New Admins: Register for our new Pure Lecture Series!
Pure's logos
Pure Help Center for Pure Administrators

If you are a researcher, or other non-admin at your institution, click here.

  • Home
  • Announcements
  • Release Notes
  • Technical user guides
  • Training
  • Events
  • Support
  • Contact Us
  • Home
  • Training
  • Technical user guides
  • Pure installation and upgrade guide (self-hosted customers only)

How Can We Help?

Search Results

Filter By Category

Contact Us

If you still have questions or prefer to get help directly from an agent, please submit a request.
We’ll get back to you as soon as possible.

Contact us

Reverse proxyReverse proxy

This guide describes how to run Pure behind a reverse proxy server.

Apache HTTP Server is used as the proxy using the AJP protocol in this guide, but any proxy can be used with the normal HTTP protocol.

This is the recommended way to have Pure accessible on port 80 on Unix systems, and it is also easier to setup HTTPS in Apache HTTP Server than directly in Tomcat.

Prerequisites

A working Pure installation.

A working Apache HTTP Server with the following modules enabled: mod_proxy and mod_proxy_ajp.

Tomcat configuration

Make sure that the connector for the AJP protocol is enabled in the Tomcat server.xml and that the URIEncoding is set to UTF-8

<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" URIEncoding="UTF-8" redirectPort="8443" />
 <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" URIEncoding="UTF-8" secure="true" />

It can also be a good idea to keep the HTTP connector as that makes it possible to bypass the proxy and access the Tomcat directly for troubleshooting.

If Pure is access through a non-ajp proxy server there is a chance that Pure will see the IP address of the proxy server instead of the actual client IP address. To address this configure the remote IP valve in Tomcat. The documentation for the valve are available here: https://tomcat.apache.org/tomcat-8.5-doc/config/valve.html#Proxies_Support. See Other proxy servers below.

 

Apache HTTP Server configuration

In your Apache HTTP Server config you should add the following lines to enable the proxy connection to Tomcat.

Change localhost to the IP / DNS of the Tomcat server if it is running on a different server than the Apache HTTP Server.

This example will forward everything to the Tomcat server.

ProxyRequests Off
ProxyPass / ajp://localhost:8009/
ProxyPassReverse / ajp://localhost:8009/

You can also specify each Pure webapp so only those URL's are forwarded to the Tomcat.

ProxyRequests Off
ProxyPass /admin ajp://localhost:8009/admin
ProxyPassReverse /admin ajp://localhost:8009/admin
 
ProxyPass /ws ajp://localhost:8009/ws
ProxyPassReverse /ws ajp://localhost:8009/ws
 
ProxyPass /portal ajp://localhost:8009/portal
ProxyPassReverse /portal ajp://localhost:8009/portal

If you are running Apache HTTP Server on Windows, it can be necessary to add the following to http.conf.

AcceptFilter http none
AcceptFilter https none

The default is

AcceptFilter http data
AcceptFilter https data

Link: https://httpd.apache.org/docs/2.4/mod/core.html

 

 

Virtual host examples

Some full Apache HTTP Server virtual hosts examples

Single Tomcat with one connector

This example will proxy one Tomcat server with one connector, and it will redirect Pure admin and ws from HTTP to HTTPS and Pure portal from HTTP to HTTPS.

<VirtualHost *:443>
    ServerName pure.atira.dk
    ServerAdmin webmaster@atira.dk
    DocumentRoot /var/www
 
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/pure.atira.dk.crt
    SSLCertificateKeyFile /etc/apache2/ssl/pure.atira.dk.key
    SSLCACertificateFile /etc/apache2/ssl/ca_issues_intermediate_cert.crt
  
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    SSLHonorCipherOrder on
    SSLCompression off
    SSLSessionTickets off
 
    # OCSP Stapling, only in httpd 2.3.3 and later
    SSLUseStapling on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
    SSLStaplingCache shmcb:/var/run/ocsp(128000)
 
    # HSTS (mod_headers is required) (15768000 seconds = 6 months)
    Header always set Strict-Transport-Security "max-age=15768000"
 
    LogLevel Warn
    ErrorLog /var/logs/apache2/pure.atira.dk_error.log
    CustomLog /var/logs/apache2/pure.atira.dk_access.log combined
 
    RewriteEngine on
    RewriteCond %{REQUEST_URI} ^/(portal).*
    RewriteRule ^/?(.*) http://pure.atira.dk/$1 [R,L]
 
    ProxyRequests Off
    ProxyPass / ajp://localhost:8009/
    ProxyPassReverse / ajp://localhost:8009/
</VirtualHost>
 
<VirtualHost *:80>
    ServerName pure.atira.dk
    ServerAdmin webmaster@atira.dk
    DocumentRoot /var/www
 
    LogLevel Warn
    ErrorLog /var/logs/apache2/pure.atira.dk_error.log
    CustomLog /var/logs/apache2/pure.atira.dk_access.log combined
 
    RewriteEngine on
    RewriteCond %{REQUEST_URI} ^/(admin|ws).*
    RewriteRule ^/?(.*) https://pure.atira.dk/$1 [R,L]
 
    ProxyRequests Off
    ProxyPass / ajp://localhost:8009/
    ProxyPassReverse / ajp://localhost:8009/
</VirtualHost>

Multiple Tomcats / Multiple Connectors

This example will proxy either multiple Tomcats or one Tomcat with multiple connectors.  It also has a limit on how many connections is allowed to the Pure ws webapp, and it shows the maintenance.xhtml page if Pure is down.

