Optimizing Apache for High Load Sites - Part 2

This is going to be quite an extension from what I had planned, instead of providing just a list of results post optimization I am going to provide a basic list of modules loaded as part of a basic apache install, and provide a description for each, the ones I have disabled are mods I have deemed not required for my purposes, use your own best judgment before switching things off…

  • LoadModule auth_basic_module modules/mod_auth_basic.so

ENABLED: User authentication for access control using HTTP basic authentication (.htaccess and .htpasswd)

  • LoadModule auth_digest_module modules/mod_auth_digest.so

ENABLED: Similar to auth_basic_module but instead of using a plain text authentication scheme, it uses a cryptographic one. (MD5 etc …)

  • LoadModule authn_file_module modules/mod_authn_file.so

ENABLED: Allows authentication front-ends such as auth_digest_module and auth_basic_module to authenticate users by looking up users in plain text password files. This function was previously part of auth_module and auth_digest_module.

  • LoadModule authn_alias_module modules/mod_authn_alias.so

DISABLED: Allows extended authentication providers to be created within the configuration file and assigned an alias name.

  • LoadModule authn_anon_module modules/mod_authn_anon.so

DISABLED: Allows anonymous user access and logs the password given. Previously known asauth_anon_module.

  • LoadModule authn_dbm_module modules/mod_authn_dbm.so

DISABLED: Allows authentication front-ends such as auth_digest_module and auth_basic_module to authenticate users by looking up users in dbm password files. Previously known asauth_dbm_module.

  • LoadModule authn_default_module modules/mod_authn_default.so

DISABLED: Fallback authentication module - it simply rejects any credentials supplied by the user

  • LoadModule authz_host_module modules/mod_authz_host.so

ENABLED: Access control by browser hostname. Previously known asaccess_module.

  • LoadModule authz_user_module modules/mod_authz_user.so

DISABLED: Provides authorization capabilities so that authenticated users can be allowed or denied access to portions of the web site. This function was previously part of auth_module.

  • LoadModule authz_owner_module modules/mod_authz_owner.so

DISABLED: Authorization based on file ownership.

  • LoadModule authz_groupfile_module modules/mod_authz_groupfile.so

DISABLED: Group authorization using plaintext files. This function was previously part of auth_module.

  • LoadModule authz_dbm_module modules/mod_authz_dbm.so

DISABLED: Group authorization using DBM files. This function was previously part of auth_dbm_module.

  • LoadModule authz_default_module modules/mod_authz_default.so

DISABLED: Fallback authorisation module - it simply rejects any authorization request.

  • LoadModule ldap_module modules/mod_ldap.so

DISABLED: LDAP connection pooling and result caching services for use by other LDAP modules.

(I don’t use LDAP, if you use apache interaction with ldap keep this module, if you use LDAP within PHP you can turn this mod off!)

  • LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

DISABLED: Allows authentication front-ends such as auth_basic_module to authenticate users through an ldap directory. Previously known asauth_ldap_module. (same as above)

  • LoadModule include_module modules/mod_include.so

DISABLED: Server-side includes.

  • LoadModule log_config_module modules/mod_log_config.so

ENABLED: Configurable logging of requests and reponses.

  • LoadModule logio_module modules/mod_logio.so

ENABLED: Logging of input and output bytes per request.

  • LoadModule env_module modules/mod_env.so

DISABLED: Changes the environment that CGI program are run in.

  • LoadModule ext_filter_module modules/mod_ext_filter.so

ENABLED: Pass the response body through an external program before delivery to the client (i’m using mods like gzip compression, disalbe this if you don’t need it).

  • LoadModule mime_magic_module modules/mod_mime_magic.so

ENABLED: Determines MIME types based on file contents. (Great for directly serving download easily).

  • LoadModule expires_module modules/mod_expires.so

ENABLED: Autogenerates the Expires: header according to user rules.

  • LoadModule deflate_module modules/mod_deflate.so

ENABLED: Compress content prior to serving it. (If you don’t have compression configured for your websites disable this mod).

  • LoadModule headers_module modules/mod_headers.so

ENABLED: More general control of HTTP headers. (You can disable this if you do not want to handle bespoke HTTP headers)

  • LoadModule usertrack_module modules/mod_usertrack.so

DISABLED: Provision of cookies. (I am using PHP to handle cookies).

  • LoadModule setenvif_module modules/mod_setenvif.so

ENABLED: Sets the environment for CGI programs based on properties of the request.

  • LoadModule mime_module modules/mod_mime.so

ENABLED: Determines MIME types based on file names.

  • LoadModule dav_module modules/mod_dav.so

DISABLED: Distributed Authoring and Versioning functionality. (This is a webserver not serving a versioning system).

  • LoadModule status_module modules/mod_status.so

ENABLED: Provides information about the server’s current status via a web request. (If you don’t have this set in your httpd.conf then disable the mod, I use this for apache monitoring).

