Running a Tomcat application alongside Apache on the same server is a common requirement — you want JSP/Java apps on standard port 80/443 but Tomcat runs on 8080. mod_proxy bridges the gap cleanly.
The Architecture
Apache handles all incoming requests on port 80. Requests matching your JSP app’s path are proxied internally to Tomcat on port 8080. From the outside, it looks like a single web server. Tomcat never needs to be exposed publicly.
Enable mod_proxy
sudo a2enmod proxy
sudo a2enmod proxy_http
sudo systemctl reload apache2
Configure the Virtual Host
<VirtualHost *:80>
ServerName yourjspapp.com
# Proxy all traffic to Tomcat
ProxyPreserveHost On
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
# Or proxy only a specific path
# ProxyPass /app http://localhost:8080/yourapp
# ProxyPassReverse /app http://localhost:8080/yourapp
ErrorLog ${APACHE_LOG_DIR}/jsp_error.log
CustomLog ${APACHE_LOG_DIR}/jsp_access.log combined
</VirtualHost>
Secure Tomcat — Block Direct Access
Once Apache is proxying, block direct access to Tomcat’s port to prevent bypassing your Apache configuration:
# Allow only localhost to connect to Tomcat
sudo ufw deny 8080
# Or with iptables:
sudo iptables -A INPUT -p tcp --dport 8080 -s 127.0.0.1 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 8080 -j DROP
SSL Termination at Apache
With this setup, SSL is handled entirely by Apache. Let’s Encrypt works normally with Certbot — Tomcat needs no SSL configuration. Simpler, and certificates are managed in one place.
Troubleshooting
- Check
error.log— most issues are configuration typos or Tomcat not running - Verify Tomcat is listening:
ss -tlnp | grep 8080 - Test internal proxy:
curl http://localhost:8080 - Check
AllowOverridesettings if .htaccess isn’t working