It will also send /admin and /ws from HTTP to HTTPS, and everything else that is not /portal or /static will be sent to /portal.

For HTTPS everything that is not /admin, /ws, or /static is sent to /portal on HTTP

<VirtualHost *:443>
    ServerName pure.atira.dk
    ServerAdmin webmaster@atira.dk
    DocumentRoot /var/www
 
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/pure.atira.dk.crt
    SSLCertificateKeyFile /etc/apache2/ssl/pure.atira.dk.key
    SSLCACertificateFile /etc/apache2/ssl/ca_issues_intermediate_cert.crt
 
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    SSLHonorCipherOrder on
    SSLCompression off
    SSLSessionTickets off
 
    # OCSP Stapling, only in httpd 2.3.3 and later
    SSLUseStapling on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
    SSLStaplingCache shmcb:/var/run/ocsp(128000)
 
    # HSTS (mod_headers is required) (15768000 seconds = 6 months)
    Header always set Strict-Transport-Security "max-age=15768000"
 
    LogLevel Warn
    ErrorLog /var/logs/apache2/pure.atira.dk_error.log
    CustomLog /var/logs/apache2/pure.atira.dk_access.log combined
 
    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/(admin|ws|static).*
    RewriteRule ^/?(.*) http://pure.atira.dk/portal/ [R,L]
 
    ProxyRequests Off
    # Pure Admin
    ProxyPass /admin ajp://localhost:8010/admin
    ProxyPassReverse /admin ajp://localhost:8010/admin
    # Pure WS, limited to 20 connections to Tomcat
    ProxyPass /ws ajp://localhost:8011/ws max=20
    ProxyPassReverse /ws ajp://localhost:8011/ws
    # Show maintenance page if Pure is down
    ProxyErrorOverride on
    ErrorDocument 503 /static/maintenance.html
</VirtualHost>
 
<VirtualHost *:80>
    ServerName pure.atira.dk
    ServerAdmin webmaster@atira.dk
    DocumentRoot /var/www
 
    LogLevel Warn
    ErrorLog /var/logs/apache2/pure.atira.dk_error.log
    CustomLog /var/logs/apache2/pure.atira.dk_access.log combined
 
    RewriteEngine on
    RewriteCond %{REQUEST_URI} ^/(admin|ws).*
    RewriteRule ^/?(.*) https://pure.atira.dk/$1 [R,L]
    RewriteCond %{REQUEST_URI} !^/(portal|static).*
    RewriteRule ^/?(.*) http://pure.atira.dk/portal/ [R,L]
 
    ProxyRequests Off
    ProxyPass /portal ajp://localhost:8009/portal
    ProxyPassReverse /portal ajp://localhost:8009/portal
    # Show maintenance page if Pure is down
    ProxyErrorOverride on
    ErrorDocument 503 /static/maintenance.html
</VirtualHost>

Other proxy servers

To access Pure through another reverse proxy than Apache and AJP, you need to send the traffic to the HTTP connector (running on port 8080 by default). You also need to configure the RemoteIpValve in the Host section of the Tomcat server.xml. 

Example RemoteIpValve configuration:

<Valve className="org.apache.catalina.valves.RemoteIpValve" internalProxies="192\.168\.1\.20" />

The internalProxies property should contain the IP of the proxy server.

 

Make sure that the Proxy server sends the X-Forwarded-For and X-Forwarded-Proto headers, otherwise Pure may not function correctly.

Example:

X-Forwarded-For: <client IP>
X-Forwarded-Proto: https

We also recommend adding the requestAttributesEnabled="true" property to the AccessLogValve  so the Tomcat access log logs the remote IP instead of the proxy server IP.

See https://tomcat.apache.org/tomcat-8.5-doc/config/valve.html#Proxies_Support for additional information on how to configure Tomcat with a reverse proxy.

 

 

Additional information

You can find additional information about reverse proxies and Tomcat here

  • Apache mod_proxy
  • Apache mod_proxy_ajp
  • Tomcat 8 Proxy HOW-TO
  • Apache Tomcat Connectors
  • IIS HowTo

Published at November 08, 2023

Download
Table of Contents
  1. Prerequisites
  2. Tomcat configuration
  3. Apache HTTP Server configuration
  4. Virtual host examples
  5. Single Tomcat with one connector
  6. Multiple Tomcats / Multiple Connectors
  7. Other proxy servers
  8. Additional information
Related Articles
  • Development, Test, or Production mode
  • Manual Pure deployment on Linux
  • Monitor Pure
Keywords
  • reverse proxy
  • proxy server

Was this article helpful?

Yes
No
Give feedback about this article

    About Pure

  • Announcements

    Additional Support

  • Events
  • Client Community
  • Training

    Need Help?

  • Contact Us
  • Submit a Support Case
  • My Cases
  • Linkedin
  • Twitter
  • Facebook
  • Youtube
Elsevier logo Relx logo

Copyright © 2025 Elsevier, except certain content provided by third parties.

  • Terms & Conditions Terms & Conditions
  • Privacy policyPrivacy policy
  • AccesibilityAccesibility
  • Cookie SettingsCookie Settings
  • Log in to Pure Help CenterLog in to Helpjuice Center

Knowledge Base Software powered by Helpjuice

Expand