介绍
HTTP Connector 元素表示一个支持 HTTP/1.1 协议的 Connector 组件。它使 Catalina 除了能够执行 servlet 和 JSP 页面外,还可以充当独立的 Web 服务器。此组件的特定实例侦听服务器上特定 TCP 端口号上的连接。可以将一个或多个这样的连接器配置为单个服务的一部分,每个连接器都转发到关联的 Engine 以执行请求处理并创建响应。
如果要配置用于使用 AJP 协议连接到 Web 服务器的 Connector(例如 Apache 1.3 的 mod_jk 1.2.x 连接器),请参阅 AJP 连接器文档。
每个传入的非异步请求在该请求的持续时间内都需要一个线程。如果收到的并发请求超过了当前可用的请求处理线程所能处理的数量,则会创建额外的线程,直到配置的最大值(maxThread 属性的值)。如果同时收到更多请求,Tomcat 将接受新连接,直到当前连接数达到 maxConnections。连接在 Connector 创建的服务器套接字内排队,直到有线程可用于处理连接。一旦达到maxConnections,操作系统将对进一步的连接进行排队。操作系统提供的连接队列的大小可以由 acceptCount 属性控制。如果操作系统队列已满,则进一步的连接请求可能会被拒绝或可能超时。
Connector 的所有实现都支持以下属性:
allowTrace
一个布尔值,可用于启用或禁用 TRACE HTTP 方法。如果未指定,则此属性设置为 false。
asyncTimeout
异步请求的默认超时时间(以毫秒为单位)。如果未指定,则此属性设置为 Servlet 规范默认值 30000(30 秒)。
continueResponseTiming
何时使用 100 中间响应代码响应包含 Expect:100-Continue 标头的请求。可以使用以下值:
immediately - 将尽快返回中间 100 状态响应
onRead - 只有当 Servlet 读取请求正文时,才会返回中间的 100 状态响应,从而允许 Servlet 在用户代理发送可能较大的请求正文之前检查报头并可能作出响应。
defaultSSLHostConfigName
如果客户端连接未提供 SNI 或如果提供了 SNI 但与任何已配置的 SSLHostConfig 不匹配,则将用于安全连接的默认 SSLHostConfig 的名称(如果此连接器配置为安全连接)。如果未指定,将使用默认值 _default_。提供的值始终转换为小写。
discardFacades
一个布尔值,可用于启用或禁用隔离容器内部请求处理对象的外观对象的回收。如果设置为 true,则将在每次请求后将外观设置为垃圾收集,否则它们将被重用。启用安全管理器时,此设置不起作用。如果未指定,此属性将设置为org.apache.catalina.connector.RECYCLE_FAADES 系统属性的值,如果未设置,则设置为 false。
enableLookups
如果希望调用 request.getRemoteHost() 执行 DNS 查找以返回远程客户端的实际主机名,请设置为 true。
设置为 false 可跳过 DNS 查找并以字符串形式返回IP地址(从而提高性能)。默认情况下,禁用 DNS 查找。
encodedSolidusHandling
设置为 reject 时,包含 %2f 序列的请求路径将被拒绝,并返回400响应。设置为解码时,包含 %2f 序列的请求路径将对该序列进行解码,/ 同时对其他 %nn 序列进行解码。当设置为通过请求路径时,包含 %2f 序列的路径将在 %2f 序列不变的情况下进行处理。如果未指定,则默认值为 reject。如果设置了不推荐使用的系统属性org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH,则可以修改此默认值。
maxHeaderCount
容器允许的请求中的最大标头数。包含超过指定限制的标头的请求将被拒绝。值小于0表示没有限制。如果未指定,则使用默认值100。
maxParameterCount
容器将自动解析的参数和值对(GET加POST)的最大数量。超过此限制的参数和值对将被忽略。值小于0表示没有限制。如果未指定,则使用默认值10000。请注意,FailedRequestFilter 筛选器可用于拒绝达到限制的请求。
maxPostSize
容器表单 URL 参数解析将处理的 POST 的最大大小(以字节为单位)。通过将此属性设置为小于零的值,可以禁用该限制。如果未指定,则此属性设置为 2097152(2 MB)。请注意,FailedRequestFilter 可用于拒绝超过此限制的请求。
maxSavePostSize
在 FORM 或 CLIENT-CERT 身份验证期间容器将保存/缓冲的 POST 的最大大小(以字节为单位)。对于这两种类型的身份验证,POST 将在用户通过身份验证之前保存/缓冲。对于 CLIENT-CERT 身份验证,POST 将在 SSL 握手期间进行缓冲,并在处理请求时清空缓冲区。对于表单身份验证,POST 将在用户重定向到登录表单时保存,并将一直保留到用户成功进行身份验证或与身份验证请求相关联的会话到期为止。通过将此属性设置为 -1,可以禁用该限制。将该属性设置为零将禁用在身份验证期间保存 POST 数据。如果未指定,则此属性设置为 4096 (4KB)。
parseBodyMethods
将使用 application/x-www-form-urlencode 对其请求正文进行逗号分隔的 HTTP 方法列表解析,以获得与POST 相同的请求参数。这在希望支持 PUT 请求的 POST 样式语义的 RESTful 应用程序中很有用。请注意,POST 以外的任何设置都会导致 Tomcat 的行为方式与 Servlet 规范的意图背道而驰。根据 HTTP 规范,此处明确禁止 HTTP 方法跟踪。缺省值为 POST
port
此连接器将在指定的TCP端口号上创建服务器套接字,并等待传入的连接。您的操作系统将只允许一个服务器应用程序侦听特定 IP 地址上的特定端口号。如果使用特殊值 0(零),则 Tomcat 将随机选择一个空闲端口用于此连接器。这通常仅在嵌入式和测试应用程序中有用。
protocol
设置协议以处理传入流量。缺省值是HTTP/1.1,它使用自动切换机制选择基于 Java NIO 的连接器或基于 APR/Native 的连接器。如果 PATH (Windows) 或 LD_LIBRARY_PATH (在大多数 Unix 系统上) 环境变量包含 Tomcat 本地库,并且用于初始化APR 的 AprLifecycleListener 的 useAprConnector 属性设置为 true,则将使用 APR/Native 连接器。如果找不到本地库或未配置该属性,则将使用基于 Java NIO 的连接器。请注意,APR/本地连接器的 HTTPS 设置与 Java 连接器不同。
为了使用显式协议而不是依赖于上述自动切换机制,可以使用下列值:
org.apache.coyote.http11.Http11NioProtocol - 非阻塞 Java NIO 连接器
org.apache.coyote.http11.Http11Nio2Protocol - 非阻塞 Java NIO2 连接器
org.apache.coyote.http11.Http11AprProtocol - APR/本地连接器
也可以使用自定义实现。
请看我们的连接器对比表,对于 http 和 https,两个 Java 连接器的配置是相同的。有关 APR 连接器和 APR 特定 SSL 设置的更多信息,请访问 APR 文档。
proxyName
如果在代理配置中使用此连接器,请配置此属性以指定要为调用 request.getServerName() 返回的服务器名称。有关详细信息,请参阅代理支持。
proxyPort
如果在代理配置中使用此连接器,请配置此属性以指定要为 request.getServerPort() 调用返回的服务器端口。有关更多信息,请参阅代理支持。
redirectPort
如果此连接器支持非 SSL 请求,并且接收到匹配 <security-constraint> 需要 SSL 传输的请求,Catalina 将自动将请求重定向到此处指定的端口号。
scheme
将此属性设置为您希望通过调用 request.getScheme() 返回的协议的名称。例如,对于 SSL 连接器,您可以将此属性设置为 “https”。默认值为 “http”
secure
如果您希望调用 request.isSecure() 以为此连接器接收到的请求返回 true,请将此属性设置为 true。 您可能希望在 SSL 连接器或从 SSL 加速器接收数据的非 SSL 连接器(如加密卡、SSL 设备甚至网络服务器)上使用它。 默认值为 false
sendReasonPhrase
如果您希望在响应中包含原因短语,请将此属性设置为 true。默认值为 false。
URIEncoding
这指定了在 %xx 解码 URL 之后用于解码 URI 字节的字符编码。如果未指定,则将使用 UTF-8,除非 org.apache.catalina.STRICT_SERVLET_COMPLIANCE 系统属性设置为 true,在这种情况下将使用 ISO-8859-1。
useBodyEncodingForURI
这指定了 contentType 中指定的编码是否应该用于 URI 查询参数,而不是使用 URIEncoding。存在此设置是为了与 Tomcat 4.1.x 兼容,其中 contentType 中指定的编码或使用 Request.setCharacterEncoding 方法显式设置的编码也用于来自 URL 的参数。默认值为 false
注意: 1) 此设置仅适用于请求的查询字符串。与 URIEncoding 不同,它不会影响请求 URI 的路径部分。2) 如果请求字符编码未知(不是由浏览器提供,也不是由 SetCharacterEncodingFilter 或使用 Request.setCharacterEncoding 方法的类似过滤器设置),则默认编码始终为 “ISO-8859-1”。 URIEncoding 设置对此默认值没有影响。
useIPVHosts
将此属性设置为 true 可使 Tomcat 使用接收请求的 IP 地址来确定要将请求发送到的主机。默认值为 false。
xpoweredBy
将此属性设置为 true 可使 Tomcat 使用规范中推荐的标头来宣传对 Servlet 规范的支持。默认值为 false。
除了上面列出的通用连接器属性之外,标准的 HTTP 连接器(NIO、NIO2 和 APR/native)都支持以下属性。
acceptCount
The maximum length of the operating system provided queue for incoming connection requests when maxConnections has been reached. The operating system may ignore this setting and use a different size for the queue. When this queue is full, the operating system may actively refuse additional connections or those connections may time out. The default value is 100.
