Today I come to talk to you once more about one of the most used web services in the world: The web server Apache2.
It is a topic that has been talked about many times, but now I come to tell you about another feature to take into account with this service: The limit of simultaneous connections. It does not matter if we have very basic or a spaceship with an i7 processor and 32 GB of ram ...
The limit of simultaneous connections will always be the same unless we take the appropriate measures, which means that if we want to have many people connected at the same time, we will not only require good hardware, but also a good configuration.
In this case it is not necessary to install anything, everything is based on simple concepts that must be taken into account to configure apache; concepts that must be very clear before wanting to make any changes.
The first thing to think about is: What capacity does my team have? How many simultaneous connections can my equipment support if I force it as much as possible? All this depends on a single factor; RAM (Random Access Memory).
The greater the RAM, the greater the number of connections, although there is no fixed value (that is, X clients for each X ram), that is why first of all it is important to do some small calculations on our web server, with the in order to know our limits.
The first thing you should know is how much RAM memory on average consumes each connection to Apache, since each connection established supposes a certain consumption of RAM in the system ... Obviously not all connections consume the same ram, with which you would have to make a media ... All this can be obtained with the following command:
ps -ylC apache2 --sort: rss | awk '{SUM + = $ 8; I + = 1} END {print SUM / I / 1024} '
The result obtained would be represented in megabytes and may vary depending on the number of active connections, the type of pages accessed, etc ... Therefore, it is advisable to carry out the test with different tabs open; each one of them showing different contents if possible. In my case, for example, the result has been 9.5458, which if we round it up to the top would be 10 MB RAM consumed on average per connection.
It is also important to know how much RAM is consumed by the rest of the processes that are active in the system, since the web service is not the only one that runs in the operating system and it is necessary to leave free RAM memory on the server so that it can execute the rest of the tasks. This can be obtained with the command shown below:
ps -N -ylC apache2 --sort: rss | awk '{SUM + = $ 8} END {print SUM / 1024}'
The result obtained would also be represented in megabytes, and it would show us quite precisely the amount of RAM consumed by the rest of the processes; in my case 800 MB. With this information we could make a general calculation of the number of simultaneous connections that we could have; I calculate that we would obtain by means of a very simple operation.
(RAMTOTAL - RAM_RESTOPROCESOS) / RAM_POR_CONNEXIÓN
With this formula in hand, let's imagine that we have a computer with 4 GB RAM, that is, 4096 MB and that our computer has shown the aforementioned results; the calculation would be:
(4096 - 800) / 10 = 329 simultaneous connections
The problem with this calculation is that one is too extreme, since it would consume all the RAM (making the server consume swap) and also, in case of having a database, such as MySQL or any other, the connections to it would also consume RAM , so the number obtained could be qualified as a utopian number. Therefore, in order to free up the memory for possible additional processes and also consider the possibility that connections to a database are executed, we would reduce the number of connections to 250.
Now that we have our maximum number of simultaneous connections, we would have to prepare Apache to be able to receive this number, which is done in the configuration file of this call apache2.conf, which is hosted in / etc / apache2.
The file in question follows a structure based on modules, each one with its corresponding name, but we would only be interested in one of them, whose name is mpm_prefork_module. The module in question has the following data by default:
StartServers 5 MinSpareServers 5 MaxSpareServers 10 MaxClients 150 MaxRequestsPerChild 0
This module has a series of very important parameters, although there is one of them that would particularly interest us, called Maxclients. This parameter specifies the maximum number of simultaneous connections and should be modified to 250.
One detail to keep in mind is that when a value other than the default is specified in said parameter, it is necessary to add another one more just BEFORE this one. This parameter is called ServerLimit and sets the limit of connections that the server could "hold" even when it is outside the limit.
The ServerLimit parameter always has to be slightly higher than the MaxClients and here, as there is little room for maneuver, a limit of 270. This would make the module look like this:
StartServers 5 MinSpareServers 5 MaxSpareServers 10 ServerLimit 270 MaxClients 250 MaxRequestsPerChild 0
Now it would only be necessary to restart the Apache service using the command:
/etc/init.d/apache2 restart
With this we could already enjoy our optimized web server.
Greetings.
Thanks for the post!
I'm glad you found it useful.
Greetings.
There is a way to cluster Apache and two servers, can you explain how it works?
Although I have read some theory about it, I have never applied it to practice. Even so, perhaps this article can give you some guidance in this regard, although I repeat that I have not had the opportunity to put it into practice:
http://www.muspells.net/blog/2011/04/alta-disponibilidad-con-apache2-y-heartbeat-en-debian-squeeze/
you have asked for a while, if you did not solve; I have a balancing scheme with a third party that acts as a file system, you point the folders that are in var / www / html / (in my case) to the file system, so they share the same information, and you will possibly require a virtual ip that responds and redirect to the ips of the apaches, for this you can occupy a haproxy and if you want it in high availability you can integrate keepalive in case one falls, the other continues responding, or also if you already have a domain for the application, you can balance with pound doing backends to both servers, for specific cases such as moodle or certain applications that connect to a database in mysql, you would have to create a user per app server that points to the same database.
Thank you very much for the post, you are absolutely right, the ram is the primary calculation, although I imagine that we also calculate the maximum number of processes that our processor can handle (of course, first doing the calculation of the main memory) and how the disk would be distributed hard (Example partitions / var = 1TR).
