Maxhttpheadersize Tomcat 8

Posted onby admin

Apache Portable Runtime (APR) based Native library for Tomcat

Table of Contents

For Linux Tomcat 7 and Tomcat 8.5 cannot be deployed on the same port i.e. 8080, 8005 and 8009, so if you have Footprints installed which is prior to 20.18.03 that requires Tomcat 7 for deployment, when upgrading to the latest Footprints that requires Tomcat 8.5, Ports of Tomcat 7 needs to be changed to some other ports that are not in use. MaxHttpHeaderSize='32768' redirectPort='8443' / (Optional) Configure additional connectors. You might want to connect from your front end load balancer with a different protocol, like AJP, or you might want to terminate TLS directly in Tomcat. In our spring-boot app, we have set the tomcat server's max-http-header-size value to a higher number, e.g. 64K, to accommodate larger HTTP GET requests with lot of values in query parameter. Default value varies between 2K and 8K. We use spring-boot 1.3.8.RELEASE, where the property to set this is server.tomcat.max-http-header-size.

  • Installation
  • APR Connectors Configuration


Tomcat can use the Apache Portable Runtime to provide superior scalability, performance, and better integration with native server technologies. The Apache Portable Runtime is a highly portable library that is at the heart of Apache HTTP Server 2.x. APR has many uses, including access to advanced IO functionality (such as sendfile, epoll and OpenSSL), OS level functionality (random number generation, system status, etc), and native process handling (shared memory, NT pipes and Unix sockets).

These features allows making Tomcat a general purpose webserver, will enable much better integration with other native web technologies, and overall make Java much more viable as a full fledged webserver platform rather than simply a backend focused technology.


APR support requires three main native components to be installed:

  • APR library
  • JNI wrappers for APR used by Tomcat (libtcnative)
  • OpenSSL libraries


Windows binaries are provided for tcnative-1, which is a statically compiled .dll which includes OpenSSL and APR. It can be downloaded from here as 32bit or AMD x86-64 binaries. In security conscious production environments, it is recommended to use separate shared dlls for OpenSSL, APR, and libtcnative-1, and update them as needed according to security bulletins. Windows OpenSSL binaries are linked from the Official OpenSSL website (see related/binaries).


Most Linux distributions will ship packages for APR and OpenSSL. The JNI wrapper (libtcnative) will then have to be compiled. It depends on APR, OpenSSL, and the Java headers.


  • APR 1.2+ development headers (libapr1-dev package)
  • OpenSSL 1.0.2+ development headers (libssl-dev package)
  • JNI headers from Java compatible JDK 1.4+
  • GNU development environment (gcc, make)

The wrapper library sources are located in the Tomcat binary bundle, in the bin/tomcat-native.tar.gz archive. Once the build environment is installed and the source archive is extracted, the wrapper library can be compiled using (from the folder containing the configure script):

Maxkeepaliverequests Tomcat 8

APR Components

Once the libraries are properly installed and available to Java (if loading fails, the library path will be displayed), the Tomcat connectors will automatically use APR. Configuration of the connectors is similar to the regular connectors, but have a few extra attributes which are used to configure APR components. Note that the defaults should be well tuned for most use cases, and additional tweaking shouldn't be required.

Maxhttpheadersize Tomcat 9

When APR is enabled, the following features are also enabled in Tomcat:

  • Secure session ID generation by default on all platforms (platforms other than Linux required random number generation using a configured entropy)
  • OS level statistics on memory usage and CPU usage by the Tomcat process are displayed by the status servlet

APR Lifecycle Listener Configuration

APR Connectors Configuration

Maxhttpheadersize Tomcat 8 Server.xml



For HTTP configuration, see the HTTP connector configuration documentation.

Maxhttpheadersize Tomcat 8 Free

For HTTPS configuration, see the HTTPS connector configuration documentation.

An example SSL Connector declaration is:


Tomcat Packet Size

For AJP configuration, see the AJP connector configuration documentation.

Notice: This comments section collects your suggestions on improving documentation for Apache Tomcat.
If you have trouble and need help, read Find Help page and ask your question on the tomcat-users mailing list. Do not ask such questions here. This is not a Q&A section.
The Apache Comments System is explained here. Comments may be removed by our moderators if they are either implemented or considered invalid/off-topic.

Tomcat Connector Config

On Sun, Sep 30, 2012 at 6:21 AM, Konstantin Kolinko
<[hidden email]> wrote:
> In Tomcat each request processor has a byte buffer and all the headers
> must fit into that buffer.
Thanks so much for the detailed response. I have a couple more questions:
1) When a request is rejected for being too large, is there any
logging that happens or can happen in Tomcat?
2) Apache httpd will accept a request-line of 8190 bytes.
Additionally, each header line can have a maximum length of 8190
bytes. With the default maximum of 100 request fields, this means that
httpd will accept a header of up to (101 * 8190) = 827,190 bytes in
Let's say I'm fronting Tomcat with Apache, and I set maxHttpHeaderSize
to 827,190 bytes so that they have the same limit.
Is a byte array of that size going to be allocated for each incoming
request, regardless of how short or long it actually is?
And, in a worst-case scenario, if all of Tomcat's default 200 threads
receive headers of 827,190 bytes at the same time, I'm looking at
about 166 megabytes of memory allocated on the heap. Is that accurate?
(I think I have enough memory to handle this; GC might be a little
much, though).
For the record, I'm not seriously expecting headers of this size on a
regular basis, but wondering about the edge cases.
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]