The world of Web servers has always moved at a clip, with the leading players sometimes changing faster than the technology itself.
In the beginning, Netscape Enterprise Server (NES) ruled the roost. Then, in 1995, the Apache Group released the open source Apache HTTP Server, which quickly took the top spot. Shortly after that, Microsoft released Personal Web Server and Internet Information Server. Personal Web Server has since been retired, and Internet Information Server (IIS) has been rechristened Internet Information Services (retaining the IIS acronym) and made part of Windows Server 2000 and, later, 2003.
Even with Microsoft's strong presence in the world of operating systems, however, Apache, by most accounting, has held fast to the No. 1 spot for Web server penetration.
The oft-cited survey from U.K.-based Netcraft, a self-described "Internet services company," shows Apache holding fast to being the Web server of choice for more than 67 percent of all Web sites and Microsoft's servers consistently hovering around 21 percent. Yet reading between the lines reveals a different story. A Port80 Software survey that focuses on Fortune 1000 companies' server deployments shows Microsoft's IIS with 53.9 percent share, followed by Apache with 20.3 percent, and NES with 14.6 percent.
It should be noted that Port80 Software has a horse in this race, however. The vendor's bread and butter comes from developing software that integrates with IIS to beef up the server's security and performance as well as enhance the IIS user experience.
Security Space, an online services portal published by Canada-based E-Soft, also publishes a monthly Web server survey measuring Web server penetration. Its requirements for site inclusion are much more stringent: The survey counts only those servers referenced on other sites. As a result, Security Space's numbers are much lower than those from Netcraft though the percentages and the key players are similar.
It's hard to discern which survey gives the fairest account. But whichever way the numbers are crunched, the same three Web servers come up on top.
The above numbers on Apache offer a clear picture of its basic use and function. With more than 3 million host names (compared to 1 million for IIS), Apache would win any "People's Choice Award" in the Web server category. The fact that it is not the choice of the Fortune 1000, though, indicates some of its shortcomings. While Apache is great for general usage, it does not have a broad enough feature set for the needs of many large enterprise customers.
"The success of Apache is another example of open source 'good enough'," Gordon Haff, an analyst with Illuminata, told ServerWatch. "There are more sophisticated solutions out there, but Apache is quite capable enough for many tasks."
Its "good enough" capabilities are demonstrated by its victory over other open source offerings, such as Sambar, Roxen, and Jigsaw, on its rise to the top.
Version 2.0 of Apache was deemed production ready in January 2002. It delivered a wealth of enhancements to features found in version 1.3: multiprotocol support, Unix threading (which improves scalability), improved support for non-Unix platforms (such as BeOS, OS/2, and Windows), a new native API, and a simplified configuration.
At press time, the latest version of "the world's most popular Web server" is Apache HTTP Server 2.0.50. This is principally a bug fix release aimed at two specific security vulnerabilities:
- A remotely triggered memory leak that can allows a denial of service (DoS) attack due to excessive memory consumption
- A buffer overflow bug for trusted client certificates
The biggest problem for Apache is the proliferation of outdated versions. Close examination of the ratings for Apache on Port80 Software's survey reveals an an interesting phenomenon: Many sites are still using older versions. More than 20 versions of Apache are in circulation, and Version 2.0 accounts for only about 1 in 40 Web servers. Users are almost universally advised to upgrade to take advantage of the new features, and to save themselves security headache, as hackers are increasingly targeting Apache boxes yet they do not.
>> IIS and NES