Tip

Using open source tools to monitor Apache Web Server performance

Organizations view their websites as a mission-critical part of daily operations. To keep critical business functions operating at peak performance, Linux systems administrators need a variety of tools to help them monitor their Web servers easily and efficiently.

The following three open source tools can go a long way toward helping Linux system administrators fully understand their Web server’s performance capabilities, potential security issues and visitor demographics:



1) Benchmark performance with Apache Bench. The best way to resolve unexpected performance degradation is to ensure it never occurs in the first place. A utility called Apache Bench—also known as ab—can be used to benchmark a Web server’s performance and optimize its configuration.

Apache Bench’s command-line interface is easy to use, allowing systems admins to define the number of concurrent requests that should occur when testing performance, a POST payload or the name of an output file containing useful performance results. Below, you can see how to check the performance of GameNomad’s staging server, which can offer some insight into the comparative performance of the website running on the production server:

This test will issue a total of 1,000 requests, performing 10 requests concurrently:

$ ab -c 10 -n 1000 http://stage.gamenomad.com/
...
Benchmarking stage.gamenomad.com (be patient)
Completed 100 requests
Completed 200 requests
...
Completed 900 requests
Completed 1000 requests
Finished 1000 requests
 
Server Software:        Apache/2.2.17
Server Hostname:        stage.gamenomad.com
Server Port:            80
 
Document Path:          /
Document Length:        9654 bytes
 
Concurrency Level:      10
Time taken for tests:   376.074 seconds
Complete requests:      1000
Failed requests:        8
   (Connect: 0, Receive: 0, Length: 8, Exceptions: 0)
Write errors:           0
Total transferred:      9988344 bytes
HTML transferred:       9596168 bytes
Requests per second:    10.91 [#/sec] (mean)
Time per request:       916.872 [ms] (mean)
Time per request:       91.687 [ms] (mean, across all concurrent requests)
Transfer rate:          106.58 [Kbytes/sec] received
 
Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:       88   96   9.7     94     151
Processing:   320  739 496.8    491    2640
Waiting:      221  629 494.2    376    2539
Total:        413  835 495.6    587    2735
 
Percentage of the requests served within a certain time (ms)
  50%    587
  66%    729
  75%    942
  80%   1528
  90%   1672
  95%   1761
  98%   1924
  99%   2735
 100%   2735 (longest request)

Among the information returned is the Connection Times section, which breaks down the mean total connection time into its constituent parts—connection, waiting and processing—and helps to identify potential bottlenecks.

Although there are no specific best practice metrics that can be applied to every situation, faster is better. Users will not stick around when page downloads are slow.

After making improvements, run ab again, preferably multiple times, and compare the results with the original. Think about comparing not only the connection times but also the percentage of requests served within a certain time. Running ab from a remote server will mimic a real-world environment as closely as possible.
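One way to automate that comparison, as an added example that is not part of the original tip: the Python below parses two ab reports and lists every figure that got worse, which catches the case where the mean improves while the slowest requests get slower. The AFTER figures, the function names and the 5% tolerance are assumptions made for illustration.

```python
import re

# Constructed sample input: BEFORE reuses figures from the run above; AFTER is invented.
BEFORE = """\
Complete requests:      1000
Failed requests:        8
Requests per second:    10.91 [#/sec] (mean)
Total:        413  835 495.6    587    2735
  50%    587
  99%   2735
"""
AFTER = """\
Complete requests:      1000
Failed requests:        0
Requests per second:    14.80 [#/sec] (mean)
Total:        398  661 402.3    512    3310
  50%    512
  99%   3310
"""

def parse_ab(report):
    """Pull the figures worth comparing out of ab's text report."""
    def grab(pattern, cast):
        m = re.search(pattern, report, re.M)
        return cast(m.group(1)) if m else None
    stats = {"complete": grab(r"^Complete requests:\s+(\d+)", int),
             "failed": grab(r"^Failed requests:\s+(\d+)", int),
             "rps": grab(r"^Requests per second:\s+([\d.]+)", float)}
    # Connection Times rows read: min, mean, sd, median, max (ms); keep the mean.
    for name, vals in re.findall(r"^(Connect|Processing|Waiting|Total):([\d. \t]+)$", report, re.M):
        stats[name.lower() + "_mean"] = float(vals.split()[1])
    for pct, ms in re.findall(r"^\s*(\d+)%\s+(\d+)", report, re.M):
        stats[f"p{pct}"] = int(ms)
    return stats

def regressions(before, after, tolerance=0.05):
    """Map metric -> (before, after) for figures that got worse; assumes the same -n and -c."""
    worse = {}
    for key, b in before.items():
        a = after.get(key)
        if key == "complete" or a is None or b is None:
            continue
        # Throughput should rise; failures, mean times and percentiles should fall.
        bad = a < b * (1 - tolerance) if key == "rps" else a > b * (1 + tolerance)
        if bad:
            worse[key] = (b, a)
    return worse

if __name__ == "__main__":
    print(regressions(parse_ab(BEFORE), parse_ab(AFTER)))
```

With the sample data, throughput, failures, mean and median all improve, yet the 99th percentile is reported as a regression.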

2) Assess server security with Nikto. The typical website resembles an electronic version of the medieval castle, with barbarians constantly pounding at the gate. The difference is that a website is global in scale, so chances are fairly high that an automated script or some other contrivance is making a concerted attack on your Web server’s defenses.

In addition to taking proactive steps, such as staying abreast of the latest security patches, it makes sense to put yourself in the place of potential attackers and scan your own server for possible security issues.

A tool for this is Nikto, which is an open source scanner that probes for thousands of known vulnerabilities pertaining to the operating system, Web server and software installations. Nikto is Perl-based and runs on all operating systems—Windows included. Once installed, scanning a website is as simple as invoking Nikto with the name of the server you’d like to scan:

$ nikto -h dev.gamenomad.com

Although performing a complete scan isn’t a bad idea, remember that Nikto places comprehensiveness ahead of other factors. That means it will perform thousands of consecutive requests.

Because of that, you may want to filter Nikto’s default scanning range. Choose a specific vulnerability that might have been introduced while a third-party package was being integrated. To check for the ability to perform known SQL injection attacks and the visibility of installed software, supply the 7 and b values to the -T flag, respectively:

$ nikto -h dev.gamenomad.com -T 7b
- Nikto v2.1.1
---------------------------------------------------------------------------
+ Target IP:          127.0.0.1
+ Target Hostname:    dev.gamenomad.com
+ Target Port:        80
+ Start Time:         2011-08-03 13:05:22
---------------------------------------------------------------------------
+ Server: Apache/2.2.17 (Ubuntu)
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Retrieved X-Powered-By header: PHP/5.3.5-1ubuntu7.2
+ DEBUG HTTP verb may show server debugging information.
See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ 21 items checked: 2 item(s) reported on remote host
+ End Time:           2011-08-03 13:07:59 (157 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Keep in mind that Nikto is capable of scanning only for known SQL injection attacks reported in conjunction with third-party software. It cannot detect SQL injection attacks introduced within a custom application.

A complete list of vulnerability options is available in the Nikto documentation, which includes options for creating reports, using plugins, throttling requests using timeouts and more.
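To see what a newly integrated third-party package changed, a scan taken before the integration can be compared with one taken after it. The Python below is an added example, not part of the original tip or of Nikto itself: it pulls the finding lines out of Nikto's plain-text output and reports the ones missing from the baseline. The function names, the extra finding in CURRENT and the list of lines treated as scan metadata are assumptions; the metadata list was chosen so the parse agrees with the "2 item(s) reported" tally in the output above.

```python
import re

# Constructed sample input. BASELINE copies lines from the scan shown above;
# CURRENT adds one invented finding, as if a new package had exposed a file.
BASELINE = """\
+ Target Hostname:    dev.gamenomad.com
+ Server: Apache/2.2.17 (Ubuntu)
+ Retrieved X-Powered-By header: PHP/5.3.5-1ubuntu7.2
+ DEBUG HTTP verb may show server debugging information.
+ 21 items checked: 2 item(s) reported on remote host
+ End Time:           2011-08-03 13:07:59 (157 seconds)
+ 1 host(s) tested
"""
CURRENT = BASELINE.replace(
    "+ 21 items", "+ /vendor/example/README: constructed example finding\n+ 21 items"
).replace("2 item(s)", "3 item(s)")

# Assumption: these lines describe the scan itself rather than something found.
META = re.compile(r"^(Target (IP|Hostname|Port)|Start Time|End Time|Server):"
                  r"|^\d+ items checked|^\d+ host\(s\) tested|^No CGI Directories found")

def findings(report):
    """Return the set of finding lines from Nikto's plain-text output."""
    found = set()
    for line in report.splitlines():
        if not line.startswith("+ "):
            continue  # version banner, rulers and wrapped continuation lines
        text = line[2:].strip()
        if not META.search(text):
            found.add(text)
    return found

def reported_count(report):
    """The scanner's own tally, used to cross-check the parse."""
    m = re.search(r"(\d+) item\(s\) reported", report)
    return int(m.group(1)) if m else None

def new_findings(baseline, current):
    """Findings present now that were absent from the baseline scan."""
    return sorted(findings(current) - findings(baseline))

if __name__ == "__main__":
    assert len(findings(CURRENT)) == reported_count(CURRENT)
    print(new_findings(BASELINE, CURRENT))
```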

3) Analyze traffic with Piwik. Google Analytics has undoubtedly grown to rule the roost when it comes to Web analytics, but other analytic tools are also worthy of consideration. One is Piwik, which aims to become the open source alternative to Google Analytics.

A relative newcomer compared to established open source tools such as AWStats and Webalizer, Piwik sports a slick interface, a mature feature set, conversion and e-commerce tracking capabilities and mobile applications for both iOS and Android that make it hard to ignore.

Piwik’s installation and configuration process is similar to Google Analytics — just insert the JavaScript tracking snippet into your website. The difference is that all analytical information is stored within a local database, and the sky is the limit in terms of making changes to the software.

Using these three open source solutions can go a long way toward fully understanding your Web server’s performance capabilities, potential security issues and visitor demographics.

This was first published in September 2011
