Reverse proxy
This guide describes how to run Pure behind a reverse proxy server.
Apache HTTP Server is used as the proxy using the AJP protocol in this guide, but any proxy can be used with the normal HTTP protocol.
This is the recommended way to have Pure accessible on port 80 on Unix systems, and it is also easier to set up HTTPS in Apache HTTP Server than directly in Tomcat.
Prerequisites
A working Pure installation.
A working Apache HTTP Server with the following modules enabled: mod_proxy and mod_proxy_ajp.
Tomcat configuration
Make sure that the connector for the AJP protocol is enabled in the Tomcat server.xml and that URIEncoding is set to UTF-8:
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" URIEncoding="UTF-8" redirectPort="8443" />
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" URIEncoding="UTF-8" secure="true" />
It can also be a good idea to keep the HTTP connector, as that makes it possible to bypass the proxy and access Tomcat directly for troubleshooting.
If Pure is accessed through a non-AJP proxy server, there is a chance that Pure will see the IP address of the proxy server instead of the actual client IP address. To address this, configure the remote IP valve in Tomcat. The documentation for the valve is available here: https://tomcat.apache.org/tomcat-8.5-doc/config/valve.html#Proxies_Support. See Other proxy servers below.
Apache HTTP Server configuration
In your Apache HTTP Server config you should add the following lines to enable the proxy connection to Tomcat.
Change localhost to the IP / DNS of the Tomcat server if it is running on a different server than the Apache HTTP Server.
This example will forward everything to the Tomcat server.
ProxyRequests Off
ProxyPass / ajp://localhost:8009/
ProxyPassReverse / ajp://localhost:8009/
You can also specify each Pure webapp so that only those URLs are forwarded to Tomcat.
ProxyRequests Off
ProxyPass /admin ajp://localhost:8009/admin
ProxyPassReverse /admin ajp://localhost:8009/admin
 
ProxyPass /ws ajp://localhost:8009/ws
ProxyPassReverse /ws ajp://localhost:8009/ws
 
ProxyPass /portal ajp://localhost:8009/portal
ProxyPassReverse /portal ajp://localhost:8009/portal
If you are running Apache HTTP Server on Windows, it can be necessary to add the following to httpd.conf.
AcceptFilter http none
AcceptFilter https none
The default is
AcceptFilter http data
AcceptFilter https data
Virtual host examples
Some full Apache HTTP Server virtual host examples.
Single Tomcat with one connector
This example will proxy one Tomcat server with one connector, and it will redirect Pure admin and ws from HTTP to HTTPS and Pure portal from HTTPS to HTTP.
# SSLStaplingCache is only allowed in the global server config, not inside <VirtualHost>
SSLStaplingCache shmcb:/var/run/ocsp(128000)
 
<VirtualHost *:443>
    ServerName pure.atira.dk
    ServerAdmin webmaster@atira.dk
    DocumentRoot /var/www
 
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/pure.atira.dk.crt
    SSLCertificateKeyFile /etc/apache2/ssl/pure.atira.dk.key
    SSLCACertificateFile /etc/apache2/ssl/ca_issues_intermediate_cert.crt
 
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    SSLHonorCipherOrder on
    SSLCompression off
    SSLSessionTickets off
 
    # OCSP Stapling, only in httpd 2.3.3 and later
    SSLUseStapling on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
 
    # HSTS (mod_headers is required) (15768000 seconds = 6 months)
    Header always set Strict-Transport-Security "max-age=15768000"
 
    LogLevel Warn
    ErrorLog /var/logs/apache2/pure.atira.dk_error.log
    CustomLog /var/logs/apache2/pure.atira.dk_access.log combined
 
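    RewriteEngine on
    # Send /portal from HTTPS back to HTTP. A browser that has stored the HSTS
    # policy set above requests https:// again, so for it this redirect repeats.
    RewriteCond %{REQUEST_URI} ^/(portal).*
    RewriteRule ^/?(.*) http://pure.atira.dk/$1 [R,L]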
 
    ProxyRequests Off
    ProxyPass / ajp://localhost:8009/
    ProxyPassReverse / ajp://localhost:8009/
</VirtualHost>
 
<VirtualHost *:80>
    ServerName pure.atira.dk
    ServerAdmin webmaster@atira.dk
    DocumentRoot /var/www
 
    LogLevel Warn
    ErrorLog /var/logs/apache2/pure.atira.dk_error.log
    CustomLog /var/logs/apache2/pure.atira.dk_access.log combined
 
    RewriteEngine on
    RewriteCond %{REQUEST_URI} ^/(admin|ws).*
    RewriteRule ^/?(.*) https://pure.atira.dk/$1 [R,L]
 
    ProxyRequests Off
    ProxyPass / ajp://localhost:8009/
    ProxyPassReverse / ajp://localhost:8009/
</VirtualHost>
Multiple Tomcats / Multiple Connectors
This example will proxy either multiple Tomcats or one Tomcat with multiple connectors. It also has a limit on how many connections are allowed to the Pure ws webapp, and it shows the maintenance.xhtml page if Pure is down.
It will also send /admin and /ws from HTTP to HTTPS, and everything else that is not /portal or /static will be sent to /portal.
For HTTPS, everything that is not /admin, /ws, or /static is sent to /portal on HTTP.
# SSLStaplingCache is only allowed in the global server config, not inside <VirtualHost>
SSLStaplingCache shmcb:/var/run/ocsp(128000)
 
<VirtualHost *:443>
    ServerName pure.atira.dk
    ServerAdmin webmaster@atira.dk
    DocumentRoot /var/www
 
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/pure.atira.dk.crt
    SSLCertificateKeyFile /etc/apache2/ssl/pure.atira.dk.key
    SSLCACertificateFile /etc/apache2/ssl/ca_issues_intermediate_cert.crt
 
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    SSLHonorCipherOrder on
    SSLCompression off
    SSLSessionTickets off
 
    # OCSP Stapling, only in httpd 2.3.3 and later
    SSLUseStapling on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
 
    # HSTS (mod_headers is required) (15768000 seconds = 6 months)
    Header always set Strict-Transport-Security "max-age=15768000"
 
    LogLevel Warn
    ErrorLog /var/logs/apache2/pure.atira.dk_error.log
    CustomLog /var/logs/apache2/pure.atira.dk_access.log combined
 
    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/(admin|ws|static).*
    RewriteRule ^/?(.*) http://pure.atira.dk/portal/ [R,L]
 
    ProxyRequests Off
    # Pure Admin
    ProxyPass /admin ajp://localhost:8010/admin
    ProxyPassReverse /admin ajp://localhost:8010/admin
    # Pure WS, limited to 20 connections to Tomcat
    ProxyPass /ws ajp://localhost:8011/ws max=20
    ProxyPassReverse /ws ajp://localhost:8011/ws
    # Show maintenance page if Pure is down
    ProxyErrorOverride on
    ErrorDocument 503 /static/maintenance.html
</VirtualHost>
 
<VirtualHost *:80>
    ServerName pure.atira.dk
    ServerAdmin webmaster@atira.dk
    DocumentRoot /var/www
 
    LogLevel Warn
    ErrorLog /var/logs/apache2/pure.atira.dk_error.log
    CustomLog /var/logs/apache2/pure.atira.dk_access.log combined
 
    RewriteEngine on
    RewriteCond %{REQUEST_URI} ^/(admin|ws).*
    RewriteRule ^/?(.*) https://pure.atira.dk/$1 [R,L]
    RewriteCond %{REQUEST_URI} !^/(portal|static).*
    RewriteRule ^/?(.*) http://pure.atira.dk/portal/ [R,L]
 
    ProxyRequests Off
    ProxyPass /portal ajp://localhost:8009/portal
    ProxyPassReverse /portal ajp://localhost:8009/portal
    # Show maintenance page if Pure is down
    ProxyErrorOverride on
    ErrorDocument 503 /static/maintenance.html
</VirtualHost>
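The routing described for the multiple-connector virtual hosts can be traced hop by hop. The following is an added example, not part of the original guide: a simplified Python model of the rewrite and proxy rules above (path matching only, query strings ignored) that follows redirects as a browser would, with and without a stored HSTS policy; the function names are illustrative.

```python
import re
from urllib.parse import urlsplit

HOST = "pure.atira.dk"  # host name from the virtual hosts above

def under(path, prefix):
    # ProxyPass-style prefix match on a path segment boundary
    return path == prefix or path.startswith(prefix + "/")

def vhost_decision(url):
    """Return (action, target) for one request, per the rules above."""
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.scheme == "https":                       # <VirtualHost *:443>
        if not re.match(r"^/(admin|ws|static).*", path):
            return ("redirect", f"http://{HOST}/portal/")
        backends = {"/admin": 8010, "/ws": 8011}
    else:                                             # <VirtualHost *:80>
        if re.match(r"^/(admin|ws).*", path):
            return ("redirect", f"https://{HOST}{path}")
        if not re.match(r"^/(portal|static).*", path):
            return ("redirect", f"http://{HOST}/portal/")
        backends = {"/portal": 8009}
    for prefix, port in backends.items():
        if under(path, prefix):
            return ("proxy", f"ajp://localhost:{port}{path}")
    return ("local", path)                            # served from DocumentRoot

def follow(url, hsts_stored=False, max_hops=6):
    """Follow redirects as a browser would; returns (decision, hops)."""
    hops = []
    for _ in range(max_hops):
        if hsts_stored and url.startswith("http://"):
            # A stored HSTS policy rewrites http:// to https:// before sending.
            url = "https://" + url[len("http://"):]
        hops.append(url)
        action, target = vhost_decision(url)
        if action != "redirect":
            return (action, target), hops
        url = target
    return ("loop", url), hops

if __name__ == "__main__":
    for start, hsts in [("http://pure.atira.dk/admin", False),
                        ("https://pure.atira.dk/", False),
                        ("http://pure.atira.dk/portal/", True)]:
        print(start, "hsts" if hsts else "no-hsts", follow(start, hsts))
```

A browser stores the HSTS policy after any HTTPS response from the host, for example after visiting /admin. From then on its requests for /portal never reach the HTTP virtual host, so the HTTPS-to-HTTP redirect repeats until the browser gives up.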
Other proxy servers
To access Pure through a reverse proxy other than Apache with AJP, you need to send the traffic to the HTTP connector (running on port 8080 by default). You also need to configure the RemoteIpValve in the Host section of the Tomcat server.xml.
Example RemoteIpValve configuration:
<Valve className="org.apache.catalina.valves.RemoteIpValve" internalProxies="192\.168\.1\.20" />
The internalProxies property should contain the IP of the proxy server.
Make sure that the proxy server sends the X-Forwarded-For and X-Forwarded-Proto headers; otherwise Pure may not function correctly.
Example:
X-Forwarded-For: <client IP>
X-Forwarded-Proto: https
We also recommend adding the requestAttributesEnabled="true" property to the AccessLogValve so the Tomcat access log logs the remote IP instead of the proxy server IP.
See https://tomcat.apache.org/tomcat-8.5-doc/config/valve.html#Proxies_Support for additional information on how to configure Tomcat with a reverse proxy.
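How the valve turns the proxy address and the X-Forwarded-For header into the client IP that Pure sees is easier to follow with concrete values. The following is an added example, not part of the original guide and not Tomcat's own code: a simplified Python model of that choice, using the internalProxies value from the example above; all other addresses, the over-broad expression and the function names are constructed for illustration.

```python
import re

def resolve_remote_ip(peer_addr, xff_header, internal_proxies):
    """Simplified model of the client-IP choice made by RemoteIpValve.

    peer_addr        -- address of the TCP peer that connected to Tomcat
    xff_header       -- raw X-Forwarded-For value, or None if absent
    internal_proxies -- the valve's internalProxies regular expression
    Returns (remote_ip, remaining_xff).
    """
    proxy_re = re.compile(internal_proxies)

    def is_proxy(ip):
        # The whole address has to match the expression, not a substring.
        return proxy_re.fullmatch(ip) is not None

    # A header sent by a peer that is not a listed proxy is ignored.
    if not is_proxy(peer_addr):
        return peer_addr, xff_header

    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    remote_ip = None
    # Walk from the right: the last entry was appended by the nearest proxy.
    while hops:
        remote_ip = hops.pop()
        if not is_proxy(remote_ip):
            break  # first address that is not a proxy: the client
    return (remote_ip or peer_addr), ", ".join(hops)

PAGE_VALUE = r"192\.168\.1\.20"   # internalProxies from the example above
TOO_BROAD = r".*"                 # constructed misconfiguration

def demo():
    # All client and peer addresses below are constructed sample values.
    return {
        "via_proxy": resolve_remote_ip("192.168.1.20", "203.0.113.7", PAGE_VALUE),
        "client_prepended_fake": resolve_remote_ip("192.168.1.20", "10.0.0.1, 203.0.113.7", PAGE_VALUE),
        "direct_to_8080": resolve_remote_ip("198.51.100.9", "10.0.0.1", PAGE_VALUE),
        "too_broad": resolve_remote_ip("198.51.100.9", "10.0.0.1", TOO_BROAD),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22} -> {result}")
```

With internalProxies limited to the proxy's own address, a header value supplied by the client is never used as the remote IP; with an expression that matches every address, it is, which is why the property should list only the proxy server.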
Additional information
You can find additional information about reverse proxies and Tomcat here