Three open-source tools monitor Apache Web server performance

Enterprises regard their websites as the key business of daily operation. To maintain optimal performance for key business functions, Linux administrators need a variety of tools to help them easily and effectively monitor Web servers.

The following three open-source tools can help Linux administrators better understand their Web server features, potential security issues, and visitor count:

1. Use Apache benchmark to test the performance benchmark. The best solution to unexpected performance degradation is to ensure that it does not occur at the beginning. A tool called Apache Benchab can be used to test the server performance benchmark and optimize its configuration.

The command line interface of Apache compaction is easy to use. The system administrator can specify the number of requests, POST net loads, or output file names containing valid performance results when testing performance. Next, you can check the performance of the GameNomad development server, which allows you to see the performance comparison with running the website on the production server:

This test will publish a total of 1000 requests and execute 10 requests at the same time:

$ AB-c 10-n 1000 http://stage.gamenomad.com/
...
Benchmarking stage.gamenomad.com (be patient)
Completed100 requests
Completed200 requests
...
Completed900 requests
Completed1000 requests
Finished 1000 requests

Server Software: Apache/2.2.17
Server Hostname: stage.gamenomad.com
Server Port: 80

Document Path :/
Document Length: 9654 bytes

Concurrency Level: 10
Time taken for tests: 376.074 seconds
Complete requests: 1000
Failed requests: 8
(Connect: 0, Receive: 0, Length: 8, Exceptions: 0)
Write errors: 0
Total transferred: 9988344 bytes
HTML transferred: 9596168 bytes
Requests per secondd: 10.91 [#/sec] (mean)
Time per request: 916.872 [MS] (mean)
Time per request: 91.687 [MS] (mean, internal SS all concurrent requests)
Transfer rate: 106.58 [Kbytes/sec] canceled ed

Connection Times (MS)

Min mean [+/-sd] median max
Connect: 88 96 9.7 94 151
Processing: 320 739 496.8 491 2640
Waiting: 221 629 494.2 376
Total: 413 835 495.6 587

Percentage of the requests served within a certain time (MS)
50% 587
66% 729
75% 942
80% 1528
90% 1672
95% 1761
98% 1924
99% 2735
100% 2735 (longest request)

When the information is returned to the connection time, it divides the average total connection time into three parts: connection, waiting, and processing, and helps identify potential bottlenecks.

Although there is no dedicated best practice indicator applied to every situation, the fastest is the best. The user will not stay when the page download is slow.

After improvement, run AB again rather than try again) and compare the result with the original one. Just think about the comparison, not only the connection time, but also the service requirement ratio in different time periods. Run AB on a remote server to simulate the real-world environment as much as possible.

2. Use Nikto to evaluate server security. The General website is similar to an electronic version of the medieval castle, where the barbarian keeps hitting the door. The difference is that a website is on a global scale, so an automated script or some other inventions are more likely to attack your Web server together.

In addition, we should take positive measures, such as keeping the latest security patches updated, taking yourself as a potential attacker, and scanning servers for possible security issues.

Nikto is an available tool, an open-source scanner that detects thousands of known vulnerabilities related to operating systems, Web servers, and software installations. Nikto is based on Perl and can run on all operating systems, including Windows. Once installed, scanning a website is as simple as mentioning Nilto and the name of the server you want to scan:

$ Nikto-h dev.gamenomad.com

Although executing a full scan is not a bad idea, remember that Nikto puts the overall picture before other factors. This means that it will execute thousands of consecutive requests.

Therefore, you may want to filter the default scan range of Nikto. This vulnerability may be exploited when a third-party installation package is selected for integration. Check the ability to execute known SQL injection attacks and the visibility of installed software. Add 7 and B values after the-T sign respectively:

$ Nikto-h dev.gamenomad.com-T 7b
-Nikto v2.1.1
---------------------------------------------------------------------------
+ Target IP: 127.0.0.1
+ Target Hostname: dev.gamenomad.com
+ Target Port: 80
+ Start Time: 13:05:22
---------------------------------------------------------------------------
+ Server: Apache/2.2.17 (Ubuntu)
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Retrieved X-Powered-By header: PHP/5.3.5-1ubuntu7. 2
+ Debug http verb may show server debugging information.
See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ 21 items checked: 2 item (s) reported on remote host + End Time: 13:07:59 (157 seconds)
---------------------------------------------------------------------------
+ 1 host (s) tested

Remember, Nikto can only report known SQL injection attacks together with third-party software scanning. It cannot detect SQL injection attacks introduced in custom applications.

The Nikto file contains a list of available complete vulnerability options, including options for creating reports, using plug-ins, and using timeout to suppress requests.

3. Use Piwik to analyze the traffic. Google analysis is already a leading product in Web analysis, but other analysis tools are worth considering. One of them is Piwik, which aims to become an open-source alternative to Google's analysis.

Compared with mature open-source tools such as AWStats and Webalizer, Piwik is a newcomer, however, its smooth interface, mature feature sets, conversion and E-Commerce tracking functions, and mobile apps that can be used for iOS and Android make it difficult to ignore.

Piwik's installation and configuration process is similar to Google's analysis. You only need to insert a Java Script that tracks code segments on your website. The difference is that all the analysis information is stored in the local database and there is no restriction on software change.

By using these three open-source solutions, you can gain a deeper understanding of your Web server's performance capabilities, potential security issues, and visitor count.