当达到 maxConnections 时,操作系统为传入连接请求提供的队列的最大长度。 操作系统可能会忽略此设置并为队列使用不同的大小。 当此队列已满时,操作系统可能会主动拒绝其他连接,或者这些连接可能会超时。 默认值为 100。
acceptorThreadCount
The number of threads to be used to accept connections. Increase this value on a multi CPU machine, although you would never really need more than 2. Also, with a lot of non keep alive connections, you might want to increase this value as well. Default value is 1.
用于接受连接的线程数。 在多 CPU 机器上增加这个值,虽然你永远不会真正需要超过 2 个。另外,有很多非保持活动连接,你可能也想增加这个值。 默认值为 1。
acceptorThreadPriority
The priority of the acceptor threads. The threads used to accept new connections. The default value is 5 (the value of the java.lang.Thread.NORM_PRIORITY constant). See the JavaDoc for the java.lang.Thread class for more details on what this priority means.
接受者线程的优先级。 用于接受新连接的线程。 默认值为 5(java.lang.Thread.NORM_PRIORITY 常量的值)。 有关此优先级含义的更多详细信息,请参阅 java.lang.Thread 类的 JavaDoc。
address
For servers with more than one IP address, this attribute specifies which address will be used for listening on the specified port. By default, the connector will listen all local addresses. Unless the JVM is configured otherwise using system properties, the Java based connectors (NIO, NIO2) will listen on both IPv4 and IPv6 addresses when configured with either 0.0.0.0 or ::. The APR/native connector will only listen on IPv4 addresses if configured with 0.0.0.0 and will listen on IPv6 addresses (and optionally IPv4 addresses depending on the setting of ipv6v6only) if configured with ::.
对于具有多个 IP 地址的服务器,此属性指定将用于侦听指定端口的地址。 默认情况下,连接器将侦听所有本地地址。 除非使用系统属性以其他方式配置 JVM,否则当使用 0.0.0.0 或 :: 配置时,基于 Java 的连接器(NIO、NIO2)将同时侦听 IPv4 和 IPv6 地址。 如果配置为 0.0.0.0,APR/本机连接器将仅侦听 IPv4 地址,如果配置为 ::,则将侦听 IPv6 地址(以及可选的 IPv4 地址,具体取决于 ipv6v6only 的设置)。
allowHostHeaderMismatch
By default Tomcat will allow requests that specify a host in the request line but specify a different host in the host header. This check can be enabled by setting this attribute to false. If not specified, the default is true.
默认情况下,Tomcat 将允许在请求行中指定主机但在主机标头中指定不同主机的请求。 可以通过将此属性设置为 false 来启用此检查。 如果未指定,则默认为 true。
allowedTrailerHeaders
By default Tomcat will ignore all trailer headers when processing chunked input. For a header to be processed, it must be added to this comma-separated list of header names.
默认情况下,Tomcat 在处理分块输入时会忽略所有的尾部标头。 对于要处理的标题,必须将其添加到此以逗号分隔的标题名称列表中。
bindOnInit
Controls when the socket used by the connector is bound. By default it is bound when the connector is initiated and unbound when the connector is destroyed. If set to false, the socket will be bound when the connector is started and unbound when it is stopped.
控制连接器使用的套接字何时绑定。 默认情况下,它在连接器启动时绑定,在连接器销毁时解除绑定。 如果设置为 false,则连接器启动时将绑定套接字,并在连接器停止时解除绑定。
clientCertProvider
When client certificate information is presented in a form other than instances of java.security.cert.X509Certificate it needs to be converted before it can be used and this property controls which JSSE provider is used to perform the conversion. For example it is used with the AJP connectors, the HTTP APR connector and with the org.apache.catalina.valves.SSLValve. If not specified, the default provider will be used.
当客户端证书信息以 java.security.cert.X509Certificate 实例以外的形式呈现时,它需要在使用前进行转换,并且此属性控制使用哪个 JSSE 提供程序来执行转换。 例如,它与 AJP 连接器、HTTP APR 连接器和 org.apache.catalina.valves.SSLValve 一起使用。 如果未指定,将使用默认提供程序。
compressibleMimeType
The value is a comma separated list of MIME types for which HTTP compression may be used. The default value is text/html,text/xml,text/plain,text/css,text/javascript,application/javascript,application/json,application/xml . If you specify a type explicitly, the default is over-ridden.
该值是可以使用 HTTP 压缩的 MIME 类型的逗号分隔列表。 默认值为 text/html,text/xml,text/plain,text/css,text/javascript,application/javascript,application/json,application/xml 。 如果您明确指定类型,则默认值将被覆盖。
compression
The Connector may use HTTP/1.1 GZIP compression in an attempt to save server bandwidth. The acceptable values for the parameter is "off" (disable compression), "on" (allow compression, which causes text data to be compressed), "force" (forces compression in all cases), or a numerical integer value (which is equivalent to "on", but specifies the minimum amount of data before the output is compressed). If the content-length is not known and compression is set to "on" or more aggressive, the output will also be compressed. If not specified, this attribute is set to "off".
连接器可能会使用 HTTP/1.1 GZIP 压缩来尝试节省服务器带宽。 该参数的可接受值为“off”(禁用压缩)、“on”(允许压缩,这会导致压缩文本数据)、“force”(在所有情况下都强制压缩)或数字整数值(即 等效于“on”,但指定输出被压缩之前的最小数据量)。 如果内容长度未知并且压缩设置为“on”或更激进,则输出也将被压缩。 如果未指定,则此属性设置为“关闭”。
Note: There is a tradeoff between using compression (saving your bandwidth) and using the sendfile feature (saving your CPU cycles). If the connector supports the sendfile feature, e.g. the NIO connector, using sendfile will take precedence over compression. The symptoms will be that static files greater that 48 Kb will be sent uncompressed. You can turn off sendfile by setting useSendfile attribute of the connector, as documented below, or change the sendfile usage threshold in the configuration of the DefaultServlet in the default conf/web.xml or in the web.xml of your web application.
注意:在使用压缩(节省带宽)和使用发送文件功能(节省 CPU 周期)之间存在权衡。 如果连接器支持发送文件功能,例如 NIO 连接器,使用 sendfile 将优先于压缩。 症状是大于 48 Kb 的静态文件将在未压缩的情况下发送。 您可以通过设置连接器的 useSendfile 属性来关闭发送文件,如下所述,或者在默认 conf/web.xml 或 Web 应用程序的 web.xml 中的 DefaultServlet 配置中更改发送文件使用阈值。
compressionMinSize
If compression is set to "on" then this attribute may be used to specify the minimum amount of data before the output is compressed. If not specified, this attribute is defaults to "2048". Units are in bytes.
如果压缩设置为“on”,则此属性可用于指定压缩输出之前的最小数据量。 如果未指定,则此属性默认为“2048”。 单位为字节。
connectionLinger
The number of seconds during which the sockets used by this Connector will linger when they are closed. The default value is -1 which disables socket linger.
此连接器使用的套接字在关闭时将停留的秒数。 默认值为 -1,禁用套接字延迟。
connectionTimeout
The number of milliseconds this Connector will wait, after accepting a connection, for the request URI line to be presented. Use a value of -1 to indicate no (i.e. infinite) timeout. The default value is 60000 (i.e. 60 seconds) but note that the standard server.xml that ships with Tomcat sets this to 20000 (i.e. 20 seconds). Unless disableUploadTimeout is set to false, this timeout will also be used when reading the request body (if any).
此连接器在接受连接后等待显示请求 URI 行的毫秒数。 使用值 -1 表示没有(即无限)超时。 默认值为 60000(即 60 秒),但请注意,Tomcat 附带的标准 server.xml 将其设置为 20000(即 20 秒)。 除非 disableUploadTimeout 设置为 false,否则在读取请求正文(如果有)时也会使用此超时。
connectionUploadTimeout
Specifies the timeout, in milliseconds, to use while a data upload is in progress. This only takes effect if disableUploadTimeout is set to false.
指定在进行数据上传时使用的超时(以毫秒为单位)。 这仅在 disableUploadTimeout 设置为 false 时生效。
disableUploadTimeout
This flag allows the servlet container to use a different, usually longer connection timeout during data upload. If not specified, this attribute is set to true which disables this longer timeout.
