EN
Spring Boot 2 - example APR native library configuration with Tomcat 9 (Http11AprProtocol + upgrade to HTTP2)
6 points
In this article, we would like to show how in simple way configure APR native library with Spring Boot 2 (Tomcat 9).
Motivation to use APR native libraries is better connection management performance.
Using the below configuration you can:
- use APR native library with Tomcat 9 (under Spring Boot 2 application),
- enable HTTPS (or HTTP),
- enable HTTP2 support,
- enable HTTP/HTTPS conpression (gzip or brotli),
- use only
*.pemcertificate and private key when APR is enabled.
Repository: GutHub
The application was run using:
Run the command:
xxxxxxxxxx1
apt-get install libtcnative-1 # or: apt-get install libapr1-dev libssl-dev2
# or: apt-get install libapr1.0-dev libssl-dev- download native libaries (download link 1, download link 2 or direct link)
- extract
tomcat-native-2.0.3-openssl-3.0.8-win32-bin.ziparchive, - paste extracted directory into
C:\Program Filesdirectory (or:C:\Program Files (x86)).
It is necessary to add additional configurations to the application.properties file and paste TomcatAprConfig.java file into your web application configurations.
application.properties file:
xxxxxxxxxx1
# ...2
3
4
server.tomcat.apr.enabled=true5
6
server.ssl.enabled=true7
server.http2.enabled=true8
9
10
# Required for Http11AprProtocol with *.pem files (only if server.tomcat.apr.enabled=true)11
#12
# Use the OpenSSL command to generate own key store:13
# openssl.exe req -x509 -newkey rsa:4096 -keyout private_key.pem -out public_certificate.pem -days 365 -nodes -subj '/CN=localhost'14
#15
#16
server.ssl.public-certificate=classpath:certificates/public_certificate.pem17
server.ssl.private-key=classpath:certificates/private_key.pem18
19
20
# Required for Http11NioProtocol with JKS (only if server.tomcat.apr.enabled=false)21
#22
# Use the Java CLI command to generate own key store:23
# keytool -genkey -keyalg RSA -alias my-application -keystore keystore.jks -storepass P@$$word -validity 3650 -keysize 204824
#25
#26
# server.ssl.key-store=classpath:certificates/keystore.jks27
# server.ssl.key-store-password=P@$$word28
29
30
# Required for Http11NioProtocol with P12 (only if server.tomcat.apr.enabled=false)31
#32
# Use the OpenSSL command to convert *.pem files to *.p12 file:33
# openssl pkcs12 -export -in public_certificate.pem -inkey private_key.pem -out keystore.p12 -name my-application34
#35
#36
# server.ssl.key-store-type=PKCS1237
# server.ssl.key-store=classpath:certificates/keystore.p1238
# server.ssl.key-store-password=P@$$word39
# server.ssl.key-alias=my-application40
41
42
server.compression.enabled=true43
server.compression.min-response-size=204844
server.compression.mime-types=text/html,text/xml,text/plain,text/css,text/javascript,application/javascript,application/json,application/xml45
46
47
# ...
TomcatAprConfig.java file:
xxxxxxxxxx1
package com.example.config;2
3
import org.apache.catalina.LifecycleListener;4
import org.apache.catalina.core.AprLifecycleListener;5
import org.apache.coyote.http11.Http11AprProtocol;6
import org.apache.coyote.http2.Http2Protocol;7
import org.apache.tomcat.util.buf.StringUtils;8
import org.springframework.beans.factory.annotation.Value;9
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;10
import org.springframework.boot.autoconfigure.web.ServerProperties;11
import org.springframework.boot.web.embedded.tomcat.TomcatConnectorCustomizer;12
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;13
import org.springframework.boot.web.server.Ssl;14
import org.springframework.context.annotation.Bean;15
import org.springframework.context.annotation.Configuration;16
import org.springframework.core.io.Resource;17
import org.springframework.core.io.ResourceLoader;18
19
import java.io.File;20
import java.io.IOException;21
import java.util.Arrays;22
import java.util.Collections;23
import java.util.List;24
25
26
(name = "server.tomcat.apr.enabled", havingValue = "true")27
public class TomcatAprConfig {28
29
// properties30
31
("${server.ssl.enabled:#{true}}")32
private Boolean sslEnabled;33
34
("${server.http2.enabled:#{false}}")35
private Boolean http2Enabled;36
37
("${server.ssl.key-store-type:#{null}}")38
private String keyStoreType;39
40
("${server.ssl.key-store:#{null}}")41
private String keyStorePath;42
43
("${server.ssl.key-store-password:#{null}}")44
private String keyStorePassword;45
46
("${server.ssl.key-alias:#{null}}")47
private String keyAlias;48
49
("${server.ssl.public-certificate:#{null}}")50
private String publicCertificatePath;51
52
("${server.ssl.private-key:#{null}}")53
private String privateKeyPath;54
55
("${server.compression.enabled:#{false}}")56
private Boolean compressionEnabled;57
58
("${server.compression.min-response-size:#{2048}}")59
private Integer compressionMinSize;60
61
("${server.compression.mime-types:text/html,text/xml,text/plain,text/css,text/javascript,application/javascript,application/json,application/xml}")62
private String compressionMimeTypes;63
64
// public methods65
66
(name = "tomcatServletWebServerFactory")67
