk log file. Using the strftime() format string it's set by
default to "[%a %b %d %H:%M:%S %Y]"

JkRequestLogFormat will configure the format of mod_jk individual request logging. Request logging is configured and enabled on a per virtual host basis. To enable request logging for a virtual host just add a JkRequestLogFormat config. The syntax of the format string is similar to the Apache LogFormat command, here is a list of the available request log format options:

Bytes sent, excluding HTTP headers (CLF format) Bytes sent, excluding HTTP headers The request protocol The request method The canonical Port of the server serving the request The query string (prepended with a ? if a query string exists, otherwise an empty string) First line of request Request HTTP status code Request duration, elapsed time to handle request in seconds '.' micro seconds The URL path requested, not including any query string. The canonical ServerName of the server serving the request The server name according to the UseCanonicalName setting Tomcat worker name Real worker name JkRequestLogFormat "%w %V %T"

You can also log mod_jk information using the Apache standard module mod_log_config. The module sets several notes in the Apache httpd notes table. Most of them are are only useful in combination with a load balancer worker.

Name of the worker selected by the URI mapping Type of the worker selected by the URI mapping Actual worker name selected by the URI mapping (usually a member of the load balancer).
Before version 1.2.26 only available if JkRequestLogFormat is set. Request duration in seconds and microseconds.
Before version 1.2.26 only available if JkRequestLogFormat is set. Load-Balancer: Name of the first worker tried Load-Balancer: Type of the first worker tried Load-Balancer: Access count for the first worker tried Load-Balancer: Bytes read for the first worker tried Load-Balancer: Bytes transferred for the first worker tried Load-Balancer: Error count for the first worker tried Load-Balancer: Busy count for the first worker tried Load-Balancer: Activation state for the first worker tried Load-Balancer: Error state for the first worker tried Load-Balancer: Name of the last worker tried Load-Balancer: Type of the last worker tried Load-Balancer: Access count for the last worker tried Load-Balancer: Bytes read for the last worker tried Load-Balancer: Bytes transferred for the last worker tried Load-Balancer: Error count for the last worker tried Load-Balancer: Busy count for the last worker tried Load-Balancer: Activation state for the last worker tried Load-Balancer: Error state for the last worker tried LogFormat "%h %l %u %t \"%r\" %>s %b %{JK_WORKER_NAME}n %{JK_LB_FIRST_NAME}n \ %{JK_LB_FIRST_BUSY}n %{JK_LB_LAST_NAME}n %{JK_LB_LAST_BUSY}n" mod_jk_log CustomLog logs/access_log mod_jk_log

The directive JkOptions allow you to set many forwarding options which will enable (+) or disable (-) following option. Without any leading signs, options will be enabled.

The four following options +ForwardURIxxx are mutually exclusive. Exactly one of them is required, a negative sign prefix is not allowed with them. The default value is "ForwardURIProxy" since version 1.2.24. It was "ForwardURICompatUnparsed" in version 1.2.23 and "ForwardURICompat" until version 1.2.22. You can turn the default off by switching on one of the other two options. You should leave this at it's default value, unless you have a very good reason to change it.

All options are inherited from the global server to virtual hosts. Options that support enabling (plus options) and disabling (minus options), are inherited in the following way:

options(vhost) = plus_options(global) - minus_options(global) + plus_options(vhost) - minus_options(vhost)

Using JkOptions ForwardURIProxy, the forwarded URI will be partially reencoded after processing inside Apache httpd and before forwarding to Tomcat. This will be compatible with local URL manipulation by mod_rewrite and with URL encoded session ids. JkOptions +ForwardURIProxy

Using JkOptions ForwardURICompatUnparsed, the forwarded URI will be unparsed. It's spec compliant and secure. It will always forward the original request URI, so rewriting URIs with mod_rewrite and then forwarding the rewritten URI will not work. JkOptions +ForwardURICompatUnparsed

Using JkOptions ForwardURICompat, the forwarded URI will be decoded by Apache httpd. Encoded characters will be decoded and explicit path components like ".." will already be resolved. This is less spec compliant and is not safe if you are using prefix JkMount. This option will allow to rewrite URIs with mod_rewrite before forwarding. JkOptions +ForwardURICompat

Using JkOptions ForwardURIEscaped, the forwarded URI will be the encoded form of the URI used by ForwardURICompat. Explicit path components like ".." will already be resolved. This will not work in combination with URL encoded session IDs, but it will allow to rewrite URIs with mod_rewrite before forwarding. JkOptions +ForwardURIEscaped

JkOptions RejectUnsafeURI will block all URLs, which contain percent signs '%' or backslashes '\' after decoding.

