Web server trends: Cloudfare, Nginx, and LiteSpeed shine in survey

Cloudfare, Nginx and LiteSpeed deliver strong performances in the sector, while the market share of Apache and Microsoft continues to decline, according to the latest instalment of Netcraft’s web server survey. In the analysis, Netcraft – which has been busy inspecting the web since 1995 – found that Cloudfare, a provider of content delivery networks and other services, had added 5.8 million (8.6%) sites and 259,000 (1.24%) domains compared with figures for the previous month.

Nginx, an open-source web server platform (with a “Plus” version for paying customers), remains just behind veteran open-source provider Apache in terms of market share of active sites – 20.2% versus 22.7%, respectively. However, unlike Apache, whose market share has been in decline for a decade, Nginx’s performance is holding firm against the competition.

Nginx combines web server, reverse proxy, and load balancing features to smooth traffic flow between clients and servers, but without adding too much overhead in terms of setup and configuration – which, judging by the survey results, is proving to be a popular strategy. Certainly, typing ‘how to migrate from Apache to Nginx’ into a popular search engine returns plenty of hits, which could also be telling in terms of web server trends.

However, given the often mission-critical nature of web servers in many organizations, switching from one platform to another is no small undertaking. Many would-be migrations will be hampered by the “if it ain’t broke, don’t fix it” mindset, despite any apparent advantages of one platform over another.

Need for speed

Apache has further close competition from LiteSpeed, which added just under a three-quarters of a million sites to its ecosystem, compared with the previous month. LiteSpeed’s web server software (available in community and enterprise forms) is sometimes dubbed a drop-in replacement for Apache – in other words, a solution that doesn’t require major code or configuration changes. And one of the biggest benefits of making the swap, according to reports, is performance. Speed tests show that LiteSpeed Web Server outperforms Apache in handling requests for popular platforms such Magneto – the widely used eCommerce framework acquired by Adobe in 2018.

Reasons for the speed boost, based on Litespeed’s literature, include a built-in cache engine with plugins for popular web apps (WordPress included, and many others), as well as other features such as a streamlined web application firewall (WAF). In independent tests, other providers – including Nginx, mentioned earlier – have also impressed against an Apache benchmark. And with metrics such as page loading time being so critical to success online, it’s easy to see why the web server software landscape doesn’t stand still.

Some of the clearest insights come from looking at the market share based on the top million busiest sites. Here, according to the Netcraft survey data, Cloudflare’s climb is steeper than even Litespeed, which could be down to several factors. Cloudflare, which began as an application for tracking down the source of email spam, now offers a range of services for accelerating internet applications and mobile experiences. To provide peak performance, users want architecture that can scale automatically to cope with surges in popularity that can happen almost in an instant – spiking behavior, which often goes hand in hand with digital growth.

Security features

A year ago, Cloudflare had 17.4% market share of the top million busiest sites – a proportion that has grown to more than 20% today. Apache on the other hand is down from 25.0% to 22.3% over the same period. And Microsoft has dipped below 6%, based on the Netcraft survey figures, as it continues to loose ground to its rivals at the bleeding edge of the web server software space. And at this point, it’s worth talking about security.

Long-time giants in the sector make big targets for bad actors looking to maximize the disruption caused by distributed denial of service (DDoS) attacks and other hostile campaigns. Given this, newer players can gain an advantage as their products will be less familiar to adversaries and, in principle, have fewer known vulnerabilities for IT managers to keep on top of with patching programs. Also, it’s not just about novelty, web servers today must provide a security perimeter in addition to their role in delivering content across the internet.

These security systems also serve as a trend-spotter for the tools, techniques, and procedures being deployed by adversaries, which included a giant 26 million requests per second DDoS attack detected by Cloudfare’s security system and named ‘Mantis’. Although most DDoS are small, reports of such large campaigns are growing in frequency . “Attackers concentrate their botnet’s power to try and wreak havoc with a single quick knockout blow — trying to avoid detection,” writes Omer Yoachimik, product Manager of Cloudfare’s DDoS protection service.

Fresh thinking

Providers need to keep their eyes peeled for security threats on all fronts as attackers are motivated to steal and manipulate information as well as disrupt services. In news relating to the web server analysis, Netcraft points to Microsoft’s announcement at the end of last month that ‘Attackers are increasingly leveraging Internet Information Services (IIS) extensions as covert backdoors into servers’. As can often be the case, the modular architecture that is a win for users in providing the flexibility to extend and customize platforms, can turn out to be inviting for bad actors too. By borrowing the same code structure as clean modules, attackers have found ways to make such tools difficult to identify – which means that developers always need to bring fresh thinking to their products.