该标志允许 servlet 容器在数据上传期间使用不同的、通常更长的连接超时。 如果未指定,则此属性设置为 true 以禁用此更长的超时。
executor
A reference to the name in an Executor element. If this attribute is set, and the named executor exists, the connector will use the executor, and all the other thread attributes will be ignored. Note that if a shared executor is not specified for a connector then the connector will use a private, internal executor to provide the thread pool.
对 Executor 元素中名称的引用。 如果设置了此属性,并且指定的执行程序存在,则连接器将使用执行程序,并且将忽略所有其他线程属性。 请注意,如果未为连接器指定共享执行器,则连接器将使用私有的内部执行器来提供线程池。
executorTerminationTimeoutMillis
The time that the private internal executor will wait for request processing threads to terminate before continuing with the process of stopping the connector. If not set, the default is 5000 (5 seconds).
在继续停止连接器的过程之前,私有内部执行器将等待请求处理线程终止的时间。 如果未设置,默认值为 5000(5 秒)。
keepAliveTimeout
The number of milliseconds this Connector will wait for another HTTP request before closing the connection. The default value is to use the value that has been set for the connectionTimeout attribute. Use a value of -1 to indicate no (i.e. infinite) timeout.
此连接器在关闭连接之前等待另一个 HTTP 请求的毫秒数。 默认值是使用已为 connectionTimeout 属性设置的值。 使用值 -1 表示没有(即无限)超时。
maxConnections
The maximum number of connections that the server will accept and process at any given time. When this number has been reached, the server will accept, but not process, one further connection. This additional connection be blocked until the number of connections being processed falls below maxConnections at which point the server will start accepting and processing new connections again. Note that once the limit has been reached, the operating system may still accept connections based on the acceptCount setting. The default value varies by connector type. For NIO and NIO2 the default is 10000. For APR/native, the default is 8192.
服务器在任何给定时间将接受和处理的最大连接数。 当达到此数目时,服务器将接受但不处理进一步的连接。 这个额外的连接被阻塞,直到正在处理的连接数低于 maxConnections,此时服务器将再次开始接受和处理新连接。 请注意,一旦达到限制,操作系统可能仍会根据 acceptCount 设置接受连接。 默认值因连接器类型而异。 对于 NIO 和 NIO2,默认值为 10000。对于 APR/native,默认值为 8192。
For NIO/NIO2 only, setting the value to -1, will disable the maxConnections feature and connections will not be counted.
仅对于 NIO/NIO2,将值设置为 -1,将禁用 maxConnections 功能并且不会计算连接数。
maxCookieCount
The maximum number of cookies that are permitted for a request. A value of less than zero means no limit. If not specified, a default value of 200 will be used.
请求允许的最大 cookie 数。 小于零的值意味着没有限制。 如果未指定,将使用默认值 200。
maxExtensionSize
Limits the total length of chunk extensions in chunked HTTP requests. If the value is -1, no limit will be imposed. If not specified, the default value of 8192 will be used.
限制分块 HTTP 请求中块扩展的总长度。 如果值为 -1,则不会施加任何限制。 如果未指定,将使用默认值 8192。
maxHttpHeaderSize
The maximum size of the request and response HTTP header, specified in bytes. If not specified, this attribute is set to 8192 (8 KB).
请求和响应 HTTP 标头的最大大小,以字节为单位。 如果未指定,则此属性设置为 8192 (8 KB)。
maxKeepAliveRequests
The maximum number of HTTP requests which can be pipelined until the connection is closed by the server. Setting this attribute to 1 will disable HTTP/1.0 keep-alive, as well as HTTP/1.1 keep-alive and pipelining. Setting this to -1 will allow an unlimited amount of pipelined or keep-alive HTTP requests. If not specified, this attribute is set to 100.
在服务器关闭连接之前可以进行流水线处理的最大 HTTP 请求数。 将此属性设置为 1 将禁用 HTTP/1.0 保持活动,以及 HTTP/1.1 保持活动和流水线。 将此设置为 -1 将允许无限量的流水线或保持活动的 HTTP 请求。 如果未指定,则此属性设置为 100。
maxSwallowSize
The maximum number of request body bytes (excluding transfer encoding overhead) that will be swallowed by Tomcat for an aborted upload. An aborted upload is when Tomcat knows that the request body is going to be ignored but the client still sends it. If Tomcat does not swallow the body the client is unlikely to see the response. If not specified the default of 2097152 (2 megabytes) will be used. A value of less than zero indicates that no limit should be enforced.
Tomcat 将因上传中止而吞下的最大请求正文字节数(不包括传输编码开销)。 中止上传是指 Tomcat 知道请求正文将被忽略但客户端仍会发送它。 如果 Tomcat 没有吞下身体,客户端就不太可能看到响应。 如果未指定,将使用默认值 2097152(2 兆字节)。 小于零的值表示不应强制执行任何限制。
maxThreads
The maximum number of request processing threads to be created by this Connector, which therefore determines the maximum number of simultaneous requests that can be handled. If not specified, this attribute is set to 200. If an executor is associated with this connector, this attribute is ignored as the connector will execute tasks using the executor rather than an internal thread pool. Note that if an executor is configured any value set for this attribute will be recorded correctly but it will be reported (e.g. via JMX) as -1 to make clear that it is not used.
此连接器要创建的最大请求处理线程数,因此决定了可以处理的最大并发请求数。 如果未指定,则此属性设置为 200。如果执行程序与此连接器关联,则忽略此属性,因为连接器将使用执行程序而不是内部线程池执行任务。 请注意,如果配置了执行程序,则为此属性设置的任何值都将被正确记录,但会报告(例如,通过 JMX)为 -1,以明确未使用它。
maxTrailerSize
Limits the total length of trailing headers in the last chunk of a chunked HTTP request. If the value is -1, no limit will be imposed. If not specified, the default value of 8192 will be used.
限制分块 HTTP 请求的最后一个块中的尾随标头的总长度。 如果值为 -1,则不会施加任何限制。 如果未指定,将使用默认值 8192。
minSpareThreads
The minimum number of threads always kept running. This includes both active and idle threads. If not specified, the default of 10 is used. If an executor is associated with this connector, this attribute is ignored as the connector will execute tasks using the executor rather than an internal thread pool. Note that if an executor is configured any value set for this attribute will be recorded correctly but it will be reported (e.g. via JMX) as -1 to make clear that it is not used.
最小线程数始终保持运行。 这包括活动线程和空闲线程。 如果未指定,则使用默认值 10。 如果执行器与此连接器相关联,则忽略此属性,因为连接器将使用执行器而不是内部线程池执行任务。 请注意,如果配置了执行程序,则为此属性设置的任何值都将被正确记录,但会报告(例如,通过 JMX)为 -1,以明确未使用它。
noCompressionStrongETag
This flag configures whether resources with a strong ETag will be considered for compression. If true, resources with a strong ETag will not be compressed. The default value is true.
此标志配置是否将考虑压缩具有强 ETag 的资源。 如果为 true,则不会压缩具有强 ETag 的资源。 默认值是true。
This attribute is deprecated. It will be removed in Tomcat 10 onwards where it will be hard-coded to true.
此属性已弃用。 它将在 Tomcat 10 中删除,在那里它将被硬编码为 true。
noCompressionUserAgents
The value is a regular expression (using java.util.regex) matching the user-agent header of HTTP clients for which compression should not be used, because these clients, although they do advertise support for the feature, have a broken implementation. The default value is an empty String (regexp matching disabled).
该值是一个正则表达式(使用 java.util.regex),与不应使用压缩的 HTTP 客户端的用户代理标头匹配,因为这些客户端虽然宣传了对该功能的支持,但其实现已损坏。 默认值为空字符串(禁用正则表达式匹配)。
processorCache
The protocol handler caches Processor objects to speed up performance. This setting dictates how many of these objects get cached. -1 means unlimited, default is 200. If not using Servlet 3.0 asynchronous processing, a good default is to use the same as the maxThreads setting. If using Servlet 3.0 asynchronous processing, a good default is to use the larger of maxThreads and the maximum number of expected concurrent requests (synchronous and asynchronous).
协议处理程序缓存 Processor 对象以提高性能。 此设置决定了这些对象中有多少被缓存。 -1 表示无限制,默认为 200。如果不使用 Servlet 3.0 异步处理,一个好的默认是使用与 maxThreads 设置相同的。 如果使用 Servlet 3.0 异步处理,一个好的默认值是使用 maxThreads 和最大预期并发请求数(同步和异步)中的较大者。
rejectIllegalHeader
If an HTTP request is received that contains an illegal header name or value (e.g. the header name is not a token) this setting determines if the request will be rejected with a 400 response (true) or if the illegal header be ignored (false). The default value is false which will cause the request to be processed but the illegal header will be ignored.
如果收到包含非法标头名称或值(例如标头名称不是令牌)的 HTTP 请求,此设置将确定请求将被拒绝并返回 400 响应 (true) 或是否忽略非法标头 (false) . 默认值为 false,这将导致处理请求,但将忽略非法标头。
rejectIllegalHeaderName
This attribute is deprecated. It will be removed in Tomcat 10 onwards. It is now an alias for rejectIllegalHeader.
