Netcraft Claims Apache Now Runs 2/3rds Of The Web

Mr Bill writes "According to NetCraft the Apache web server now owns over 2/3rds of the web. The jump of 2.8% since last month is mostly due to a number of large domain parking sites switching back to Apache from IIS. 'During 2001 and the first half of 2002 several companies hosting very large numbers of hostnames including Webjump, Namezero, Homestead, register.com and Network Solutions migrated to Microsoft-IIS. Subsequently these businesses have either failed, significantly changed their business model, or reverted to their previous platform, and Microsoft-IIS share is now in line with its long term pre-summer 2001 level of around 20%.' See the full report here."

That's Netcraft with a LOWER CASE 'c'

from Magnus at netcraft dot com

OpenSSL...

[admbws]

Take a look at the article below. It's incredibly worrying how many sites are still using vulnerable versions of OpenSSL.

Re:Apache 2.0

The Apache version comes directly from the server signature. This is changed easily enough (we find 3K Apache 7.x sites) but most people don't bother.

This month, we found

• 26.3M Apache 1.x hostnames
• 1M Apache 2.x hostnames
• 3M Unknown Apache hostnames

Magnus at netcraft dot com

Re:Apache 2.0

[madprof]

This seems about right. Apache 2.0 is still not as complete as Apache 1.3.x when it comes to support from surrounding software.
I'm waiting for Apache::Request to be ported properly.

Re:Microsoft running on Linux?

From Netcraft's FAQ:

""
Why do you report impossible operating system/server combinations ?

Webservers that operate behind a caching system, load balancer, reverse proxy server or a firewall may sometimes report the operating system of the intermediate machine. Hence reports of 'Microsoft/IIS on Linux' may indicate that either the web server is behind a Linux server that is acting as a reverse proxy, or has configured the Akamai caching system such that the first request to the site goes to one of Akamai's servers [which run Linux], or as in the case of www.walmart.com has been configured to send a misleading signature.
""

RTFM :-)

Re:Mono-cultures not good!!!!!

[jalet]

Problem with Zope is that it's often installed behind Apache which serves as proxy/urlrewriter and so Netcraft may only see Apache some times. (it correctly detects Zope for my own website though)

Re:Is this correct?

The oddity is caused by Microsoft's use of Akamai's mirroring services.

Re:Apache 2.0

[Nevyn]

FWIW, the server name is transmitted in a standard HTTP/1.1 response so it's trivial to work out what kind of server something is running. As a simple test, run 'telnet [host] 80' and type 'GET / HTTP/1.1' and hit enter a few times. You'll get a response (usually an error saying invalid HTTP/1.1 request) which includes a server version.

To be pedantic, that should really be... "A server name is trans ... what kind of server something says it's running."

Re:Microsoft running on Linux?

[PowerBert]

Ummm, could it be because it's their Unix. Hp push Linux too, and their website runs HPUX. All vendors use their own OS to run their websites. Can you imagine all the flack they would get if they didn't?

Funnily enough SCO are the only ones that don't run their own OS on their webservers. The run Linux, whats wrong with OpenServer???

Who really stands behind their products?

IBM run IBM/Apache on AIX

HP run Apache on HP-UX

SGI run Netscape Enterprise on Irix

Sun run SunONE webserver on Solaris

Apple run Apache on MacOS-X

FreeBSD run Apache on FreeBSD

NetBSD run Apache on Net/OpenBSD

OpenBSD runs Apache on Solaris? I'm sure thats because a uni hosts it.

Microsoft got scared at the last worm outbreak and now hide
2003 behind a Linux webcache farm ;-)

The one to beat them all.............

SCO run Apache on Linux

httpd versus Tomcat?

[ewg]

According to their platform groupings, they lump Apache Coyote together with Apache httpd.

Since Coyote is the Connector component that allows Tomcat to function as a standalone webserver, I wonder how many of "Apache" sites are running Tomcat versus httpd.

Re:Apache doesn't OWN anything

[Little+Brother]

Um what I think the article is saying is that 2/3 of the sites on the World Wide Web are run by Apache software. In the English Language this is equivalant to saying "Apache [Software] Runs 2/3 Of the [World Wide] Web."

The article doesn't claim that Apache is neccicary for the web, simply that it is well utilized.

Going beyond the article however, without Apache there would be a fairly noticable difference in the Web to the users. Fewer low-end sites would have the capasity for advanced features as there are few other free (as in Beer, although Apache qualifies by both meanings of the word) Web Servers with the advanced features Apache can incorperate. Thus, the sites that wouldn't be able/willing to shell out for commercial web server software would use less-featured servers and have to redo their pages in a less sophisitacated form to run.

Re:Microsoft running on Linux?

[gazbo]

Not at all.

If you have a look round the netcraft site you'll find they have a page dedicated to the fact MS appears to host on Linux.

