Strong results for Cloudfare, Nginx and LiteSpeed in web server survey
Cloudfare, Nginx and LiteSpeed are showing strong industry performance, while Apache and Microsoft’s market shares continue to decline, according to the latest installment of Netcraft’s web server survey. In the analysis, Netcraft – which has been surveying the web since 1995 – found that Cloudfare, a provider of content delivery networks and other services, added 5.8 million (8.6%) sites and 259,000 (1.24%) domains compared to the figures of the previous month.
Nginx, an open-source web server platform (with a “Plus” version for paying customers), remains just behind veteran open-source provider Apache in terms of market share of active sites – 20.2% compared to 22, 7%, respectively. However, unlike Apache, whose market share has been declining for a decade, Nginx’s performance holds up against the competition.
Nginx combines web server, reverse proxy, and load balancing functionality to smooth traffic between clients and servers, but without adding too much installation and configuration overhead – which, judging by survey results, is proving to be a popular strategy. Admittedly, typing “how to migrate from Apache to Nginx” into a popular search engine returns many results, which could also be telling in terms of web server trends.
However, given the often mission-critical nature of web servers in many organizations, switching from one platform to another is no small feat. Many potential migrations will be hampered by the “if it ain’t broke, don’t fix it” mindset, despite the apparent advantages of one platform over another.
Need of speed
Apache still has close competition from LiteSpeed, which added just under three-quarters of a million sites to its ecosystem, compared to the previous month. LiteSpeed’s web server software (available in community and enterprise forms) is sometimes dubbed a drop-in replacement for Apache – in other words, a solution that doesn’t require major code or configuration changes. configuration. And one of the biggest benefits of the exchange, according to reports, is performance. Speed tests show that LiteSpeed Web Server outperforms Apache in handling requests from popular platforms such as Magneto – the widely used e-commerce framework acquired by Adobe in 2018.
The reasons for the speed increase, based on Litespeed literature, include an integrated caching engine with plugins for popular web applications (WordPress included, and many others), as well as other features such as a Simplified Web Application Firewall (WAF). In independent testing, other vendors – including the previously mentioned Nginx – also impressed against an Apache benchmark. And with metrics like page load time being so critical to online success, it’s easy to see why the web server software landscape isn’t standing still.
Some of the clearest information comes from looking at market share based on millions of top traffic sites. Here, according to Netcraft survey data, Cloudflare’s rise is steeper than even Litespeed, which could be due to several factors. Cloudflare, which started as an app to track down the source of email spam, now offers a range of services to accelerate internet apps and mobile experiences. To deliver optimal performance, users want an architecture that can automatically scale to cope with spikes in popularity that can occur almost in an instant – peak behavior, which often goes hand in hand with digital growth.
A year ago, Cloudflare held a 17.4% market share of the top one million sites, a proportion that has grown to over 20% today. Apache, on the other hand, went from 25.0% to 22.3% over the same period. And Microsoft has fallen below 6%, based on Netcraft survey figures, as it continues to lose ground to rivals at the forefront of the web server software space. And at this point, it’s worth talking about security.
Long-time industry giants make big targets for malicious actors looking to maximize disruption from Distributed Denial of Service (DDoS) attacks and other hostile campaigns. Given this, new players may gain an advantage as their products will be less familiar to adversaries and, in principle, will have fewer known vulnerabilities for IT managers to keep abreast of patching programs. Also, it’s not just a novelty, today’s web servers need to provide a security perimeter in addition to their role in delivering content across the internet.
These security systems also serve as a trend watcher for the tools, techniques and procedures deployed by adversaries, which included a giant DDoS attack of 26 million requests per second detected by Cloudfare’s security system and codenamed “Mantis”. Although most DDoS attacks are small in scale, reports of such large campaigns are increasingly common. “Attackers are focusing their botnet’s power to try and wreak havoc with a single, quick kill — trying to evade detection,” writes Omer Yoachimik, Product Manager of Cloudfare’s DDoS Protection Service.
Providers must remain alert to security threats on all fronts, as attackers are motivated to steal and manipulate information as well as disrupt services. In web server scanning news, Netcraft points to Microsoft’s announcement late last month that “attackers are increasingly using Internet Information Services (IIS) extensions as backdoors to the servers”. As can often be the case, the modular architecture which is a win for users by providing the flexibility to extend and customize platforms, can also prove inviting for bad actors. By borrowing the same code structure as clean modules, attackers have found ways to make these tools difficult to identify, which means developers always have to put new thinking into their products.