How To — Use JMeter to test Apache connection handling

Are you wondering how many concurrent connections your web server can handle at the same time? Or why the performance of your application starts degrading after some time? If those are your questions, this How To post is for you!

If you are here, you probably know what Apache does: it is an HTTP web server that serves the content of a website. It can run in different modes, such as Worker mode and Prefork mode (we can discuss that in another post), and it can also handle proxies, reverse proxies, etc.

Since it is a web server that serves web content to our users, it will behave differently when a lot of users are trying to access our site at the same time, or after some time we may start noticing that the performance is not as good as it was right after a restart. This is where JMeter plays a key role! JMeter is designed to load test functional behavior and measure the performance of a web application. This means we are going to test our web application against heavy load, with multiple concurrent users, simulating a real use case scenario!

How To Install JMeter (CentOS)

We need to download the JMeter binaries to our VM, or if you are on Windows you will need to download the installer. You can download it from here.

On our VM you can download it using the following commands and save the zip file under a directory. In this case I’m going to save it under /opt/jmeter.

# create the target directory and move into it
mkdir -p /opt/jmeter && cd /opt/jmeter

# download the binaries
wget https://downloads.apache.org/jmeter/binaries/apache-jmeter-5.3.zip

# unzip it
unzip apache-jmeter-5.3.zip

# go inside the bin folder
cd /opt/jmeter/apache-jmeter-5.3/bin/

# execute the application
./jmeter

Proxies basics

The proxy can be understood as a filter in which an incoming URL containing specific entries is redirected to an internal port of our application. When we send a request to your application it usually looks like https://<IP>/something, where a specific URL entry (in this case /something) follows the IP. This part of the URL may be mapped as a proxy in our Apache web server configuration, and depending on the content of that URL (and our configuration) we can send requests to specific parts/processes/endpoints of our web application. For example: when we go to https://15.200.130.132/home, those connections will go to the target web proxy, be redirected to the internal port 8001, and then the content is served.

In the previous example the incoming URL contains /home, so our Apache proxy will redirect those incoming requests to the redirect URL ajp://localhost:8001/home, which uses port 8001; this port is owned by the web process and is exposed by the local Tomcat. This is really important to understand, since it usually helps to identify bottlenecks between Apache and (usually) embedded Tomcat services.

If you want to test port 443, send the request with only the IP (this may vary if you have a different port configured in your Apache configuration).

Setting up our first Test Plan

1- We need to create a thread group which will contain all our tests

2- Right-click on our Test Plan > Add > Threads (Users) > Thread Group > HTTP Request

3- On HTTP Request let’s add the following info: modify the IP and the PATH depending on the request you want to make. Here we are going to do simple GETs; you can also do POSTs, but you may need to add the JSON params as part of the request body.

4- On the thread group let’s add this:

  • The number of threads will be the total number of connections to attack the target.
  • Ramp-up Period is the time in seconds JMeter will take to reach the maximum number of threads set above.
  • The above properties need to be handled with care: if you set a large number of threads and a low ramp-up period, that will impact the CPU of the target.
  • For example: we will create 100 connections (user connections) in 1 second and keep going until we stop the attack (infinite Loop Count).

5- Click on the green play button in the navbar to start the attack

Monitoring the target

Depending on the path used in the previous section, you will monitor the connections on the specific port. When you stop the attack, you will also need to check that all those connections (internal and external) are being closed properly and that your MaxThreads threshold is not reached!

# Details of the connections
netstat -alnp | grep 8001

# Count of the connections at 8001
netstat -alnp | grep 8001 | wc -l
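
An added example, not part of the original post: the same netstat output broken down by TCP state for the backend port, so sockets left in CLOSE_WAIT after the run stand out and ESTABLISHED can be compared with MaxThreads. It counts only sockets whose local port matches (the Tomcat side); the function names, the limit of 200 and the sample lines are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: per-state summary of TCP sockets on one local port.
# Input is `netstat -an`-style text on stdin, so it can be checked offline.

# Print "STATE COUNT" for sockets whose LOCAL port is $1 (listener excluded).
count_states() {
  awk -v port="$1" '
    $1 ~ /^tcp/ && $6 != "LISTEN" {
      n = split($4, part, ":")        # last ":" field is the port (IPv4 and IPv6)
      if (part[n] == port) seen[$6]++
    }
    END { for (s in seen) print s, seen[s] }' | sort
}

# Print the count for one state ($2) on port $1; prints 0 when absent.
state_count() {
  count_states "$1" | awk -v want="$2" '$1 == want { c = $2 } END { print c + 0 }'
}

# Return 0 when ESTABLISHED is below the limit $2 and nothing sits in CLOSE_WAIT.
# The limit is whatever MaxThreads is set to on the backend (assumed value here).
# The body runs in a subshell "( ... )" so its variables stay local.
port_is_healthy() (
  snapshot=$(cat)
  est=$(printf '%s\n' "$snapshot" | state_count "$1" ESTABLISHED)
  cw=$(printf '%s\n' "$snapshot" | state_count "$1" CLOSE_WAIT)
  echo "port $1: ESTABLISHED=$est CLOSE_WAIT=$cw limit=$2"
  [ "$est" -lt "$2" ] && [ "$cw" -eq 0 ]
)

# Constructed sample (not captured from a real host): netstat -alnp during a run.
SAMPLE='tcp   0  0 127.0.0.1:8001   0.0.0.0:*         LISTEN      2211/java
tcp   0  0 127.0.0.1:8001   127.0.0.1:51510   ESTABLISHED 2211/java
tcp   0  0 127.0.0.1:8001   127.0.0.1:51512   ESTABLISHED 2211/java
tcp   0  0 127.0.0.1:8001   127.0.0.1:51498   CLOSE_WAIT  2211/java
tcp   0  0 127.0.0.1:51510  127.0.0.1:8001    ESTABLISHED 1804/httpd
tcp6  0  0 :::443           203.0.113.7:40112 ESTABLISHED 1804/httpd'

printf '%s\n' "$SAMPLE" | count_states 8001
# Live use on the target: netstat -alnp | port_is_healthy 8001 200
```

A CLOSE_WAIT count that stays above zero after the test has stopped means the backend has not closed sockets its peer already closed, which is the "not closed properly" case described above.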

Sr. Security software engineer working in the DevSecOps area. CompTIA Sec+, C|EH

Josué Carvajal
