xdocs/webserver_howto/iis.xml

<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE document [ <!ENTITY project SYSTEM "project.xml"> ]> <document url="iis.html"> &project; <copyright> Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. </copyright> <properties> <title>ISAPI redirector for Micrsoft IIS HowTo</title> <author email="hgomez@apache.org">Henri Gomez</author> <author email="shachor@il.ibm.com">Gal Shachor</author> <author email="yoavs@apache.org">Yoav Shapira</author> </properties> <body> <section name="Introduction"> This document explains how to set up the ISAPI redirector for IIS to cooperate with Tomcat. Normally IIS can not execute Servlets and Java Server Pages (JSPs). Configuring IIS to use the ISAPI redirector plugin will let IIS send servlet and JSP requests to Tomcat (and this way, serve them to clients). It is recommended that you also read the <a href="../common_howto/workers.html">Workers HowTo</a> document to learn how to setup the working entities between your web server and Tomcat Engines. For more detailed configuration information consult the Reference Guide for <a href="../reference/workers.html">workers.properties</a>, <a href="../reference/uriworkermap.html">uriworkermap</a> and <a href="../reference/iis.html">IIS</a>. <subsection name="Document Conventions and Assumptions"> ${tomcat_home} is the root directory of tomcat. Your Tomcat installation should have the following subdirectories: <ul> <li> ${tomcat_home}\conf - Where you can place various configuration files </li> <li> ${tomcat_home}\webapps - Containing example applications </li> <li> ${tomcat_home}\bin - Where you place web server plugins </li> </ul> In all the examples in this document ${tomcat_home} will be c:\tomcat. A worker is defined to be a tomcat process that accepts work from the IIS server. </subsection> <subsection name="Supported Configuration"> The IIS to Tomcat redirector is supported for: <ul> <li>IIS running on any currently supported version of Windows</li> <li>All currently supported versions of Tomcat</li> </ul> The redirector may work with IIS running on older, unsupported versions of Windows and/or Tomcat but such configurations are not supported. </subsection> <subsection name="AJP protocols?"> The redirector uses the AJP protocol to send requests to the Tomcat containers. The AJP version used is ajp13. All current versions Tomcat support the ajp13 protocol. Others servlet engines such as Jetty and JBoss also support the ajp13 protocol. The ajp12 protocol has been deprecated and you should no longer use it. The ajp14 protocol is considered experimental. </subsection> <subsection name="How does it work ?"> <ol> <li> The ISAPI redirector is a Microsoft IIS plugin (filter + extension). IIS loads the redirector plugin and calls its filter function for each in-coming request. </li> <li> The filter then tests the request URL against a list of URI-paths held inside uriworkermap.properties. If the current request matches one of the entries in the list of URI-paths, the filter transfers the request to the extension. </li> <li> The extension collects the request parameters and forwards them to the appropriate worker using the defined protocol like ajp13. </li> <li> The extension collects the response from the worker and returns it to the browser. </li> </ol> </subsection> </section> <section name="Installation"> Pre-built versions of the ISAPI redirector plugin, isapi_redirect.dll, for 32-bit and 64-bit environments are available from the <a href="https://tomcat.apache.org/download-connectors.cgi">Apache Tomcat Connectors Downloads</a> page. You can also build a copy locally from the Tomcat Connectors source distribution. The ISAPI redirector requires three entities: <ul> <li> isapi_redirect.dll - The ISAPI redirector for Microsoft IIS plugin, either obtain a pre-built DLL or build it yourself (see the build section). </li> <li> <a href="../reference/workers.html">workers.properties</a> - A file that describes the host(s) and port(s) used by the workers (Tomcat processes). A sample workers.properties can be found under the conf directory. </li> <li> <a href="../reference/uriworkermap.html">uriworkermap.properties</a> - A file that maps URL-Path patterns to workers. A sample uriworkermap.properties can be found under the conf directory as well. </li> </ul> The installation includes the following parts: <ul> <li> Configuring the ISAPI redirector with a default /examples context and checking that you can serve servlets with IIS. </li> <li> Adding more contexts to the