
This is the connector in server.xml:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150"
           SSLEnabled="true"
           scheme="https"
           compression="off"
           connectionTimeout="1190"
           address="0.0.0.0">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig>
        <Certificate certificateKeyFile="/etc/ssl/certs/private.key"
                     certificateFile="/etc/ssl/certs/public.pem" />
    </SSLHostConfig>
</Connector>

The goal with this connector is speed with HTTP2 and APR, along with HTTPS.

We installed tomcat native using the OS package tomcat-native.

Log output on startup:

INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR based Apache Tomcat Native library [1.2.16] using APR version [1.6.3].

INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].

INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]

Everything looks great, except for the useAprConnector [false].

So is APR actually doing anything?

I can't find anything in the relevant documentation:

https://tomcat.apache.org/tomcat-8.0-doc/config/http.html#SSL_Support

https://tomcat.apache.org/tomcat-8.0-doc/apr.html

atlas_scoffed

1 Answer


The current default in Tomcat 8.5 is to use the Java NIO connector with OpenSSL as the crypto engine. libtcnative is still required, which requires libapr, but the "APR Connector" itself is not being used.

That means that Tomcat is using a pure-Java connector with the OpenSSL engine for crypto. You get the benefits of OpenSSL's speed without some of the downsides of the APR connector itself.

IMO this is the best configuration option available to you, so you should leave it unless you have a compelling reason to use the APR connector explicitly.

If you really want to use the APR connector, then you will need to set the useAprConnector attribute on your AprLifecycleListener to true.

Christopher Schultz
  • Docs should contain everything, but I have a long history with Tomcat. If there is something specific you can't find, please post a complaint to the users mailing list and someone will try to correct it. – Christopher Schultz Apr 18 '18 at 13:46
  • In high traffic production environments shouldn't we use useAprConnector=true? – dv3 Jun 01 '18 at 20:14
  • @dv3 The NIO and NIO2 connectors are non-blocking for one additional scenario on top of APR. Non-blocking I/O will scale better in all environments, and provide better service in a high-traffic production environment. There is some discussion of dropping the APR connector in future versions because the performance benefit of APR was primarily due to the OpenSSL engine for TLS. Now that is available through the NIO connectors, so the APR connector no longer has a perceivable benefit. – Christopher Schultz Jun 02 '18 at 22:43
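
One way to check from the startup log which I/O layer and which TLS implementation each connector ended up with, so you know whether OpenSSL or the JVM's JSSE has to be patched for TLS fixes. This is an added example, not part of the original posts. The first three sample lines are the ones quoted in the question; the "Starting ProtocolHandler" line is constructed (not output from the asker's server) and assumes Tomcat's usual handler naming of scheme, TLS implementation, endpoint type, optional bind address and port.

```python
import re

# Flags printed by AprLifecycleListener, e.g. "useAprConnector [false]".
FLAG_RE = re.compile(r"\b(useAprConnector|useOpenSSL) \[(true|false)\]")
VERSION_RE = re.compile(
    r"Tomcat Native library \[([\d.]+)\] using APR version \[([\d.]+)\]")
# Handler names look like "https-openssl-nio-8443" or "http-nio-8080"; a bind
# address, when configured, sits between the endpoint type and the port.
HANDLER_RE = re.compile(
    r'Starting ProtocolHandler \["(https?)-(?:(openssl|jsse)-)?'
    r'(nio2|nio|apr)-(?:[^"]*-)?(\d+)"\]')

# First three lines: quoted in the question. Last line: constructed sample.
SAMPLE_LOG = """\
INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR based Apache Tomcat Native library [1.2.16] using APR version [1.6.3].
INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["https-openssl-nio-8443"]
"""

def summarize(log_text):
    """Collect native library versions, listener flags and started handlers."""
    info = {"native": None, "apr": None, "flags": {}, "handlers": []}
    for line in log_text.splitlines():
        m = VERSION_RE.search(line)
        if m:
            info["native"], info["apr"] = m.groups()
        for name, value in FLAG_RE.findall(line):
            info["flags"][name] = value == "true"
        m = HANDLER_RE.search(line)
        if m:
            scheme, tls, endpoint, port = m.groups()
            info["handlers"].append({"scheme": scheme, "tls": tls,
                                     "endpoint": endpoint, "port": int(port)})
    return info

def describe(handler):
    """Say which I/O layer and which TLS implementation a handler uses."""
    io = {"apr": "APR connector (native sockets)", "nio": "Java NIO connector",
          "nio2": "Java NIO2 connector"}[handler["endpoint"]]
    if handler["scheme"] != "https":
        return io + ", no TLS"
    tls = "OpenSSL via tomcat-native" if handler["tls"] == "openssl" else "JSSE"
    return io + ", TLS by " + tls

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(result["flags"])
    for h in result["handlers"]:
        print(h["port"], describe(h))
```

Run it against your own catalina log instead of SAMPLE_LOG; the handler line, not the listener flags, is what shows the connector that actually started.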