此属性已弃用。 它将在 Tomcat 10 中删除。 它现在是rejectIllegalHeader 的别名。
relaxedPathChars
The HTTP/1.1 specification requires that certain characters are %nn encoded when used in URI paths. Unfortunately, many user agents including all the major browsers are not compliant with this specification and use these characters in unencoded form. To prevent Tomcat rejecting such requests, this attribute may be used to specify the additional characters to allow. If not specified, no additional characters will be allowed. The value may be any combination of the following characters: " < > [ ] ^ ` { | } . Any other characters present in the value will be ignored.
HTTP/1.1 规范要求某些字符在 URI 路径中使用时进行 %nn 编码。 不幸的是,包括所有主要浏览器在内的许多用户代理都不符合此规范并以未编码的形式使用这些字符。 为防止 Tomcat 拒绝此类请求,该属性可用于指定要允许的附加字符。 如果未指定,则不允许添加任何字符。 该值可以是以下字符的任意组合:" < > [ ] ^ ` { | } 。值中存在的任何其他字符都将被忽略。
relaxedQueryChars
The HTTP/1.1 specification requires that certain characters are %nn encoded when used in URI query strings. Unfortunately, many user agents including all the major browsers are not compliant with this specification and use these characters in unencoded form. To prevent Tomcat rejecting such requests, this attribute may be used to specify the additional characters to allow. If not specified, no additional characters will be allowed. The value may be any combination of the following characters: " < > [ ] ^ ` { | } . Any other characters present in the value will be ignored.
HTTP/1.1 规范要求某些字符在 URI 查询字符串中使用时进行 %nn 编码。 不幸的是,包括所有主要浏览器在内的许多用户代理都不符合此规范并以未编码的形式使用这些字符。 为防止 Tomcat 拒绝此类请求,该属性可用于指定要允许的附加字符。 如果未指定,则不允许添加任何字符。 该值可以是以下字符的任意组合:" < > [ ] ^ ` { | } 。值中存在的任何其他字符都将被忽略。
restrictedUserAgents
The value is a regular expression (using java.util.regex) matching the user-agent header of HTTP clients for which HTTP/1.1 or HTTP/1.0 keep alive should not be used, even if the clients advertise support for these features. The default value is an empty String (regexp matching disabled).
该值是一个正则表达式(使用 java.util.regex),匹配不应使用 HTTP/1.1 或 HTTP/1.0 保持活动的 HTTP 客户端的用户代理标头,即使客户端宣传对这些功能的支持。 默认值为空字符串(禁用正则表达式匹配)。
server
Overrides the Server header for the http response. If set, the value for this attribute overrides any Server header set by a web application. If not set, any value specified by the application is used. If the application does not specify a value then no Server header is set.
覆盖 http 响应的服务器标头。 如果设置,此属性的值将覆盖由 Web 应用程序设置的任何服务器标头。 如果未设置,则使用应用程序指定的任何值。 如果应用程序未指定值,则不会设置服务器标头。
serverRemoveAppProvidedValues
If true, any Server header set by a web application will be removed. Note that if server is set, this attribute is effectively ignored. If not set, the default value of false will be used.
如果为 true,则 Web 应用程序设置的任何服务器标头都将被删除。 请注意,如果设置了服务器,则该属性将被有效地忽略。 如果未设置,将使用默认值 false。
SSLEnabled
Use this attribute to enable SSL traffic on a connector. To turn on SSL handshake/encryption/decryption on a connector set this value to true. The default value is false. When turning this value true you will want to set the scheme and the secure attributes as well to pass the correct request.getScheme() and request.isSecure() values to the servlets See SSL Support for more information.
使用此属性在连接器上启用 SSL 流量。 要在连接器上打开 SSL 握手/加密/解密,请将此值设置为 true。 默认值为假。 将此值设为 true 时,您还需要设置方案和安全属性,以将正确的 request.getScheme() 和 request.isSecure() 值传递给 servlet,请参阅 SSL 支持以获取更多信息。
tcpNoDelay
If set to true, the TCP_NO_DELAY option will be set on the server socket, which improves performance under most circumstances. This is set to true by default.
如果设置为 true,将在服务器套接字上设置 TCP_NO_DELAY 选项,这会在大多数情况下提高性能。 默认情况下设置为 true。
threadPriority
The priority of the request processing threads within the JVM. The default value is 5 (the value of the java.lang.Thread.NORM_PRIORITY constant). See the JavaDoc for the java.lang.Thread class for more details on what this priority means. If an executor is associated with this connector, this attribute is ignored as the connector will execute tasks using the executor rather than an internal thread pool. Note that if an executor is configured any value set for this attribute will be recorded correctly but it will be reported (e.g. via JMX) as -1 to make clear that it is not used.
JVM 中请求处理线程的优先级。 默认值为 5(java.lang.Thread.NORM_PRIORITY 常量的值)。 有关此优先级含义的更多详细信息,请参阅 java.lang.Thread 类的 JavaDoc。 如果执行器与此连接器相关联,则忽略此属性,因为连接器将使用执行器而不是内部线程池执行任务。 请注意,如果配置了执行程序,则为此属性设置的任何值都将被正确记录,但会报告(例如,通过 JMX)为 -1,以明确未使用它。
useKeepAliveResponseHeader
(bool) Use this attribute to enable or disable the addition of the Keep-Alive HTTP response header as described in this Internet-Draft. The default value is true.
(bool) 使用此属性启用或禁用添加 Keep-Alive HTTP 响应标头,如本 Internet 草案中所述。 默认值是true。
除了上面列出的通用连接器和 HTTP 属性之外,NIO 和 NIO2 实现还支持以下 Java TCP 套接字属性。
socket.rxBufSize
(int)The socket receive buffer (SO_RCVBUF) size in bytes. JVM default used if not set.
socket.txBufSize
(int)The socket send buffer (SO_SNDBUF) size in bytes. JVM default used if not set. Care should be taken if explicitly setting this value. Very poor performance has been observed on some JVMs with values less than ~8k.
socket.tcpNoDelay
(bool)This is equivalent to standard attribute tcpNoDelay.
socket.soKeepAlive
(bool)Boolean value for the socket's keep alive setting (SO_KEEPALIVE). JVM default used if not set.
socket.ooBInline
(bool)Boolean value for the socket OOBINLINE setting. JVM default used if not set.
socket.soReuseAddress
(bool)Boolean value for the sockets reuse address option (SO_REUSEADDR). JVM default used if not set.
socket.soLingerOn
(bool)Boolean value for the sockets so linger option (SO_LINGER). A value for the standard attribute connectionLinger that is >=0 is equivalent to setting this to true. A value for the standard attribute connectionLinger that is <0 is equivalent to setting this to false. Both this attribute and soLingerTime must be set else the JVM defaults will be used for both.
socket.soLingerTime
(int)Value in seconds for the sockets so linger option (SO_LINGER). This is equivalent to standard attribute connectionLinger. Both this attribute and soLingerOn must be set else the JVM defaults will be used for both.
socket.soTimeout
This is equivalent to standard attribute connectionTimeout.
socket.performanceConnectionTime
(int)The first value for the performance settings. See Socket Performance Options. All three performance attributes must be set else the JVM defaults will be used for all three.
socket.performanceLatency
(int)The second value for the performance settings. See Socket Performance Options. All three performance attributes must be set else the JVM defaults will be used for all three.
socket.performanceBandwidth
(int)The third value for the performance settings. See Socket Performance Options. All three performance attributes must be set else the JVM defaults will be used for all three.
socket.unlockTimeout
(int) The timeout for a socket unlock. When a connector is stopped, it will try to release the acceptor thread by opening a connector to itself. The default value is 250 and the value is in milliseconds
以下属性特定于 NIO 连接器。
pollerThreadCount
(int)The number of threads to be used to run for the polling events. Default value is 1 per processor but not more than 2.
When accepting a socket, the operating system holds a global lock. So the benefit of going above 2 threads diminishes rapidly. Having more than one thread is for system that need to accept connections very rapidly. However usually just increasing acceptCount will solve that problem. Increasing this value may also be beneficial when a large amount of send file operations are going on.
pollerThreadPriority
(int)The priority of the poller threads. The default value is 5 (the value of the java.lang.Thread.NORM_PRIORITY constant). See the JavaDoc for the java.lang.Thread class for more details on what this priority means.
selectorTimeout
(int)The time in milliseconds to timeout on a select() for the poller. This value is important, since connection clean up is done on the same thread, so do not set this value to an extremely high one. The default value is 1000 milliseconds.
useSendfile
(bool)Use this attribute to enable or disable sendfile capability. The default value is true. Note that the use of sendfile will disable any compression that Tomcat may otherwise have performed on the response.
socket.directBuffer
(bool)Boolean value, whether to use direct ByteBuffers or java mapped ByteBuffers. If true then java.nio.ByteBuffer.allocateDirect() is used to allocate the buffers, if false then java.nio.ByteBuffer.allocate() is used. The default value is false.
