Return of the Jedi – Apache reclaims web server crown Netcraft's October survey of web servers will be welcomed by open source aficionados, as the firm has found Apache is once again the planet's most-used web server. The server-counter's previous surveys found that Microsoft's internet information server (IIS) had overtaken Apache, thanks largely to Chinese link farms preferring …
"the firm has found Apache is once again the planet's most-used web server"
Wrong. It did not find that it's the most used web server, but that it's the perimeter web server for most domains. This says nothing about usage, neither in terms of end-user usage, nor in terms of server-side usage (because a single server can serve an arbitrary number of domains, and because there can be an arbitrary number of server serving a single domain).
I am sure you know very well that Apache has been well ahead during the last 15 years, no matter how you count it. It's all at netcraft.com. And as OSS was mentioned Nginx has a BSD-like license too, and what do you think Google is based on. Not that it matters but why are you getting so upset about it. Are you upset about the top500 computers too.
But not for the last few months - IIS was previously ahead with the highest market share of sites of any web platform.
Not if you added up Apache + nginx sites. Even with the July 2014 stats, they made up 37.53%, which means that more than 60% of all web servers were running something other than IIS. And even then, most of those servers were actually Chinese linkfarms anyway. If you're going to shill MS, do it with better datasets.
What I find amusing is Microsoft's obsession over this so called "market share", shown by literally paying for parked domains to be hosted with IIS (look at the discrepancy between "all sites" and "top million busiest sites"), also making it harder than it should be to remove the "Server" header (which we had do for pen testing).
There is hardly any mention of it from Microsoft ever
Microsoft are doing so well in this space
Actually they're not, which explains why they're not saying much...
"Good luck with your bumper Patch Tuesday tomorrow, Anonymous Coward."
Well certainly much less luck is need than with the far more frequent and utterly random patch release schedule of our previous OSS stack. I can plan for patch Tuesday.
A quick check shows we can expect 2 patches for 2012 R2 Core - one for .Net framework - and one for the OS - which will automatically deploy themselves onto our test servers. If those work OK then a day later we will send them to prod as well.
I moved the last one when the Open SSL mess hit
Which was the first major hole in how many years? And not even an Apache bug at that. IIS could have the same vulnerability if you were running Open SSL on it (though admittedly I can't think of any reason why anyone would run Open SSL on an IIS server - anyone that fanatical about using OSS wouldn't be running IIS in the first place).
and i'm glad I did looking at the latest OSS catastrophe with BASH.
Shellshock? Which was an issue for what, a couple days, tops, before the patch was in every major distro's repository? Debian had it before I'd even HEARD of Shellshock (I was too busy to read the news that week). Compare that to how long IIS bugs stick around. And it's not an Apache bug either.
Yes, Heartbleed and Shellshock were serious vulnerabilities, but they were fixed very quickly and you're fooling yourself if you think IIS' track record is any better.
Auditable security provided by Open Source Apache (a web server, in security terms, is a stepping stone into most companies) and concerns over Microsoft (US company) and secret FISA Court orders probably had nothing to do with the switch over in China at all.
[The same FISA who redefined the word "relevant" for the NSA so that "relevant" could be broadened to permit an entire database of records on millions of people, in contrast to a more conservative interpretation widely applied in criminal cases].
Really? Heartbleed, Shellshock ring any bells? The two greatest security threats the Internet has had to weather were caused by open code.
Open might be great in your liberal fantasy land, but in the real world people need to *ACTUALLY LOOK*. And that means paying them.
Guess who pays people? Employers.
So you want code backed by an actual company, not a group of hemp wearing, failed hippies.
"there are bugs in OSS, the difference is when they are discovered, they are fixed, with MS, you might not hear about the bug until the fix is out"
But the holes were not fixed for several days with Shell Shock - while servers were being actively exploited.
Microsoft Windows has a consistent history for the last decade of less time at risk on average than enterprise Linux distributions largely because of their policy not to detail exploits until fixes are tested and in production..
"Time at risk" does not equal the time between the exploit being admitted to by the vendor and the time it is fixed.
It is the time between either the discovery of the flaw, or the time it was introduced and the time it is fixed.
When Microsoft sit on detailing a flaw until a fix is ready, your servers ARE STILL AT RISK.
Their policy is dangerous and cavalier. This is not the security you think it is.
""Time at risk" does not equal the time between the exploit being admitted to by the vendor and the time it is fixed.
It is the time between either the discovery of the flaw, or the time it was introduced and the time it is fixed."
No. It is a measure of how long a vulnerability is in the public domain and you are at risk from attacks based on it before it is patched.
"When Microsoft sit on detailing a flaw until a fix is ready, your servers ARE STILL AT RISK."
Only if the vulnerability is publically known. See above.
"Their policy is dangerous and cavalier"
It's exactly what most software vendors including enterprise type Linux distributions do because it's the safest approach until a patch is available. You clearly have no clue about the subject.
You clearly have no clue about the subject.
