When Apache OFBiz® is deployed in a production environment, it should never be exposed directly to public internet traffic. Apache OFBiz runs on Tomcat, an application server that operates on a private IP address and is designed to process business logic, not to handle raw internet traffic. Without a web server in front of it, users would need to access OFBiz directly through Tomcat’s port, which is neither secure nor practical for a live deployment.
This is where Apache HTTP Server comes in. It acts as the middleman between the outside world and OFBiz. Apache HTTP Server sits on the public-facing side, receives requests from users on the public IP, and forwards them internally to the OFBiz Tomcat server running on the private IP. Users interact only with Apache HTTP Server and never communicate with Tomcat directly. To establish this forwarding between Apache HTTP Server and Tomcat, a connector must be configured.
There are three connectors available for this purpose: mod_jk, mod_proxy_ajp, and mod_proxy_http. Each connector uses a different method to pass requests from Apache HTTP Server through to Tomcat and on to OFBiz. This guide covers all three, explaining what each one does and providing a complete configuration walkthrough so that the right connector can be selected and set up for the deployment at hand.
This guide is specific to server-based and on-premise deployments. If Apache OFBiz is being deployed on a cloud platform such as AWS, GCP, or Azure, the role of Apache HTTP Server is typically fulfilled by a managed load balancer instead. On AWS, for example, an Application Load Balancer (ALB) can receive public traffic and forward it directly to OFBiz running on ECS or EC2, with no Apache HTTP Server or connector configuration required. The connector-based approach covered in this guide remains relevant for traditional infrastructure, but teams deploying to the cloud can evaluate their provider’s native load balancing services as a simpler alternative.
For a detailed look at how HotWax Systems approaches cloud infrastructure for Apache OFBiz, refer to "How Our DevOps Team Designs Scalable and Secure Cloud Infrastructure for Apache OFBiz".
Apache HTTP Server and Apache OFBiz are two independent pieces of software. Apache HTTP Server is a web server: its role is to listen for requests arriving from the internet and decide how to handle them. Apache OFBiz is an application server: it runs the business logic of the system, managing operations such as orders, inventory, and supply chain processes. The two do not communicate with each other automatically. A connector is what makes that communication possible.
A connector is a configuration layer that instructs Apache HTTP Server to forward incoming requests to OFBiz’s Tomcat server using a specific protocol, and to return Tomcat’s responses back to the user. Without this connector in place, Apache HTTP Server has no way of knowing that OFBiz exists, and the two systems operate in complete isolation from each other.
To illustrate this with an analogy: Apache HTTP Server is the receptionist at the front desk of an organisation. Every visitor arrives at reception and states their request. The receptionist does not handle the request personally but routes it to the appropriate internal department, which in this case is Apache OFBiz running on Tomcat. The response then travels back through the receptionist to the visitor. The connector is the internal communication line that makes this handoff possible. Without it, the receptionist has no means of reaching the department, and no request can be fulfilled.
Before diving into setup steps, here is what each connector actually does:
All three achieve the same goal. Use mod_jk if you need fine-grained load-balancing control. Use mod_proxy_ajp for a simpler AJP setup. Use mod_proxy_http if you prefer HTTP-based proxying or if AJP is locked down in your environment.
This guide assumes:
mod_jk is the classic connector. It has been around since the early days of Tomcat and is still widely used. It requires a bit more configuration but gives you detailed control over how requests are routed.
Start by updating your package list and installing the required packages:
```bash
sudo apt update
sudo apt install apache2 libapache2-mod-jk -y
```
This installs both Apache HTTP Server and the mod_jk module in one go.
Enable mod_jk along with the proxy modules:
```bash
sudo a2enmod jk
sudo a2enmod proxy
sudo a2enmod proxy_ajp
sudo systemctl restart apache2
```
The workers.properties file tells mod_jk where Apache OFBiz (Tomcat) is running. Create it at:
```bash
sudo nano /etc/apache2/mods-enabled/workers.properties
```
Add the following content:
```properties
worker.list=ofbiztesting
worker.ofbiztesting.type=ajp13
worker.ofbiztesting.host=localhost
worker.ofbiztesting.port=8009
```
This defines a worker named "ofbiztesting" that connects to Tomcat on port 8009 using the AJP 1.3 protocol.
Open the jk.conf file and update the JkWorkersFile path:
```bash
sudo nano /etc/apache2/mods-available/jk.conf
```
Change the JkWorkersFile line from:
```apache
JkWorkersFile /etc/libapache2-mod-jk/workers.properties
```
To:
```apache
JkWorkersFile /etc/apache2/mods-enabled/workers.properties
```
Create the SSL virtual host file for your domain. This tells Apache to accept traffic on ports 80 and 443 and forward it to Apache OFBiz:
```apache
<VirtualHost ${SERVER_LAN_IP}:80>
    Include vhosts.d/includes/ofbiztesting.hotwaxsystems.com.conf
</VirtualHost>

<VirtualHost ${SERVER_LAN_IP}:443>
    Include vhosts.d/includes/ofbiztesting.hotwaxsystems.com.conf
    SSLEngine on
    # Add your SSL certificate paths here
</VirtualHost>
```
Then create the included conf file with the actual routing rules:
```apache
ServerName ofbiztesting.hotwaxsystems.com
DocumentRoot /var/www/domains/.../htdocs
ErrorLog .../logs/error_log
RewriteEngine On
# Forward every request path to the worker defined in workers.properties
JkMount /* ofbiztesting
ErrorDocument 502 "Site under maintenance"
```
The `JkMount /* ofbiztesting` line is what does the routing. It tells Apache to forward all requests to the worker named ofbiztesting, which we defined in workers.properties.
```bash
sudo apachectl configtest
sudo systemctl reload apache2
```
The configtest will tell you if there are any syntax errors before you reload. Always run it first.
Apache is now ready to forward requests, but Apache OFBiz needs to be configured to listen for them over AJP. Open:
```
/opt/ofbiz/framework/catalina/ofbiz-component.xml
```
Inside the catalina-container section, verify or add this AJP connector block:
```xml
<property name="ajp-connector" value="connector">
    <property name="address" value="j2ee.ofbiztesting.hotwaxsystems.com"/>
    <property name="port" value="8009"/>
    <property name="protocol" value="AJP/1.3"/>
    <property name="scheme" value="http"/>
    <property name="secure" value="false"/>
    <property name="URIEncoding" value="UTF-8"/>
</property>
```
Apache OFBiz validates incoming host headers for security. You need to allow your domain explicitly:
```bash
sudo nano /opt/ofbiz/framework/security/config/security.properties
```
Add at the bottom:
```properties
host-headers-allowed=localhost,127.0.0.1,ofbiztesting.hotwaxsystems.com
```
```bash
./gradlew cleanAll loadAll
./gradlew ofbiz
```
cleanAll loadAll resets and reloads seed data. On subsequent starts you can skip cleanAll and just run ./gradlew ofbiz.
If mod_jk feels like too many moving parts, mod_proxy_ajp is the cleaner alternative. It uses Apache's built-in proxy capabilities, so there is no extra module to install. You still get AJP, just without the workers.properties file.
```bash
sudo a2enmod proxy proxy_ajp
```
In your SSL virtual host configuration, replace the JkMount directive with these ProxyPass lines:
```apache
ProxyPreserveHost On
ProxyRequests Off
ProxyPass / ajp://j2ee.ofbiztesting.hotwaxsystems.com:8009/
ProxyPassReverse / ajp://j2ee.ofbiztesting.hotwaxsystems.com:8009/
```
ProxyPreserveHost On ensures the original Host header is passed through to Apache OFBiz. Without it, Apache OFBiz might not recognize the incoming domain. ProxyRequests Off prevents Apache from acting as a forward proxy, which is a security must.
The Apache OFBiz side is identical to mod_jk. Configure the AJP connector in ofbiz-component.xml, whitelist your hostname in security.properties, and start Apache OFBiz with ./gradlew ofbiz. Refer to Steps 7, 8, and 9 from Option 1 above.
This option skips AJP entirely. Instead of a binary protocol, Apache forwards requests to Apache OFBiz over HTTPS. This is useful in environments where AJP is disabled or if you want end-to-end encryption all the way to Tomcat.
```bash
sudo a2enmod proxy proxy_http
```
This configuration is slightly more involved because you are proxying over SSL. Add these directives to your virtual host:
```apache
SSLProxyEngine On
ProxyRequests Off
ProxyPreserveHost On
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire Off
ProxyPass / https://j2ee.ofbiztesting.hotwaxsystems.com:8443/
ProxyPassReverse / https://j2ee.ofbiztesting.hotwaxsystems.com:8443/
```
The SSLProxyVerify none and related directives tell Apache not to validate Apache OFBiz's self-signed certificate. In production, you should use a proper CA-signed certificate and remove these relaxed settings.
Unlike the AJP options, this connector points to Apache OFBiz's HTTPS port (8443). In ofbiz-component.xml, configure the https-connector block:
```xml
<property name="https-connector" value="connector">
    <property name="address" value="j2ee.ofbiztesting.hotwaxsystems.com"/>
    <property name="port" value="8443"/>
    <property name="protocol" value="HTTP/1.1"/>
    <property name="scheme" value="https"/>
    <property name="secure" value="true"/>
    <property name="SSLEnabled" value="true"/>
    <property name="URIEncoding" value="UTF-8"/>
    <!-- SSL certificate configuration -->
    <property name="certificateKeystoreFile" value="framework/base/config/ofbizssl.jks"/>
    <property name="certificateKeyAlias" value="ofbiz"/>
    <property name="certificateKeyPassword" value="changeit"/>
</property>
```
Apache OFBiz ships with a default keystore at framework/base/config/ofbizssl.jks. For production, replace it with a proper certificate.
Same as before. Add your domain to host-headers-allowed in security.properties, then run ./gradlew cleanAll loadAll and ./gradlew ofbiz.
Here is a quick comparison to help you decide:
| Connector | Protocol | Extra Module Needed? | Best For |
|---|---|---|---|
| mod_jk | AJP | Yes (libapache2-mod-jk) | Detailed load-balancing, legacy setups |
| mod_proxy_ajp | AJP | No | Simpler AJP setup, modern Apache |
| mod_proxy_http | HTTPS | No | No AJP, end-to-end SSL, stricter environments |
All three connectors remain in active use and none are deprecated for Apache HTTP Server 2.4 with Tomcat 9 or above. mod_jk received a maintenance release as recently as August 2024, while mod_proxy_ajp and mod_proxy_http ship directly with Apache HTTP Server and require no additional installation.
Key limitations to be aware of:
● mod_jk requires a separate module installation and a workers.properties file, adding configuration overhead relative to the built-in proxy modules.
● mod_jk and mod_proxy_ajp both use AJP, which transmits data as cleartext internally. This is safe on a private network, but an exposed AJP port carries real risk. CVE-2020-1938 (Ghostcat) demonstrated this. Modern Tomcat versions mitigate this with a required secret attribute on the AJP connector.
● mod_proxy_http avoids AJP entirely but introduces additional SSL processing overhead on both sides of the connection.
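The relaxed `SSLProxy*` directives from the mod_proxy_http option and the AJP shared secret mentioned in the limitations above can both be checked mechanically before a deployment goes live. The script below is an added example, not part of the original guide or of Apache OFBiz; its function names and sample inputs are constructed, and it assumes the secret is set through the `secret=` ProxyPass parameter (mod_proxy_ajp) or the `worker.<name>.secret` property (mod_jk).

```python
# Added example: audits the connector settings discussed in this guide.
RELAXED_TLS = {"sslproxyverify": "none", "sslproxycheckpeercn": "off",
               "sslproxycheckpeername": "off", "sslproxycheckpeerexpire": "off"}

def audit_vhost(text):
    """Return (line_no, finding) pairs for one Apache vhost or include file."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        name, args = parts[0].lower(), [a.lower() for a in parts[1:]]
        if name in RELAXED_TLS and args[:1] == [RELAXED_TLS[name]]:
            findings.append((no, f"{parts[0]} {args[0]}: backend certificate check disabled"))
        elif name == "proxyrequests" and args[:1] == ["on"]:
            findings.append((no, "ProxyRequests On: forward proxying enabled"))
        elif name == "proxypass" and len(args) >= 2 and args[1].startswith("ajp://"):
            if not any(a.startswith("secret=") for a in args[2:]):
                findings.append((no, "AJP ProxyPass has no secret= parameter"))
    return findings

def audit_workers(text):
    """Return names of ajp13 workers in workers.properties that set no secret."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    ajp = {k.split(".")[1] for k, v in props.items()
           if k.startswith("worker.") and k.endswith(".type") and v == "ajp13"}
    return sorted(w for w in ajp if not props.get(f"worker.{w}.secret"))

# Constructed sample inputs modelled on the directives shown in this guide.
SAMPLE_VHOST = """\
ProxyRequests Off
# constructed sample, combines both proxy options for illustration
SSLProxyEngine On
SSLProxyVerify none
SSLProxyCheckPeerName off
ProxyPass / ajp://j2ee.ofbiztesting.hotwaxsystems.com:8009/
"""
SAMPLE_WORKERS = "worker.list=ofbiztesting\nworker.ofbiztesting.type=ajp13\n"

if __name__ == "__main__":
    for no, finding in audit_vhost(SAMPLE_VHOST):
        print(f"vhost line {no}: {finding}")
    print("ajp13 workers without secret:", audit_workers(SAMPLE_WORKERS))
```

An empty result from both functions means none of the relaxed settings covered here were found; it does not confirm that the Tomcat side is configured with a matching secret.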
For teams considering alternatives outside the Apache HTTP Server ecosystem, Nginx and HAProxy are both widely adopted options for reverse proxying and load balancing in front of OFBiz. Within Apache HTTP Server, mod_proxy_ajp remains the most practical starting point for most deployments.