Most web apps do not use such URLs. Using the option RejectUnsafeURI, you can block several well known URL encoding attacks. By default, this option is not set.

You can also realise such a check with mod_rewrite, which is more powerful but also slightly more complicated. JkOptions +RejectUnsafeURI

JkOptions ForwardDirectories is used in conjunction with DirectoryIndex directive of Apache web server. As such mod_dir should be available to Apache, statically or dynamically (DSO)

When DirectoryIndex is configured, Apache will create sub-requests for each of the local-url's specified in the directive, to determine if there is a local file that matches (this is done by stat-ing the file).

If ForwardDirectories is set to false (default) and Apache doesn't find any files that match, Apache will serve the content of the directory (if directive Options specifies Indexes for that directory) or a 403 Forbidden response (if directive Options doesn't specify Indexes for that directory).

If ForwardDirectories is set to true and Apache doesn't find any files that match, the request will be forwarded to Tomcat for resolution. This is used in cases when Apache cannot see the index files on the file system for various reasons: Tomcat is running on a different machine, the JSP file has been precompiled etc.

Note that locally visible files will take precedence over the ones visible only to Tomcat (i.e. if Apache can see the file, that's the one that's going to get served). This is important if there is more then one type of file that Tomcat normally serves - for instance Velocity pages and JSP pages. JkOptions +ForwardDirectories

JkOptions ForwardLocalAddress, you ask mod_jk to send the local address, of the Apache web server instead remote client address. This can be used by Tomcat remote address valve for allowing connections only from registered Apache web servers. JkOptions +ForwardLocalAddress

JkOptions FlushPackets, you ask mod_jk to flush Apache's connection buffer after each AJP packet chunk received from Tomcat. This option can have a strong performance penalty for Apache and Tomcat as writes are performed more often than would normally be required (ie: at the end of each response). JkOptions +FlushPackets

JkOptions FlushHeader, you ask mod_jk to flush Apache's connection buffer after the response headers have been received from Tomcat. JkOptions +FlushHeader

JkOptions DisableReuse, you ask mod_jk to close connections immediately after their use. Normally mod_jk uses persistent connections and pools idle connections to reuse them, when new requests have to be sent to Tomcat.

Using this option will have a strong performance penalty for Apache and Tomcat. Use this only as a last resort in case of unfixable network problems. If a firewall between Apache and Tomcat silently kills idle connections, try to use the worker attribute socket_keepalive in combination with an appropriate TCP keepalive value in your OS. JkOptions +DisableReuse

JkOptions ForwardKeySize, you ask mod_jk, when using ajp13, to forward also the SSL Key Size as required by Servlet API 2.3. This flag shouldn't be set when servlet engine is Tomcat 3.2.x (on by default). JkOptions +ForwardKeySize

JkOptions ForwardSSLCertChain, you ask mod_jk, when using ajp13, to forward SSL certificate chain (off by default). Mod_jk only passes the SSL_CLIENT_CERT to the AJP connector. This is not a problem with self-signed certificates or certificates directly signed by the root CA certificate. However, there's a large number of certificates signed by an intermediate CA certificate, where this is a significant problem: A servlet will not have the possibility to validate the client certificate on its own. The bug would be fixed by passing on the SSL_CLIENT_CERT_CHAIN to Tomcat via the AJP connector.
This directive exists only since version 1.2.22. JkOptions +ForwardSSLCertChain

The directive JkEnvVar allows you to forward environment variables from Apache server to Tomcat engine. You can add a default value as a second parameter to the directive. If the default value is not given explicitly, the variable will only be send, if it is set during runtime.
The variables can be retrieved on the Tomcat side as request attributes via request.getAttribute(attributeName). Note that the variables send via JkEnvVar will not be listed in request.getAttributeNames().