Who are you trying to kid?
People here are trying to advise you, not point score on who's the biggest wanker - you've already killed the competition on that one.
I really hope less informed people aren't reading what you post.
Boohoo, so your favourite piece of software isn't as popular as you like - same for me - get over it, it doesn't mean you have to stop using it. Grow up: It isn't a competition.
Only if the vulnerability is publically known. See above.
You'll need to define "publicly known" since a small group of thieves could discover and exploit the vulnerability for quite some time before the general public finds out, perhaps by noticing that their savings balance is suddenly zero or their credit card is maxed out.
And over the past week this team could have been hammering this vulnerability like crazy knowing it's about to be fixed. Any one of us could have some spy/botnet installed and we have no way of knowing.
The chances are even higher this week with the aftermath of shellshock even "trusted" sites might be serving the payload - we have know idea what the payload would even look like because it's hush hush for "security" reasons.
Only a fool (or crook) would be satisfied with this situation.
Who actually looks at closed source?
You're an idiot if you think "closed source == secure". I'd say history proves you wrong, but it's happening right now! Who spotted the bugs (which were there since IE6) that are getting patched tomorrow?
Like you said, only the motivated will spot bugs - and that's either by a wage, or otherwise.
Bugs always slip the net, regardless of code visibility or being backed by a single company. Open source just means there's a theoretical higher chance for them being spotted - and the handling of discovery is much better.
If the heartbleed and shellshock bugs where in closed source, who do you think would have spotted them? You wouldn't have even been able to test/secure it yourself, since the details would be kept quiet while you're sitting like a duck until Tuesday.
By the way, even Microsoft are supporting open source. Isn't it about time their fans did the same?
see: www.microsoft.com/opensource/, and http://www.asp.net/vnext
"Heartbleed, Shellshock ring any bells? The two greatest security threats the Internet has had to weather were caused by open code."
Wow - I never knew that. What would I know as a SysAdmin?
Problems from the above - apart from taking 5 minutes to fix - zero.
Problems from Windows based DoS and brute force password attacks and dodgy hotmail accounts?
I think it a little more than zero. Have a nice Tuesday.
I nominate "out of flavour" for Eggcorn1 of the Week2.
1Prolepsis: "out of flavor" barely charts on Google Ngrams; "out of flavour" isn't found at all.
2Though it could also be "... of the Weak", for those sick of this particular tiresome and utterly unproductive religious war.
The difference between closed and open source is rather like the difference between religion and science.
Religion (closed source): you do not have evidence (source code) and have to just accept what someone says is true. Theory correction (bug fixes) is hidden - if it happens at all.
Science (open source): you know that you can look at the evidence (source code) and verify what you are being told. Theory correction (bug fixes) happens in public view.
You might not have the ability/desire to look at the source code, but know that other can.
Open source problems are visible for all the world to see, do you know what horrors lurk in closed source ?
Really? Heartbleed, Shellshock ring any bells? The two greatest security threats the Internet has had to weather were caused by open code.
Holy hyperbole Batman.
No, neither of those is even in the top 5 greatest security threats the Internet has had to weather. Maybe not even in the top 10. What they are is the two most heavily reported security threats yet known to the Internet.
Both of them combined don't come close to the ongoing threat posed by SQL injection attacks. (Apparently there's still quite a few web developers out there who haven't figured out to always cleanse their inputs.) It's not such a big deal now, but cross site scripting was huge for a long time to. And then there's the various flavors of DoS attacks. Code Red and Nimda both took down systems in droves back in their day, far more than the systems that were attacked via Heartbleed or Shellshock. I'm sure there are other viruses that did the same. There are viruses like Stuxnet, which with a little tweaking can cause major industrial accidents and kill hundreds or thousands of people. And lets not forget the many and varied attack vectors of IE6 that hung around for years and years because Microsoft refused to fix them (thank goodness they've learned since then). But if you really want to get down to it, I'd say the crown for biggest threat goes to the malware that's slurping credit card information from retailers left and right lately.
Heartbleed and Shellshock were both very serious, but no, sir, they're not in the running for 'greatest security threat the Internet has ever known'. Not even close.
Netcraft reports both "active sites" and "all sites". "Active sites" represents domains with real web sites behind them. "All sites" is mainly just domain names that are owned by speculators or domain squatters with no real web site other than a "this domain for sale" site or link farms. A real web site requires real infrastructure to support it, while a single server can support thousands of inactive ones (they rarely if get visited, except when someone makes a mistake typing in a domain name).
In other words, the "all sites" statistic is meaningless. However that's the only one where Microsoft has a significant market share. When it comes to active sites (that is real web sites), IIS has been in third place for quite a while, after losing second place to Nginx. There will be month to month statistical variation, but the long term trend for IIS has been inexorably downwards for many years. They had a bump a few years ago which turned out to be domain squatters and link farms temporarily showing up as active sites until Netcraft filtered them out again. Netcraft used to publish much more detailed statistics which showed this, but their newest reports are less informative.