Condensed notes: MS have vast bandwidth needs to distribute media/software round the world. Akamai are a company specialising in distributing media around the world (which means machines physically around the world so as not to saturate global links). Hence, MS use Akamai to host their media/data.

Akamai choose to host on Linux, hence requests to MS IPs often redirect to a linux server.

Incidentally, the fact MS use Akamai for this rather than cut their nose off by insisting on a Win/IIS from a different distribution company is why I laugh at the person (people) theorising that MS paid domain parking people to switch to Win/IIS in order to subvert Netcraft. Yeah, they're so obsessed with subverting Netcraft rankings that they don't even bother to make themselves look like they're running Windows.

Factual post : most secure server is NOT apache

This valuable informative post got modded down to -1 even though it is nothing but 100% informative, and I rarely ever post it. Therefore I will post it three times in case the apache-fanboy mods it down to -1 again

I in 400 SECURE servers is still a classic Mac Os host even cccording to netcraft !

Because no mac in the history of the internet hosting a web server has ever been rooted or defaced remotely.

Why?

Because not one version of Mac OS has ever had a single exploitable hole ever discovered. (classic mac os now up to version 9.2.2 on currenlty sold g4 tolwers). OpenBSD has had no less than 5 holes (not one) in the default install in the last two years. Mac OS has had ZERO in over 7 years, even when paired up with its preferred web server app.

The Army (www.army.mil) has used Webstar for years on macs for security.

In fact in the entire SecurityFocus (BugTraq) database history there has never been a Mac exploited over the internet remotely. Scan it yourself.

For years, except, for a couple months ago, the army has always used MacOS and has never had a break-in on a Mac. Unlike their other MS defacements.

http://uptime.netcraft.com/up/graph?site=www.arm y. mil

That is why the US Army gave up on MS IIS and got a Mac for a web server, sometimes it is a honeypot for OSX testing, and US ARmy use regular Mac OS on other internal servers

I am not talking about FreeBSD derived MacOS X (which already had a more than a 50 exploits and potential exploits in BugTraq database) I am talking about current Mac OS 9.x and earlier which are highly sophisticated abstract-OS models.

Why is is hack proof? These reasons :

1> No command shell. No shell means no way to hook or intercept the flow of control with many various shell oriented tricks found in Unix or NT. Apple uses an object model for procces to process communication that is heavily typed and "pipe-less"

2> No Root user. All mac developers know their code is always running at root. Nothing is higher (except undocumented microkernel stufff where you pass Gary Davidian's birthday into certain registers and make a special call). By always being root there is no false sense of security, and programming is done carefully.

3> Pascal strings. ANSI C Strings are the number one way people exploit Linux and Wintel boxes. The mac avoids C strings historically in most of all of its OS. In fact even its roms originally used Pascal strings. As you know pascal strings are faster than C (because they have the length delimiter in the front and do not have to endlessly hunt for NULL), but the side effect is less buffer exploits. Individual 3rd party products may use C stings and bind to ANSI libraries, but many do not. In case you are not aware of what a "pascal string" is, it usually has no null byte terminator.

4> Macs running Webstar have ability to only run CGI placed in correct directory location and correctly file "typed" (not mere file name extension). File types on Macs are not easily settable by users, expecially remotely. Apache as you know has had many problems in earlier years preventing wayward execution.

5> Macs never run code ever merely based on how a file is named. ".exe" suffixes mean nothing! For example the file type is 4 characters of user-invisible attributes, along with many other invisible attributes, but these 4 bytes cannot be set by most tool oriented utilities that work with data files. For example file copy utilities preserve launchable file-types, but JPEG MPEG HTML TXT etc oriented tools are physically incapable by designof creating an executable file. The file type is not set to executable for hte hackers needs. In fact its even more secure than that. A mac cannot run a program unless it has TWO files. The second file is an invisible file associated with the data fork file and is called a resource fork. EVERY mac program has a resource fork file containing launch information. It needs t

Re:Factual post : most secure server is NOT apache

[javester]

B4 you blow a gasket, check it out yourself - Netcraft survey of www.army.mil.

And security thru obscurity is one strategy that does work - why heck! Even MS keeps pestering security companies not to release advisories until they get a peek at it first.

Another survey - lots of IIS in .gov

[Tim+Colgate]

There is another survey at Security Space.

What's interesting about this one is that results can be viewed by domain. The highest proportion, and highest growth, of IIS seemed to be in the gov domain, where Apache is actually decreasing. IIS usage in education was also pretty high.

Use of Apache was particularly high in Germany .

Re:Microsoft running on Linux?

[Clover_Kicker]

OpenBSD runs Apache on Solaris? I'm sure thats because a uni hosts it.

Yep. The OpenBSD FAQ has this to say:

Although none of the developers think it is particularly relevant, this question comes up frequently enough in the mailing lists that it is answered here. www.openbsd.org and the main OpenBSD ftp site are hosted at a SunSITE at the University of Alberta, Canada. These sites are hosted on a large Sun system, which has access to lots of storage space and Internet bandwidth. The presence of the SunSITE gives the OpenBSD group access to this bandwidth. This is why the main site runs here. Many of the OpenBSD mirror sites run OpenBSD, but since they do not have guaranteed access to this large amount of bandwidth, the group has chosen to run the main site at the University of Alberta SunSITE.

webstar.