configuration. </li> </ul> <subsection name="Configuring the ISAPI Redirector"> These instructions have been written based on Windows Server 2012 R2 and tested with all supported Windows operating systems up to Windows 11 / Windows Server 2022. These installation instructions have been tested with a default installation of IIS plus ISAPI Extensions and Filters on a clean, fully patched OS installation with Tomcat 9 installed in C:\Program Files\Apache Software Foundation\Tomcat 9.0. This is referred to as ${tomcat_home} for the remainder of this document. <ol> <li> Create a directory ${tomcat_home}\isapi </li> <li> Allow the IIS process to create the ISAPI redirector log file. Modify the path as necessary if the log file is to be written to a different directory. Enter the following at a command prompt: <source>>icacls "C:\Program Files\Apache Software Foundation\Tomcat 9.0\isapi" /grant "IIS APPPOOL\DefaultAppPool":(OI)(CI)M </source> On client operating systems with User Account Control (UAC) enabled, the command prompt must be opened using Run as administrator for the above command to complete successfully. </li> <li> Download the appropriate (32-bit or 64-bit) isapi_redirect.dll for your operating system and place it in ${tomcat_home}\isapi </li> <li> Set the premissions for isapi_redirect.dll. On Windows Server 2019 it appears to be necessary to explicitly set the permissions for this dll. Enter the following at a command prompt: <source>>icacls "C:\Program Files\Apache Software Foundation\Tomcat 9.0\isapi\isapi_redirect.dll" /grant "Everyone":RX </source> </li> <li> Create ${tomcat_home}\isapi\isapi_redirect.properties file to configure the ISAPI redirctor. Configuration can also be performed via registry settings - see below. The contents of this file should be: <source>extension_uri=/jakarta/isapi_redirect.dll log_file=C:\Program Files\Apache Software Foundation\Tomcat 9.0\isapi\isapi_redirect.log log_level=info worker_file=C:\Program Files\Apache Software Foundation\Tomcat 9.0\isapi\workers.properties worker_mount_file=C:\Program Files\Apache Software Foundation\Tomcat 9.0\isapi\uriworkermap.properties </source> Be careful so that Windows does not add a .txt extension to the file. </li> <li> Create ${tomcat_home}\isapi\workers.properties file to configure the Tomcat instances that requests will be passed to. For a single Tomcat instance on the local machine the contents of this file should be: <source>worker.list=tomcat01 worker.tomcat01.type=ajp13 worker.tomcat01.host=localhost worker.tomcat01.port=8009 </source> </li> <li> Create ${tomcat_home}\isapi\uriworkermap.properties file to configure which requests will be passed to Tomcat. To expose the examples web application the contents of this file should be: <source>/examples/*=tomcat01 </source> </li> <li> Using the IIS management console, add a new virtual directory to your IIS web site. In a clean install, this will be the Default Web Site. The name of the virtual directory must be jakarta. Its physical path should be the directory where you placed isapi_redirect.dll. </li> <li> Select the newly created virtual directory in the management console and then double-click Handler Mappings. Select the (currently disabled) ISAPI-dll entry and then click Edit Feature Permissions in the action pane. In the dialog box that opens, select Execute so all three permissions are selected. Click OK and ISAPI-dll should now be in the enabled state. </li> <li> Again using the IIS management console, add the ISAPI redirector as a filter to your web site. Select your web site and then double-click ISAPI Filters. From the action pane, click Add.... For the filter name use tomcat and the executable should be the full path to isapi_redirect.dll. Once configured, click OK. </li> <li> Still using the IIS management console, configure the ISAPI redirector as allowed. Select your server (not the web site) and then double-click on ISAPI and CGI Restrictions. From the action pane, click Add.... Select the isapi_redirect.dll, add a descripion (e.g. tomcat) and select the Allow extension path to execute and then click OK. </li> <li> Restart IIS (stop + start the IIS service). </li> </ol> That's all, you should now start Tomcat and ask IIS to serve you the /examples context. Try <a href="http://localhost/examples/">http://localhost/examples/</a> for example and execute some of the Servlet or JSP examples. If this does not work successfully, refer to the Troubleshooting section below for help on correcting the problem. </subsection> <subsection name="IIS