When you are using direct buffers, make sure you allocate the appropriate amount of memory for the direct memory space. On Sun's JDK that would be something like -XX:MaxDirectMemorySize=256m.
socket.directSslBuffer
(bool)Boolean value, whether to use direct ByteBuffers or java mapped ByteBuffers for the SSL buffers. If true then java.nio.ByteBuffer.allocateDirect() is used to allocate the buffers, if false then java.nio.ByteBuffer.allocate() is used. The default value is false.
When you are using direct buffers, make sure you allocate the appropriate amount of memory for the direct memory space. On Oracle's JDK that would be something like -XX:MaxDirectMemorySize=256m.
socket.appReadBufSize
(int)Each connection that is opened up in Tomcat get associated with a read ByteBuffer. This attribute controls the size of this buffer. By default this read buffer is sized at 8192 bytes. For lower concurrency, you can increase this to buffer more data. For an extreme amount of keep alive connections, decrease this number or increase your heap size.
socket.appWriteBufSize
(int)Each connection that is opened up in Tomcat get associated with a write ByteBuffer. This attribute controls the size of this buffer. By default this write buffer is sized at 8192 bytes. For low concurrency you can increase this to buffer more response data. For an extreme amount of keep alive connections, decrease this number or increase your heap size.
The default value here is pretty low, you should up it if you are not dealing with tens of thousands concurrent connections.
socket.bufferPool
(int)The NIO connector uses a class called NioChannel that holds elements linked to a socket. To reduce garbage collection, the NIO connector caches these channel objects. This value specifies the size of this cache. The default value is 500, and represents that the cache will hold 500 NioChannel objects. Other values are -1 for unlimited cache and 0 for no cache.
socket.bufferPoolSize
(int)The NioChannel pool can also be size based, not used object based. The size is calculated as follows:
NioChannel buffer size = read buffer size + write buffer size
SecureNioChannel buffer size = application read buffer size + application write buffer size + network read buffer size + network write buffer size
The value is in bytes, the default value is 1024*1024*100 (100MB).
socket.processorCache
(int)Tomcat will cache SocketProcessor objects to reduce garbage collection. The integer value specifies how many objects to keep in the cache at most. The default is 500. Other values are -1 for unlimited cache and 0 for no cache.
socket.keyCache
(int)Tomcat will cache KeyAttachment objects to reduce garbage collection. The integer value specifies how many objects to keep in the cache at most. The default is 500. Other values are -1 for unlimited cache and 0 for no cache.
socket.eventCache
(int)Tomcat will cache PollerEvent objects to reduce garbage collection. The integer value specifies how many objects to keep in the cache at most. The default is 500. Other values are -1 for unlimited cache and 0 for no cache.
selectorPool.maxSelectors
(int)The max selectors to be used in the pool, to reduce selector contention. Use this option when the command line org.apache.tomcat.util.net.NioSelectorShared value is set to false. Default value is 200.
selectorPool.maxSpareSelectors
(int)The max spare selectors to be used in the pool, to reduce selector contention. When a selector is returned to the pool, the system can decide to keep it or let it be GC'd. Use this option when the command line org.apache.tomcat.util.net.NioSelectorShared value is set to false. Default value is -1 (unlimited).
useInheritedChannel
(bool)Defines if this connector should inherit an inetd/systemd network socket. Only one connector can inherit a network socket. This can option can be used to automatically start Tomcat once a connection request is made to the systemd super daemon's port. The default value is false. See the JavaDoc for the java.nio.channels.spi.SelectorProvider class for more details.
command-line-options
The following command line options are available for the NIO connector:
-Dorg.apache.tomcat.util.net.NioSelectorShared=true|false - default is true. Set this value to false if you wish to use a selector for each thread. When you set it to false, you can control the size of the pool of selectors by using the selectorPool.maxSelectors attribute.
以下属性特定于 NIO2 连接器。
useSendfile
(bool)Use this attribute to enable or disable sendfile capability. The default value is true. Note that the use of sendfile will disable any compression that Tomcat may otherwise have performed on the response.
socket.directBuffer
(bool)Boolean value, whether to use direct ByteBuffers or java mapped ByteBuffers. If true then java.nio.ByteBuffer.allocateDirect() is used to allocate the buffers, if false then java.nio.ByteBuffer.allocate() is used. The default value is false.
When you are using direct buffers, make sure you allocate the appropriate amount of memory for the direct memory space. On Sun's JDK that would be something like -XX:MaxDirectMemorySize=256m.
socket.directSslBuffer
(bool)Boolean value, whether to use direct ByteBuffers or java mapped ByteBuffers for the SSL buffers. If true then java.nio.ByteBuffer.allocateDirect() is used to allocate the buffers, if false then java.nio.ByteBuffer.allocate() is used. The default value is false.
When you are using direct buffers, make sure you allocate the appropriate amount of memory for the direct memory space. On Oracle's JDK that would be something like -XX:MaxDirectMemorySize=256m.
socket.appReadBufSize
(int)Each connection that is opened up in Tomcat get associated with a read ByteBuffer. This attribute controls the size of this buffer. By default this read buffer is sized at 8192 bytes. For lower concurrency, you can increase this to buffer more data. For an extreme amount of keep alive connections, decrease this number or increase your heap size.
socket.appWriteBufSize
(int)Each connection that is opened up in Tomcat get associated with a write ByteBuffer. This attribute controls the size of this buffer. By default this write buffer is sized at 8192 bytes. For low concurrency you can increase this to buffer more response data. For an extreme amount of keep alive connections, decrease this number or increase your heap size.
The default value here is pretty low, you should up it if you are not dealing with tens of thousands concurrent connections.
socket.bufferPool
(int)The NIO2 connector uses a class called Nio2Channel that holds elements linked to a socket. To reduce garbage collection, the NIO2 connector caches these channel objects. This value specifies the size of this cache. The default value is 500, and represents that the cache will hold 500 Nio2Channel objects. Other values are -1 for unlimited cache and 0 for no cache.
socket.processorCache
(int)Tomcat will cache SocketProcessor objects to reduce garbage collection. The integer value specifies how many objects to keep in the cache at most. The default is 500. Other values are -1 for unlimited cache and 0 for no cache.
以下属性特定于 APR/本机连接器。
deferAccept
Sets the TCP_DEFER_ACCEPT flag on the listening socket for this connector. The default value is true where TCP_DEFER_ACCEPT is supported by the operating system, otherwise it is false.
ipv6v6only
If listening on an IPv6 address on a dual stack system, should the connector only listen on the IPv6 address? If not specified the default is false and the connector will listen on the IPv6 address and the equivalent IPv4 address if present.
pollerThreadCount
Number of threads used to poll kept alive connections. On Windows the default is chosen so that the sockets managed by each thread is less than 1024. For Linux the default is 1. Changing the default on Windows is likely to have a negative performance impact.
pollTime
Duration of a poll call in microseconds. Lowering this value will slightly decrease latency of connections being kept alive in some cases, but will use more CPU as more poll calls are being made. The default value is 2000 (2ms).
sendfileSize
Amount of sockets that the poller responsible for sending static files asynchronously can hold at a given time. Extra connections will be closed right away without any data being sent (resulting in a zero length file on the client side). Note that in most cases, sendfile is a call that will return right away (being taken care of "synchronously" by the kernel), and the sendfile poller will not be used, so the amount of static files which can be sent concurrently is much larger than the specified amount. The default value is 1024.
threadPriority
(int)The priority of the acceptor and poller threads. The default value is 5 (the value of the java.lang.Thread.NORM_PRIORITY constant). See the JavaDoc for the java.lang.Thread class for more details on what this priority means.
useSendfile
(bool)Use this attribute to enable or disable sendfile capability. The default value is true. Note that the use of sendfile will disable any compression that Tomcat may otherwise have performed on the response.
First implemented in Tomcat 9 and back-ported to 8.5, Tomcat now supports Server Name Indication (SNI). This allows multiple SSL configurations to be associated with a single secure connector with the configuration used for any given connection determined by the host name requested by the client. To facilitate this, the SSLHostConfig element was added which can be used to define one of these configurations. Any number of SSLHostConfig may be nested in a Connector. At the same time, support was added for multiple certificates to be associated with a single SSLHostConfig. Each SSL certificate is therefore configured in a Certificate element with in an SSLHostConfig. For further information, see the SSL Support section below.
首先在 Tomcat 9 中实现并向后移植到 8.5,Tomcat 现在支持服务器名称指示 (SNI)。 这允许多个 SSL 配置与单个安全连接器相关联,配置用于由客户端请求的主机名确定的任何给定连接。 为此,添加了 SSLHostConfig 元素,可用于定义这些配置之一。 任何数量的 SSLHostConfig 都可以嵌套在一个连接器中。 同时,增加了对与单个 SSLHostConfig 关联的多个证书的支持。 因此,每个 SSL 证书都在 SSLHostConfig 中的 Certificate 元素中进行配置。 有关更多信息,请参阅下面的 SSL 支持部分。
This Connector supports all of the required features of the HTTP/1.1 protocol, as described in RFCs 7230-7235, including persistent connections, pipelining, expectations and chunked encoding. If the client supports only HTTP/1.0 or HTTP/0.9, the Connector will gracefully fall back to supporting this protocol as well. No special configuration is required to enable this support. The Connector also supports HTTP/1.0 keep-alive.
