http://wiki.openbravo.com/wiki/Performance_and_Security_Tips
Introduction
This document describes some performance and security tips, recommended for production environments.
Performance tips
This is a list of tips to enhance Openbravo performance.
Tomcat
Compression
If you run Tomcat behind Apache httpd, you can skip this part. If you run a standalone Tomcat, enable gzip compression: open $CATALINA_BASE/conf/server.xml in an editor and modify the HTTP(S) Connector tag:
<Connector port="8080" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" redirectPort="8443" acceptCount="100"
           connectionTimeout="20000" disableUploadTimeout="true"
           compression="on" compressionMinSize="2048"
           noCompressionUserAgents="gozilla, traviata"
           compressableMimeType="text/html,text/xml,text/javascript,application/x-javascript,application/javascript" />
Disable unused connectors
If you run Tomcat behind Apache httpd, you can disable the 8080 connector by commenting out the Connector element shown above. Conversely, on a standalone Tomcat you can disable the 8009 AJP connector.
Increase maxThreads
By default Tomcat is configured to handle 40 threads/requests simultaneously. To increase the thread count, set maxThreads, minSpareThreads and maxSpareThreads (in the HTTP Connector) to higher values, for example 350, 25 and 200. Some useful links:
- Tomcat Http Connector Configuration
- Consider using a tomcat executor
- See also this forum post: How to make tomcat destroy threads.
Decreasing the session timeout
By default the session timeout is 60 minutes. This means that if a user does not log out, his/her session remains in memory for 60 minutes after the last access. For a larger user base it can make sense to decrease the session timeout so that system resources are freed sooner.
The session timeout is specified in web.xml:
<session-config>
    <session-timeout>60</session-timeout>
</session-config>
You can change web.xml directly in the WEB-INF folder, but be aware that the next Openbravo build can overwrite it. To change it permanently, edit the value in the web.xml at the following location:
openbravo/src-wad/src/org/openbravo/wad/web.xml
Apache Portable Runtime Library (apr)
If you look at the $CATALINA_BASE/logs/catalina.out file, it may contain a line such as this:
INFO: The Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /opt/sun-jdk-1.5.0.12/jre/lib/i386/server: /opt/sun-jdk-1.5.0.12/jre/lib/i386: /opt/sun-jdk-1.5.0.12/jre/../lib/i386
First install apr; refer to your distribution's package manager or the official documentation.
Then add -Djava.library.path=/usr/lib to your CATALINA_OPTS, for example:
CATALINA_OPTS="-Djava.library.path=/usr/lib -server -Xms512M -Xmx1024M"
Apache
Connector
Connect Apache and Tomcat using a connector. Tomcat recommends mod_jk for production environments; see the Tomcat documentation for installation instructions.
Once it is installed and configured, don't forget to change the web.url property in build.xml so that it points to the Apache port; otherwise the grid won't work.
<property name="web.url" value="http://hostname/openbravo/web"/>
<property name="context.url" value="http://hostname/openbravo"/>
And to apply these changes:
cd AppsOpenbravo
ant compile -Dtab=xx
ant war deploy
Gentoo
To set it up in Gentoo Linux, first install the required packages:
emerge -av apache mod_jk
Then add -D JK to APACHE2_OPTS in /etc/conf.d/apache2:
APACHE2_OPTS="-D DEFAULT_VHOST -D JK"
And finally map the openbravo context. Add this line to /etc/apache2/modules.d/88_mod_jk.conf :
jkMount /openbravo* ajp13
Change the web.url property as explained above. Finally, restart Tomcat and Apache and test it at http://hostname/openbravo
Compression
To reduce the required bandwidth, use the mod_deflate Apache module. It compresses (gzip) HTML, XML, CSS and JavaScript files (or any other file type). Images are not compressed because they already should be.
Edit httpd.conf and add the following lines:
LoadModule deflate_module modules/mod_deflate.so
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
Header append Vary User-Agent env=!dont-vary
The LoadModule path may vary depending on the distribution. The Header directive requires mod_headers to be loaded as well.
PostgreSQL
When using PostgreSQL, use an 8.2.x version; it has been called the performance release. Check the release notes for more information. Also, make sure you vacuum your database often. vacuumdb is a utility for cleaning a PostgreSQL database, and regular vacuuming can dramatically improve both its performance and Openbravo compilation times. To run it by hand:
vacuumdb -f -v -z -d openbravo -U tad
Alternatively, turn on autovacuum in postgresql.conf:
autovacuum = on
Optimizing PostgreSQL performance
It can be helpful to use a tool like pgFouine. pgFouine is a PostgreSQL log analyzer that generates detailed reports from a PostgreSQL log file and helps you determine which queries you should optimize to speed up your PostgreSQL-based application.
Another tool for tuning your PostgreSQL database is pgbench, distributed with PostgreSQL. It launches multiple processes that all execute scripts against a test database as fast as it can handle them. Most pgbench results you'll see focus on the gross transactions per second (TPS). Run these benchmarks many times with different combinations of clients and transactions, and save the results for later comparison with runs made after configuration tweaks.
Operating System
It's recommended to use Linux or *BSD.
Linux limits a process to 1024 open files by default. Under heavy load, increase this number with ulimit. To count the open files of the Tomcat process and display the current hard limits:
lsof -p [process-id] | wc -l
ulimit -Ha
ulimit -Hs
Then raise the limit with ulimit, for example:
ulimit -n 4000
Security tips
This is a list of tips to enhance Openbravo security.
Tomcat
SSL
First, generate a key:
$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore /home/openbravo/.keystore
Uncomment the "SSL HTTP/1.1 Connector" entry in $CATALINA_HOME/conf/server.xml (the default file) and tweak it as necessary.
<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/home/openbravo/.keystore" keystorePass="xxxxxx"/>
Note: both passwords that keytool asks for should be the same.
If you wish to secure the entire Tomcat installation, add the following to $CATALINA_HOME/conf/web.xml inside the web-app tags:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Automatic SSL Forwarding</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
Enable Access Log
In the server.xml file add the following:
<Valve className="org.apache.catalina.valves.AccessLogValve"
       directory="logs" prefix="localhost_access_log." suffix=".txt"
       pattern="common" resolveHosts="false"/>
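As an added example (not part of the original wiki page and not Openbravo's or Tomcat's own tooling), this Python script parses a server.xml and reports which of the tips above are not applied: a connector left enabled that the deployment does not need (see "Disable unused connectors"), an HTTPS connector without secure="true" or with the keystorePass placeholder still in place, and a missing AccessLogValve. The server.xml fragment is constructed for the example and the function name is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment modelled on the Connector elements shown on this
# page; the keystorePass placeholder is deliberately left in to trigger a finding.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" maxThreads="150" redirectPort="8443" compression="on"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Connector port="8443" maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/home/openbravo/.keystore" keystorePass="xxxxxx"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

def audit_server_xml(xml_text, behind_httpd=False):
    """Check Connector and Valve settings against the tips on this page.

    behind_httpd=True means Apache httpd fronts Tomcat (AJP wanted, HTTP not);
    False means a standalone Tomcat (HTTP wanted with compression, AJP not).
    Returns a list of human-readable findings; an empty list means all checks passed.
    """
    root = ET.fromstring(xml_text)   # commented-out connectors are ignored by the parser
    findings = []
    for c in root.iter("Connector"):
        port = c.get("port")
        if c.get("scheme") == "https":
            if c.get("secure") != "true":
                findings.append(f'port {port}: https connector without secure="true"')
            if c.get("keystorePass") in (None, "", "xxxxxx"):
                findings.append(f"port {port}: keystorePass missing or still the placeholder")
        elif c.get("protocol", "HTTP/1.1").startswith("AJP"):
            if not behind_httpd:
                findings.append(f"port {port}: AJP connector enabled on a standalone Tomcat")
        elif behind_httpd:
            findings.append(f"port {port}: HTTP connector enabled although httpd fronts Tomcat")
        elif c.get("compression") != "on":
            findings.append(f"port {port}: gzip compression not enabled on HTTP connector")
    if not any(v.get("className", "").endswith("AccessLogValve") for v in root.iter("Valve")):
        findings.append("no AccessLogValve configured: requests are not being logged")
    return findings
```

Run it against a real $CATALINA_BASE/conf/server.xml by reading the file into audit_server_xml and choosing behind_httpd to match your deployment.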
You can run this command on Linux to see which addresses requested information from Tomcat and how many times:
awk '{print $1}' localhost_access_log.YYYY-MM-DD.txt |sort|uniq -c|sort -g
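As an added example that is not from the original page, the following Python script reads lines in the "common" format written by the AccessLogValve above, reproduces the per-address count of the awk pipeline, and additionally lists addresses with an unusually high share of 4xx/5xx responses, which helps decide which addresses deserve a closer look before blocking anything. The log lines are constructed, and the thresholds are arbitrary assumptions to tune for your own traffic.

```python
import re
from collections import Counter

# Tomcat AccessLogValve pattern="common" is:  %h %l %u %t "%r" %s %b
COMMON_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>-|\d+)$'
)
# Constructed sample lines in that format (not taken from a real server).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2008:13:55:36 +0200] "GET /openbravo/ HTTP/1.1" 200 1043
192.0.2.10 - - [10/Oct/2008:13:55:37 +0200] "GET /openbravo/web/ HTTP/1.1" 302 -
198.51.100.7 - - [10/Oct/2008:13:55:40 +0200] "GET /openbravo/ HTTP/1.1" 200 512
198.51.100.7 - - [10/Oct/2008:13:55:41 +0200] "POST /openbravo/ HTTP/1.1" 401 -
198.51.100.7 - - [10/Oct/2008:13:55:42 +0200] "POST /openbravo/ HTTP/1.1" 401 -
198.51.100.7 - - [10/Oct/2008:13:55:43 +0200] "POST /openbravo/ HTTP/1.1" 401 -
this line is deliberately malformed and must be skipped
"""

def parse_common(line):
    """Return the fields of one 'common' format line, or None if it does not parse."""
    m = COMMON_RE.match(line)
    return m.groupdict() if m else None

def requests_per_host(lines):
    """Same result as: awk '{print $1}' log | sort | uniq -c | sort -g"""
    counts = Counter()
    for line in lines:
        rec = parse_common(line)
        if rec:
            counts[rec["host"]] += 1
    return sorted(counts.items(), key=lambda kv: kv[1])

def suspicious_hosts(lines, min_requests=3, error_ratio=0.5):
    """Hosts with at least min_requests whose share of 4xx/5xx responses is >= error_ratio."""
    total, errors = Counter(), Counter()
    for line in lines:
        rec = parse_common(line)
        if rec is None:
            continue
        total[rec["host"]] += 1
        if rec["status"][0] in "45":
            errors[rec["host"]] += 1
    return sorted(h for h, n in total.items()
                  if n >= min_requests and errors[h] / n >= error_ratio)

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(requests_per_host(lines), suspicious_hosts(lines))
```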
If an address looks suspicious, run the following as root:
iptables -I INPUT -s XXX.XXX.XXX.XXX -j DROP
and it will be blocked from reaching your server.
Run this command to list all the addresses you have blocked:
iptables -L -n
Disable Robots
To prevent web spiders and other web robots from indexing Openbravo content, change the robots.txt file (see robots.txt). Keep in mind that robots.txt is only a request honoured by well-behaved crawlers; it does not restrict access.
User-agent: *
Disallow: /openbravo/