logging"> If the IIS access logs show entries such as /jakarta/isapi_redirect.dll rather than /examples/servlets then this can be corrected via the IIS management console. Select your server (not the web site) and then double-click on Modules. In the Actions pane, click View Ordered List..., select the IsapiFilterModule and move it up until it is above the HttpLoggingModule. </subsection> <subsection name="Registry configuration"> As an alternative to using the isapi_redirector.properties file, the ISAPI redirector may be configured via the registry. To do this, follow these steps: <ol> <li> In the registry, create a new registry key named "HKEY_LOCAL_MACHINE\SOFTWARE\Apache Software Foundation\Jakarta Isapi Redirector\1.0" </li> <li> Add a string value with the name extension_uri and a value of /jakarta/isapi_redirect.dll </li> <li> Add a string value with the name log_file and a value pointing to where you want your log file to be (for example c:\tomcat\logs\isapi.log). </li> <li> Add a string value with the name log_level and a value for your log level (can be debug, info, error or emerg). </li> <li> Add a string value with the name worker_file and a value which is the full path to your workers.properties file (for example c:\tomcat\conf\workers.properties) </li> <li> Add a string value with the name worker_mount_file and a value which is the full path to your uriworkermap.properties file (for example c:\tomcat\conf\uriworkermap.properties) </li> </ol> </subsection> <subsection name="64 Bit notes"> In a 64-bit environment the IIS Application Pool should have "Enable 32-bit Applications" set to "False". To check this, select Application Pools in the IIS management console, then right-click on the pool you are using and select Set Application Pool Defaults.... Enable 32-bit Applications may be found in the General section. If this is not configured correctly, the redirector will not be called and IIS will return an HTTP code 404. You must use the 64-bit version of the ISAPI redirector on 64-bit operating systems. If you attempt to use the 32-bit version, you will get an HTTP code 500 for every request because the library is not loadable into a 64-bit IIS. </subsection> <subsection name="Adding additional Contexts"> The examples context is useful for verifying your installation, but you will also need to add your own contexts. Adding a new context requires two operations: <ol> <li> Adding the context to Tomcat (not discussed here). </li> <li> Adding the context to the ISAPI redirector. </li> </ol> Adding a context to the ISAPI redirector is simple, all you need to do is to edit your uriworkermap.properties and to add a line that looks like: <source>/context/*=worker_name </source> Workers and their name are defined in workers.properties. As an example, if you want to add a context named "shop", to be served by the worker named "tomcat01" the line that you should add to uriworkermap.properties will be: <source>/shop/*=tomcat01 </source> After saving uriworkermap.properties restart IIS and it will serve the new context. The above should be all you need for IIS to pass through to Tomcat any request for any URI which corresponds to a Tomcat context (webapp). </subsection> <subsection name="Advanced Context Configuration"> If your website is very busy (more than 100 requests/second, or more than 100 simultaneous client connections), it might sometimes be desirable to have IIS serve static content (html, gif, jpeg etc.) directly, even if these files are part of a context served by Tomcat. Allowing IIS to serve such files directly may avoid the small overhead consisting of passing the request to Tomcat via the redirector, and may free up Tomcat somewhat, by using it only to process requests that only Tomcat can handle (e.g. requests to JSP pages and java servlets). For example, consider the html and gif files in the examples context: you could serve these files directly with IIS; there is no need to serve them from the Tomcat process. <warn>However, you should be very careful when you implement the following configuration style, because by doing so you are in fact providing a "back-door" to IIS, and allowing it to serve files out of a Tomcat context without Tomcat's knowledge, thus bypassing any security restrictions which Tomcat itself and the Tomcat context (webapp) may place on those files.