The variables are inherited from the global server to virtual hosts. JkEnvVar SSL_CLIENT_V_START undefined

If you have created a custom or local version of mod_jk.conf-local as noted above, you can change settings such as the workers or URL prefix.

JkMount directive assign specific URLs to Tomcat. In general the structure of a JkMount directive is:

You can use the JkMount directive at the top level or inside <VirtualHost> sections of your httpd.conf file.

JkUnMount directive acts as an opposite to JkMount and blocks access to a particular URL. The purpose is to be able to filter out the particular content types from mounted context. The following example mounts /servlet/* context, but all .gif files that belongs to that context are not served.

JkUnMount takes precedence over JkMount directives, meaning that the JK will first try to mount and then checks, if there is an exclusion defined by a JkUnMount. A JkUnMount overrides a JkMount only, if the worker names in the JkMount and in the JkUnMount are the same.

The following example will block all .gif files although there is a JkMount for them:

Starting with version 1.2.26 of JK you can apply a JkUnMount to any worker, by using the star character '*' as the worker name in the JkUnMount. More complex patterns in JkUnMount worker names are not allowed.

JkAutoAlias directive automatically Alias webapp context directories into the Apache document space. It enables Apache to serve a static context while Tomcat serving dynamic context. This directive is used for convenience so that you don't have to put an apache Alias directive for each application directory inside Tomcat's webapp directory. For security reasons is is strongly recommended that JkMount is used to pass all requests to Tomcat by default and JkUnMount is used to explicitly exclude static content to be served by httpd. It should also be noted that content served by httpd will bypass any security constraints defined in the application's web.xml.

The following example shows how to serve a dynamic context by Tomcat and static using Apache. The webapps directory has to be accessible by apache.

Note that you can have a single JkAutoAlias directive per virtual host inside your httpd.conf

JkWorkerProperty is a new directive available from JK 1.2.7 version. It is a convenient method for setting directives that are usually set inside workers.propeties file. The parameter for that directive is raw line from workers.properties file.

JkMountFile is a new directive available from JK 1.2.9 version. It is used for dynamic updates of mount points at runtime. When the mount file is changed, JK will reload it's content.

If the mount point uri starts with an exclamation mark '!' it defines an exclusion in the same way JkUnMount does. If the mount point uri starts with minus sign '-' the mount point will only be disabled. A disabled mount can be reenabled by deleting the minus sign and waiting for the JkMountFile to reload. An exclusion can be disabled by prefixing it with a minus sign.

At run time you can change the content of this file. For example removing minus signs will enable the previously disabled uri mappings. You can add any number of new entries at runtime that reflects the newly deployed applications. Apache will reload the file and update the mount points within 60 second interval.

There is no way to delete entries by dynamic reloading, but you can disable or exclude mappings.

Alternatively to the mod_jk specific directives, you can also use SetHandler and environment variables to control, which requests are being forwarded via which worker. This gives you more flexibility, but the results might be more difficult to understand. If you mix both ways of defining the forwards, in general to mod_jk directives will win.

SetHandler jakarta-servlet forces requests to be handled by mod_jk. If you neither specify any workers via JkMount and the related directives, not via the environment variable described below, the first worker in the list of all worker will be chosen. You can use SetHandler for example in Location blocks or with Apache 2.2 also in RewriteRule.

In order to control the worker using SetEnvIf or RewriteRule for more complex rules, you can set the environment variable JK_WORKER_NAME to the name of your chosen target worker. This enables you to decide on the chosen worker in a more flexible way, including dependencies on cookie values. This feature has been added in version 1.2.19 of mod_jk.

In order to use another variable than JK_WORKER_NAME, you can set the name of this variable via the JkWorkerIndicator directive.

You can also define exclusions from mod_jk forwards by setting the environment variable no-jk.

Finally, starting with version 1.2.27 you can use the environment variable JK_REPLY_TIMEOUT to dynamically set a reply timeout.