此连接器支持 HTTP/1.1 协议的所有必需功能,如 RFC 7230-7235 中所述,包括持久连接、流水线、期望和分块编码。 如果客户端只支持 HTTP/1.0 或 HTTP/0.9,连接器也会优雅地回退到支持这个协议。 无需特殊配置即可启用此支持。 连接器还支持 HTTP/1.0 保持活动状态。
RFC 7230 requires that HTTP servers always begin their responses with the highest HTTP version that they claim to support. Therefore, this Connector will always return HTTP/1.1 at the beginning of its responses.
RFC 7230 要求 HTTP 服务器始终以他们声称支持的最高 HTTP 版本开始响应。 因此,此连接器将始终在其响应开始时返回 HTTP/1.1。
HTTP/2 is support is provided for TLS (h2), non-TLS via HTTP upgrade (h2c) and direct HTTP/2 (h2c) connections. To enable HTTP/2 support for an HTTP connector the following UpgradeProtocol element must be nested within the Connector with a className attribute of org.apache.coyote.http2.Http2Protocol.
HTTP/2 支持 TLS (h2)、非 TLS 通过 HTTP 升级 (h2c) 和直接 HTTP/2 (h2c) 连接。 要为 HTTP 连接器启用 HTTP/2 支持,以下 UpgradeProtocol 元素必须嵌套在具有 org.apache.coyote.http2.Http2Protocol 的 className 属性的连接器中。
<Connector ... > <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> </Connector>
Because Java 8's TLS implementation does not support ALPN (which is required for HTTP/2 over TLS), you must be using an OpenSSL based TLS implementation to enable HTTP/2 support. See the sslImplementationName attribute of the Connector.
由于 Java 8 的 TLS 实现不支持 ALPN(这是 HTTP/2 over TLS 所必需的),因此您必须使用基于 OpenSSL 的 TLS 实现来启用 HTTP/2 支持。 请参阅连接器的 sslImplementationName 属性。
Additional configuration attributes are available. See the HTTP/2 Upgrade Protocol documentation for details.
其他配置属性可用。 有关详细信息,请参阅 HTTP/2 升级协议文档。
The proxyName and proxyPort attributes can be used when Tomcat is run behind a proxy server. These attributes modify the values returned to web applications that call the request.getServerName() and request.getServerPort() methods, which are often used to construct absolute URLs for redirects. Without configuring these attributes, the values returned would reflect the server name and port on which the connection from the proxy server was received, rather than the server name and port to whom the client directed the original request.
当 Tomcat 在代理服务器后面运行时,可以使用 proxyName 和 proxyPort 属性。 这些属性修改返回给调用 request.getServerName() 和 request.getServerPort() 方法的 Web 应用程序的值,这些方法通常用于构造重定向的绝对 URL。 如果不配置这些属性,返回的值将反映接收来自代理服务器的连接的服务器名称和端口,而不是客户端将原始请求定向到的服务器名称和端口。
For more information, see the Proxy Support How-To.
有关更多信息,请参阅代理支持方法。
You can enable SSL support for a particular instance of this Connector by setting the SSLEnabled attribute to true.
您可以通过将 SSLEnabled 属性设置为 true 来为此连接器的特定实例启用 SSL 支持。
You will also need to set the scheme and secure attributes to the values https and true respectively, to pass correct information to the servlets.
您还需要将 scheme 和 secure 属性分别设置为值 https 和 true,以将正确的信息传递给 servlet。
The NIO and NIO2 connectors use either the JSSE Java SSL implementation or an OpenSSL implementation, whereas the APR/native connector uses OpenSSL only. Prior to Tomcat 8.5, different configuration attributes were used for JSSE and OpenSSL. From Tomcat 8.5 onwards, and as far as possible, common configuration attributes are used for both JSSE and OpenSSL. Also if using the JSSE OpenSSL implementation, configuration can be set using either the JSSE or APR attributes (note: but not both types within the same configuration). This is to aid simpler switching between connector implementations for SSL connectors.
NIO 和 NIO2 连接器使用 JSSE Java SSL 实现或 OpenSSL 实现,而 APR/本机连接器仅使用 OpenSSL。在 Tomcat 8.5 之前,JSSE 和 OpenSSL 使用不同的配置属性。从 Tomcat 8.5 开始,JSSE 和 OpenSSL 都尽可能使用通用的配置属性。此外,如果使用 JSSE OpenSSL 实现,则可以使用 JSSE 或 APR 属性设置配置(注意:但不能在同一配置中同时使用这两种类型)。这是为了帮助在 SSL 连接器的连接器实现之间更简单地切换。
Each secure connector must define at least one SSLHostConfig. The names of the SSLHostConfig elements must be unique and one of them must match the defaultSSLHostConfigName attribute of the Connector.
每个安全连接器必须至少定义一个 SSLHostConfig。 SSLHostConfig 元素的名称必须是唯一的,并且其中之一必须与连接器的 defaultSSLHostConfigName 属性匹配。
Each SSLHostConfig must in turn define at least one Certificate. The types of the Certificates must be unique.
每个 SSLHostConfig 必须依次定义至少一个证书。证书的类型必须是唯一的。
As of Tomcat 8.5, the majority of the SSL configuration attributes in the Connector are deprecated. If specified, they will be used to configure a SSLHostConfig and Certificate for the defaultSSLHostConfigName. Note that if an explicit SSLHostConfig element also exists for the defaultSSLHostConfigName then that will be treated as a configuration error. It is expected that Tomcat 10 will drop support for the SSL configuration attributes in the Connector.
从 Tomcat 8.5 开始,连接器中的大多数 SSL 配置属性都已弃用。如果指定,它们将用于为 defaultSSLHostConfigName 配置 SSLHostConfig 和证书。请注意,如果 defaultSSLHostConfigName 也存在显式 SSLHostConfig 元素,那么这将被视为配置错误。预计 Tomcat 10 将不再支持连接器中的 SSL 配置属性。
In addition to the standard TLS related request attributes defined in section 3.10 of the Servlet specification, Tomcat supports a number of additional TLS related attributes. The full list may be found in the SSLSupport Javadoc.
除了 Servlet 规范第 3.10 节中定义的标准 TLS 相关请求属性之外,Tomcat 还支持许多其他 TLS 相关属性。完整列表可以在 SSLSupport Javadoc 中找到。
For more information, see the SSL Configuration How-To.
有关更多信息,请参阅 SSL 配置方法。
certificateRevocationListFile
Name of the file that contains the concatenated certificate revocation lists for the certificate authorities. The format is PEM-encoded. If not defined, client certificates will not be checked against a certificate revocation list (unless an OpenSSL based connector is used and certificateRevocationListPath is defined). Relative paths will be resolved against $CATALINA_BASE. JSSE based connectors may also specify a URL for this attribute.
certificateRevocationListPath
OpenSSL only.
Name of the directory that contains the certificate revocation lists for the certificate authorities. The format is PEM-encoded. Relative paths will be resolved against $CATALINA_BASE.
certificateVerification
Set to required if you want the SSL stack to require a valid certificate chain from the client before accepting a connection. Set to optional if you want the SSL stack to request a client Certificate, but not fail if one isn't presented. Set to optionalNoCA if you want client certificates to be optional and you don't want Tomcat to check them against the list of trusted CAs. If the TLS provider doesn't support this option (OpenSSL does, JSSE does not) it is treated as if optional was specified. A none value (which is the default) will not require a certificate chain unless the client requests a resource protected by a security constraint that uses CLIENT-CERT authentication.
certificateVerificationDepth
The maximum number of intermediate certificates that will be allowed when validating client certificates. If not specified, the default value of 10 will be used.
caCertificateFile
OpenSSL only.
Name of the file that contains the concatenated certificates for the trusted certificate authorities. The format is PEM-encoded.
caCertificatePath
OpenSSL only.
Name of the directory that contains the certificates for the trusted certificate authorities. The format is PEM-encoded.
ciphers
The ciphers to enable using the OpenSSL syntax. (See the OpenSSL documentation for the list of ciphers supported and the syntax). Alternatively, a comma separated list of ciphers using the standard OpenSSL cipher names or the standard JSSE cipher names may be used.
When converting from OpenSSL syntax to JSSE ciphers for JSSE based connectors, the behaviour of the OpenSSL syntax parsing is kept aligned with the behaviour of the OpenSSL 1.1.0 development branch.
Only the ciphers that are supported by the SSL implementation will be used.
If not specified, a default (using the OpenSSL notation) of HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA will be used.
Note that, by default, the order in which ciphers are defined is treated as an order of preference. See honorCipherOrder.
disableCompression
OpenSSL only.
Configures if compression is disabled. The default is true. If the OpenSSL version used does not support disabling compression then the default for that OpenSSL version will be used.
disableSessionTickets
OpenSSL only.