  • LoadModule autoindex_module modules/mod_autoindex.so

ENADLED: Automatically picks the index file when browsing to a folder, (index.html, index.php etc ..)

  • LoadModule info_module modules/mod_info.so

DISABLED: Similar to a php info call, provides running configuration information about the apache server.

  • LoadModule dav_fs_module modules/mod_dav_fs.so

DISABLED: More no required D.A.V

  • LoadModule vhost_alias_module modules/mod_vhost_alias.so

ENABLED: Allows for handling enormous numbers of virtual hosts without having to change the configuration each time.

  • LoadModule negotiation_module modules/mod_negotiation.so

ENABLED: Provides for content negotiation between server and client. (Accept encoding etc…)

  • LoadModule dir_module modules/mod_dir.so

ENABLED: Supports the use of index.html files for directory lookups.

  • LoadModule actions_module modules/mod_actions.so

ENABLED: Run specific CGI programs according to the MIME content type of the object served.

  • LoadModule speling_module modules/mod_speling.so

ENABLED: Attempts to correct misspelled URLs. (Ignores case etc..)

  • LoadModule userdir_module modules/mod_userdir.so

ENABLED: Allow public_html userdir and use of https://servername/~username, I have disabled this as can be used to verify the presence of a valid username to be used in a brute force attack

  • LoadModule alias_module modules/mod_alias.so

ENABLED: Override the DocumentRoot directive for specific URLs.

  • LoadModule rewrite_module modules/mod_rewrite.so

ENABLED: Allows the use of the Rewriteengine to provide SEO friends URL’s amoungst other things.

  • LoadModule proxy_module modules/mod_proxy.so

ENABLED: Lets your web server be a proxy. Typically it needs additional modules for specific protocols.

  • LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
  • LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
  • LoadModule proxy_http_module modules/mod_proxy_http.so
  • LoadModule proxy_connect_module modules/mod_proxy_connect.so

ENABLED: As above, I have need to have apache act as a proxy, in the future

  • LoadModule cache_module modules/mod_cache.so

ENABLED: Implements an RFC 2616 compliant HTTP content cache that can be used to cache either local or proxied content.

  • LoadModule suexec_module modules/mod_suexec.so

ENABLED: Allows CGI scripts to run as a user other than wwwrun.

  • LoadModule disk_cache_module modules/mod_disk_cache.so
  • LoadModule file_cache_module modules/mod_file_cache.so
  • LoadModule mem_cache_module modules/mod_mem_cache.so

ENABLED: More cache-ing functions (reduces need for disk read time).

  • LoadModule cgi_module modules/mod_cgi.so

ENABLED: Run CGI programs

  • LoadModule version_module modules/mod_version.so

ENABLED: Version dependent configuration (Can be handy when writing configs to have this enabled).

Source’s used:

Module information can be found HERE: https://www-uxsup.csx.cam.ac.uk/~jw35/courses/apache/html/a2617.htm

----- MEMORY USAGE REPORT FOR 'apache' -----
PID Count: 32
Mem usage: 4594 MB
Mem/PID: 143 MB
For more information run: pmap -x 12345

So 143mb down from 189mb, saving 46mb/thread.

Not much of a saving right? … well actually wrong.

Take for example a webserver with 2048MB Avail system ram, lets allocate 15% of that for the OS use.

So we have 1741MB to play with, with the original setup of 189mb 9.21 concurrent connections could be active an any one given time.

now however 12.71 concurrent connections can be in memory at any given time (28% increase).

Still a long way to go to bring the memory foot print down to a minimal level, but as you can see spending 5 minutes disabling mod’s in the config yields a quick win 28% increase in capacity.

UPDATE

Following the improvements to the appmem script in part 4 here are the new figures.

With all mods enabled:

 ----- MEMORY USAGE REPORT FOR 'httpd' ----- 
PID Count: 37
Shared Mem usage: 176 MB
Total Resident Set Size: 112 MB
Mem/PID: 3 MB

Results attained running “ab -n 1000 -c 100 https://xxx.xxx.xxx.xxx/”.

Results with disabled mods (listed above):

 ----- MEMORY USAGE REPORT FOR 'httpd' ----- 
PID Count: 41
Shared Mem usage: 140 MB
Total Resident Set Size: 95 MB
Mem/PID: 2 MB

Shared mem down 36MB (20.45% improvement), RSS/PID down 1mb (33% improvement)

Allowing for 1741MB availble ram, means 1601mb (1741MB -140MB shared) is available for apache threads, allowing for 800.5 concurrent connections with the improved config and by comparison

1565 MB Avail for threads (1741MB - 176MB), allowing 521.66 concurrent connections.

So with the improvements outlined above in theory the Apache server can now handle ~280 more concurrent connections.

Comments