Weaving Your Way Through the Web Server Scene
March 12, 2003
Web servers don't compete in the same sense as most other software offerings do. For one thing, the most widely used server, Apache, is open source and essentially free. It has no advertising budget or any other promotion aside than downloads, user experience, and word of mouth. Even the second most widely used server, Microsoft Internet Information Server (IIS) doesn't compete in the open market as it's typically picked up in conjunction with a Windows operating system (i.e., it's bundled).
Yet this is a fiercely competitive category of software, partly because it's one of the most important pieces of all software (Web servers are often described as the heartbeat of the Internet), and the total number of servers in use is approaching an astronomical 12 million. There are many commercial Web servers (a large selection of which are reviewed on ServerWatch); many ways to supplement and enhance Web servers that can make money; and besides, there's always bragging rights.
Later in this ServerWatch tutorial, we'll detail what the "Big Four" Web servers (Apache, IIS, SunONE, and Zeus) are up to, but it's important to bear in mind that there are literally dozens of Web servers. Many are embedded within other products (such as application servers), and you might be using them without even knowing about it. Other Web servers are developed for specific purposes, such as e-commerce or streaming media.
If there is one across-the-board issue in Web servers in 2003, it remains the same one it has been for (at least) two years -- security. A lot of negative publicity has been generated by Web server security holes and their exploitation. During 2000 and 2001 Microsoft IIS seemed to take the brunt of attack, but during 2002 Apache and other servers also came under fire. Statistically speaking, we may be talking about an almost infinitesimal number of breaches relative to the total number of Web server connections and transactions, but like airline disasters, only the memory of bad news seems to endure. The impression of flawed software now clings to many Web server products.
To counteract this impression, most Web server developers have shifted their attention to not only fixing security problems, but also re-focusing the software around security issues. In some cases this has resulted in heavily redesigned products; in other cases, features designed to implement and monitor server security have been added.
Update and Maintenance
Closely related to the need for vigilance in security is the need to pay attention to updates. This is much more than deciding whether or not to implement new versions of the server software. It includes the onerous task of frequently patching installed software to update security fixes. It also includes more sophisticated monitoring of server activity, not only to manage loads, but also to deal with attacks and illegitimate use of the server. The problems are particularly acute for organizations running hundreds (or thousands) of servers, but the same problems -- especially because they often go unattended -- exist in much smaller installations.
Consequently, another major trend in Web servers has become the addition of tools and features that make updating easier and timelier.
The Big Four
As mentioned, there are scores of Web servers available today. Some are free. Some are commercial. Some are heavy-duty; some are light-duty (even personal). Some are highly visible products; others are nearly invisibly embedded within another product. The most heavily used products, as indicated in the graph below, are Apache Web Server, Microsoft IIS, Sun ONE Web Server, and the largest of the "other" group, Zeus Web Server (which in actuality has more active servers than SunONE).Market Share for Top Servers Across All Domains August 1995 to February 2003
Source: Netcraft (February 2003)
Apache Web Server
The Apache Software Foundation, the umbrella organization that guides and polices the development of the far-flung Apache code, has numerous development projects continually in progress. The HTTP Server Project (Apache Web Server) has been particularly busy addressing security issues that cropped up during 2002.
Internet Information Server
Sun ONE Web Server
Zeus Web Server
The Web Server Market
Although the struggles for Web server market share are in some ways titanic (or at least from the perspective of Microsoft, Sun, and the open source people), the changes in products are usually incremental and not particularly swift in coming. Apache had a major revision in 2002 and Microsoft will in 2003, but after that, no major changes are planned from either of them for some time -- measurable in years.
Consequently, those who follow the products, especially server administrators responsible for making update and patching decisions, must pay attention to the fine details of interim revisions and the various announcements about fixes and patches.
Also, we find that many of the more interesting aspects of the Web server market are not the primary servers, but support and peripheral products such as accelerator boards, cache systems, monitoring software, and various plug-ins that improve performance and make life easier for administrators. Integration with server blades (i.e., densely packed rack-mounted servers) will be a major focus for Web servers in 2003 as enterprises try to consolidate and improve efficiency in the current economic climate.