Running Tomcat Behind a Proxy ServerRunning Tomcat Behind a Proxy Server[Thanks to Michael Godin (MBARI) and Greg Keith and Ernie Joynt (NOAA) for the following documentation.]
If you are using Tomcat on port 8080 (for example) and Apache on the default port 80, you can use the Apache proxy module to hide the Tomcat port in the URLs used to connect to THREDDS. This may be critical if your server is behind a firewall that only allows port 80 access. It is also important if THREDDS is running on a machine that is completely behind a firewall, but you have a server running Apache that can talk to the machine.
You will need to edit the Apache httpd.conf file (on Linux, it is stored in /etc/httpd/conf/).
Find the lines that start with "<IfModule mod_proxy.c>" and end with "</IfModule>". These lines may need to be uncommented. Between these lines, make sure the following line exists and is uncommented:
ProxyRequests On
Then add the following lines:
ProxyPreserveHost On
<Location /thredds>
ProxyPass http://myhost.mydomain:8080/thredds
ProxyPassReverse http://myhost.mydomain:8080/thredds
</Location>
<Proxy http://myhost.mydomain:8080/thredds>
AllowOverride None
Order allow,deny
Allow from All
</Proxy>
You of course need to replace "http://myhost.mydomain:8080/thredds" with the full URL of the THREDDS web application.
The section between <Proxy... And </Proxy> can usually be omitted, but in some cases a server is sufficiently locked down that you need to explicitly allow access to resources. It can also be edited to restrict access to registered users via Apache authentication mechanisms.
You can also add additional proxy directives to mask the THREDDS URL and port in any TDS-generated file access pages. The above ProxyPass and ProxyPassReverse directives mask the machine name and port using mod_proxy during an initial THREDDS URL request, but leave this information visible on the data access page generated by TDS.
If you add the following directives BEFORE the directives above, Apache will use mod_proxy_ajp in addition to the mod_proxy directives, so that any TDS-generated access pages will use the same URL as shown in the initial THREDDS request (example shown for Apache 2.2):
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so ProxyPass /thredds ajp://localhost:8009/thredds ProxyPassReverse /thredds ajp://localhost:8009/thredds
This also requires uncommenting the AJP connector (port 8009) in the Tomcat server.xml file.
Finally, on the server command line (as a super/admin user), execute:
apachectl graceful
In my configuration, I initially failed to add the line
"ProxyPreserveHost On", which caused me many headaches as links
generated by THREDDS kept directing the client back to port 8080 (which
was blocked by a firewall).
Sounds like mod_jk is more powerful than mod_proxy. If anyone has experience using mod_jk and could contribute some text here, please let us know at thredds@unidata.ucar.edu.
Tomcat Tuning free online chapter in Tomcat: The Definitive Guide (2007) has some timing comparisions between Tomcat and Apache http. You might be surprised at the results.
This document is maintained by Unidata and was last updated on Dec 23, 2008.
Send comments to thredds@unidata.ucar.edu or support-thredds@unidata.ucar.edu.