Slashdot Mirror
eWeek: Apache 2.0 Trumps IIS
AK47 writes "eWeek has a very positive review of Apache 2.0, entitled "Apache 2.0 Beats IIS at Its Own Game." They recommend the native Apache version on Windows over IIS for production use, citing superior security with no loss in performance."
It's nice to see apache beating IIS on windows, but how does IIS compare to apache 2.0 running on linux? I can't find anything with a recent kernel, preferably post-2.4.10. Even an apache on windows vs apache on linux benchmark would be nice.
that IIS is not so much about raw speed and security as it is web services? That this is what microsoft is really pushing?
We were able to port all of our web-based reporting code with only 1 line change (including COM objects). However if your ASP is truly hard-core then it might be more difficult.
who needs Windows at all with this
http://www.halcyonsoft.com/
combined with
.NET,.ASP both on Linux and having used it, it actually doesnt suck as much as chillisofts implementation
Apache is the way to go. According to http://www.netcraft.com/, 9,522,954 active sites are running some version of Apache as of March 2002, versus only 3,966,743 active web sites that run some kind of Microsoft web server. Of course Apache is better, easier, faster and secure, but the numbers of active web sites running Apache versus Microsoft's number is just icing on the cake.
You forgot the upside "can't be hacked by any script kiddie out there who's downloaded the latest attack script".
Of course, there's always the downsides for Apache- "log files get awfully full of failed attacks from owned IIS servers" and "don't get the amusement value of seeing what's been done to your web server's main page every morning by some cracker from China".
Despite a general disdain for replying to my own post, here's a nifty little list of Why Free Software Usability Tends to Suck that I just noticed. In my experience, numbers 2 and 5, at least, are true.
Disclaimer: I've found the Apache interface on Windows to be far less irritating than IIS.
.sig last updated Jan. 14, 2000
One of these days PHP will support Apache 2.0 and then we can revisit these benchmarks. Until then I'll write this off as a Zdnet troll for Slashdot attention.
http://www.apache.org/server-status
A) Halcyon's iNET does not (as of yet) run ASP.NET (which is much more important then ASP).
.NET stuff. Talk about a huge undertaking.
B) They require a seperate runtime that sits ON TOP of your Java Application Server. Double licenses per box (unless you use an Open Source JAS, however, I have yet to find an "enterprise quality" one).
However, it is pretty cool what they've done with the
There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
One question that popped up in my mind while reading the article is: why doesn't the apache team use .xml files for the configuration files like almost every other server these days? ie: weblogic,tomcat,etc..
.conf 's, but also to keep the mainstream masses happy... I'm sure it'll be easier for us oss developers to come up with nice gui interfaces to manage the server by reading xml files rather than parsing the .conf files.
Not only do I find editing xml easier than
[alk]
IIS has always performed well, and Microsoft knows that benchmarks sell licenses.
In fact, I used to have arguments that went like this all the time:
IIS User: IIS is faster and easier to use!
Me: Apache is more stable, more secure by default, and easier to extend.
IU: But I can handle 20 bazillion hits a nanosecond, your site can't scale.
Me: Whatever.
IU: Ha, I bet you can barely saturate a T1! etc
Microsoft is obsessed with performance because performance benchmarks give "tangible" proof of goodness. They are not obsessed with security, because features are more important. Or were; who knows what it's like there now.
ZOMG I WOULD LOVE TO KNOW ABOUT YOUR FEELINGS ON MACINTOSH VERSUS WINDOWS, VI VERSUS EMACS, AND HOW YOU'RE NOT A DORK
"A study of Apache security advisories dating back to Apache 1.0 shows the server's last serious problem (one where remote attackers could run arbitrary code on the server) was announced in January 1997. This problem was a buffer overflow in Apache's cookie module that was fixed in Apache 1.1.3.
A group of less serious problems (including a buffer overflow in the server's logresolve utility) was announced and fixed in January 1998 with Apache 1.2.5. In the three and a half years since then, Apache's only remote security problems have been a handful of denial-of-service and information leakage problems (where attackers can see files or directory listings they shouldn't)."
There are your numbers :)
I'm running Apache 2.0.35 and php 4.3.0-dev (CVS checkout from last night) right now. Flawless install. I've setup apache from source many many times and Apache 2.0.x leaves 1.3.x for dead. Very Cool.
http://home.y3m.net/ if you want to bang on it.
No, I did not read the f***ing article!
I just ran some quick-N-dirty benchmarks using ab (the benchmark tool that comes with Apache) and see some interesting results.
All tests were 1000 requests, 10 concurrent connections, with small html file (51 bytes).
Apache 1.3.22 on Linux 2.4.14 Dual PIII Xeon 550 w/ 1MB cache
On this setup, I saw requests/second in the 1500-2100 range, always with 0% failed requests, no matter how many times I re-ran the test
Apache 2.0.35 on Linux 2.4.14 Dual PIII Xeon 550 w/ 1MB cache
On this setup, I saw requests/second in the 1700-2500 range, (again always 0% failed requests)
Apache 2.0.35 on Windows 2000 SP2 PIII 400
Here I saw requests range wildly, from over 7700 requests/sec to as low as 350 req/sec. When I ran 'ab' multiple times in a row, the percentage of failed connections jumped radically from 0% to over 90%! It seemed that perhaps Win2000 TCP sockets were getting filled up (in TIME_WAIT) and this was causing the problems.
IIS 5.0 on Windows 2000 SP2 PIII 400
Very weird here. I only saw the req/sec go as high as 500-900 and still saw the large amount amount of failed requests after I re-ran the tests again and again.
Please keep in mind the Windows 2000 box is pretty much stock, so I haven't tweaked any of the TCP/IP stack stuff at all (and I have done this on the Linux box) Despite this it appears that Apache 2 on Win32 can seriously outperform Apache 2 on Linux. (Which sucks, but the truth hurts) Maybe someone can prove my results wrong, or at least explain what I need to do to stop the connection failures w/ Win2000.