Disables use of TLS session tickets (RFC 5077) if set to true. Default is false. Note that when TLS session tickets are in use, the full peer certificate chain will only be available on the first connection. Subsequent connections (that use a ticket to estrablish the TLS session) will only have the peer certificate, not the full chain.
honorCipherOrder
Set to true to enforce the server's cipher order (from the ciphers setting) instead of allowing the client to choose the cipher. The default is false. Use of this feature requires Java 8 or later.
hostName
The name of the SSL Host. This should either be the fully qualified domain name (e.g. tomcat.apache.org) or a wild card domain name (e.g. *.apache.org). If not specified, the default value of _default_ will be used. Provided values are always converted to lower case.
insecureRenegotiation
OpenSSL only.
Configures if insecure renegotiation is allowed. The default is false. If the OpenSSL version used does not support configuring if insecure renegotiation is allowed then the default for that OpenSSL version will be used.
keyManagerAlgorithm
JSSE only.
The KeyManager algorithm to be used. This defaults to KeyManagerFactory.getDefaultAlgorithm() which returns SunX509 for Sun JVMs. IBM JVMs return IbmX509. For other vendors, consult the JVM documentation for the default value.
protocols
The names of the protocols to support when communicating with clients. This should be a list of any combination of the following:
SSLv2Hello
SSLv3
TLSv1
TLSv1.1
TLSv1.2
TLSv1.3
all
Each token in the list can be prefixed with a plus sign ("+") or a minus sign ("-"). A plus sign adds the protocol, a minus sign removes it form the current list. The list is built starting from an empty list.
The token all is an alias for SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2,TLSv1.3.
Note that TLSv1.3 is only supported for JSSE when using a JVM that implements TLSv1.3.
Note that SSLv2Hello will be ignored for OpenSSL based secure connectors. If more than one protocol is specified for an OpenSSL based secure connector it will always support SSLv2Hello. If a single protocol is specified it will not support SSLv2Hello.
Note that SSLv2 and SSLv3 are inherently unsafe.
If not specified, the default value of all will be used.
revocationEnabled
JSSE only.
Should the JSSE provider enable certificate revocation checks? If certificateRevocationListFile is set then this attribute is ignored and revocation checks are always enabled. This attribute is intended to enable revocation checks that have been configured for the current JSSE provider via other means. If not specified, a default of false is used.
sessionCacheSize
The number of SSL sessions to maintain in the session cache. Specify -1 to use the implementation default. Values of zero and above are passed to the implementation. Zero is used to specify an unlimited cache size and is not recommended. If not specified, a default of -1 is used.
sessionTimeout
The time, in seconds, after the creation of an SSL session that it will timeout. Specify -1 to use the implementation default. Values of zero and above are passed to the implementation. Zero is used to specify an unlimited timeout and is not recommended. If not specified, a default of 86400 (24 hours) is used.
sslProtocol
JSSE only.
The SSL protocol(s) to use (a single value may enable multiple protocols - see the JVM documentation for details). If not specified, the default is TLS. The permitted values may be obtained from the JVM documentation for the allowed values for algorithm when creating an SSLContext instance e.g. Oracle Java 7. Note: There is overlap between this attribute and protocols.
trustManagerClassName
JSSE only.
The name of a custom trust manager class to use to validate client certificates. The class must have a zero argument constructor and must also implement javax.net.ssl.X509TrustManager. If this attribute is set, the trust store attributes may be ignored.
truststoreAlgorithm
JSSE only.
The algorithm to use for truststore. If not specified, the default value returned by javax.net.ssl.TrustManagerFactory.getDefaultAlgorithm() is used.
truststoreFile
JSSE only.
The trust store file to use to validate client certificates. The default is the value of the javax.net.ssl.trustStore system property. If neither this attribute nor the default system property is set, no trust store will be configured. Relative paths will be resolved against $CATALINA_BASE. A URL may also be used for this attribute.
truststorePassword
JSSE only.
The password to access the trust store. The default is the value of the javax.net.ssl.trustStorePassword system property. If that property is null, no trust store password will be configured. If an invalid trust store password is specified, a warning will be logged and an attempt will be made to access the trust store without a password which will skip validation of the trust store contents.
truststoreProvider
JSSE only.
The name of the truststore provider to be used for the server certificate. The default is the value of the javax.net.ssl.trustStoreProvider system property. If that property is null, the value of keystoreProvider is used as the default. If neither this attribute, the default system property nor keystoreProvider is set, the list of registered providers is traversed in preference order and the first provider that supports the truststoreType is used.
truststoreType
JSSE only.
The type of key store used for the trust store. The default is the value of the javax.net.ssl.trustStoreType system property. If that property is null, a single certificate has been configured for this TLS virtual host and that certificate has a keystoreType that is not PKCS12 then the default will be the keystoreType of the single certificate. If none of these identify a default, the default will be JKS. See the notes on key store types below.
certificateFile
Name of the file that contains the server certificate. The format is PEM-encoded. Relative paths will be resolved against $CATALINA_BASE.
In addition to the certificate, the file can also contain as optional elements DH parameters and/or an EC curve name for ephemeral keys, as generated by openssl dhparam and openssl ecparam, respectively. The output of the respective OpenSSL command can simply be concatenated to the certificate file.
certificateChainFile
Name of the file that contains the certificate chain associated with the server certificate used. The format is PEM-encoded. Relative paths will be resolved against $CATALINA_BASE.
The certificate chain used for Tomcat should not include the server certificate as its first element.
Note that when using more than one certificate for different types, they all must use the same certificate chain.
certificateKeyAlias
JSSE only.
The alias used for the server key and certificate in the keystore. If not specified, the first key read from the keystore will be used. The order in which keys are read from the keystore is implementation dependent. It may not be the case that keys are read from the keystore in the same order as they were added. If more than one key is present in the keystore it is strongly recommended that a keyAlias is configured to ensure that the correct key is used.
certificateKeyFile
Name of the file that contains the server private key. The format is PEM-encoded. The default value is the value of certificateFile and in this case both certificate and private key have to be in this file (NOT RECOMMENDED). Relative paths will be resolved against $CATALINA_BASE.
certificateKeyPassword
The password used to access the private key associated with the server certificate from the specified file.
If not specified, the default behaviour for JSSE is to use the certificateKeystorePassword. For OpenSSL the default behaviour is not to use a password.
certificateKeystoreFile
JSSE only.
The pathname of the keystore file where you have stored the server certificate and key to be loaded. By default, the pathname is the file .keystore in the operating system home directory of the user that is running Tomcat. If your keystoreType doesn't need a file use "" (empty string) or NONE for this parameter. Relative paths will be resolved against $CATALINA_BASE. A URI may also be used for this attribute. When using a domain keystore (keystoreType of DKS), this parameter should be the URI to the domain keystore.
certificateKeystorePassword
JSSE only.
The password to use to access the keystore containing the server's private key and certificate. If not specified, a default of changeit will be used.
certificateKeystoreProvider
JSSE only.
The name of the keystore provider to be used for the server certificate. If not specified, the value of the system property javax.net.ssl.keyStoreProvider is used. If neither this attribute nor the system property are set, the list of registered providers is traversed in preference order and the first provider that supports the keystoreType is used.
certificateKeystoreType
JSSE only.
The type of keystore file to be used for the server certificate. If not specified, the value of the system property javax.net.ssl.keyStoreType is used. If neither this attribute nor the system property are set, a default value of "JKS". is used. See the notes on key store types below.
type
The type of certificate. This is used to identify the ciphers that are compatible with the certificate. It must be one of UNDEFINED, RSA, DSA or EC. If only one Certificate is nested within a SSLHostConfig then this attribute is not required and will default to UNDEFINED. If multiple Certificates are nested within a SSLHostConfig then this attribute is required and each Certificate must have a unique type.
When APR/native is enabled, the connectors will default to using OpenSSL through JSSE, which may be more optimized than the JSSE Java implementation depending on the processor being used, and can be complemented with many commercial accelerator components.
The following NIO and NIO2 SSL configuration attributes are not specific to a virtual host and, therefore, must be configured on the connector.
sniParseLimit
In order to implement SNI support, Tomcat has to parse the first TLS message received on a new TLS connection (the client hello) to extract the requested server name. The message needs to be buffered so it can then be passed to the JSSE implementation for normal TLS processing. In theory, this first message could be very large although in practice it is typically a few hundred bytes. This attribute sets the maximum message size that Tomcat will buffer. If a message exceeds this size, the connection will be configured as if no server name was indicated by the client. If not specified a default of 65536 (64k) will be used.
sslImplementationName
The class name of the SSL implementation to use. If not specified and the tomcat-native library is not installed, the default of org.apache.tomcat.util.net.jsse.JSSEImplementation will be used which wraps JVM's default JSSE provider. Note that the JVM can be configured to use a different JSSE provider as the default. Tomcat also bundles a special SSL implementation for JSSE that is backed by OpenSSL. To enable it, the native library should be enabled as if intending to use the APR connector, and Tomcat will automatically enable it and the default value of this attribute becomes org.apache.tomcat.util.net.openssl.OpenSSLImplementation. In that case, the attributes from either JSSE and OpenSSL configuration styles can be used, as long as the two types are not mixed (for example, it is not allowed to define use of a Java keystore and specify a separate pem private key using the OpenSSL attribute).
