The directive JkOptions allow you to set many forwarding options which will enable (+)
or disable (-) following option. Without any leading signs, options will be enabled.
The four following options +ForwardURIxxx are mutually exclusive.
Exactly one of them is required, a negative sign prefix is not allowed with them.
The default value is "ForwardURIProxy" since version 1.2.24.
It was "ForwardURICompatUnparsed" in version 1.2.23 and
"ForwardURICompat" until version 1.2.22.
You can turn the default off by switching on one of the other two options.
You should leave this at it's default value, unless you have a very good
reason to change it.
All options are inherited from the global server to virtual hosts.
Options that support enabling (plus options) and disabling (minus options),
are inherited in the following way:
options(vhost) = plus_options(global) - minus_options(global) + plus_options(vhost) - minus_options(vhost)
Using JkOptions ForwardURIProxy, the forwarded URI
will be partially reencoded after processing inside Apache and
before forwarding to Tomcat. This will be compatible with local
URL manipulation by mod_rewrite and with URL encoded session ids.
Using JkOptions ForwardURICompatUnparsed, the forwarded URI
will be unparsed. It's spec compliant and secure.
It will always forward the original request URI, so rewriting
URIs with mod_rewrite and then forwarding the rewritten URI
will not work.
Using JkOptions ForwardURICompat, the forwarded URI will
be decoded by Apache. Encoded characters will be decoded and
explicit path components like ".." will already be resolved.
This is less spec compliant and is not safe if you are using
prefix JkMount. This option will allow to rewrite URIs with
mod_rewrite before forwarding.
Using JkOptions ForwardURIEscaped, the forwarded URI will
be the encoded form of the URI used by ForwardURICompat.
Explicit path components like ".." will already be resolved.
This will not work in combination with URL encoded session IDs,
but it will allow to rewrite URIs with mod_rewrite before forwarding.
JkOptions RejectUnsafeURI will block all
URLs, which contain percent signs '%' or backslashes '\'
Most web apps do not use such URLs. Using the option RejectUnsafeURI, you
can block several well known URL encoding attacks. By default, this option
is not set.
You can also realise such a check with mod_rewrite, which is more powerful
but also slightly more complicated.
JkOptions CollapseSlashesAll will collapse multiple
adjacent slashes in request URLs before looking for mount or unmount
JkOptions CollapseSlashesUnmount will collapse multiple
adjacent slashes in request URLs only before looking for unmount
matches. This is the default value.
JkOptions CollapseSlashesNone will never collapse multiple
adjacent slashes in request URLs before looking for mount or unmount
matches. Using this value might make you vulnerable for attacks
bypassing your unmount rules.
JkOptions ForwardDirectories is used in conjunction with DirectoryIndex
directive of Apache. As such mod_dir should be available to Apache,
statically or dynamically (DSO)
When DirectoryIndex is configured, Apache will create sub-requests for
each of the local-url's specified in the directive, to determine if there is a
local file that matches (this is done by stat-ing the file).
If ForwardDirectories is set to false (default) and Apache doesn't find any
files that match, Apache will serve the content of the directory (if directive
Options specifies Indexes for that directory) or a 403 Forbidden response (if
directive Options doesn't specify Indexes for that directory).
If ForwardDirectories is set to true and Apache doesn't find any files that
match, the request will be forwarded to Tomcat for resolution. This is used in
cases when Apache cannot see the index files on the file system for various
reasons: Tomcat is running on a different machine, the JSP file has been
Note that locally visible files will take precedence over the
ones visible only to Tomcat (i.e. if Apache can see the file, that's the one
that's going to get served). This is important if there is more then one type of
file that Tomcat normally serves - for instance Velocity pages and JSP pages.
Setting JkOptions ForwardLocalAddress, you ask mod_jk to send the local address,
of the Apache HTTP Server instead remote client address. This can be used by the
Tomcat remote address valve for allowing connections only from configured Apache
Setting JkOptions ForwardPhysicalAddress, you ask mod_jk to send the
physical peer TCP IP address as the client address. By default mod_jk
uses the logical address as provided by the web server. For example the module
mod_remoteip sets the logical IP address to the client IP forwarded by proxies
in the X-Forwarded-For header.
JkOptions FlushPackets, you ask mod_jk to flush Apache's connection
buffer after each AJP packet chunk received from Tomcat. This option can have
a strong performance penalty for Apache and Tomcat as writes are performed
more often than would normally be required (ie: at the end of each
JkOptions FlushHeader, you ask mod_jk to flush Apache's connection
buffer after the response headers have been received from Tomcat.
JkOptions DisableReuse, you ask mod_jk to close connections immediately
after their use. Normally mod_jk uses persistent connections and pools idle
connections to reuse them, when new requests have to be sent to Tomcat.
Using this option will have a strong performance penalty for Apache and Tomcat.
Use this only as a last resort in case of unfixable network problems.
If a firewall between Apache and Tomcat silently kills idle connections,
try to use the worker attribute socket_keepalive in combination with an appropriate
TCP keepalive value in your OS.
JkOptions ForwardKeySize, you ask mod_jk, when using ajp13, to forward also the SSL Key Size as
required by Servlet API 2.3.
This flag shouldn't be set when servlet engine is Tomcat 3.2.x (on by default).
JkOptions ForwardSSLCertChain, you ask mod_jk, when using ajp13,
to forward SSL certificate chain (off by default).
Mod_jk only passes the SSL_CLIENT_CERT to the AJP connector. This is not a
problem with self-signed certificates or certificates directly signed by the
root CA certificate. However, there's a large number of certificates signed by
an intermediate CA certificate, where this is a significant problem: A servlet
will not have the possibility to validate the client certificate on its own. The
bug would be fixed by passing on the SSL_CLIENT_CERT_CHAIN to Tomcat via the AJP connector.
This directive exists only since version 1.2.22.
The directive JkEnvVar allows you to forward environment variables
from Apache server to Tomcat engine.
You can add a default value as a second parameter to the directive.
If the default value is not given explicitly, the variable
will only be send, if it is set during runtime.
The variables can be retrieved on the Tomcat side as request attributes
Note that the variables send via JkEnvVar will not be listed
The variables are inherited from the global server to virtual hosts.
JkEnvVar SSL_CLIENT_V_START undefined