Configuring the ISAPI redirector for Microsoft IIS

Requirements

The Tomcat redirector requires three entities:

  • isapi_redirect.dll - The IIS ISAPI redirector plugin. Either obtain a pre-built DLL or build it yourself (see the build section).
  • workers.properties - A file that describes the host(s) and port(s) used by the workers (Tomcat processes). A sample workers.properties can be found under the conf directory.
  • uriworkermap.properties - A file that maps URL-Path patterns to workers. A sample uriworkermap.properties can be found under the conf directory as well.

The installation includes the following parts:

  • Configuring the ISAPI redirector with a default /examples context and checking that you can serve servlets with IIS.
  • Adding more contexts to the configuration.

Note that in a 64-bit environment (at least for IIS 7) the IIS Application Pool in use should have "Enable 32-bit Applications" set to "False". Otherwise the redirector will not be called and IIS returns an HTTP 404 status code. If you try the 32-bit version of isapi_redirect.dll instead, you will get an HTTP 500 status code, because the library cannot be loaded into a 64-bit IIS.

Registry settings

The ISAPI redirector reads its configuration from the registry. Create a new registry key named:

"HKEY_LOCAL_MACHINE\SOFTWARE\Apache Software Foundation\Jakarta Isapi Redirector\1.0"

Attributes described below as a "string value representing a boolean" can be set either using the numbers 0 (false) and 1 (true) as values, or off (false) and on (true), or any other string starting with the letters f (false), n (false), t (true) or y (true). The values are case-insensitive. In this documentation we will stick to false and true.

Attribute Description
extension_uri

A string value pointing to the ISAPI extension /jakarta/isapi_redirect.dll

log_file

A value pointing to the location where the log file will be created (for example c:\tomcat\logs\isapi.log).
If one of the log rotation settings (log_rotationtime or log_filesize) is specified, then the actual log file name is based on this setting. If the log file name includes any '%' characters, then it is treated as a format string for strftime(3), e.g. c:\tomcat\logs\isapi-%Y-%m-%d-%H_%M_%S.log. Otherwise, the suffix .nnnnnnnnnn is automatically added and is the time in seconds. A full list of format string substitutions can be found in the Apache rotatelogs documentation.

log_level

A string value for log level (can be debug, info, warn, error or trace).

This directive was added in version 1.2.31

log_rotationtime

The time between log file rotations in seconds. Setting this to 0 (the default) disables log rotation based on time.

This directive was added in version 1.2.31

log_filesize

The maximum log file size in megabytes, after which the log file will be rotated. Setting this to 0 (the default) disables log rotation based on file size.
The value can have an optional M suffix, i.e. both 5 and 5M will rotate the log file when it grows to 5MB.
If log_rotationtime is specified, then this setting is ignored.

worker_file

A string value which is the full path to workers.properties file (for example c:\tomcat\conf\workers.properties)

worker_mount_file

A string value which is the full path to uriworkermap.properties file (for example c:\tomcat\conf\uriworkermap.properties)

rewrite_rule_file

A string value which is the full path to rewrite.properties file (for example c:\tomcat\conf\rewrite.properties)

shm_size

A DWORD value giving the size of the shared memory. Set this value to the number of all defined workers * 400. (Set this value only if you have more than 64 workers.)

This directive has been added in version 1.2.20

Starting with version 1.2.27 the size of the shared memory is determined automatically, even for large numbers of workers. This attribute is not needed any longer.

worker_mount_reload

A DWORD value specifying the time in seconds upon which the worker_mount_file will be reloaded.

This directive has been added in version 1.2.20

strip_session

A string value representing a boolean. If it is set to true, URL session suffixes of the form ";jsessionid=..." get stripped off URLs if they are served locally by the web server.

The default value is false.

This directive has been added in version 1.2.21

auth_complete

A DWORD value representing "0" or "1". This is needed because of minor incompatibilities with IIS 5.1.

By default its value is 1, which means we use the SF_NOTIFY_AUTH_COMPLETE event. If you set this to 0, then we use SF_NOTIFY_PREPROC_HEADERS. This might be needed for IIS 5.1 when handling requests using the PUT HTTP method.

This directive has been added in version 1.2.21

uri_select

A string value which influences how URIs are decoded and re-encoded between IIS and Tomcat. You should leave this at its default value, unless you have a very good reason to change it.

If the value is "parsed", the forwarded URI will be decoded and explicit path components like ".." will already be resolved. This is less spec compliant and is not safe if you are using prefix forwarding rules.

If the value is "unparsed", the forwarded URI will be the original request URI. It's spec compliant and also the safest option. Rewriting the URI and then forwarding the rewritten URI will not work.

If the value is "escaped", the forwarded URI will be the re-encoded form of the URI used by "parsed". Explicit path components like ".." will already be resolved. This will not work in combination with URL encoded session IDs.

If the value is "proxy", the forwarded URI will be a partially re-encoded form of the URI used by "parsed". Explicit path components like ".." will already be resolved, and problematic characters are re-encoded.

The default value since version 1.2.24 is "proxy". Before it was "parsed".

reject_unsafe

A string value representing a boolean. If it is set to true, URLs still containing percent signs '%' or backslashes '\' after decoding will be rejected.

Most web apps do not use such URLs. By enabling reject_unsafe you can block several well known URL encoding attacks.

The default value is false.

This directive has been added in version 1.2.24
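
To gauge what enabling reject_unsafe would block before turning it on, the check can be approximated offline against request URIs taken from your IIS logs. This is an added example, not code from the redirector: it assumes a single percent-decoding pass over the path only (not the query string), and the function names and sample URIs are constructed for illustration.

```python
from urllib.parse import unquote_to_bytes, urlsplit

def unsafe_reason(request_uri):
    """Return why reject_unsafe would refuse this URI, or None if it passes."""
    path = urlsplit(request_uri).path   # assumption: the query string is not checked
    decoded = unquote_to_bytes(path)    # assumption: exactly one decoding pass
    if b"\\" in decoded:
        return "backslash after decoding"
    if b"%" in decoded:
        return "percent sign after decoding"
    return None

def impact_report(uris):
    """Map each URI that would be rejected to the reason for the rejection."""
    report = {}
    for uri in uris:
        reason = unsafe_reason(uri)
        if reason:
            report[uri] = reason
    return report

# Constructed sample request URIs, not taken from a real log.
SAMPLE_URIS = [
    "/examples/jsp/index.jsp",
    "/examples/jsp/hello%20world.jsp",    # single-encoded space: passes
    "/examples/jsp/hello%2520world.jsp",  # double-encoded: '%20' is left over
    "/examples/files/50%25-off.html",     # encoded literal percent sign
    "/examples/files/a%5Cb.txt",          # encoded backslash
    "/examples/files/bad%zzescape",       # malformed escape is left as '%zz' by this decoder
    "/examples/search?q=100%25",          # percent sign only in the query string
]

if __name__ == "__main__":
    for uri, reason in impact_report(SAMPLE_URIS).items():
        print(f"{reason:30} {uri}")
```

Any legitimate application URL that appears in the report would stop working with reject_unsafe set to true, so review those before enabling it.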

collapse_slashes

This option is deprecated as of 1.2.44 and will be ignored if used.

Before version 1.2.41 collapsing was never done. Starting with version 1.2.41 collapsing before looking for unmount matches is the default to prevent easy bypassing of unmount rules. As of 1.2.44, collapsing is always performed before looking for mount or unmount rules.

This directive has been added in version 1.2.41

watchdog_interval

A DWORD value representing the watchdog thread interval in seconds. The workers are maintained by a background thread that runs every watchdog_interval seconds. Worker maintenance checks for idle connections, corrects load status and is able to detect backend health status.

Maintenance only happens if at least worker.maintain seconds have passed since the last maintenance, so setting watchdog_interval much smaller than worker.maintain is not useful.

The default value is 0 seconds, meaning the watchdog thread will not be created, and the maintenance is done in combination with normal requests instead.

This directive has been added in version 1.2.27

error_page

A string value representing the URL to redirect to when the backend returns a non-200 response. This directive can be used to customise the error messages returned from the backend server.

The URL must point to a valid server URL and can contain a format string number (%d) that can be used to separate the pages by error number. In that case the redirect URL is formed by replacing %d in error_page with the returned error number.

This directive has been added in version 1.2.27

enable_chunked_encoding

A string value representing a boolean. If it is set to true, chunked encoding is supported by the server.

The default value is false.

This directive has been added in version 1.2.27. Until version 1.2.30 it was considered experimental and only available when a special build containing chunking support was used. Starting with 1.2.30 it is no longer considered experimental.

flush_packets

A string value representing a boolean. If it is set to true, data is flushed immediately to the client as each AJP packet is received. Otherwise, IIS buffers the data and only writes to the client when the buffer is full or the response is complete.

The default value is false.

This directive has been added in version 1.2.42

Using a properties file for configuration

The ISAPI redirector can read its configuration from a properties file instead of the registry. This has the advantage that you can use multiple ISAPI redirectors with independent configurations on the same server. The redirector will check for the properties file during initialisation, and use it in preference to the registry if present.

Create a properties file in the same directory as the ISAPI redirector called isapi_redirect.properties i.e. with the same name as the ISAPI redirector DLL but with a .properties extension. A sample isapi_redirect.properties can be found under the conf directory.

The property names and values in the properties file are the same as for the registry settings described above. For example:

# Configuration file for the Tomcat ISAPI Redirector

# The path to the ISAPI Redirector Extension, relative to the website
# This must be in a virtual directory with execute privileges
extension_uri=/jakarta/isapi_redirect.dll

# Full path to the log file for the ISAPI Redirector
log_file=c:\tomcat\logs\isapi_redirect.log

# Log level (debug, info, warn, error or trace)
log_level=info

# Full path to the workers.properties file
worker_file=c:\tomcat\conf\workers.properties

# Full path to the uriworkermap.properties file
worker_mount_file=c:\tomcat\conf\uriworkermap.properties

Notes:

  • Back-slashes - '\' - are not escape characters.
  • Comment lines begin with '#'.

Starting with version 1.2.27 two environment variables are automatically added to the environment that can be used inside .properties files.

  • JKISAPI_PATH - Full path to the ISAPI Redirector.
  • JKISAPI_NAME - Name of the ISAPI Redirector DLL without extension.

# Use the logs in the installation path of ISAPI Redirector
log_file=$(JKISAPI_PATH)\$(JKISAPI_NAME).log

Log file rotation

The ISAPI redirector with version 1.2.31 can perform log rotation, with configuration and behaviour similar to the rotatelogs program provided with Apache HTTP Server.

To configure log rotation, configure a log_file, and one of the log_rotationtime or log_filesize options. If both are specified, the log_rotationtime will take precedence, and log_filesize will be ignored.
For example, to configure daily rotation of the log file:

# Configuration file for the Tomcat ISAPI Redirector
...

# Full path to the log file for the ISAPI Redirector
log_file=c:\tomcat\logs\isapi_redirect.%Y-%m-%d.log

# Log level (debug, info, warn, error or trace)
log_level=info

# Rotate the log file every day
log_rotationtime=86400

...

Or to configure rotation of the log file when it reaches 5MB in size:

# Configuration file for the Tomcat ISAPI Redirector
...

# Full path to the log file for the ISAPI Redirector
log_file=c:\tomcat\logs\isapi_redirect.%Y-%m-%d-%H.log

# Log level (debug, info, warn, error or trace)
log_level=info

# Rotate the log file at 5 MB
log_filesize=5M

...

The log will be rotated whenever the configured limit is reached, but only if the log file name would change. If you configure a log file name with strftime(3) format codes in it, then ensure it specifies the same granularity as the rotation time configured, e.g. %Y-%m-%d if rotating daily (log_rotationtime=86400).
See the rotatelogs documentation for more examples.
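
The attribute descriptions and the log rotation rules above can be checked mechanically against an isapi_redirect.properties file. The following is an added example, not part of the Tomcat connectors project: the function names, the wording of the findings and the sample file are constructed for illustration, and unrecognised boolean strings are treated as false.

```python
import time

SAMPLE = r"""# Constructed isapi_redirect.properties for this example
extension_uri=/jakarta/isapi_redirect.dll
log_file=c:\tomcat\logs\isapi_redirect.%Y-%m-%d.log
log_rotationtime=3600
log_filesize=5M
uri_select=parsed
collapse_slashes=true
"""

def parse_properties(text):
    """key=value lines; '#' starts a comment line; '\\' is not an escape."""
    props = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def as_bool(value):
    """1, on, or a string starting with t/y is true; anything else is false here."""
    v = value.strip().lower()
    return v in ("1", "on") or v[:1] in ("t", "y")

def audit(props):
    findings = []
    if not as_bool(props.get("reject_unsafe", "false")):
        findings.append("reject_unsafe is false: URLs with '%' or '\\' after decoding are not rejected")
    if props.get("uri_select") == "parsed":
        findings.append("uri_select=parsed is not safe with prefix forwarding rules")
    if "collapse_slashes" in props:
        findings.append("collapse_slashes is deprecated as of 1.2.44 and ignored")
    rotation = int(props.get("log_rotationtime", "0"))
    if rotation and "log_filesize" in props:
        findings.append("log_filesize is ignored because log_rotationtime is set")
    name = props.get("log_file", "")
    if rotation and "%" in name:
        # The log only rotates if the formatted name changes between rotations.
        before = time.strftime(name, time.gmtime(0))
        after = time.strftime(name, time.gmtime(rotation))
        if before == after:
            findings.append("log_file name is coarser than log_rotationtime")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_properties(SAMPLE)):
        print("-", finding)
```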

Using simple rewrite rules

The ISAPI redirector with version 1.2.16 can do simple URL rewriting. Although not as powerful as Apache HTTP Server's mod_rewrite, it allows a simple exchange of request URIs.

The rule is in the form original-url-prefix=forward-url-prefix. For example:

# Simple rewrite rules, making examples
# available under shorter URLs
/jsp/=/examples/jsp/
/servlets/=/examples/servlets/

You can also use regular expressions, if you prefix the rule with a tilde ~:

# Complex rewrite rule, prefixing "/examples/"
# to the first path component of all requests
~/([^/]*)=/examples/$1

Note that uriworkermap.properties must use the URLs before rewriting.