In addition to the standard key store types (JKS and PKCS12), most Java runtimes support additional key store types such as Windows-ROOT, Windows-My, DKS as well as hardware security modules. Generally, to use these additional keystore types with a TLS Connector in Tomcat:
Set the certificateKeystoreType and/or truststoreType Connector attribute (as appropriate) to the necessary type
If a configuration file is required, set the certificateKeystoreFile and/or truststoreFile Connector attribute (as appropriate) to point to the file
If no configuration file is required then you will almost certainly need to explicitly set the certificateKeystoreFile and/or truststoreFile Connector attribute (as appropriate) to the empty string ("")
If a password is required, set the certificateKeystorePassword and/or truststorePassword Connector attribute (as appropriate) to the required password
If no password is required then you will almost certainly need to explicitly set the certificateKeystorePassword and/or truststorePassword Connector attribute (as appropriate) to the empty string ("")
Variations in key store implementations, combined with the key store manipulation Tomcat does in the background to allow interoperability between JSSE and OpenSSL configuration styles, means that some keystores may need slightly different configuration. Assistance is always available from the Apache Tomcat users mailing list. We aim to document any key stores that vary from the above advice here. Currently there are none we are aware of.
The following NIO and NIO2 SSL configuration attributes have been deprecated in favor of the default SSLHostConfig element with the hostName of _default_. If this SSLHostConfig element is not explicitly defined, it will be created..
Attribute Description
algorithm
This is an alias for the keyManagerAlgorithm attribute of the SSLHostConfig element with the hostName of _default_. If this SSLHostConfig element is not explicitly defined, it will be created.
ciphers
This is an alias for the ciphers attribute of the SSLHostConfig element with the hostName of _default_. If this SSLHostConfig element is not explicitly defined, it will be created.
clientAuth
This is an alias for the certificateVerification attribute of the SSLHostConfig element with the hostName of _default_. If this SSLHostConfig element is not explicitly defined, it will be created.
crlFile
This is an alias for the certificateRevocationListFile attribute of the SSLHostConfig element with the hostName of _default_. If this SSLHostConfig element is not explicitly defined, it will be created.
keyAlias
This is an alias for the certificateKeyAlias attribute of the first Certificate element nested in the SSLHostConfig element with the hostName of _default_. If this Certificate and/or SSLHostConfig element is not explicitly defined, they will be created.
keyPass
This is an alias for the certificateKeyPassword attribute of the first Certificate element nested in the SSLHostConfig element with the hostName of _default_. If this Certificate and/or SSLHostConfig element is not explicitly defined, they will be created.
keystoreFile
This is an alias for the certificateKeystoreFile attribute of the first Certificate element nested in the SSLHostConfig element with the hostName of _default_. If this Certificate and/or SSLHostConfig element is not explicitly defined, they will be created.
keystorePass
This is an alias for the certificateKeystorePassword attribute of the first Certificate element nested in the SSLHostConfig element with the hostName of _default_. If this Certificate and/or SSLHostConfig element is not explicitly defined, they will be created.
keystoreProvider
This is an alias for the certificateKeystoreProvider attribute of the first Certificate element nested in the SSLHostConfig element with the hostName of _default_. If this Certificate and/or SSLHostConfig element is not explicitly defined, they will be created.
keystoreType
This is an alias for the certificateKeystoreType attribute of the first Certificate element nested in the SSLHostConfig element with the hostName of _default_. If this Certificate and/or SSLHostConfig element is not explicitly defined, they will be created.
sessionCacheSize
This is an alias for the sessionCacheSize attribute of the SSLHostConfig element with the hostName of _default_. If this SSLHostConfig element is not explicitly defined, it will be created.
sessionTimeout
This is an alias for the sessionTimeout attribute of the SSLHostConfig element with the hostName of _default_. If this SSLHostConfig element is not explicitly defined, it will be created.
sslEnabledProtocols
This is an alias for the protocols attribute of the SSLHostConfig element with the hostName of _default_. If this SSLHostConfig element is not explicitly defined, it will be created.
sslProtocol
This is an alias for the sslProtocol attribute of the SSLHostConfig element with the hostName of _default_. If this SSLHostConfig element is not explicitly defined, it will be created.
trustManagerClassName
This is an alias for the trustManagerClassName attribute of the SSLHostConfig element with the hostName of _default_. If this SSLHostConfig element is not explicitly defined, it will be created.
trustMaxCertLength
This is an alias for the certificateVerificationDepth attribute of the SSLHostConfig element with the hostName of _default_. If this SSLHostConfig element is not explicitly defined, it will be created.
truststoreAlgorithm
This is an alias for the truststoreAlgorithm attribute of SSLHostConfig element with the hostName of _default_. If this SSLHostConfig element is not explicitly defined, it will be created.
truststoreFile
This is an alias for the truststoreFile attribute of SSLHostConfig element with the hostName of _default_. If this SSLHostConfig element is not explicitly defined, it will be created.
truststorePass
This is an alias for the truststorePassword attribute of SSLHostConfig element with the hostName of _default_. If this SSLHostConfig element is not explicitly defined, it will be created.
truststoreProvider
This is an alias for the truststoreProvider attribute of SSLHostConfig element with the hostName of _default_. If this SSLHostConfig element is not explicitly defined, it will be created.
truststoreType
This is an alias for the truststoreType attribute of SSLHostConfig element with the hostName of _default_. If this SSLHostConfig element is not explicitly defined, it will be created.
useServerCipherSuitesOrder
This is an alias for the honorCipherOrder attribute of the SSLHostConfig element with hostName of _default_. If this SSLHostConfig element is not explicitly defined, it will be created.
When APR/native is enabled, the HTTPS connector will use a socket poller for keep-alive, increasing scalability of the server. It also uses OpenSSL, which may be more optimized than JSSE depending on the processor being used, and can be complemented with many commercial accelerator components. Unlike the HTTP connector, the HTTPS connector cannot use sendfile to optimize static file processing.
The HTTPS APR/native connector has the same attributes than the HTTP APR/native connector, but adds OpenSSL specific ones. For the full details on using OpenSSL, please refer to OpenSSL documentations and the many books available for it (see the Official OpenSSL website). The SSL specific attributes for the APR/native connector are:
Attribute Description
SSLCACertificateFile
This is an alias for the caCertificateFile attribute of the SSLHostConfig element with the hostName of _default_. If this SSLHostConfig element is not explicitly defined, it will be created.
SSLCACertificatePath
This is an alias for the caCertificatePath attribute of the SSLHostConfig element with the hostName of _default_. If this SSLHostConfig element is not explicitly defined, it will be created.
SSLCARevocationFile
This is an alias for the certificateRevocationListFile attribute of the SSLHostConfig element with the hostName of _default_. If this SSLHostConfig element is not explicitly defined, it will be created.
SSLCARevocationPath
This is an alias for the certificateRevocationListPath attribute of the SSLHostConfig element with the hostName of _default_. If this SSLHostConfig element is not explicitly defined, it will be created.
SSLCertificateFile
This is an alias for the certificateFile attribute of the first Certificate element nested in the SSLHostConfig element with the hostName of _default_. If this Certificate and/or SSLHostConfig element is not explicitly defined, they will be created.
SSLCertificateKeyFile
This is an alias for the certificateKeyFile attribute of the first Certificate element nested in the SSLHostConfig element with the hostName of _default_. If this Certificate and/or SSLHostConfig element is not explicitly defined, they will be created.
SSLCipherSuite
This is an alias for the ciphers attribute of the SSLHostConfig element with the hostName of _default_. If this SSLHostConfig element is not explicitly defined, it will be created.
SSLDisableCompression
This is an alias for the disableCompression attribute of the SSLHostConfig element with the hostName of _default_. If this SSLHostConfig element is not explicitly defined, it will be created.
SSLHonorCipherOrder
This is an alias for the honorCipherOrder attribute of the SSLHostConfig element with the hostName of _default_. If this SSLHostConfig element is not explicitly defined, it will be created.
SSLPassword
This is an alias for the certificateKeyPassword attribute of the first Certificate element nested in the SSLHostConfig element with the hostName of _default_. If this Certificate and/or SSLHostConfig element is not explicitly defined, they will be created.
SSLProtocol
This is an alias for the protocols attribute of the SSLHostConfig element with the hostName of _default_. If this SSLHostConfig element is not explicitly defined, it will be created.
SSLVerifyClient
This is an alias for the certificateVerification attribute of the SSLHostConfig element with the hostName of _default_. If this SSLHostConfig element is not explicitly defined, it will be created.
SSLVerifyDepth
This is an alias for the certificateVerificationDepth attribute of the SSLHostConfig element with the hostName of _default_. If this SSLHostConfig element is not explicitly defined, it will be created.
SSLDisableSessionTickets
This is an alias for the disableSessionTickets attribute of the SSLHostConfig element with the hostName of _default_. If this SSLHostConfig element is not explicitly defined, it will be created.
Below is a small chart that shows how the connectors differ.
