Question: Tomcat 9 with port 8080 listening only on 127.0.0.1, reverse-proxying to Apache 2.4 on Windows

Got it, let’s walk through setting this up properly. I’ve handled similar Spring MVC + Tomcat + Apache proxy setups before, so let’s break down your requirements one by one.

Step-by-Step Configuration Guide

1. Lock Down Tomcat’s 8080 Port to Localhost Only

First, make sure external machines can’t access Tomcat’s 8080 port directly. Open your Tomcat conf/server.xml file and update the 8080 Connector to explicitly listen only on 127.0.0.1:

<!-- address="127.0.0.1" restricts listening to localhost only -->
<Connector port="8080"
           address="127.0.0.1"
           protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />

Quick check: If there was an existing address attribute set to 0.0.0.0 (which lets all network interfaces connect), replace it with 127.0.0.1 to block external access.
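
The check from Step 1 as a script, added here as an example and not part of the original answer: it parses a server.xml and reports every Connector that is not bound to a loopback address. The sample XML, the function names and ports 8081 to 8083 are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from the original question).
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" address="127.0.0.1" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8081" protocol="HTTP/1.1" connectionTimeout="20000" />
    <Connector port="8082" address="0.0.0.0" protocol="HTTP/1.1" />
    <Connector port="8083" address="apphost" protocol="HTTP/1.1" />
  </Service>
</Server>
"""

def classify(address, protocol):
    """Classify one Connector binding as OK, EXPOSED or CHECK."""
    if address is None:
        if protocol.upper().startswith("AJP"):
            return "CHECK: AJP default binding depends on the Tomcat version"
        return "EXPOSED: no address attribute, listens on all interfaces"
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "CHECK: '%s' is a hostname, confirm what it resolves to" % address
    if ip.is_loopback:
        return "OK: loopback only"
    return "EXPOSED: bound to %s" % address

def audit_connectors(server_xml):
    """Return a (port, verdict) pair for every <Connector> element."""
    root = ET.fromstring(server_xml)
    return [
        (conn.get("port", "?"),
         classify(conn.get("address"), conn.get("protocol", "HTTP/1.1")))
        for conn in root.iter("Connector")
    ]

if __name__ == "__main__":
    for port, verdict in audit_connectors(SAMPLE_SERVER_XML):
        print("port %s: %s" % (port, verdict))
```

To audit a real installation, pass the contents of conf/server.xml to audit_connectors instead of the sample string.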

2. Configure Tomcat as Reverse Proxy to Your Windows Apache 2.4

Tomcat can act as a reverse proxy, but we need to enable two key components: the ProxyHandler to forward requests, and the RemoteIpValve to preserve client info (super important for Spring Security to handle logins correctly).

2.1 Set Up Proxy in Tomcat’s Config

You have two options here, depending on whether you want to use the 8080 port for proxying or keep it separate for your Spring app:

Option A: Use 8080 for Proxying (Single Connector)

Modify the 8080 Connector in server.xml to include proxy details, then add proxy mappings in conf/context.xml (or your app’s META-INF/context.xml):

First, update the Connector:

<!-- proxyName: e.g., internal-apache.local -->
<!-- proxyPort: use Apache's listening port, usually 80 -->
<Connector port="8080"
           address="127.0.0.1"
           protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
           proxyName="your-private-apache-servername"
           proxyPort="80"
           scheme="http" />

Then add the proxy handler and IP valve to your context file:

<Context>
  <!-- Keep any existing context config here -->
  
  <!-- Preserve original client IP/protocol for Spring Security -->
  <Valve className="org.apache.catalina.valves.RemoteIpValve"
         internalProxies="127\.0\.0\.1"
         remoteIpHeader="X-Forwarded-For"
         protocolHeader="X-Forwarded-Proto" />
  
  <!-- Forward all requests to your Windows Apache -->
  <Handler className="org.apache.catalina.handlers.ProxyHandler">
    <Proxy proxyName="your-private-apache-servername" proxyPort="80">
      <Path urlPattern="/*" />
    </Proxy>
  </Handler>
</Context>

Option B: Separate Proxy Connector (Two Connectors)

If you want to keep 8080 dedicated to your Spring app, add a second Connector (e.g., port 8081) that handles proxying—still locked to localhost:

<!-- Existing 8080 Connector (locked to localhost) -->
<Connector port="8080"
           address="127.0.0.1"
           protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />

<!-- New Proxy Connector, also localhost-only -->
<Connector port="8081"
           address="127.0.0.1"
           protocol="HTTP/1.1"
           connectionTimeout="20000"
           proxyName="your-private-apache-servername"
           proxyPort="80"
           scheme="http" />

Then add the same RemoteIpValve and ProxyHandler to the context of the app using the 8081 port, or globally in conf/context.xml.

2.2 Prepare Your Windows Apache 2.4 to Accept Proxy Requests

On your Windows Apache, enable the necessary proxy modules and set up a VirtualHost for your private ServerName:

  1. Open httpd.conf and enable these modules (uncomment them if they’re commented out):

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so

  2. Add a VirtualHost block for your private ServerName (replace placeholders with your actual details):

<VirtualHost *:80>
    ServerName your-private-apache-servername
    DocumentRoot "C:/path/to/your/apache/web-content"

    # Optional: Restrict access to only Tomcat's localhost (127.0.0.1)
    <Directory "C:/path/to/your/apache/web-content">
        Require ip 127.0.0.1
    </Directory>
</VirtualHost>

Pro tip: If your private ServerName isn’t resolvable locally, add an entry to your Windows hosts file (C:\Windows\System32\drivers\etc\hosts):

127.0.0.1 your-private-apache-servername

3. Fix Spring Security Login Redirect Issues

Since your app is behind a proxy, Spring Security might get confused about redirect URLs. Here’s how to fix that:

If Using Java Configuration

Add these beans to your Spring Security config class:

import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.web.filter.ForwardedHeaderFilter;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class SecurityConfig {

    // Handle proxy headers to preserve original request info
    @Bean
    public ForwardedHeaderFilter forwardedHeaderFilter() {
        return new ForwardedHeaderFilter();
    }

    // Make login redirects use proxy-aware URLs
    @Bean
    public LoginUrlAuthenticationEntryPoint loginUrlAuthenticationEntryPoint() {
        LoginUrlAuthenticationEntryPoint entryPoint = new LoginUrlAuthenticationEntryPoint("/login");
        entryPoint.setUseForwardHeaders(true);
        return entryPoint;
    }

    // Add your existing Spring Security rules here...
}

If Using XML Configuration

Update your security config XML to enable forward headers:

<security:http>
    <!-- Your existing config (intercept-url, etc.) -->
    <security:form-login login-page="/login" use-forward-headers="true" />
    <security:headers>
        <security:frame-options policy="SAMEORIGIN" />
    </security:headers>
</security:http>

Critical note: Make sure Tomcat’s RemoteIpValve (from Step 2.1) is correctly set up—this ensures Spring gets the right client IP and protocol headers.
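
What internalProxies="127\.0\.0\.1" means for the forwarded headers, shown as an added example that is not part of the original answer: a simplified Python model of how RemoteIpValve chooses the client address. The function name and the sample addresses are constructed; the real valve also rewrites the proxies header and the request scheme, which this model leaves out.

```python
import re

# Same pattern as the internalProxies attribute of the Valve in Step 2.1.
INTERNAL_PROXIES = re.compile(r"127\.0\.0\.1")

def resolve_client_ip(peer_addr, xff_header, internal=INTERNAL_PROXIES, trusted=None):
    """Simplified model of how RemoteIpValve picks the client address.

    Returns (remote_ip, remaining_xff). The header is honoured only when the
    TCP peer itself matches internalProxies or trustedProxies.
    """
    peer_is_internal = bool(internal.fullmatch(peer_addr))
    peer_is_trusted = bool(trusted and trusted.fullmatch(peer_addr))
    if not (peer_is_internal or peer_is_trusted):
        return peer_addr, xff_header      # header ignored and left untouched
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    remote_ip = None
    idx = len(hops) - 1
    while idx >= 0:                       # walk from the right (nearest hop)
        remote_ip = hops[idx]
        idx -= 1
        if internal.fullmatch(remote_ip):
            continue                      # our own proxy, skip it
        if trusted and trusted.fullmatch(remote_ip):
            continue                      # trusted external proxy, skip it
        break                             # first untrusted hop is the client
    if remote_ip is None:
        return peer_addr, None            # the proxy sent no header
    remaining = ", ".join(hops[:idx + 1]) or None
    return remote_ip, remaining

if __name__ == "__main__":
    # Constructed cases: (TCP peer, X-Forwarded-For value)
    cases = [
        ("127.0.0.1", "203.0.113.7"),           # normal proxied request
        ("198.51.100.9", "10.0.0.1"),           # direct peer, header not trusted
        ("127.0.0.1", "1.2.3.4, 203.0.113.7"),  # client-supplied left entry
    ]
    for peer, xff in cases:
        print(peer, "|", xff, "->", resolve_client_ip(peer, xff))
```

The third case shows why the pattern should match only your own proxy: entries a client prepends to X-Forwarded-For are never selected as long as the rightmost untrusted hop was appended by a proxy you control.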

4. Test Your Setup

  1. Start your Windows Apache 2.4 first.
  2. Start Tomcat 9.
  3. From the local machine, access http://127.0.0.1:8080 (or your proxy port like 8081)—you should see your Apache content, and your Spring app’s login page should load without redirect loops or missing styles.
  4. Test external access: Try hitting Tomcat’s public IP on port 8080 from another machine—it should be unreachable (use telnet <public-ip> 8080 or a browser to confirm).

Troubleshooting Tips

  • If proxying fails, check Tomcat’s logs/catalina.out for errors related to ProxyHandler or RemoteIpValve.
  • Verify that Apache’s private ServerName is reachable from Tomcat (ping it to confirm).
  • For Spring Security login issues, use browser dev tools to check if X-Forwarded-For and X-Forwarded-Proto headers are present in requests to the login page.

The question in this content comes from Stack Exchange; question author: TheBitMuncher
