Tomcat Configuration

Server

<Server port="8005" shutdown="SHUTDOWN">
    <!-- ... -->
</Server>

Description

The top-level element in server.xml, representing the entire Tomcat server instance. There is only one <Server> per Tomcat instance.

  • port="8005": Specifies a dedicated port (8005) for receiving shutdown commands.
  • This port is not used for HTTP traffic but only for controlling the lifecycle of the server.
  • shutdown="SHUTDOWN": Defines the command string that must be sent to the shutdown port to trigger a graceful shutdown.
  • Only when the exact string SHUTDOWN is received will Tomcat initiate the shutdown process.

Example

Running ./shutdown.sh sends the word SHUTDOWN to port 8005. Tomcat listens on this port, checks if the message matches, and then shuts down.

./shutdown.sh

Security Note

Although SHUTDOWN is the default value, in production environments it is recommended to either change the port to -1, which disables the network shutdown function (the server can then only be shut down through scripts or process signals), or change the shutdown string to a complex value so that it cannot be easily guessed.

<Server port="-1" shutdown="MyComplexShutdownCommand123!">

Warning

If the port is "-1", Tomcat cannot be shut down through network commands. Only the kill command or local scripts can be used.
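One way to check a server.xml against the Security Note above. This is an added example, not part of the original page or of Tomcat; it assumes a missing attribute falls back to the defaults shown on this page, and the 16-character minimum is an assumed threshold for "complex", not a Tomcat rule.

```python
import xml.etree.ElementTree as ET

DEFAULT_PORT = "8005"          # default shown on this page
DEFAULT_COMMAND = "SHUTDOWN"   # default shown on this page
MIN_COMMAND_LEN = 16           # assumed threshold for "complex", not a Tomcat rule


def audit_shutdown(server_xml: str) -> list[str]:
    """Return findings for the <Server> shutdown listener in a server.xml string."""
    root = ET.fromstring(server_xml)
    if root.tag != "Server":
        raise ValueError("root element is not <Server>")
    # Assumption: a missing attribute falls back to the defaults shown on the page.
    port = root.get("port", DEFAULT_PORT).strip()
    command = root.get("shutdown", DEFAULT_COMMAND)
    if port == "-1":
        return []  # network shutdown disabled, so the command string does not matter
    findings = [f"shutdown listener enabled on port {port}"]
    if command == DEFAULT_COMMAND:
        findings.append("shutdown command is the default 'SHUTDOWN'")
    elif len(command) < MIN_COMMAND_LEN:
        findings.append(f"shutdown command is only {len(command)} characters")
    return findings


# Constructed sample inputs (not taken from a real deployment).
DEFAULT_CONFIG = '<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina"/></Server>'
DISABLED_CONFIG = '<Server port="-1" shutdown="MyComplexShutdownCommand123!"/>'
SHORT_CONFIG = '<Server port="8005" shutdown="stop"/>'

if __name__ == "__main__":
    for name, cfg in [("default", DEFAULT_CONFIG),
                      ("disabled", DISABLED_CONFIG),
                      ("short", SHORT_CONFIG)]:
        print(name, audit_shutdown(cfg) or "ok")
```
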

Listener

<!-- Security listener. Documentation at /docs/config/listeners.html
    <Listener className="org.apache.catalina.security.SecurityListener" />
-->
<!--APR library loader. Documentation at /docs/apr.html -->
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
<!-- Prevent memory leaks due to use of particular java/javax APIs-->
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />

GlobalNamingResources

<!-- Global JNDI resources
    Documentation at /docs/jndi-resources-howto.html
-->
<GlobalNamingResources>
<!-- Editable user database that can also be used by UserDatabaseRealm to authenticate users -->
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
</GlobalNamingResources>

Resource

<Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />

Service

name

Service name.

<Service name="Catalina">

Connector

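The port number that listens for HTTP requests; the default is 8080.

  • protocol: Protocol type (for example HTTP/1.1, org.apache.coyote.http11.Http11NioProtocol)
  • connectionTimeout: How long to wait for a connection before timing out (milliseconds)
  • redirectPort: The port to redirect to when SSL transport is required
  • maxThreads: Maximum number of requests processed concurrently
  • minSpareThreads: Minimum number of idle threads
  • enableLookups: Whether to look up the client host name through DNS
  • acceptCount: Maximum length of the queue
  • compression: Whether compression is enabled
  • scheme & secure: Configure the protocol and security reported after proxy forwarding

<!--The connectors can use a shared executor, you can define one or more named thread pools-->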
<!--
    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
        maxThreads="150" minSpareThreads="4"/>
-->

<!-- A "Connector" represents an endpoint by which requests are received
    and responses are returned. Documentation at :
    Java HTTP Connector: /docs/config/http.html
    Java AJP  Connector: /docs/config/ajp.html
    APR (HTTP/AJP) Connector: /docs/apr.html
    Define a non-SSL/TLS HTTP/1.1 Connector on port 8080
-->
    <Connector port="8080" protocol="HTTP/1.1" 
            connectionTimeout="20000"
            redirectPort="8443" />

Other Connector

<!-- A "Connector" using the shared thread pool-->
<!--
    <Connector executor="tomcatThreadPool"
               port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
-->

Another Connector

<!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443
    This connector uses the NIO implementation. The default
    SSLImplementation will depend on the presence of the APR/native
    library and the useOpenSSL attribute of the
    AprLifecycleListener.
    Either JSSE or OpenSSL style configuration may be used regardless of
    the SSLImplementation selected. JSSE style configuration is used below.
-->
<!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
-->

Third Connector

<!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
    This connector uses the APR/native implementation which always uses
    OpenSSL for TLS.
    Either JSSE or OpenSSL style configuration may be used. OpenSSL style
    configuration is used below.
-->
<!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true" >
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        <SSLHostConfig>
            <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
                         certificateFile="conf/localhost-rsa-cert.pem"
                         certificateChainFile="conf/localhost-rsa-chain.pem"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
-->

Fourth Connector

<!-- Define an AJP 1.3 Connector on port 8009 -->
<!--
    <Connector protocol="AJP/1.3"
               address="::1"
               port="8009"
               redirectPort="8443" />
-->

Engine

Engine name

The name of the engine.

Engine defaultHost

The default host name.

Cluster

<!--For clustering, please take a look at documentation at:
    /docs/cluster-howto.html  (simple how to)
    /docs/config/cluster.html (reference documentation) -->
    <!--
      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
    -->

Realm

Used for user authentication and authorization.

<!-- Use the LockOutRealm to prevent attempts to guess user passwords via a brute-force attack -->
    <Realm className="org.apache.catalina.realm.LockOutRealm">
        <!-- This Realm uses the UserDatabase configured in the global JNDI
             resources under the key "UserDatabase".  Any edits
             that are performed against this UserDatabase are immediately
             available for use by the Realm.  -->
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
    </Realm>

Host

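  • name
  • appBase: Application base directory; the default is webapps
  • unpackWARs: Whether to unpack WAR files automatically
  • autoDeploy: Whether to deploy automatically

 <Host name="localhost"  appBase="webapps"
        unpackWARs="true" autoDeploy="true">

Valve

A Valve can be added to a Host or an Engine to provide various functions, such as access logging and single sign-on.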

<!-- SingleSignOn valve, share authentication between web applications
    Documentation at: /docs/config/valve.html -->
    <!--
    <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
    -->

    <!-- Access log processes all example.
        Documentation at: /docs/config/valve.html
        Note: The pattern used is equivalent to using pattern="common" -->
    <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
            prefix="localhost_access_log" suffix=".txt"
            pattern="%h %l %u %t &quot;%r&quot; %s %b" />
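A parser for the access-log pattern configured above, with a count of repeated 401 responses per client host, the kind of password guessing the LockOutRealm comment refers to. This is an added example, not part of the original page or of Tomcat; the sample lines are constructed, and treating 401 as a failed login and the threshold of 3 are assumptions.

```python
import re
from collections import Counter

# Regex for pattern="%h %l %u %t &quot;%r&quot; %s %b" as configured on this page.
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>.*)" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)


def parse_line(line: str):
    """Return a dict of fields, or None for a line that does not match the pattern."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # %b writes "-" when no bytes were sent
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def hosts_with_repeated_401(lines, threshold=3):
    """Count 401 responses per client host; return hosts at or above threshold."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 401:  # assumption: 401 marks a failed login
            counts[rec["host"]] += 1
    return {host: n for host, n in counts.items() if n >= threshold}


# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [10/Mar/2024:10:00:01 +0000] "GET /app/secure HTTP/1.1" 401 2473',
    '192.0.2.10 - - [10/Mar/2024:10:00:02 +0000] "GET /app/secure HTTP/1.1" 401 2473',
    '192.0.2.10 - - [10/Mar/2024:10:00:03 +0000] "GET /app/secure HTTP/1.1" 401 2473',
    '198.51.100.7 - alice [10/Mar/2024:10:00:04 +0000] "GET /app/ HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Mar/2024:10:00:05 +0000] "GET /app/x"y HTTP/1.1" 404 -',
    'garbage line',
]

if __name__ == "__main__":
    print(hosts_with_repeated_401(SAMPLE))
```
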