You're right; everything is important, like temperature control among other things. Obviously a powerful processor can execute a greater number of tasks simultaneously with great efficiency, but the objective of this post was to explain the importance of RAM with respect to the number of simultaneous connections.
A good way to control all these factors and see if our processor is not saturated or if we have little free RAM, would be by using a bash script. You may find this post that I made a few days ago interesting that I leave you in the following link; It is a global monitoring but it may be interesting for someone:
http://bytelearning.blogspot.com.es/2015/07/controlando-la-salud-del-equipo-con-bash.html
regards
Very good note, thank you very much!
Thanks a lot! I hope you have been able to take advantage of it.
I don't want to be a jerk ...
… But by increasing the number of connections you don't leave more vulnerable to a DDoS attack?
It is no quiet cretin question. The truth is that by increasing the number of simultaneous connections, we partly fortify Apache against DDOS attacks, because you have to take into account that the number of maximum simultaneous connections established on the server is the number of total maximum connections, not those coming from a single user. Thus, while at the beginning we could only support 150 simultaneous connections (whether they are connections from a legitimate source or not) now we can count on as many as our server supports, requiring a greater number of connections at the same time to be left without service. Obviously, increasing the maximum number of connections is not a way to protect yourself from this type of attack, but rather you would have to implement firewall policies. If, for example, the web service that you want to put is going to be exposed to the internet, a security measure that could be implemented would be the addition of these lines to our firewall:
iptables -A INPUT -p tcp –syn –dport 80 -m connlimit –connlimit-upto 10 -m state –state NEW -j ACCEPT
iptables -A INPUT -p tcp –dport 80 -m state –state ESTABLISHED, RELATED -j ACCEPT
iptables -A INPUT -p tcp –dport 80 -j DROP
One of the characteristics of DDoS attacks is that an attacker can appear to send packets from several different directions, which prevents the flow of packets from only coming from one direction.
You are right in the sense that a firewall like the one I have set up is not very efficient against a DDOS attack, since it comes from different sources. Still, it is better to limit the number of connections to 10 for each of these sources rather than not having a limit, so that each source can establish a hundred or more connections.
In any case, the kit of the question is that the more simultaneous connections the server supports, the more difficult it will be to knock it down with a DDOS attack, which would make it more difficult for the page to be knocked down by an attacker.
Greetings.
Good. For now I continue with NGINX on my site so as not to torture the VPS I have.
Nice post @Drassill!
I wanted to contribute with something perhaps more statistical than configuration.
Although the easiest and fastest way to calculate the consumption parameter is with the mean, maybe we could be more rigorous and use the “median” instead of the “mean”. What would save us? That the numbers shoot up in case a connection has consumed a lot of memory. For example, suppose the following clients that consume the following values, in the unit of memory they want (KB, MB, MiB, etc):
10, 15, 150, 5, 7, 10, 11, 12
The average would give approx ~ 30
And this because we have a very large end (150), and the calculations are crazy. The median consists of ordering these data, dividing the number of samples by 2 (our center) and then obtaining the number of that position. With this we would have something like
5, 7, 10, 10, 11, 12, 15, 150
So our mean would be: 8/2 = 4 that is ~ 10
Here you can see that no matter how crazy the extreme may be, it will always give us a more realistic value. If we add a customer who consumes 200, our median will be 11, while the average may go to …….
It is only a contribution, and it is very debatable, because with the connections it is not screwed.
Hug people linuxera 🙂
Hello, I have had a problem on my dedicated server, and it is that every time the number of approximately 250 people online approaches, according to google analytics in real time, my server like it collapses and the connection becomes slow until it drops the connection to the website and never uploads more than that number of users online, but when I see the performance of the dedicated server that is 8gb ram it shows 10% of use, the cpu: 5% of use and the hard disk in: 1.99 % of use.
Can you help me? I can't find what to do, is doing these steps the solution?
Good Carlos.
The problem you describe is very common when the server is not properly prepared. Your server will probably accept a much smaller number of simultaneous connections and when it reaches 250 connections it will crash. Following the manual you should be able to solve the problem, although if you have a database on that server, you would also have to optimize that database.
Greetings.
Drassill, I have done the configuration you mentioned and it has been satisfactory, yesterday I reached 280 users online and the server did not hang, I am very happy with this result, and I also want to do the other thing you tell me to optimize the database, ¿ How do I achieve this?
The database concept is quite open; using mysql is not the same as postgres (for example). Obviously I don't know all the databases; I have tried mysql and postgres, and the increase of the simultaneous connections in these would be based on the parameter max connections; mysql optimization would be done in /etc/my.conf and the max connections parameter would have to be changed (among others). For postgres instead, I have an article on my blog that explains how to optimize it that may be useful to you or that you can use as a reference for your database:
http://bytelearning.blogspot.com.es/2016/02/postgresql-una-alternativa-mysql-en.html
Greetings.
Hello, when I throw the first command, it shows me value 0. What could it be?
Thank you for this post.
What a good manual, that information is part of what I'm looking for... thanks!
But now, if I want that when those 250 visitors are exceeded, visitor 251 goes to a waiting page or virtual queue, can I do it from this same configuration?
Greetings and thanks!