</warn> Making IIS serve static files that are part of the Tomcat contexts requires the following: <ol> <li> Configuring IIS to know about the Tomcat contexts </li> <li> Configuring the redirector to leave the static files for IIS </li> </ol> Adding a Tomcat context to IIS requires the addition of a new IIS virtual directory that covers the Tomcat context. For example adding a /example IIS virtual directory that covers the c:\tomcat\webapps\examples directory. Configuring the redirector is somewhat harder, you will need to specify the exact URL-Path pattern(s) which you want Tomcat to handle (usually only JSP files and servlets). This requires a change to the uriworkermap.properties: <source>For the examples context it requires to replace the following line /examples/*=tomcat01 with the following two lines /examples/*.jsp=tomcat01 /examples/servlet/*=tomcat01 </source> As you can see the second configuration is more explicit, it actually instruct the redirector to redirect only requests to resources under /examples/servlet/ and resources under /examples/ whose name ends with .jsp. You can even be more explicit and provide lines such as: <source>/example/servlets/chat=tomcat01 </source> that instructs the redirector to redirect all requests whose URL-path matches the leading string "/example/servlets/chat" to the worker named tomcat01. </subsection> <subsection name="Protecting the content of your Tomcat contexts"> Once again, be aware that by allowing IIS to access the content of your Tomcat context directly, you are potentially bypassing Tomcat's protection of that content. You should thus make sure to protect this content at the IIS level if needed, by using the corresponding IIS management console functions. In particular, each servlet application (context) has a special directory named WEB-INF, which contains sensitive configuration data and Java classes, and which should always be kept hidden from web users. Using the IIS management console it is possible to protect the WEB-INF directory from user access, but considering that this is a general requirement, and considering that it is easy to forget to implement this protection at the IIS level, the ISAPI redirector plugin does it automatically for you, and it will reject any request which contains WEB-INF in its URL path. It will also reject any request which contains META-INF in its URL path. </subsection> <subsection name="Advanced Worker Configuration"> Sometimes you may want to serve different contexts with different Tomcat processes (for example to spread the load among different machines). To achieve such a goal you will need to define several workers and assign each context to its own worker. Defining additional workers is done in the workers.properties file. This file includes two types of entries: <source># An entry that lists all the workers defined worker.list=worker1, worker2 # Entries that define the host and port associated with each of these workers worker.worker1.host=localhost worker.worker1.port=8009 worker.worker1.type=ajp13 worker.worker2.host=otherhost worker.worker2.port=8009 worker.worker2.type=ajp13 </source> The above example defined two workers, now we can use these workers to serve two different contexts each with its own worker: <source>example uriworkermap.properties fragment /examples/*=worker1 /webpages/*=worker2 </source> As you can see the examples context is served by worker1 while the webpages context is served by worker2. More information on using and configuring workers in the <a href="../common_howto/workers.html">Workers HowTo</a> and in the <a href="../reference/workers.html">worker.properties configuration reference</a>. </subsection> </section> <section name="Building the ISAPI redirector"> To build the ISAPI redirector you will need Mladen's Custom Microsoft Compiler. The remainder of this document assumes this installed to c:\cmsc. The steps to build the ISAPI redirector are: <ul> <li> Download the sources as a zip file and unpack it. </li> <li> Change directory to the ISAPI redirector source directory. </li> <li> <source>c:\cmsc\setenv.bat x86 nmake -f Makefile.vc c:\cmsc\setenv.bat x64 nmake -f Makefile.vc </source> </li> </ul> The resulting file isapi_redirect.dll (and the debug symbol file isapi_redirect.pdb) is located in the "x86_RELEASE" or "x64_RELEASE" sub directory. </section> <section name="Troubleshooting"> It is easy to have the ISAPI redirector not work the first time you try to install it. If this happens to you, here are some steps to follow to try to correct the problem. These steps aren't guaranteed to cover all possible problems, but they should help find the typical mistakes. If you make any corrections during these steps, restart the IIS service as