Slashdot Mirror


Apache Now the Leader in SSL Servers?

miller60 writes "Apache has overtaken Microsoft as the leading developer of secure web servers, according to Netcraft's monthly SSL survey. Apache now runs on 44.0% of secure web sites, compared to 43.8% for Microsoft. Apache's recent gains are attributed to the inclusion of mod_ssl in version 2, and strong growth of SSL-enabled sites in non-US markets where Apache has stronger market share."

160 comments

  1. oblig troll by thepotoo · · Score: 0, Troll

    43.8% for Microsoft vs. 44.0%
    Netcraft confirms it...Windows is dying.
    Until next month when MS is at 44.0% again.

    --
    Obligatory Soundbite Catchphrase
    1. Re:oblig troll by bepe86 · · Score: 2, Interesting

      Well, statistics can always lie, but Apache has had steady growth, according to that graph, so I'm not too certain that Microsoft will take back that position by next Sunday... Anyways, another victory for FOSS, and it proves once again that there's still hope that alternative software has a place in professional businesses :) What I'm really curious about is how many of those Apache servers run on Windows machines; anyone got a statistic to point me to?

    2. Re:oblig troll by Billly+Gates · · Score: 1

      My guess is not a lot. The threading model for Windows is very different from Unix, which Apache is optimized for.

      Not to mention if the organization does not care to only use Microsoft products to satisfy the phb's, then there will be more of a reluctance to use Windows rather than Linux on intel based hardware. Especially if the geeks get to decide what to use.

      I have not played with Apache since 1.3x so my information may be outdated. I wonder if Apache 2.x can take advantage of Windows threading and process models more for better performance?

    3. Re:oblig troll by rabbit994 · · Score: 1

      Answer is no, IIS 6 is still better than Apache 2.x when comparing them on Windows servers speed-wise. Considering PHP 4 and 5 run on IIS 6 without issues (unless PHP apps themselves do funky stuff), running Apache on Windows is retarded. If you're going to run Windows, might as well just run IIS 6 and at least let Windows Update take care of the patching.

    4. Re:oblig troll by Homology · · Score: 2, Informative
      On Windows, forking a new process is expensive thus the heavy use of threads. On Unix, forking is not so expensive, comparatively.

      Apache http 2.x is supposed to run much better on Windows than 1.3, and does indeed use threading.

  2. Congratulations by EraserMouseMan · · Score: 5, Interesting

    to a quality open source product! Whatever Apache is doing development and management-wise, don't change a thing!

    1. Re:Congratulations by Homology · · Score: 3, Interesting
      to a quality open source product! Whatever Apache is doing development and management-wise, don't change a thing!

      They rejected many security patches from OpenBSD for httpd 1.3.29, and even before OpenBSD forked httpd 1.3 (the infamous license change) the in-tree diff was over 4000 lines of code.

    2. Re:Congratulations by antic · · Score: 1

      Wait a minute, isn't this all the work of OpenSourceParking...?

      --
      'Thats they exact same thing a banana wrench monkey.'
    3. Re:Congratulations by pembo13 · · Score: 1

      Change can sometimes be good. That said, I have no idea what they are doing internally.

      --
      "Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
    4. Re:Congratulations by DrSkwid · · Score: 1

      I was going to mention how easy setting up SSL Apache was but then your post reminded me it was OpenBSD's install :

      man ssl

      GENERATING RSA SERVER CERTIFICATES FOR WEB SERVERS
                To support https transactions in httpd(8) you will need to generate an
                RSA certificate.

                            # openssl genrsa -out /etc/ssl/private/server.key 1024

                Or, if you wish the key to be encrypted with a passphrase that you will
                have to type in when starting servers

                            # openssl genrsa -des3 -out /etc/ssl/private/server.key 1024

                The next step is to generate a Certificate Signing Request which is used
                to get a Certifying Authority (CA) to sign your certificate. To do this
                use the command:

                            # openssl req -new -key /etc/ssl/private/server.key \
                                -out /etc/ssl/private/server.csr

                This server.csr file can then be given to Certifying Authority who will
                sign the key.

                You can also sign the key yourself, using the command:

                            # openssl x509 -req -days 365 -in /etc/ssl/private/server.csr \
                                -signkey /etc/ssl/private/server.key -out /etc/ssl/server.crt

                With /etc/ssl/server.crt and /etc/ssl/private/server.key in place, you
                should be able to start httpd(8) with the -DSSL flag, enabling https
                transactions with your machine on port 443.

                You will most likely want to generate a self-signed certificate in the
                manner above along with your certificate signing request to test your
                server's functionality even if you are going to have the certificate
                signed by another Certifying Authority. Once your Certifying Authority
                returns the signed certificate to you, you can switch to using the new
                certificate by replacing the self-signed /etc/ssl/server.crt with the
                certificate signed by your Certifying Authority, and then restarting
                httpd(8)

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
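The man page steps quoted in the comment above, collected into an added example that is not part of the original post or the man page: it runs the key, CSR and self-signed certificate steps in a scratch directory and adds the checks worth making before restarting httpd(8) with a new or replaced certificate. The function names, the `test.example` subject and the 2048-bit default minimum are assumptions of this example; the quoted text generates 1024-bit keys, which current guidance treats as too short.

```shell
#!/bin/sh
# Added example, not from the thread or the man page. Assumes an unencrypted
# RSA key (the first genrsa form above) and the openssl CLI on PATH.

# make_test_cert DIR BITS: the man page's key -> CSR -> self-signed cert steps,
# written into DIR instead of /etc/ssl. The subject is a constructed test name.
make_test_cert() (
    umask 077                       # private key must not be group/world readable
    openssl genrsa -out "$1/server.key" "$2" 2>/dev/null || exit 1
    openssl req -new -key "$1/server.key" -subj "/CN=test.example" \
        -out "$1/server.csr" 2>/dev/null || exit 1
    openssl x509 -req -days 365 -in "$1/server.csr" \
        -signkey "$1/server.key" -out "$1/server.crt" 2>/dev/null
)

# cert_matches_key CRT KEY: true when the certificate carries this key's modulus.
# Catches the case where a CA-signed certificate is dropped in next to the wrong key.
cert_matches_key() {
    cm=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 2
    km=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 2
    [ -n "$cm" ] && [ "$cm" = "$km" ]
}

# cert_key_bits CRT: print the certificate's public key size in bits.
cert_key_bits() {
    openssl x509 -noout -text -in "$1" 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# is_self_signed CRT: true when subject and issuer are the same name.
is_self_signed() {
    s=$(openssl x509 -noout -subject -in "$1" 2>/dev/null | sed 's/^subject= *//')
    i=$(openssl x509 -noout -issuer -in "$1" 2>/dev/null | sed 's/^issuer= *//')
    [ -n "$s" ] && [ "$s" = "$i" ]
}

# key_is_private KEY: true when group and other have no permission bits set.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# preflight CRT KEY [MIN_BITS]: report each check; returns nonzero if any fails.
preflight() {
    rc=0
    min=${3:-2048}
    cert_matches_key "$1" "$2" || { echo "FAIL: certificate does not match key"; rc=1; }
    bits=$(cert_key_bits "$1")
    [ "${bits:-0}" -ge "$min" ] || { echo "FAIL: ${bits:-?}-bit key, want >= $min"; rc=1; }
    key_is_private "$2" || { echo "FAIL: $2 is readable beyond its owner"; rc=1; }
    is_self_signed "$1" && echo "NOTE: self-signed (test use; browsers will warn)"
    [ "$rc" -eq 0 ] && echo "OK: $1 and $2 are consistent"
    return "$rc"
}

# Demo: runs only when the script is invoked with "demo" as its first argument.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d) || exit 1
    make_test_cert "$d" 2048 || exit 1
    preflight "$d/server.crt" "$d/server.key"
    rc=$?
    rm -rf "$d"
    exit "$rc"
fi
```

On a real host the same check is `preflight /etc/ssl/server.crt /etc/ssl/private/server.key`, run after swapping in the CA-signed certificate and before the restart.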
    5. Re: Congratulations by Anonymous Coward · · Score: 0

      At some point the OpenBSD guys threw some patches over the wall to add lots of code which would only work on OpenBSD, and called these "security fixes" - they were really just changing the code to use different string handling routines; no actual security issues were involved. Needless to say, there are many people who think Apache should be usable on platforms other than OpenBSD; patches like that generally get rejected.

  3. Shows what I know by Illbay · · Score: 5, Interesting

    I didn't even know that Apache had NOT been the leader in this category.

    --
    Any technology distinguishable from magic is insufficiently advanced.
    1. Re:Shows what I know by PFI_Optix · · Score: 3, Interesting

      I'm not sure why this was modded redundant. I too am surprised that Apache wasn't the leading secure server. I'd find it interesting to know just how many people didn't realize that MS held as much share in this particular category as they do.

      --
      120 characters for a sig? That's bloody useless.
    2. Re:Shows what I know by DaHat · · Score: 3, Interesting

      I agree... but for a different reason: I'm surprised that this was not mentioned previously by the Microsoft camp in response to the traditional OSS claim of Apache and Linux running more web servers than Windows and IIS.

    3. Re:Shows what I know by harshmanrob · · Score: 1

      I have to agree as well. I have always believed Apache was the #1 web server in use today in all areas, with the exception of the most number of successful hack attacks on a web server. The winner there is clearly IIS.

    4. Re:Shows what I know by gbjbaanb · · Score: 3, Informative

      It has been mentioned, just that the figures were not available for the SSL survey unless you coughed up cash for the report.

      It's the response that, despite Apache's strength in overall websites, IIS was used for more 'serious' sites. The OSS people who read these comments (usually in another Apache has more/is better/etc than IIS stories) just ignore them.

    5. Re:Shows what I know by Secrity · · Score: 2, Informative

      It was my understanding that for heavy duty "serious" sites that Netscape web server/Sun whatever web server had been the usual choice. news.bbc.co.uk (serious web site, number 8 behind Yahoo, Microsoft, and Google) is using Zeus/4.2 on most of its sites. www.yahoo.com is running something under FreeBSD. cgi.ebay.com, #9, is mostly running WebSphere. #10, toolbar.netcraft.com (?) is running Apache. The only Netcraft top 10 most visited site that is running IIS is www.microsoft.com (#6). For reference, www.sony.com, www.weather.com, and www.cnn.com are running Apache (all of which are serious sites).

    6. Re:Shows what I know by archen · · Score: 1

      Well I don't think he meant uber Amazon.com level sites, but mid-grade sites. Bigger than hello-world.html, smaller than newegg. I've actually seen a LOT of IIS based solutions utilizing SSL that I wouldn't even consider "production grade". The sites go down a lot, stuff is broken left and right, html disaster... but they DO have an ssl certificate.

      Usually these sites are an indicator of a business offering a web based "service" although they themselves have nothing to do with technology. In a non tech business which is 100% MS and the IT staff only knows Windows, this is pretty common. Although as of late I've been coming across more Apache + MySQL stuff on Windows too.

    7. Re:Shows what I know by toadlife · · Score: 1

      "with the exception of the most number of successful hack attacks on a web server. The winner there is clearly IIS."

      Actually it's not. Apache takes that crown.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    8. Re:Shows what I know by the_womble · · Score: 1

      I suspect the MS camp did not want to mention the figures too often as it would draw attention to the survey which also showed Apache well ahead in market share.

    9. Re:Shows what I know by the_womble · · Score: 1
      So even when IIS had more SSL sites:


      1) Apache ran more sites in all
      2) Most visits were to sites running on Apache
      3) If the biggest SSL sites ran Apache, most visits to SSL sites were to sites running on Apache


      I am not clear if the GP endorsed the idea that greater SSL market share meant greater "serious site" market share, but that does not follow: the most visited serious sites are information and search sites. Certainly almost all the work related sites I use are information sites that run Apache - although to be fair the single site I use the most runs IIS.


      A few years ago I used to have access to some investment banks' institutional customer only sites and they ran on a good variety of platforms. I can remember at least one ran on Lotus Domino.


      In a non tech business which is 100% MS and the IT staff only knows windows


      I have found that the IT staff in SMEs often can not even configure Windows correctly and are terrified of taking any risk at all. I have seen plenty of examples of incompetence.


      I think there is a reason for this. Consider the pool of people who are bright enough to make good admins and interested in IT. They have a choice of careers and most of them probably choose another path (being a developer is probably more obviously attractive to most people).


      Of those who are left, most of the good ones get hired by a few big organisations that are willing to pay well to get good people to run mission critical systems.


      This leaves SMEs with a limited talent pool.


      Now if a company is hiring a Chief Financial Officer the CEO and directors will know enough about accounts to judge who is a good candidate. The same applies to hiring marketing people and any function to do with a company's core business.


      Now consider this. How many CEOs have a clue about IT? How well equipped are they to select a head of IT?


      So the job of head of IT goes to the best talker - i.e. it is almost a random choice in terms of competence. If the head of IT is an idiot, their hiring decisions are not going to be good.


      Now combine all that with a limited talent pool and a cost that is seen as an overhead and the result is pretty much what you see.


      I have also noticed the kiss of death is a small company whose IT people claim "a good relationship" with Microsoft. No, if you buy a few tens of desktop licences for Windows and Office a year and have a few services you do not matter to MS at all. What they mean is that they have a good relationship with an MS salesman.

    10. Re:Shows what I know by Tough+Love · · Score: 1

      I didn't even know that Apache had NOT been the leader in this category.

      Patents on some SSL algorithms kept Apache from distributing the SSL code freely. Now the patents have expired and secure commerce is finally free. Just one example of how patents harm society, in this case they helped support the inveterate monopolist Microsoft.

      --
      When all you have is a hammer, every problem starts to look like a thumb.
    11. Re:Shows what I know by gbjbaanb · · Score: 1

      Really? Sure, more sites run on Apache, but I thought the Netcraft survey didn't count SSL sites at first, and then only counted them for their paid-for survey. So it does not follow that most visits to SSL sites were to Apache SSL sites. Don't try your spurious logic with me Mr red clearance! :-)

      By 'serious', I meant sites where the organisation running them cared about the security of it because they had something behind it to secure. In these cases it will be some form of application server (forget your PHP shops that have sql embedded into them, they are inherently insecure, you should always put a protective layer between your data and your website). These applications will be written in the system the organisation is most familiar with - and for most organisations, that will be Windows, therefore IIS.

      CEOs too have a better clue than you give them credit for - only they don't care what particular system is running the business, only that it does. Cost doesn't factor into it - the cost of the admins, devs, software, hardware, skills training, support are all considered well before choosing whether Apache or IIS!

      It has nothing to do with some salesman saying 'you must use ours', and Microsoft having better salesmen. More down to the market share of Windows in general (which they have due to historical circumstances).

      In relation to admins, you don't want 'bright' admins. You want methodical ones. The kind that enjoy the boring job of keeping something running and unchanged. The ones who don't have the urge to fiddle, and will be happiest doing what the documented system configuration says the system is set up to do. You can have very good Windows admins who do this, it's a good thing they do not want any risk - risk is the last thing you want if your customer's credit card numbers are stored on a system connected to the web!

    12. Re:Shows what I know by Secrity · · Score: 1

      Do you mean those web sites that on weekends and holidays frequently display a Microsoft SQL error page when you click on anything?

  4. Not really. It all depends on how you count it. by LWATCDR · · Score: 4, Funny

    Sure Apache may have more installs than Microsoft but if you go by dollar value of product shipped I am sure that Microsoft is still way out in front of Apache!

    --
    See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
    1. Re:Not really. It all depends on how you count it. by Keyslapper · · Score: 2, Insightful

      Umm, No.

      If you go in dollars collected, then yes, I'd have to agree that Microsoft is way out in front. Dollar value on the other hand, is most certainly up for debate.

      And of course the obligatory:

      I for one, welcome our new open source overlords!!

    2. Re:Not really. It all depends on how you count it. by reldruH · · Score: 2, Insightful

      It does all depend on how you count it, but using the amount of revenue each product generates as your method of counting is the kind of thinking that leads to open source software being considered worthless. Yes the products that Microsoft's shipped have generated far more revenue, but Apache isn't even trying to compete on that level. If you must compare the two, compare them by actual quality of product, usually as determined by market share. If one program costs $10 and another costs $100 and you measure their quality by how much money each has made, you're not going to get an accurate comparison.

      --
      I've always pictured the color of OS zealotry as a sort of bright flamingo pinkish hue
    3. Re:Not really. It all depends on how you count it. by LWATCDR · · Score: 1

      Okay... I suggest you read this http://en.wikipedia.org/wiki/Joke and learn to smile a little.

      --
      See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
    4. Re:Not really. It all depends on how you count it. by Bohiti · · Score: 1

      If you must compare the two, compare them by actual quality of product, usually as determined by market share.

      Whoa, hold on there Pancho. By your logic, Microsoft Windows' market share makes it a higher quality product than... *bows head* ..the great one..

      This is Slashdot! Sacrilege! Get the brooms!

      [cliche]Don't forget about VHS vs BetaMax![/cliche]

    5. Re:Not really. It all depends on how you count it. by reldruH · · Score: 1

      *Caveat: in a truly open market, quality can be determined by market share, and the closer one gets to an open market, the better an approximation one can get of the quality of the products involved.

      The web server market has some real competition, making it a much more open market than the desktop OS market. I never meant to imply that the Windows monopoly made it a high quality OS. Thanks for pointing that out.

      --
      I've always pictured the color of OS zealotry as a sort of bright flamingo pinkish hue
    6. Re:Not really. It all depends on how you count it. by Schraegstrichpunkt · · Score: 1

      Depends for whom it is making the money...

    7. Re:Not really. It all depends on how you count it. by DrSkwid · · Score: 2, Interesting

      How about we sum the value of the transactions shipped via the 44.0% of secure web sites, compared to 43.8% for Microsoft.

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  5. Just now? by TimmyDee · · Score: 2, Interesting

    With IIS's myriad of security issues, you'd think this would have happened a long time ago. I guess we just have to chalk it up to the slow movements of corporations (or the death of those who used IIS ;).

    --
    Per Square Mile, a blog about density
    1. Re:Just now? by bod1988 · · Score: 1, Informative

      IIS: http://secunia.com/product/1438/

      Apache: http://secunia.com/product/72/

      What were you saying again?

    2. Re:Just now? by ad0gg · · Score: 1, Troll
      You should probably check your facts first. IIS is a lot more secure than Apache.

      IIS 6 2 exploits all patched
      Apache 2.028 exploits 3 unpatched

      I bet I get modded down for posting these two links.

      --

      Have you ever been to a turkish prison?

    3. Re:Just now? by gexen · · Score: 1

      Security issues? Sounds like somebody just likes to spew anti-MS propaganda without knowing the facts. IIS 6 has had NO critical security vulnerabilities since its release with Windows 2003 Server. IIS 6 is WAY more secure than Apache.

    4. Re:Just now? by Not_Wiggins · · Score: 2, Interesting

      It is more likely attributable to corporations setting up separate web/app servers. It is fairly common to have the front-end content served up by Apache and requests for dynamic content forwarded from the front-end webservers back through firewalls to application servers. Those backend appservers may still be anything... Websphere, IIS, WebLogic, etc.

      The stats listed might simply be reflecting this trend towards a split/more secure setup.

      --
      Diplomacy is the art of saying, "Nice doggie!" until you can find a rock.
    5. Re:Just now? by dadragon · · Score: 1

      Hell, I'm just an average guy and I have my website set up so that OpenBSD on my P2 233 handles static content, but all my dynamic stuff is handled by Tomcat on my a64 3000+.

      Works very nicely.

      --
      God save our Queen, and Heaven bless The Maple Leaf Forever!
    6. Re:Just now? by Anonymous Coward · · Score: 0

      Cool! Can you post the URL so we can test and see if it is able to withstand the power of a semi-slashdotting?

    7. Re:Just now? by TimmyDee · · Score: 1

      Note that I didn't say which version of IIS. I can't speak to IIS 6, but previous versions weren't exactly Fort Knox. Plus, many businesses don't upgrade to whichever is the latest version of X to come out of Redmond (or any software firm, really).

      --
      Per Square Mile, a blog about density
    8. Re:Just now? by Anonymous Coward · · Score: 0

      Realistically, comparisons need to be done at the present time, not 4 or 5 years ago. If you are trying to imply that a comparison needs to be made with IIS4 or IIS5, then let's find an old version of Apache. Much of the time businesses do in fact upgrade to whichever is the latest version of X because it comes with the server they are purchasing. It is rare that someone will go out and purchase a license for Windows 2000 Server when you can get Windows Server 2003 which is more reliable.

    9. Re:Just now? by ad0gg · · Score: 1

      So compare IIS 5.0 to a later version of Apache. IIS 5.0 is what came out with Windows 2000, IIS 6 comes with 2003 Server. IIS 5.0 still has half the number of security problems that Apache has. And just think, IIS isn't just web, it also does SMTP, FTP and NNTP and still has fewer security problems than Apache, which is really quite sad. Kinda makes you wonder why anyone would choose Apache over IIS, maybe it's because of all the disinformation on the net that fanboys spread.

      --

      Have you ever been to a turkish prison?

    10. Re:Just now? by RzUpAnmsCwrds · · Score: 1

      With IIS's myriad of security issues

      Frankly, this kind of crap needs to stop.

      Over the past three years, IIS 6 has had a grand total of 2 vulnerabilities - neither one being particularly severe. If you can point out more, I'd like to hear it.

      Microsoft has a lot of problems with security, but IIS 6 isn't one of them. IIS 6 has proven to be a very secure webserver.

    11. Re:Just now? by ocelotbob · · Score: 1

      I tried running that IIS thing on my box. Doesn't seem to like FreeBSD for some reason. Is there some patch you know of that'll let me run it, because I really like my uptime and stability; I don't want to run on an inferior operating system.

      --

      Marxism is the opiate of dumbasses

  6. Terrorism! by jZnat · · Score: 1, Funny

    Everyone knows that if you have nothing to hide, you don't need to encrypt your communications traffic. This obviously means that terrorists are using open source software more often now! We need a law banning open source software now!

    --
    'Yes, firefox is indeed greater than women. Can women block pops up for you? No. Can Firefox show you naked women? Yes.'
    1. Re:Terrorism! by Crizp · · Score: 1

      sssh! don't give them ideas!

    2. Re:Terrorism! by Anonymous Coward · · Score: 0

      Damn, I think CIA and white house already know this. Cat is out of the bag!

  7. From the Article by Orrin+Bloquy · · Score: 1

    "Late Wednesday evening, Microsoft executive Steve Ballmer was found buried up to his honey-glazed, fire-ant covered head, apparently the result of a misunderstanding over his outspoken reaction to the news."

    --
    "Made up/misattributed quote that makes me look smart. I am on /. and I must look smart."
  8. Re:the only winners by AuMatar · · Score: 1

    Does it matter? Do you really think anyone does anything other than blindly click accept? Hell, do you think the average user would understand a certificate if you sat down and explained it to them?

    --
    I still have more fans than freaks. WTF is wrong with you people?
  9. Who chooses Microsoft? by Mc_Anthony · · Score: 0, Insightful

    Are there any admins out there that actually prefer Microsoft web solutions
    over LAMP (Linux, Apache, MySQL, PHP)? Or do decisions like that come from on high in many organizations. As an admin who works for a government institution, I
    always have the freedom to select the software I want...

    I have pity on those admins that are forced to maintain Microsoft solutions
    against their will.

    1. Re:Who chooses Microsoft? by DaHat · · Score: 2, Insightful

      Yes... Call me crazy but I love Windows, IIS, ASP.NET and MS SQL.

      Granted... I have limited experience with LAMP, when I set out to build my lil beg site back in January I tried doing it with LAMP for a time because of the cost savings that I'd have from hosting on Linux... unfortunately there were plenty of behind the scenes things that I just couldn't figure out and didn't have the time or desire to spend to make it work... so I backed off and did it under a pure Microsoft side and things came together quite smoothly.

      My only regret is not yet getting enough traffic to my site, as well as having my Adsense account nuked.

    2. Re:Who chooses Microsoft? by remembertomorrow · · Score: 1

      Call me crazy but I love Windows, IIS, ASP.NET and MS SQL.

      You, sir, are indeed crazy.

      Or you work at Microsoft. ;)

      --
      Registered Linux user #421033
    3. Re:Who chooses Microsoft? by Alkrun · · Score: 2, Interesting

      That hasn't been my experience at all. I run some PHP forums and I'm a .NET developer so I don't think I really qualify as an administrator. But my experience has been:

      As far as dynamic web-page language/technology goes, PHP runs poorly, is a bit painful to install / configure compared to the .NET runtime which is almost a no-brainer install.

      As far as databases go, MS SQL server comes with better tools than mysql, and generally requires less knowledge to administer.

      Apache might be more configurable but editing Apache configuration XML has been problematic for me the limited times I've had to do it. IIS has most of that exposed in the UI, and there are generally more "30 second how-tos" for doing that stuff with the meta-data editor if you need to.

      Linux vs. Windows comes down to the fact that I prefer Linux for a server OS but IIS / MS SQL don't run on Linux.

    4. Re:Who chooses Microsoft? by CCFreak2K · · Score: 2, Interesting

      I think this indeed is a case in point for my argument. Why do people NOT switch from IIS to Apache? TCO. Not only do they have to change over all of their IIS running machines (may just be one, may be more than one), but they have to learn an entirely new product. Apache isn't all point-and-click, either (from my standpoint, anyway; I set up Apache on a server without X on it), so they have to contend with administrative incompetence until they understand it. It costs dollars to train those people. On the flip side, Microsoft software is easier to set up, but the dollars are lost in licensing for use of the software in the first place.

      I'm not FOR IIS, nor am I against it. I'm just saying that it's sometimes difficult for someone/some group to make such a big switch.

      --
      "Beware of he who would deny you access to information, for in his heart he dreams himself your master."
    5. Re:Who chooses Microsoft? by Anonymous Coward · · Score: 0

      Are there any admins out there that actually prefer Microsoft web solutions over LAMP (Linux, Apache, MySQL, PHP)?

      (Posting as AC, obviously...)

      I do. I've never had any trouble with Windows 2003 Server and IIS6. However, Win2k and IIS5 were, uhm, I'm not allowed to post obscene words here - even minors read Slashdot. IIS6 is a really, really great web server, and the usual Slashdot MS bashing aside, it's even much more secure than Apache. Win2k3 is also stable as a rock and very secure.

      MSSQL is also a great RDBMS for small to medium systems (1-5 terabytes of data). We are, however, pondering PostgreSQL for future projects of the same size; MySQL isn't even an option.

      Likewise, PHP isn't an option for any code written. We use .NET, as it's fast, stable and most importantly, a standardized framework. If one of our devs gets run over by a truck tomorrow, we can plug a new hiring in, without worrying much if he's knowledgeable in one of the zillion incomplete frameworks that currently exist for PHP, plus the obligatory in-corporation system framework.

      Vendor lock-in? Maybe. Do we care? No, we don't. Things get slightly more, eh, complicated when your applications aren't 100-line scripts, but when you have 2.500 lines of code just dealing with a "simple" form (simple to the user). PHP and Unicode don't go hand in hand (which is mandatory for our software), and its lack of namespaces even in version 5 completely eliminates it from any serious enterprise use with a few dozen programmers. Software doesn't cost much compared to the manpower behind it.

      That being said, we're currently training a batch of developers in RoR for small-scale projects.

      Back on topic: what Netcraft says doesn't mean a thing. Fortune Top 1000 sites are mostly MS-technology sites, for example, and what you don't see in such surveys is the vast majority of intranets running Windows and IIS. Who the hell cares about MS buying web server marketshare for parked domains, or Apache going up in SSL count? My personal web server runs Linux and Apache, and I've got a dual-boot Ubuntu+WinXP laptop. I wouldn't even dream of transferring my server to Windows and IIS, just as I wouldn't dream of having any enterprise-level app written in PHP running on Apache.

    6. Re:Who chooses Microsoft? by ZiakII · · Score: 1
      As an admin who works for a government institution, I always have the freedom to select the software I want...


      Um, you work for the US? I'm stuck always using Microsoft products.... as a USMC network admin.
    7. Re:Who chooses Microsoft? by Anonymous Coward · · Score: 1, Informative

      To get anywhere in Dot-Net, at least version 2, you need to know about the XML based Web.Config files. XML can be harder to understand than the more traditional plain text UNIX config file. To take advantage of stronger security features and set up a minimum privilege system needs a lot of skill.

      Dot-Net 2 on IIS is not always a no-brainer to install. You sometimes have to tweak it manually to get things working. Mixing Dot-Net-1 and Dot-Net-2 can be difficult, especially if your Dot-Net-2 app needs to put something in the global Web.Config that Dot-Net-1 can't understand and falls over on.

      PHP installation on my Linux box was a case of selecting php4 in Aptitude, my package manager of choice. The Debian installers are really very good and set up the link with Apache for you.

      Database connectivity in Dot-Net-2 is giving us nightmares at the moment. It may be fine if you stick to a single MSSQL database, but try distributed transactions with MSDTC or try non-Microsoft databases and things become sticky very quickly. The word Fragile doesn't do it justice. I'm sure we never had this kind of trouble with JDBC.

      Looking at the graph, I note that Apache plus the Apache derived cNet have summed to about level or slightly more than Microsoft all along.

    8. Re:Who chooses Microsoft? by Mc_Anthony · · Score: 0

      I work for NASA/JPL. Not all of us here have the same freedom. In fact, some admins here are forced to deal with software decisions that are made from the top down - by management - a poor way to run IT if you ask me.

      Anyhow, I'm assuming you're a Marine, so let me just say, thank you for your service.

    9. Re:Who chooses Microsoft? by dsci · · Score: 1

      It costs dollars to train those people.

      Or, just hire competent people to begin with. Quality people, those with the knowledge and flexibility to adapt to new environments/problems/challenges, cost money.

      --
      Computational Chemistry products and services.
    10. Re:Who chooses Microsoft? by republican+gourd · · Score: 1

      Here, have some clicks. Good luck... my student debt is a tenth of yours and it's still pissing me off.

    11. Re:Who chooses Microsoft? by heinousjay · · Score: 1

      Where is the magical source of infinite competence that produces all these people? Quality people cost money because they are in short supply.

      --
      Slashdot - where whining about luck is the new way to make the world you want.
    12. Re:Who chooses Microsoft? by CarpetShark · · Score: 1
      Are there any admins out there that actually prefer Microsoft web solutions


      Depends. Who is doing the calling? Other professional admins, them, or Microsoft?
    13. Re:Who chooses Microsoft? by micheas · · Score: 1
      As far as databases go, MS SQL server comes with better tools than mysql, and generally requires less knowledge to administer.


      MS SQL does come with better tools than mysql. But phpmyadmin (which does not come with mysql but is free) is adequate for most people's uses, and is installed by most hosting companies that offer mysql databases. As far as requiring less knowledge to administer, the worms that targeted MSSQL server should have been dead in the water, but because many, many people had grossly misconfigured MSSQL servers, they worked. (A database server listening on a public port without strong encryption and reliable authentication in this day and age is grossly misconfigured. Period.) So it may be easy to get MSSQL working. Getting it to work properly has historically been problematic. MySQL almost always only listens to 127.0.0.1 by default, with it up to the administrator to figure out riskier configurations. (FreeBSD Ports is an exception last I checked, but I suppose if you are installing mysql from ports you probably have more than a couple of howtos in front of you.)

      Apache might be more configurable but editing Apache configuration XML has been problematic for me the limited times I've had to do it. IIS has most of that exposed in the UI, and there are generally more "30 second how-tos" for doing that stuff with the meta-data editor if you need to.


      IIS is more configurable than Apache, but it is sendmail type configurable, you can do anything with it, but trying to figure out what either one is configured to do can be a black art at times. The odds of a neophyte being able to figure out what a custom configuration is doing are slim.

      As for php being hard to configure, I have only experienced that if the app coding is seriously brain damaged in places. (See almost all php4 only apps for an example of this, which includes a lot of popular software such as sugarcrm.) If the software is hard to configure it has a good chance of containing exploitable coding errors that you probably don't want on your website. Just as you don't want people installing weatherbug on their windows workstations. Some problems really are not the operating system's fault. I would look at changing your forum software if it fits these criteria.
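
An added example, not from the thread or from MySQL's own tooling: a small audit of the listener settings discussed in the comment above. `bind-address` and `skip-networking` are real MySQL options; the function names, status labels and sample configurations are constructed here, and `!include` directives are not followed.

```python
import ipaddress

TRUE_VALUES = {"", "1", "on", "true"}  # a bare "skip-networking" has an empty value
SEVERITY = ["local", "review", "exposed"]  # ordered from least to most concerning


def parse_mysqld_options(text):
    """Collect options from [mysqld] groups; a later entry overrides an earlier one."""
    options, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # simplification: '#' always starts a comment
        if not line or line.startswith((";", "!")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "mysqld":
            continue
        key, _, value = line.partition("=")
        # MySQL accepts bind_address and bind-address interchangeably
        options[key.strip().lower().replace("_", "-")] = value.strip().strip("'\"")
    return options


def classify_address(addr):
    """Classify one bind-address entry without doing any DNS lookups."""
    if addr == "*":
        return "exposed"
    if addr.lower() == "localhost":
        return "local"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "review"  # some other host name: resolve and check by hand
    if ip.is_loopback:
        return "local"
    if ip.is_unspecified:  # 0.0.0.0 or ::
        return "exposed"
    return "review"  # a specific interface: check firewalling, TLS and accounts


def audit_listener(text):
    """Return (status, reason) for the TCP listener a my.cnf text would produce."""
    opts = parse_mysqld_options(text)
    if opts.get("skip-networking", "0").lower() in TRUE_VALUES:
        return "local", "skip-networking set: no TCP listener, local socket only"
    bind = opts.get("bind-address")
    if bind is None:
        return "exposed", "bind-address not set: upstream default listens on all interfaces"
    results = [classify_address(a.strip()) for a in bind.split(",") if a.strip()]
    if not results:
        return "review", "bind-address is empty"
    worst = max(results, key=SEVERITY.index)
    return worst, "bind-address = " + bind


# Constructed sample configurations, not taken from any real host.
SAMPLES = {
    "loopback": "[client]\nport = 3306\n[mysqld]\nbind-address = 127.0.0.1\n",
    "unset": "[mysqld]\ndatadir = /var/lib/mysql\n",
    "wildcard": "[mysqld]\nbind_address = 0.0.0.0  # underscore spelling\n",
    "socket_only": "[mysqld]\nskip-networking\nbind-address = 0.0.0.0\n",
    "overridden": "[mysqld]\nbind-address = 127.0.0.1\n[mysqld]\nbind-address = 192.0.2.20\n",
    "ipv6_loopback": "[mysqld]\nbind-address = ::1\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        status, reason = audit_listener(text)
        print(f"{name:14} {status:8} {reason}")
```
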

    14. Re:Who chooses Microsoft? by dhasenan · · Score: 1

      It's not TCO; it's cost of changing. Regardless of what you start out with, you're largely stuck with it.

      However, it's simple enough to do a gradual change. You'll lose some productivity for a while while your sysadmins learn LAMP, but all your main functions will be running continually. Plus, if Windows is actually better for your business, you'll find out the easy way.

    15. Re:Who chooses Microsoft? by jonadab · · Score: 1

      Frequently, the decision to use IIS is made by a third-party software vendor that chooses to build a product on ASPX (often in conjunction with either Oracle or MS SQL Server). I'm not talking here about standard general-purpose software, such as office suites, but more in terms of specialized, field-specific software designed for a certain type of business or organization. Because of the economics of smaller scales (fewer customers per product), these things tend not to be held to anything like the same standards as general-purpose software that almost everyone uses (e.g., office suites). Typically, the usability is nightmarishly bad and the security worse. Oh, and for the joy of using such junk you get to pay... let's just say rather a lot more than it costs to license standard off-the-shelf software such as office suites and image editors.

      --
      Cut that out, or I will ship you to Norilsk in a box.
    16. Re:Who chooses Microsoft? by wtarreau · · Score: 1

      I have pity on those admin that are forced to maintain Microsoft solutions against their will

      You don't understand: there are many incompetent Windows admins who are asked to deploy a web server. What do you think they do? They click on the Start button, searching for anything which looks like 'web server' and start it, then click on a few boxes and believe they are secure.

      Don't imagine that a Windows admin will suddenly choose to take weeks to try to discover how Linux and Apache work, then install it to impress their boss!

    17. Re:Who chooses Microsoft? by geminidomino · · Score: 1

      Are there any admins out there that actually prefer Microsoft web solutions
      over LAMP (Linux, Apache, MySQL, PHP)?


      Not Microsoft, but give me FAPP (FreeBSD, Postgres) any day.

    18. Re:Who chooses Microsoft? by jonadab · · Score: 1

      > On the flip side, Microsoft software is easier to set up

      *Some* Microsoft software is easier to set up; I personally would not place IIS in this category. The first time I ever installed Apache (on Windows 95, no less -- hey, it came with the computer) it took me about an hour, and most of that time was spent reading stuff I *probably* didn't need to know, just in case it should happen to contain anything important. I now have half a dozen more years of experience, and we've had an IIS server at work since August, and I've done quite a bit more than an hour's worth of reading about it, but if I had to set up IIS on my own, I'd still be pretty much lost. Setting up Apache on a new system takes me perhaps five minutes, unless I need to do something complicated.

      It does, however, greatly depend on what you're accustomed to. When I went to set up Apache, I was already very used to the idea of editing a configuration file in a text editor, having done so for various other applications over the preceding several years; plus, I had enough background in programming to make the Apache config file format intuitive. The sample config file was very well laid out, thoroughly commented, and easy for me to understand, so I didn't have any trouble. If I hadn't been afraid of doing it wrong, it probably would have taken me fifteen minutes.

      Basically, I'm one of those people who thinks these steps:

      1. edit /etc/resolv.conf

      are easier to perform than these:

      1. Right-click on My Network Places and choose Properties.
      2. Right-click on Local Area Connection and choose Properties.
      3. Under the General tab, find TCP/IP in the list, and select it
      4. Click the Properties button.
      5. Edit the Preferred and Alternate DNS server entries.

      That's not true for everyone. It depends on your experience. If you've never used a text editor before, for instance, you're going to have a hard time figuring out how to make the former procedure work for you. If you were trained in an IT shop that does everything the Microsoft way, you're going to prefer the second procedure. So it depends on your background.

      --
      Cut that out, or I will ship you to Norilsk in a box.
  10. Why so much different? by imemyself · · Score: 2, Insightful

    Out of curiosity, does anyone know why the stats for SSL servers are so much different for regular HTTP? Are more business or ecomm(shudder) sites running on IIS? Or am I missing something?

    --
    Every time you post an article on Slashdot, I kill a server. Think of the servers!
    1. Re:Why so much different? by Billly+Gates · · Score: 1
      In the US the answer is yes because they want to standardize on Microsoft to lower support costs.

      I also just wrote a post mentioning that many ecommerce sites use Java based http servers and run Java based servlets where mission critical applications need to be robust. Most of these run neither Apache nor IIS and run on Unix.

    2. Re:Why so much different? by tedhiltonhead · · Score: 3, Informative

      The vast majority of virtual hosting is done using Apache, and most domains don't have SSL support. The SSL stat may get us closer to counting the number of IPs using the two packages, rather than just the number of domains.

    3. Re:Why so much different? by DragonWriter · · Score: 1

      Microsoft paying domain parkers to use IIS affects HTTP, but not HTTPS, stats, perhaps? Just a possibility.

    4. Re:Why so much different? by whoever57 · · Score: 1
      Out of curiosity, does anyone know why the stats for SSL servers are so much different for regular HTTP?

      Because it is either impossible (or perhaps merely very difficult) to virtually host an SSL site -- the problem is: when the client connects and requests a certificate, what certificate should be returned? The certificate needs to match the domain name of the request, but since the HTTP request has not yet been made (this happens after the certificate validation), the server does not know this name yet.
      --
      The real "Libtards" are the Libertarians!
    5. Re:Why so much different? by Anonymous Coward · · Score: 0

      While many of us don't like to admit it, the numbers for Apache are greatly inflated due to the popular use of Apache for domain parking, i.e., 1 Apache server with tens of thousands of domains; it is a free choice and a popular one in these realms. Sadly, SSL numbers probably give a figure that is closer to reality.

  11. Thought MS was further back. by gasmonso · · Score: 2, Insightful

    Honestly, all MS bashing aside, why would anyone use MS over Apache? The support and knowledgebase surrounding Apache is second to none. Plus it's free, but to me that's second to the quality and performance. Keep it up Apache!

    http://religiousfreaks.com/
    1. Re:Thought MS was further back. by gexen · · Score: 1

      Because IIS is easy, secure (no critical updates for IIS 6 ever!) and can run ASP.NET/Python/PHP/Perl and anything else you can throw at it with very little configuration. The application pool isolation is also a very nice feature for those who came from IIS 5, so one web site can't bring down an entire box. There are tons and tons of IIS resources on the Net, and while there may be more Apache information, that is only because there is less to know for IIS, it just works.

    2. Re:Thought MS was further back. by MightyMartian · · Score: 1

      It's better phrased that IIS can *almost* run PHP, Perl or Python written for *nix, but more often than not there are tweaks required. I have yet to see anything written in these languages on *nix boxes of any reasonable size port without work to IIS.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    3. Re:Thought MS was further back. by midnighttoadstool · · Score: 1
      Apache is seriously old (I'm thinking of the real-world Apache : 1.x); it's no wonder it has such a knowledgebase. But the fact that it has such a big knowledge base is not enough. MS would be proud of you since they, I reckon, would employ similar reasons for stagnation.

    4. Re:Thought MS was further back. by Thundersnatch · · Score: 3, Interesting

      It's all about the developers. People use IIS because it serves ASP and more importantly ASP.net. Say what you will about Microsoft, but Visual Studio is a first-class development environment. Building scalable and functional web applications in ASP.net using the graphical tools in VS is easier than anything I've seen in the LAMP world, with the possible exception of Rails.

      Plus, Microsoft's near-suicidal devotion to backwards compatibility makes heavily mixed ASP/ASP.net sites like CDW reasonably easy, probably easier than mixing different web frameworks on a LAMP or Java platform.

    5. Re:Thought MS was further back. by Gorshkov · · Score: 1

      If IIS is so freaking "secure", then why do I have rules in my apache configuration trying to detect URLs that include things like "/MSADC", "/c/...", "/_", "/uri-res", etc, so I can block all those infected machines that keep trying to infect ME?

      Less to know my arse - it's more like willful ignorance.
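
One way to run the URL check described in the comment above over an Apache access log, as an added example that is not part of the thread or the commenter's own configuration. The prefixes come from the comment (the elided "/c/..." is matched only as the literal prefix "/c/"); the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Prefixes named in the comment, lower-cased. Check them against the paths your
# own site serves before blocking on them: "/_" in particular is broad.
PROBE_PREFIXES = ("/msadc", "/c/", "/_", "/uri-res")

# Apache common/combined log format: client ident user [time] "request" status size
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
)


def normalized_path(request_line):
    """Return the decoded, lower-cased path of an HTTP request line, or None."""
    parts = request_line.split()
    if len(parts) < 2:
        return None  # e.g. the "-" Apache logs for an empty request
    target = parts[1]
    if "://" in target.split("?", 1)[0]:
        target = urlsplit(target).path  # absolute-form target: keep only the path
    # Decode percent-escapes once, unify slashes, and fold case so that
    # "/%4dSADC/", "//msadc/" and "/MSADC/" all compare equal.
    path = unquote(target.split("?", 1)[0]).replace("\\", "/")
    return re.sub(r"/{2,}", "/", path).lower()


def matched_prefix(path):
    """Return the first probe prefix the path starts with, or None."""
    for prefix in PROBE_PREFIXES:
        if path.startswith(prefix):
            return prefix
    return None


def find_probing_clients(lines):
    """Return ({client: {prefix: hits}}, number of unparseable lines)."""
    hits = defaultdict(lambda: defaultdict(int))
    skipped = 0
    for line in lines:
        m = LOG_LINE.match(line)
        path = normalized_path(m.group("request")) if m else None
        if path is None:
            skipped += 1
            continue
        prefix = matched_prefix(path)
        if prefix:
            hits[m.group("client")][prefix] += 1
    return {client: dict(counts) for client, counts in hits.items()}, skipped


# Constructed sample log (documentation address ranges, placeholder paths).
SAMPLE_LOG = """
192.0.2.10 - - [10/Oct/2006:13:55:36 -0700] "GET /index.html HTTP/1.1" 200 2326
198.51.100.7 - - [10/Oct/2006:13:55:40 -0700] "GET /MSADC/placeholder HTTP/1.0" 404 208
198.51.100.7 - - [10/Oct/2006:13:55:41 -0700] "GET /c/placeholder?x=1 HTTP/1.0" 404 208
198.51.100.7 - - [10/Oct/2006:13:55:42 -0700] "GET /%4dSADC/placeholder HTTP/1.0" 404 208
203.0.113.5 - - [10/Oct/2006:14:01:02 -0700] "GET //_placeholder/x HTTP/1.0" 404 208
203.0.113.5 - - [10/Oct/2006:14:01:03 -0700] "GET /uri-res/placeholder HTTP/1.1" 404 208
192.0.2.10 - - [10/Oct/2006:14:02:00 -0700] "GET /css/site.css HTTP/1.1" 200 512
192.0.2.10 - - [10/Oct/2006:14:02:01 -0700] "GET /contact/_form HTTP/1.1" 200 900
this line is not in access-log format
""".strip().splitlines()

if __name__ == "__main__":
    clients, skipped = find_probing_clients(SAMPLE_LOG)
    for client in sorted(clients):
        print(client, clients[client])
    print("unparseable lines:", skipped)
```

The prefix match is anchored at the start of the path, which is why `/css/site.css` and `/contact/_form` in the sample are not flagged.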

    6. Re:Thought MS was further back. by killjoe · · Score: 1

      How is VS + ASP.NET + IIS any better than eclipse/netbeans/Idea + Java? If anything it's worse because java tools have always been better than VS. How long has it taken for VS to get refactoring and a decent build system for example? The java programmers were enjoying those features for years while the VS people plodded along thinking they were l33t because they could draw their guis.

      I won't even go into how much more productive rails is than ASP.NET.

      Honestly the ASP.NET crowd thinks everybody else is working with sticks and stones for some reason. Most likely this is because they have never used anything else.

      --
      evil is as evil does
    7. Re:Thought MS was further back. by carlislematthew · · Score: 1
      ASP.NET.

      Check out the job postings these days. C#/ASP.NET developers are in VERY HIGH demand. For a long time, ASP was pretty shitty and worse than PHP and other technologies. With the arrival of ASP.NET/C#, the tide is turning back towards MS technologies, although these changes occur over periods of years and so it's hard to judge sometimes.

      Apache/Linux/etc may be free, but the cost of the MS software is minimal compared to the cost of a developer. A decent developer will cost you anywhere from 70-100K depending on a number of factors. If you included "fully loaded" costs of healthcare, 401k, vacation, then the actual cost is about 25% higher. Who gives a shit if that same company spends a few thousand here and there on software, especially when the MS software is potentially more productive, and certainly easier and quicker to learn...

      Sure, if you have a LOT of servers per developer (Google, for example) then your OS/software costs are critical. But imagine a mid-sized company, with 5 developers working on a web site that runs on 2 Servers. You think they care about 20K of software?

    8. Re:Thought MS was further back. by Anonymous Coward · · Score: 0

      Typical comment from a Microsoft user with NO experience with any other product.
      That's why we call MS solutions: The Starter System.

      When you graduate to real systems, let us know.

      JBuilder/JDeveloper/Netbeans handily beat VStudio.

      This is Microsoft's problem, Brain Drain.
      All the good people have left, leaving the clueless on the MS platform.

    9. Re:Thought MS was further back. by Thundersnatch · · Score: 1
      How is VS + ASP.NET + IIS any better than eclipse/netbeans/Idea + Java

      The simple answer is: ASP.net requires less code, and less design-up-front to get something working.

      In my experience, J2EE is fine for huge projects with lots of design resources and a bunch of proficient Java coders, but it is often a sledgehammer in search of something to hit. It's too big and clumsy for many smaller projects, and offers little if you want to "start small and scale up". Granted, J2EE's requirements for separating logic into MVC enforces better application design in many cases, but it is cumbersome if you need to do something outside that design pattern.

      Rails is a nifty development platform, but the non-native threading model and interpreted code make for apps that don't scale without a lot of extraneous CPU and memory on the front end.

  12. funny by Billly+Gates · · Score: 1

    I mention how bad Microsoft products are for mission critical servers and applications like websites. The response is always " .. but this is what everyone is using".

    So in other words it must not be that bad because everyone else is using it and everyone else is using it because everyone else is also using it. If that makes sense?

    Now it looks like the phb's are going to have to come up with a better excuse. :-)

    Also what is not mentioned here is that Java is the number one standard with big ecommerce sites that use SSL. PHP does not even come close for large sites. Most corporate SSL sites use JBoss, BEA, or some Java based http server to run the servlets.

    I wonder what the percentage of these is as well, since Java servlets use neither Apache nor IIS?

    1. Re:funny by Anonymous Coward · · Score: 0

      A million flies can't be mistaken - shit is good!

    2. Re:funny by Psiren · · Score: 3, Insightful

      I mention how bad Microsoft products are for mission critical servers and applications like websites.

      On what information are you basing this statement? If you looked at the stats (several comments above have the links) you'll see that IIS 6 compares very well against Apache. When you're making these statements, do you mention these statistics? I'm guessing not. There are plenty of reasons to use Apache over IIS, but security is not top of the list.

      I'm all for advocating open source, but if you're going to do it, don't spout bullshit. You come across as nothing more than a MS basher, and frankly, I don't want people like you speaking on my behalf.

    3. Re:funny by msuzio · · Score: 1

      I suspect most people are going to front-end Java servlet containers with Apache via something like mod_caucho or mod_jk (or, um, whatever the newest version of the Apache Server-to-Tomcat communications format is, those darn open source folks seem to change their minds a lot). Apache has a lot more customizable options for controlling access, rewriting urls, and other things you usually end up needing in any real production environment.

    4. Re:funny by Billly+Gates · · Score: 1

      I am considered a Microsoftie to some here on slashdot.

      Windows/IIS is known to have over 1,000 security holes since it was introduced and the combination is not as reliable as Apache and Unix.

      Also .Net is still very new and Java has it beat in terms of robustness and age for dynamic content.

    5. Re:funny by Gorshkov · · Score: 1

      On what information are you basing this statement? If you looked at the stats (several comments above have the links) you'll see that IIS 6 compares very well against Apache. When you're making these statements, do you mention these statistics? I'm guessing not. There are plenty of reasons to use Apache over IIS, but security is not top of the list.

      I hate religious wars, but what the hell - it's been a while since I've been in a good jihad (kidding)

      Seriously - I have never used IIS, and never will. It has nothing to do with open source (apache) vs microsoft (IIS). It has nothing to do with the TCO, featureset, availability of support between the two, or anything else that has anything to do with those two particular packages.

      It's simply this:

      When I run apache, it's running on a system that routinely has system uptimes in the range of XXX days (I don't get more because my local power sucks). When I run IIS, I have uptimes in the range of X (maybe XX, if lucky) days before you have to "schedule" a reboot.

      If I'm running something "mission critical", folks, it's critical, and I need it to BE there. Anybody betting their business on an operating system as unreliable as windows seriously needs to rethink the technical competence of their IT staff.

    6. Re:funny by Eristone · · Score: 1
      System information for \\:
      Uptime: 380 days, 3 hours, 43 minutes, 28 seconds
      Kernel version: Microsoft Windows 2000, Uniprocessor Free
      Product type: Advanced Server
      Product version: 5.0
      Service pack: 4
      And it isn't even that decent a box. A skilled IT staff can keep any operating system running for long uptimes -- it isn't the uptime of the box that you should look at -- it is the uptime of the application - if you've had to restart it (for whatever reason - died/patched/etc.) then zero out the clock and start counting again.
    7. Re:funny by Gorshkov · · Score: 1

      I would really, REALLY like to know exactly how much work that machine is doing, or if it's just sitting there idle. No, I'm not trolling - it's a serious question.

      And yes, it DOES matter what the uptime for the box can be. Because if the box can't stay up, it doesn't matter how reliable the applications are (or are not). That was my point.

    8. Re:funny by Anonymous Coward · · Score: 0

      And the botnet worm writers like the uptime as well since rebooting for security updates was never performed on this mission critical mission.

    9. Re:funny by Anonymous Coward · · Score: 0

      Oh my, this post is just asking to be laughed at but has somehow been modded up even though it was obviously meant as a joke. After all, Linux and apache combined has had in excess of 1,000 security vulnerabilities since it was introduced as well. But hey, let's look at some facts.

      For the record, IIS 6 has had far fewer security holes than Apache.
      Check for yourself at www.secunia.com. In fact, since it came out with windows 2003 it has only had 2 non critical vulnerabilities in 3 years. .NET is new? Wow, 7 years old and people still call it new.

    10. Re:funny by b0bby · · Score: 1

      I have found W2K server to be just as reliable as my Linux boxes. I do apply security patches & reboot on the weekend every month or so, but that doesn't affect our business and really I don't need to apply them all. Our current file server has been great for 4 years now running W2K server. My intranet server has been great for 4 years running Linux. I like them both.

    11. Re:funny by Eristone · · Score: 1

      Two small websites and Exchange and pretending to be a file server. The mail traffic is from a few lists plus the household stuff - but then it's Exchange so go figure.

  13. Not Apache by TheRaven64 · · Score: 0
    If it's SSL, then it's not Apache, it's Apache-which-includes-code-from-the-OpenSSL-project. All marketing material which references the SSL features of products that contain OpenSSL is required to include that text by the OpenSSL license.

    Oh, how I wish they'd move to a proper 3-clause BSD license...

    --
    I am TheRaven on Soylent News
    1. Re:Not Apache by Homology · · Score: 1
      If it's SSL, then it's not Apache, it's Apache-which-includes-code-from-the-OpenSSL-project.

      So what? mod_ssl is an Apache module using the OpenSSL library, but borrows code as well from OpenSSL. They do acknowledge that: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c?rev=1.27&content-type=text/x-cvsweb-markup

  14. false readings by Keruo · · Score: 3, Interesting

    Netcraft statistics lie.
    I run several ssl www-servers with linux+apache configuration, and yet they show as windows 2003 on netcraft surveys because eNom reports them that way.
    The true amount of IIS-based ssl servers is much smaller.

    --
    There are no atheists when recovering from tape backup.
    1. Re:false readings by PsychicX · · Score: 3, Insightful

      More importantly, the reported difference is 0.2%. You can't honestly expect me to believe that's a statistically significant difference; you'd need much more data to even get 1% margin of error.

    2. Re:false readings by vinlud · · Score: 1

      So based on your knowledge that a few servers are registered in the wrong category you assume this is true also for lots of other Apache servers? Have you taken into consideration that the reverse could also be possible? Tested it? In significant numbers?

      I have no doubt that the Netcraft statistics aren't 100% correct but your statement has no proof.

      --
      Repeat after me: We are all individuals
    3. Re:false readings by cphipps · · Score: 1

      Please mail webmaster@netcraft.com with your hostname and it will be looked at. Detection is not 100%, but it would be unusual for an SSL server to have a Windows proxy server in front.

  15. Could just be the tin foil by drrngrvy · · Score: 1

    Like the article mentioned, it's probably got something to do with mod_ssl being included as standard in Apache 2.0. Maybe it's just that those running websites these days are more paranoid than their 'forefathers'? After all, generally, Apache use has fallen recently.

    1. Re:Could just be the tin foil by TheRaven64 · · Score: 1

      From that graph, I see that Apache has fallen by roughly the amount 'others' has increased. I moved my Apache server over to Lighttpd a while ago - it's faster, uses less memory, has a more permissive license, and is easier to configure. Apparently there are things that Apache can do that Lighttpd can't, but I strongly suspect that they are things that 90% of the web-server-running world doesn't need to do.

      --
      I am TheRaven on Soylent News
    2. Re:Could just be the tin foil by cant_get_a_good_nick · · Score: 1

      Take fluctuations like that, and the entire NetCraft survey, with a grain of salt. Apache lost 4.4 million installed sites with a single decision. GoDaddy moved its domain parking to IIS. These are not real sites in which you can do anything, they're pretty much just placeholders and ads for GoDaddy at this point. Can't really bitch about it, it has to be on something, and at one time those 4.4 million servers were counted for Apache. In fact, NetCraft said most domain parkers use Apache.

  16. How do you pronounce ... by Anonymous Coward · · Score: 0

    SSL??

    do you say "ess ees elle"
    or
    do you say "sussell"

    1. Re:How do you pronounce ... by grub · · Score: 4, Funny


      "ess ess ell" like a real man. "Sussell" is retarded. I recall a fellow who pronounced "SSH" as it was spelled "Sshhhhhhhh"...

      --
      Trolling is a art,
    2. Re:How do you pronounce ... by Anonymous Coward · · Score: 0

      I agree with that. Anyone who tries to pronounce SQL as a word needs to be stabbed in the face. Maybe we should all start calling it 'Squirrel' just to piss those people off.

    3. Re:How do you pronounce ... by pclminion · · Score: 1

      SQL was originally called SEQUEL, but the name was changed due to a trademark issue. Although ANSI has decreed that the official pronunciation is to spell it out, there *is* historical precedent for calling it "Sequel."

  17. Re:the only winners by Keyslapper · · Score: 1

    Much as I hate to admit it, you've got it right on the nose.

    I know this firsthand, and unfortunately, I have to lump in a distressingly large section of the software development community - even in the web sector! Some time ago, I was tasked with implementing client side SSL functionality (HTTPS, actually) in a web based product, as well as running the internal analysis on several SSL appliances. I spent so much time trying to explain certs to the rest of the company (both technical and non-technical personnel) that I wrote a document with a brief overview and several links to online sources. When that didn't stem the flow of questions, I gave up and started working from home until I could actually get some work done.

    Still, if you want to run your own HTTPS site, just create your own CA, sign your web cert with that, and make the public key available on the website (nonsecure) as a .crt file. Anyone coming to your site should have the option of installing your CA. Just make sure you use a strong passphrase on the private key and keep it well hidden - preferably somewhere not accessible from outside your firewall. While this isn't practical for commercial sites, it's fine for personal stuff - like running your own private webmail server or serving up private pics of the kids to family members.

    And yes, $100, or whatever it is these days, is a scam, but the point is they do the due diligence to verify your identity - or they should. The real problem with this is that the company signing the cert bears no responsibility if they issue a cert for a "near-miss" domain, like "cnnn.com" or "WallMart.com" - I don't know if these are real, but they demonstrate the point.

  18. Bundled with Oracle by pocketstheclown · · Score: 0

    Since Apache is bundled with Oracle App. Server, were those counted too?

  19. We like Microsoft *MUCH* better by Anonymous Coward · · Score: 0
    Microsoft pays for us to develop to their new platforms (sharepoint, biz-talk) - Microsoft invites us into sales calls with their biggest customers (fed government, etc) - Microsoft has offered to donate money to organizations to buy our software. And they have vague veiled threats to our customers if they choose competitor's bids instead of ours.


    If you sell to the government, the Microsoft partners are the best friends you could ever have (unless you have friends in IBM or Oracle instead, who are also in that league).

  20. Should title not end with ! instead of ? by Provocateur · · Score: 5, Funny

    Or did Slashdot use up all their !!!!! during the infamous OMG! Ponies!!! issue...
     

    --
    WARNING: Smartphones have side effects--most of them undocumented.
    1. Re:Should title not end with ! instead of ? by Limburgher · · Score: 1

      Actually, it was OMG!!! Ponies!!! with 3 !s each. Which only makes the shortage worse. . .

      --

      You are not the customer.

    2. Re:Should title not end with ! instead of ? by RPoet · · Score: 1

      This is Slashdot, not digg. We don't take kindly to story titles with exclamation marks in them around here.

      --
      "Oppression and harassment is a small price to pay to live in the land of the free." -- Montgomery Burns.
  21. secure is not the same as using SSL by juergen · · Score: 1

    MS might have had a bigger installed base of SSL-capable webservers in the past, but that's not the same as secure. Whatever marketing says.

    1. Re:secure is not the same as using SSL by Anonymous Coward · · Score: 0

      yep you only have to look at the vulnerability count to see which is more secure.... oooh you mean apache is more secure even though IIS6 has a better security record than apache? please enlighten me!

      apache http://secunia.com/product/73/
      IIS http://secunia/

      hell even the mod_ssl package for apache has had more vulnerabilities than IIS6 without including the apache ones.

  22. Huh? by Foamy · · Score: 1

    I don't know if you are just trolling for dollars, but I did visit your site.

    What exactly couldn't you get done on that site with LAMP?

    This is a serious question because the only dynamic content I see is your "donor list".

    1. Re:Huh? by DaHat · · Score: 0, Troll

      Why should dynamic content be obvious? There is far more to that site than meets the eye.

      The current debt image is dynamically created daily to show the current debt load based on each loan's rates and the different ways both of the banks that have these loans calculate their interest.

      To solve this problem I came up with a very object oriented solution that from what I learned later is well beyond what PHP is capable of in order to make it expandable, easy to maintain and clear in terms of readability.

    2. Re:Huh? by Anonymous Coward · · Score: 0

      You, sir, are talking out of your asshole. You have near zero skills, that's your problem, not a different platform.

    3. Re:Huh? by Anonymous Coward · · Score: 0

      Oh come on. This is total bullshit.

    4. Re:Huh? by Anonymous Coward · · Score: 0

      That's marvelous that you came up with a very object-oriented solution to do a few basic calculations. You never know when you might need to subclass something the next time you need to divide a number.

    5. Re:Huh? by DaHat · · Score: 1

      I guess I will respond to all three of you trolls at once, but I do have to say that I love it when people rant on about things they know nothing about.

      Yes, calculating interest on a loan is a rather simple task.

      Calculating interest on loans in two different ways because of the way that the two different banks do it is a little trickier without building logic along the lines of if(loanNum == 0) in.

      Automatic updating of interest rates based on the 2 different indexes that the rates of these loans are based off of is a little trickier.

      Adding in screen scraping to the mix to allow the app to automatically know when a payment has been posted is even more so.

      There is a hell of a lot of work going on behind the hood of that site and I've only mentioned a fraction of it.

      Sure, I went well overboard with my design, however ASP.NET lets me do that quite easily and when you actually examine all of the work I am doing within you come to realize that it is not only useful, but necessary too, but then I haven't discussed some of the other features. With any luck this extensive design could turn into some extra cash later.

  23. Re:the only winners by mattyrobinson69 · · Score: 1

    I explained SSL certificates (encryption and authentication), and she understood, and she's a mere woman.

  24. Re:false readings QWZX by Anonymous Coward · · Score: 2, Insightful
    Can I ask one question -- why is this bullshit moderated up? Can anyone just post any piece of random crap and Slashdot will just believe it if it favors Apache or disfavors Microsoft?

    Is it too much to ask for this Bozo to actually, I don't know, PROVE his ridiculous statement? Would it be too much to ask that he explain exactly how ANY Apache server would show if his stupid accusation were true?

    Bah. I'm no Microsoft fan, but I hate stupidity more.

  25. i believe it's because... by WeAreAllDoomed · · Score: 2, Insightful

    everyone just now finally figured out how to create and use self-signed certs with apache and openssl :-)

    --
    free software, open standards, open file formats, no software patents.
    1. Re:i believe it's because... by cphipps · · Score: 1

      The main figures in Netcraft's SSL survey, as cited in the article, only count sites with a certificate from a recognised CA.

  26. 43.8%*$.01 would even be more than 44%*$0 - SO!!! by doodlebumm · · Score: 1

    All Micro$oft would have to charge to have made more money on their SSL products is $.01 each. So what if they made more. The true value of one Apache server is more than all the Micro$oft servers put together.

  27. What a coincidence by Yi+Ding · · Score: 1

    Granted... I have limited experience with LAMP, when I set out to build my lil beg site back in January I tried doing it with LAMP for a time because of the cost savings that I'd have from hosting on Linux... unfortunately there were plenty of behind the scenes things that I just couldn't figure out and didn't have the time or desire to spend to make it work... so I backed off and did it under a pure Microsoft side and things came together quite smoothly.

    Wow, what a coincidence. I just started a similar site, but it's done in LAMP (in fact, up to yesterday, it had almost the same tagline yours does). I find the enormity of open source tools (and programs) written for and on LAMP far outweighs the benefits of ASP.NET. Let me know if you'd like any help.

    1. Re:What a coincidence by DaHat · · Score: 1

      Are you saying that there exist tools for LAMP that reach the level of integration and simplicity of debugging that can be achieved with Visual Studio 2005 with an ASP.NET application that is hitting a SQL 2005 Server?

      Given that I had two legitimate copies of VS 2005 Pro (one through a costume contest and one through a launch event) it was an obvious choice for me for when I found LAMP not working the way I wanted.

    2. Re:What a coincidence by Yi+Ding · · Score: 1

      Hmm... well, the main advantage of LAMP is that the various pieces Linux, Apache, MySQL, and PHP work really really well with each other. On the development tools side, there isn't anything free that matches Visual Studio in sheer development speed (I use vim myself), but I've heard good things about PHP Eclipse. On the database side, PHPMyAdmin beats everything else I've ever used, open source and commercial. If you're really interested in rapid development and programming ease, I'd suggest looking into Ruby on Rails.

      However, the real wealth of tools comes in the form of the applications that are built on top of the LAMP stack, including blogging tools and Content Management Systems which make creating and maintaining a website infinitely easier.

  28. LAMP and SSL Management by Anonymous Coward · · Score: 0

    I too am an admin at a government institution. We have some serious LAMP deployments here, as it can be automated very nicely. Whereas the SSL features of IIS still feel very proprietary to me. We use a third party tool http://www.certalertsoftware.com/ to manage about 1000 SSL certificates all on Apache here, but Apache makes it seamless.

    Long live Apache!

  29. Use WAMP instead... by Anonymous Coward · · Score: 0

    You can run Apache, MySQL, PHP, etc, under Windows... http://www.devside.net/

    1. Re:Use WAMP instead... by DaHat · · Score: 1

      WAMP doesn't do ASP.NET very well, nor does a high end development tool like Visual Studio 2005 integrate well with it.

    2. Re:Use WAMP instead... by Benanov · · Score: 1

      Try another "high end development tool", then. VS 2005 is only one such tool.

  30. Of course by CarpetShark · · Score: 1

    That's certainly true, because Microsoft don't consider webservices a basic part of servers in the internet age, so the mugs that use insecure windows OS's have to pay extra (often for a limited number of clients). Meanwhile, real IT professionals (read: unix people) know exactly what a webserver is, and can build their own if it comes right down to it. Except, we don't; instead, we cooperate and share technology, like mature professionals do.

    1. Re:Of course by carlislematthew · · Score: 1

      What on earth are you talking about? Windows *server* OS's have IIS included and ready to run. The cost of Windows Server is MINIMAL when compared to the cost of admin staff, and even the cost of the HVAC system that cools whatever computer you buy! For many businesses (not all of course - this is not a black and white world) using a Windows Server platform saves them time and money. This is quite simply because many companies don't have "real IT professionals" as you put it, and instead have a team of windows IT staff already in place.

  31. There are no Microsoft secure servers. by MikeFM · · Score: 1

    Microsoft 'secure' server. That just seems wrong to me. Is that even possible? Maybe if you unplug it and bury it in concrete. In my experience that's the only way to keep a Windows machine secure.

    --
    At what price learning? At what cost wisdom? The price is a man's peace of mind, and the cost is his life.
  32. Agree. Why does Firefox help them? by r00t · · Score: 1

    Popping up a big scary and incomprehensible dialog only serves to annoy users and help certificate authorities.

    As ssh has proven, you can get fairly good security without such an authority. The same could work for email too.

    The basic solution is to ship the public key all the time. Sure, there is initially no authority behind it, but eventually you will come to believe that the key is good. Then one day, connected to some evil wireless network that tries a man-in-the-middle attack, you'll be alerted that something is amiss.
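The ssh-style trust-on-first-use check described in the comment above, as an added Python example that is not part of the original thread: it pins a SHA-256 fingerprint of the key bytes a host presents and reports a later change without overwriting the pin. The `PinStore` class, the JSON file layout, and the sample host name and key bytes are assumptions made for illustration.

```python
import hashlib
import json
import os
import tempfile

def fingerprint(public_key: bytes) -> str:
    """SHA-256 fingerprint of the raw key bytes the server presented."""
    return hashlib.sha256(public_key).hexdigest()

class PinStore:
    """known_hosts-style store (hypothetical): host -> first fingerprint seen."""
    def __init__(self, path: str):
        self.path = path
        self.pins = {}
        if os.path.exists(path):
            with open(path, encoding="utf-8") as fh:
                self.pins = json.load(fh)

    def _save(self) -> None:
        # Write to a temp file, then rename, so a crash cannot truncate the store.
        with open(self.path + ".tmp", "w", encoding="utf-8") as fh:
            json.dump(self.pins, fh, indent=2, sort_keys=True)
        os.replace(self.path + ".tmp", self.path)

    def check(self, host: str, public_key: bytes) -> str:
        seen = fingerprint(public_key)
        pinned = self.pins.get(host.lower())
        if pinned is None:
            # First contact: nothing vouches for this key, so just remember it.
            self.pins[host.lower()] = seen
            self._save()
            return "first-use"
        if pinned == seen:
            return "match"
        # Key changed: possible man-in-the-middle. The old pin is left untouched.
        return "MISMATCH"

    def accept_new_key(self, host: str, public_key: bytes) -> None:
        """Replace a pin only after the change was verified out of band."""
        self.pins[host.lower()] = fingerprint(public_key)
        self._save()

def demo() -> list:
    # Constructed sample keys and host name; no network access is needed.
    store = PinStore(os.path.join(tempfile.mkdtemp(), "known_keys.json"))
    real, rogue = b"constructed-server-key", b"constructed-attacker-key"
    tries = [("mail.example.org", real), ("mail.example.org", real),
             ("MAIL.example.org", rogue), ("mail.example.org", real)]
    return [store.check(host, key) for host, key in tries]
```

The guarantee is only as strong as the first connection: a key pinned while already on a hostile network is trusted from then on.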

  33. CSE/FIPS certification just happened by anon+mouse-cow-aard · · Score: 1

    Things will get better over time.

    This is the first year that OpenSSL is certified by the government cryptographers as usable. This allows, for the first time, official government use of openssl as a solution in many, many government contract situations, where IPSEC or hardware would formerly have been required.

    http://csrc.nist.gov/cryptval/140-1/1401val2006.htm

  34. Leader in... by suv4x4 · · Score: 1

    That's an odd statistic to run. It makes sense at first but then it feels like something MS did so it can make IIS first in something (no longer though I guess).

    Now MS can start a new stat: who's the leader in "commercial" (non-free) servers. That can go on forever...

  35. No, that's not how it happened at all. by Homestar+Breadmaker · · Score: 1

    Using safer and more efficient string handling functions like strlcpy and strlcat was not the issue, those are portable to every operating system with a C compiler. The problem was some of the security fixes were not portable to amigaOS. They were actual security fixes. Which were ignored, because they don't work on an obsolete platform. The apache devs couldn't even be bothered to wrap an ifndef around the code in question, they care so little about security.

  36. Your two questions are very different. by Homestar+Breadmaker · · Score: 1

    I do not choose microsoft, I would never consider using windows for a webserver. However I certainly prefer windows + IIS + MSSQL over "LAMP". Every linux distro I've tried is a painful, poorly hobbled together mess. I am too used to decent unix systems to suffer with that. Mysql is absolutely awful, and PHP is the worst of the bunch. Microsoft's offerings are a hell of a lot better than "LAMP", but don't choose either, I choose openbsd, apache, postgresql and pike.

    1. Re:Your two questions are very different. by Homology · · Score: 1

      I've not heard about Pike before your post, and it is not in the ports collection either as far as I can see. Care to prepare a port?

    2. Re:Your two questions are very different. by Homestar+Breadmaker · · Score: 1

      I have one sorta working, but I need to figure out how to deal with all the bundled modules, flavors are easier, but I think subpackages makes more sense.

    3. Re:Your two questions are very different. by Homestar+Breadmaker · · Score: 1

      Oh yeah, you can just download pike and type "make && make install" and it will work fine. I've gotten all of the openbsd related fixes into pike.

  37. You can also use NSS in apache instead of openSSL by steveparkinson · · Score: 1
    Seems as good a time as any to mention that you can also use Mozilla's NSS SSL libraries in Apache, if you have some particular problem with OpenSSL:

    See http://directory.fedora.redhat.com/wiki/Mod_nss for more details.

    You can send feedback to developers via the Mozilla NSS newsgroup: http://groups.google.com/group/mozilla.dev.tech.crypto?lnk=lr&hl=en

  38. Apache stale! by Frank+T.+Lofaro+Jr. · · Score: 1

    No new versions since 2.0.55 and 2.2.0. Known vulnerabilities in 2.0.55 with no production version fix. 2.2.0 doesn't support Cold Fusion.

    --
    Just because it CAN be done, doesn't mean it should!
    1. Re:Apache stale! by ocelotbob · · Score: 1

      Have you tried using 2.2 with mod_security as the frontend to handle the vulnerabilities, with 2.0.55 handling the coldfusion support on the backend?

      --

      Marxism is the opiate of dumbasses

    2. Re:Apache stale! by Frank+T.+Lofaro+Jr. · · Score: 1

      Thanks for the advice, but that seems too complicated to trust for a production system.

      Plus, would the attacks get thru the 2.2 layer anyway? (I don't know the details).

      --
      Just because it CAN be done, doesn't mean it should!
  39. slightly offt by GnuDiff · · Score: 1


    Just to point out. Bashing MS for IIS is by now old.

    I work for (my tiny country's) largest datacenter company, we have MS & Unix solutions group.

    The guys in the MS group, being skilled and diligent admins, are keeping their IIS servers just as safe and sound as we do our Apaches. We haven't had security breaches for years and their server and application uptimes are just as big as ours.

    P.S. Their licensing costs could pay some 10 more admins' wages tho.

    1. Re:slightly offt by Gorshkov · · Score: 1

      If you'd read what I had posted, you'd know that I *wasn't* bashing MS for IIS - I was bashing them for the unreliable O/S that IIS has to run on.

      I can't comment on what you and another poster have claimed for their uptimes, because I have no basis to do so.

      All I can say is that what you and another poster are claiming goes directly against my experience on both the desktop, and from having contracts with companies that *do* have MS infrastructure.

    2. Re:slightly offt by Anonymous Coward · · Score: 0

      The point is the OS isn't unreliable, and to compare a desktop install with idiot users on it to a server is just plain stupid. If you deal with companies that have issues with their MS infrastructure then more than likely you are dealing with a company that has incompetent IT staff. If you want to see what MS OS is capable of you need to see it in competent hands, just the same as for any other OS. I too work in a large datacentre, 80% MS and 20% Solaris, with hundreds of Windows servers; uptime is in the range of XXX days and 99% of those have only ever been brought down for routine maintenance on power and patching in the past 3 years. The myth that MS servers are unreliable is exactly that, a myth. Competent admins can have MS servers with as good if not better reliability and uptime as any other OS; don't judge the OS on others' incompetence.

    3. Re:slightly offt by Gorshkov · · Score: 1

      #1: I may be a lot of things, but an idiot user is most certainly not one of them

      #2: I've never dealt with a company that has an MS infrastructure that has *not* had issues. I guess that means that of the 100s of MS admins I've come across that there's not a competent one in the lot.

      That being said, there's also #3, to wit:
      I freely admit that there may be a difference between the desktop systems and the server systems. But given the design and track record of what *I've* seen, I sure as hell wouldn't bet my business on it.