Using open source tools to monitor Apache Web Server performance

Much of today’s business relies on smooth operation of Web servers. Explore these three open source tools to monitor performance, security and traffic on Apache Web servers.

Organizations view their websites as a mission-critical part of daily operations. To keep critical business functions operating at peak performance, Linux systems administrators need a variety of tools to help them monitor their Web servers easily and efficiently.

The following three open source tools can go a long way toward helping Linux system administrators fully understand their Web server’s performance capabilities, potential security issues and visitor demographics:

1) Benchmark performance with Apache Bench. The best way to resolve unexpected performance degradation is to ensure it never occurs in the first place. A utility called Apache Bench—also known as ab—can be used to benchmark a Web server’s performance and optimize its configuration.

Apache Bench’s command-line interface is easy to use, allowing systems admins to define the number of concurrent requests that should occur when testing performance, a POST payload or the name of an output file containing useful performance results. Below, you can see how to check the performance of GameNomad’s staging server, which can offer some insight into the comparative performance of the website running on the production server:

This test will issue a total of 1,000 requests, performing 10 requests concurrently:

$ ab -c 10 -n 1000 http://stage.gamenomad.com/
Benchmarking stage.gamenomad.com (be patient)
Completed 100 requests
Completed 200 requests
Completed 900 requests
Completed 1000 requests
Finished 1000 requests
Server Software:        Apache/2.2.17
Server Hostname:        stage.gamenomad.com
Server Port:            80
Document Path:          /
Document Length:        9654 bytes
Concurrency Level:      10
Time taken for tests:   376.074 seconds
Complete requests:      1000
Failed requests:        8
   (Connect: 0, Receive: 0, Length: 8, Exceptions: 0)
Write errors:           0
Total transferred:      9988344 bytes
HTML transferred:       9596168 bytes
Requests per second:    10.91 [#/sec] (mean)
Time per request:       916.872 [ms] (mean)
Time per request:       91.687 [ms] (mean, across all concurrent requests)
Transfer rate:          106.58 [Kbytes/sec] received
Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:       88   96   9.7     94     151
Processing:   320  739 496.8    491    2640
Waiting:      221  629 494.2    376    2539
Total:        413  835 495.6    587    2735
Percentage of the requests served within a certain time (ms)
  50%    587
  66%    729
  75%    942
  80%   1528
  90%   1672
  95%   1761
  98%   1924
  99%   2735
 100%   2735 (longest request)

Among the information returned is the Connection Times section, which breaks down the mean total connection time into its constituent parts—connection, waiting and processing—and helps to identify potential bottlenecks.

Although there are no specific best practice metrics that can be applied to every situation, faster is better. Users will not stick around when page downloads are slow.

After making improvements, run ab again -- preferably multiple times — and compare the results with the original. Think about comparing not only the connection times but also the percentage of requests served within a different time. Running ab from a remote server will mimic a real-world environment as close as possible.

2) Assess server security with Nikto. The typical website resembles an electronic version of the medieval castle, with barbarians constantly pounding at the gate. The difference is that a website is global in scale, so chances are fairly high that an automated script or some other contrivance is making a concerted attack on your Web server’s defenses.

In addition to taking proactive steps, such as staying abreast of the latest security patches, it makes sense to put yourself in the place of potential attackers and scan your own server for possible security issues.

A tool for this is Nikto, which is an open source scanner that probes for thousands of known vulnerabilities pertaining to the operating system, Web server and software installations. Nikto is Perl-based and runs on all operating systems—Windows included. Once installed, scanning a website is as simple as invoking Nikto and the name of the server you’d like to scan:

$ nikto -h dev.gamenomad.com

Although performing a complete scan isn’t a bad idea, remember that Nikto places comprehensiveness ahead of other factors. That means it will perform thousands of consecutive requests.

Because of that, you may want to filter Nikto’s default scanning range. Choose a specific vulnerability that might have been introduced while a third-party package was being integrated. To check for the ability to perform known SQL injection attacks and the visibility of installed software, supply the 7 and b values to the -T flag, respectively:

$ nikto -h dev.gamenomad.com -T 7b
- Nikto v2.1.1
+ Target IP:
+ Target Hostname:    dev.gamenomad.com
+ Target Port:        80
+ Start Time:         2011-08-03 13:05:22
+ Server: Apache/2.2.17 (Ubuntu)
+ No CGI Directories found (use ‘-C all’ to force check all possible dirs)
+ Retrieved X-Powered-By header: PHP/5.3.5-1ubuntu7.2
+ DEBUG HTTP verb may show server debugging information.
See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ 21 items checked: 2 item(s) reported on remote host + End Time:           2011-08-03 13:07:59 (157 seconds)
+ 1 host(s) tested

Keep in mind that Nikto is capable of scanning only for known SQL injection attacks reported in conjunction with third-party software. It cannot detect SQL injection attacks introduced within a custom application.

A complete list of vulnerability options are available in the Nikto documentation, which includes options for creating reports, using plugins, throttling requests using timeouts and more.

3) Analyze traffic with Piwik. Google Analytics has undoubtedly grown to rule the roost when it comes to Web analytics, but other analytic tools are also worthy of consideration. One is Piwik, which aims to become the open source alternative to Google Analytics.

A relative newcomer compared to established open source tools such as AWStats and Webalizer, Piwik sports a slick interface, a mature feature set, conversion and e-commerce tracking capabilities and mobile applications for both iOS and Android that make it hard to ignore.

Piwik’s installation and configuration process is similar to Google Analytics — just insert the JavaScript tracking snippet into your website. The difference is that all analytical information is stored within a local database, and the sky is the limit in terms of making changes to the software.

Using these three open source solutions can go a long way toward fully understanding your Web server’s performance capabilities, potential security issues and visitor demographics.

Dig Deeper on Data center ops, monitoring and management

Cloud Computing
Sustainability and ESG