described above in the last step of the installation, then retry the step. Note: These steps are based on the configuration used in the installation instructions that proxies requests for the examples web application to a single Tomcat instance. It is also assumed that the "/examples" context works correctly if you access Tomcat directly. <subsection name="Diagnostics steps"> Delete (or move elsewhere) the ISAPI redirector log file if present. Start the IIS service and Tomcat. Check for the presence of the ISAPI redirector log file at the specified location. If not found, that indicates that the ISAPI redirector has not started correctly. This is usually caused by incorrect configuration settings. <ul> <li> Check your configuration carefully against the installation instructions, particularly the location, name and contents of the ${tomcat_home}\isapi\isapi_redirect.properties file. </li> <li> If using the registry based configuration, check the path, name and values of the registry keys. Registry names are not case sensitive. </li> <li> Check that the directory specified for the log file exists and that the file permissions have been configured as per the installation instructions. </li> </ul> If the above are set correctly, the ISAPI redirector should be able to create the log file. Invoke the URL <a href="http://localhost/examples/">http://localhost/examples/</a> in your browser. Case is important in URLs. The characters following "localhost" in the URL must be lower case. If the page fails to appear, stop the IIS service (required to view the IIS log file). Then examine the last line in the IIS log file in found in C:\inetpub\logs\LogFiles\W3SVC1: If the last line contains: <source>GET "/examples/ HTTP/1.1" 404 </source> then the ISAPI redirector is not recognising that it should be handling requests for the "/examples" context. If the last line contains something like: <source>GET "/jakarta/isapi_redirect.dll HTTP1.1" </source> then the ISAPI redirector is recognising that it should handle the request, but is not successful at getting Tomcat to service the request. Check the following: <ul> <li> Check your configuration carefully against the installation instructions, particularly the name of the virtual directory and the location, name and contents of the ${tomcat_home}\isapi\uriworkermap.properties and ${tomcat_home}\isapi\workers.properties files. </li> If these are set correctly, the ISAPI redirector should recognise that it should handle requests for the "/examples" context. </ul> If the browser shows a 503 error page then the ISAPI redirector is recognising that it should handle the request but is not receiving a timely response from Tomcat. Check the following: <ul> <li> Check your configuration carefully against the installation instructions, particularly the location, name and ${tomcat_home}\isapi\workers.properties file. </li> <li> Check the AJP connector configuration in Tomcta matches the configuration in the ${tomcat_home}\isapi\workers.properties file. </li> </ul> If the browser shows a 500 error page then an internal error has occurred within IIS or the ISAPI redirector when trying to serve the request. There should be a textual description of the error towards the top of the page and an 8-digit hex error code towards the end of the page. The last four digits should be the standard windows error code associated with the problem. A common cause of 500 errors is Windows creating configuration files with hidden ".txt" file extensions that are not shown in Windows Explorer. Even if file extensions are shown for other files, double check to make sure that Windows Explorer is configured to show file extensions for all files. If the error message is Calling GetFilterVersion on ISAPI filter "...isapi_redirect.dll" failed and the code is 0x8007047e then the code translates to an error code 0x047e or 1150 which is "The specified program requires a newer version of Windows". Together these indicate that the initialisation of the ISAPI redirector failed because the configuration could not be read - either from ${tomcat_home}\isapi\isapi_redirect.properties of from the registry. Check the name location and contents of the ${tomcat_home}\isapi\isapi_redirect.properties file or the registry keys as appropriate. If the above settings are correct, the index.html page should appear in your browser. You should also be able to click the links to execute some Servlet or JSP examples. </subsection> </section> </body> </document>

xdocs/webserver_howto/iis.xml (641 lines of code) (raw):