Netcraft also tracks the top million web sites in terms of traffic. Those have always mirrored the "active sites" numbers pretty closely (minus the domain squatter bump). In other words, the anomaly is the "all sites" figures. Apache hasn't "returned". When it comes to real web sites, Apache never left.
The only real news over the past 5 years or so has been the rise of Nginx. That has been popular lately due to it being easier to configure. Since it simply doesn't support the more complex use cases that Apache does, it has fewer knobs to twiddle.
The differences between Netcrafts "all sites" and "active sites" has been well known in the industry for years. If you still see a report today that confuses the two, you need to take anything else in that report with a very large grain of salt.
Apache is slowly being replaced by nginx. Makes sense, since Apache is over-kill for most sites.
IIS is irrelevant - "Other" is more popular, and even Google was at one point.
Apache is slowly being replaced by nginx. Makes sense, since Apache is over-kill for most sites.
Most distros pre-configure Apache, and they do it in a way to support all 12,000 different web apps that they can install as packages. The resulting Apache is clunky and slow, and has the distros take on how it should be configured, probably with > 20 configuration files.
Most distros don't pre-configure nginx. People using nginx search google for "setup nginx php", and copy/paste the config file they find, making tweaks until it works.
If you start with an empty Apache httpd.conf, and explicitly add the configuration to do what you need it to do, you end up with a server that runs as efficiently as nginx but within the Apache environment, meaning all those extra things that are overkill can actually be easily added when they aren't overkill.
There is nothing wrong with nginx, it is a perfectly fine webserver. It is just that httpd is also a perfectly fine webserver.
you end up with a server that runs as efficiently as nginx but within the Apache environment
Possibly, if you're running Apache 2.2 with a suitable MPM (worker or event) configured. With a forking MPM, Apache is never going to be as "efficient" (either in resource consumption or responsiveness) as a threaded event-driven server - and that includes Apache itself, when it's configured for threading rather than (exclusively) forking. For many sites, the robustness and security advantages of forking make it a fine choice, but it's always going to be heavier.
I don't know of a methodologically-sound benchmark comparing current Apache with worker or event MPM and nginx.
There is nothing wrong with nginx, it is a perfectly fine webserver. It is just that httpd is also a perfectly fine webserver.
Agreed. It would be very foolish to recommend one over the other as a general rule, without considering any context. Few sites have to worry about thousands of simultaneous requests - and the ones that do generally have load balancers in front anyway. And many sites don't need Apache's more esoteric capabilities (though certainly many do).
IIS is irrelevant - "Other" is more popular, and even Google was at one point.
I'd also note that Java Application Servers might also have a better market share than IIS. Of all the banks in my country, only two use IIS. The rest are running some kind of app server, usually IBM's WebSphere.
So it seems they can't even get the serious financial market.
"In other words, the "all sites" statistic is meaningless. However that's the only one where Microsoft has a significant market share"
However it was always quoted as the accepted Apache market share number and no one questioned it - until Microsoft took the lead....
"IIS is irrelevant "
Microsoft have over a third of reported on web sites on the planet running IIS.
This post has been deleted by its author
Microsoft have over a third of reported on web sites on the planet running IIS.
The majority of which are unvisited static parked domains. Hardly something to get giddy about.
Of the active sites (you didn't look at the link, did you?), IIS is irrelevant, unless you have a large amount of parked domains and feel like making a quick buck from MS.
You can't dispute the fact, no matter how much you squint your eyes while looking at the graph.
"You can't dispute the fact"
And you cant dispute that face that over a third of the worlds reported on by Netcraft websites run on IIS. A chargeable product basically at parity with a 'free' one.
Says a lot about how much better it must that even though people have to pay for IIS, it has roughly the same market share as the leading freeware!
"Microsoft have over a third of reported on web sites on the planet running IIS."
Just what is the colour of the sky on your planet, anyway? Most of the IIS servers that aren't just linkfarms are probably needed to host the 'help' files for the atrocious ribbon based Windows applications.
TFA said
> The .公司 is one to watch: it's the Chinese equivalent of .com.
China already has .com.cn, of course, in latin characters. I wondered how far .公司 might have come, so I went to Google™ and asked it for all pages with the phrase 中国 and a domain of .公司. A bit of sedding and grepping later, I find that the eleven pages of results yield exactly two distinct sites: www.天堂寨.公司 (www.ttzly.com) and 中国人寿养老保险股份有限公司.公司 (www.chinalifepension.com.cn).
For comparison, the search '"United Kingdom" site:.co.uk' yields about 280 million results. I'm not about to grep that lot!
Even if we take out that the 37% figure from previous months was artificially pumped up by Chinese linkfarms, 37% is nowhere near "overtaking all FOSS web servers". Yet it is stated a lot by "AC"s who seem to be pushing up MS as the best solution. Try harder, astroturfing/shilling is easily noticed over here.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