[leuk_he]

sorry, I would call this that flaimbait. But since it is well argumented i will reply...
1> No command shell.
Absence of features is not always a good thing. now you will have to add scripting in the webserver.

2> No Root user
Like windows 95?.. see 1.

3> pascal strings
but you can have buffer overflows with pascal strings if you fail to allocate enough memory for the string.

4>..only run CGI placed in correct directory location..
And if you get a script in there you have the same problem. And it is not easy to remotely administer....

5> Macs never run code ever merely based on how a file is named. ".exe" suffixes mean nothing!
You mean like the unix "x" attribute that was in the very first unix? This is a thing that windows has badly affected. But is this a thing that affects web servers or clients......

4> Stack return address positioned in safer location than some intel OSes
There are 3 kind of people.. that that can count and those who cannot 8-).
But a better solution would be not to have the stack in memory that can be executed.

7> There are less macs, though there are huge cash prizes for cracking into a
The fact that there are huge cash prices would

not be a ood advertisement for safety. And generally they are set on well protected servers that are doing nothing.
8> MacOS source not available traditionally,
same argument goes for ISS

no mac web server has ever been rooted,defaced,owned,scanned,exploited, etc.
I am 100% sure that they get scanned all the time. which makes me doubt all the other points. But then you can always blaim the user.

Re:Questionable

[daviddennis]

They switched to Windows with gigantic fanfare about a year or so ago. I was shocked and incomprehending, since it just didn't make any sense to do that given their Unix heritage.

I guess they're now back to Solaris, which is just where they were before.

So much for Microsoft's marketing.

D

Re:Apache 2.0

[Mr+Bill]

Apache 2.0 has a lot more going for it than just better windows support.

One of the most useful features is the new Filter architecture. This allows you to send you HTML through multiple stages for processing. In other words, you could have a page that is parsed by PHP, then mod_perl, and then mod_include! Although that is a contrived example and no one would want to write a dynamic page using three languages, it does explain the possibilities. A useful example of a filter in Apache2 is mod_deflate which compresses content on the way out to the client. Also, it would be simple to write a filter in mod_perl that grabbed all the response headers and printed them to a file for debugging.

The new MPM (Multi-Processing Modules) , which has allowed for the improvement of windows support, also gives you choices on Unix in allowing you to use threaded models, or process models, or a combination of both...

But you are absolutely right in your observation that most admins are more than happy with what Apache 1.3.x provides for them.

I think Apache is one of the great success stories in the internet age.

Re:good

[optikSmoke]

Hmmm, yes by numbers IIS is at its highest ever, however that is an irrevelent statistic. The fact that its percent of market share has decreased is much more useful. It basically means the market size has increased (ie, there are more total servers now) but IIS hasn't kept up.

As a simple (and exageratted) example, let's say the market increased by a million servers, but IIS only got 100 more. Yes, they would be at their "highest ever", but in reality they would have a much smaller presence in the market.

Numbers don't matter, its numbers relative to the competition (ie, market %). So, the graph is not really misleading, since it shows a useful statistic (market share) rather than a not-so-useful one (number of servers).

Re:Apache 2.0

[fferreres]

PHP is pretty stable on Apache 2, at least for me. I was a bit scared at first, but after running a relatively large and badly written PHP site with not problems at all for about 3 month, I feel confident now. But yes, better wait for PHP to declare it stable.

Don't know what other people experiences are...

F

Re:That's Just Crazy

[jc42]

Well, yes; sometimes it feels that way. ;-)

Actually, of course, it's just normal American corporate management practices that I'm talking about here. I keep getting the feeling that it's not outsourcing to cheaper parts of the world that we should be worried about. If any other part of the world ever invents a rational scheme for organizing companies, they'll wipe out our economy overnight.

Fortunately, there seems little danger of this threat materializing.

The funniest case was a few years back, when the project's management decreed the Netscape server as the standard. We tried several times. But the same thing always killed the effort: This server can be configured only through its web interface. Invariably, we would make some config mistake that turned the server into a zombie. At that point, there was no way to correct the problem because we couldn't change the configuration any more. We'd wipe the server's directories, reinstall -- and it would happen again. Sometimes we'd get it running for a few days, but every config change carried with it the possibility that we'd have to wipe the server and start over.

You'd think that people would understand why you can't trust a web server to handle changing its own config files. But the managers couldn't be convinced that there was a fundamental problem here. And we never found a way to get at those files with a plain editor. They just didn't make sense, and weren't documented anywhere that we could find.

I've long argued that one of apache's real strengths is its plain-text config file (with lots of good comments in the text). The commercial guys don't seem to be able to figure out why this is a good idea.