public TomcatServletWebServerFactory createServerFactory(ServerProperties serverProperties, ResourceLoader resourceLoader) {68
// This configuration is used to improve client connection performance by using native libraries.69
if (this.keyStoreType != null || this.keyStorePath != null || this.keyStorePassword != null || this.keyAlias != null) {70
throw new RuntimeException("Tomcat APR configuration can not be uses with server.ssl.key-store-type, server.ssl.key-store, server.ssl.key-store-password and server.ssl.key-alias properties (Use server.ssl.public-certificate and server.ssl.private-key properties with PEM format)");71
}72
TomcatServletWebServerFactory serverFactory = new TomcatServletWebServerFactory() {73
74
public Ssl getSsl() {75
return null; // null returned to stop the default SSL customizer76
}77
};78
serverFactory.setProtocol("org.apache.coyote.http11.Http11AprProtocol"); // the protocol that will enable APR79
serverFactory.setContextLifecycleListeners(this.createLifecycleListeners());80
serverFactory.setTomcatConnectorCustomizers(this.createConnectorCustomizers(serverProperties, resourceLoader));81
return serverFactory;82
}83
84
// private methods85
86
private List<AprLifecycleListener> createLifecycleListeners() {87
AprLifecycleListener lifecycleListener = new AprLifecycleListener();88
return Collections.singletonList(lifecycleListener);89
}90
91
private List<TomcatConnectorCustomizer> createConnectorCustomizers(ServerProperties serverProperties, ResourceLoader resourceLoader) {92
TomcatConnectorCustomizer connectorCustomizer = tomcatConnector -> {93
Http11AprProtocol aprProtocol = (Http11AprProtocol) tomcatConnector.getProtocolHandler();94
// we are able to force to disable even server.ssl.* properties are defined95
if (this.sslEnabled) {96
if (this.publicCertificatePath == null) {97
throw new RuntimeException("Public certificate path is not configured.");98
}99
if (this.privateKeyPath == null) {100
throw new RuntimeException("Private key path is not configured.");101
}102
Ssl connectionSsl = serverProperties.getSsl();103
String[] connectionCiphers = connectionSsl.getCiphers();104
String[] connectionProtocols = connectionSsl.getEnabledProtocols();105
tomcatConnector.setSecure(true);106
tomcatConnector.setScheme("https");107
aprProtocol.setSSLEnabled(true);108
if (connectionProtocols != null && connectionProtocols.length > 0) {109
aprProtocol.setSslEnabledProtocols(this.joinStrings(connectionProtocols));110
}111
if (connectionCiphers != null && connectionCiphers.length > 0) {112
aprProtocol.setCiphers(this.joinStrings(connectionCiphers));113
}114
try {115
aprProtocol.setSSLCertificateFile(this.resolvePath(resourceLoader, this.publicCertificatePath));116
aprProtocol.setSSLCertificateKeyFile(this.resolvePath(resourceLoader, this.privateKeyPath));117
} catch (Exception ex) {118
throw new RuntimeException(ex);119
}120
if (this.compressionEnabled) {121
if (this.http2Enabled) {122
Http2Protocol http2Protocol = new Http2Protocol();123
http2Protocol.setCompression("on");124
http2Protocol.setCompressibleMimeType(this.compressionMimeTypes);125
http2Protocol.setCompressionMinSize(this.compressionMinSize);126
tomcatConnector.addUpgradeProtocol(http2Protocol);127
} else {128
aprProtocol.setCompression("on");129
aprProtocol.setCompressibleMimeType(this.compressionMimeTypes);130
aprProtocol.setCompressionMinSize(this.compressionMinSize);131
}132
} else {133
if (this.http2Enabled) {134
tomcatConnector.addUpgradeProtocol(new Http2Protocol());135
}136
}137
} else {138
tomcatConnector.setSecure(false);139
tomcatConnector.setScheme("http");140
aprProtocol.setSSLEnabled(false);141
if (this.compressionEnabled) {142
aprProtocol.setCompression("on");143
aprProtocol.setCompressibleMimeType(this.compressionMimeTypes);144
aprProtocol.setCompressionMinSize(this.compressionMinSize);145
}146
}147
};148
return Collections.singletonList(connectorCustomizer);149
}150
151
private String joinStrings(String[] strings) {152
List<String> list = Arrays.asList(strings);153
return StringUtils.join(list, ',');154
}155
156
private String resolvePath(ResourceLoader loader, String path) throws IOException {157
Resource resource = loader.getResource(path);158
try {159
File file = resource.getFile();160
return file.getAbsolutePath();161
} catch (Exception ex) {162
throw new IOException("Absolute '" + path + "' path resolving error.", ex);163
}164
}165
}
Run the command:
xxxxxxxxxx1
mvn clean packageNote: consider to use absolute paths to certificates and do not store them inside
*.jarfile.
Depending on operating system we need to indicate where APR libaries are installed.
Run the command:
xxxxxxxxxx1
java -Djava.library.path="/usr/lib/x86_64-linux-gnu" -jar my-application.jarNote: be sure the APR is installed in
/usr/lib/x86_64-linux-gnudirectory.
Run the command:
xxxxxxxxxx1
java -Djava.library.path="C:\\Program Files\\tomcat-native-2.0.3-openssl-3.0.8-win32-bin\\bin\\x64" -jar my-application.jarNote: use
C:\\Program Files\\tomcat-native-2.0.3-openssl-3.0.8-win32-bin\\binpath under x86.