In the June 2017 survey we received responses from 1,766,926,408 sites and 6,522,692 web-facing computers. This represents a loss of 48 million websites, although the total number of computers has grown by 118,000 (+1.8%).

All of the top three vendors lost sites in this month's survey, but all showed gains in web-facing computers. Many of the sites that disappeared were spam sites that used the .cn (China) top-level domain. Microsoft lost the largest number of sites – nearly 28 million – while Apache lost 8.9 million and nginx lost 5.4 million.

Apache still leads the market in terms of web-facing computers, but its share fell by 0.28 points to 43.1% despite gaining 33,200 additional computers. Apache also continues to lead the active sites market, and with net growth of 1.2 million active sites this month, its share has increased to 45.9%.

nginx gained the largest number of web-facing computers, increasing its total by 54,200 to 1.36 million (+4.2%), and taking its market share of computers up by 0.46 percentage points to 20.8%. It is now less than 3 percentage points behind Microsoft's share.

nginx is also still increasing its presence amongst the top million websites. This month it gained 939 top sites, in contrast to the losses felt by Apache and Microsoft, which saw 2,970 and 692 sites depart from the top million. Some of the lesser-used servers that also increased their presence in the top million included openresty, Varnish and Tengine.

Google overtakes Microsoft in active sites

Notably, Google has overtaken Microsoft in active sites – it now has 13.3 million, compared with Microsoft's 13.2 million. This gives Google a 7.8% share of the active sites market, although its share of all sites is only 1.1%.

Netcraft first started tracking Google's custom web server software as a major vendor group 10 years ago, when it was used by 2.7 million sites. Google's servers were originally grouped under Apache, as they were based on open source Apache code, but the amount of customisation warranted making a new group – and no doubt even more changes have taken place over the past 10 years. Today, there are over 20 million Google sites, around two-thirds of which are considered active. This is a much higher ratio than most other vendors see – for example, only 1.5% of the 862 million sites using Microsoft's web server software are deemed active.

The most commonly seen Google web server is GSE (Google Servlet Engine), which is used by millions of Blogger sites that use blogspot domains (e.g. funny-cats.blogspot.com and catversushuman.blogspot.ca), and also by many Blogger-powered sites that use custom domain names. GSE is also used by sites under the googledrive.com and googlegroups.com domains, along with some other Google services such as Gmail, although none has the volume of hostnames seen at Blogger.

Another Google web server is Google Frontend, which is used by hundreds of thousands of sites, including App Engine sites hosted under the appspot.com domain. This server was much more prominent in the past, as it was also used by Blogger sites before they switched to GSE. Back then, Google Frontend sites also used an acronym in their HTTP response headers (Server: GFE), but Google Frontend sites now return the full name of the server software, i.e. Server: Google Frontend.

Google Frontend is also used to serve some of Google's legacy sites and deprecated services, such as the former social networking site at jaiku.com. This was shut down by Google in 2012, and all pages on the site now use Google Frontend to serve error pages.

Another Google server – ghs – is responsible for redirecting traffic from googlepages.com sites that were created with Google Page Creator. This website creation service was shut down in 2009, but existing pages were migrated to Google Sites, which hosts user content in subdirectories under the sites.google.com hostname. When a browser visits a legacy hostname like sunsetpizza.googlepages.com, ghs will redirect the user to its new location at https://sites.google.com/site/sunsetpizza/.

Other Server headers used more sparingly by Google-hosted services include UploadServer, sffe, ESF (used by Google Docs), and gws.

In the March 2017 survey we received responses from 1,760,630,795 sites and 6,271,146 computers, reflecting a loss of 31 million sites, but a gain of 34,000 computers.

nginx was the only major web server vendor to increase its market shares in all four metrics this month. Its share of websites grew by 0.49 percentage points, reaching nearly 20%, and its share of web-facing computers grew by 0.39 p.p. to 19.6%. The latter gain was driven by a 31,000 growth in the number of computers running nginx, which was by far the largest computer growth in the survey.

Microsoft suffered the largest loss in March, falling by 70 million sites and taking its share down by more than 3 percentage points. This drop paved the way for Apache to claw back 0.91 points with its gain of 9.4 million sites. Microsoft's market share of sites now stands just below 40%, though this remains nearly as much as Apache and nginx combined.

Microsoft also suffered the largest and only loss of active sites among the major vendors, reducing its total count of active sites by 421,000. Microsoft's active sites share is now less than 9%, far behind nginx's share of 19.7% and Apache's 45.8%.

nginx was the only major vendor to increase its presence within the top million sites, increasing its count by 1,592, while Apache lost 3,502 and Microsoft lost 746.

Microsoft web servers

Among the 704 million sites that are powered by Microsoft web server software, Windows Server 2008 is still the most commonly used platform. The original version of this operating system shipped with Microsoft IIS 7.0 as its web server, while the subsequent Windows Server 2008 R2 release included IIS 7.5. More than half a billion websites are hosted on Windows Server 2008 computers (including R2), which accounts for 72% of all Windows-hosted websites.

Although its R2 version was released more than 7 years ago, Windows Server 2008 is likely to remain prevalent for several more years. Last year's launch of the Windows Server Premium Assurance program allows customers to extend Windows Server 2008's support period from 10 to 16 years, giving access to security updates (as well as "critical" and "important" bulletins) until January 2026.

A further 185 million sites are still running on Windows Server 2003 computers, which are not covered by the Windows Server Premium Assurance program. The extended support period for Windows Server 2003 ended on July 14, 2015, so unless site operators have a special agreement in place, Microsoft will no longer be issuing security updates for any version of Windows Server 2003. US-CERT warned that these unsupported installations of Windows Server 2003 are exposed to an elevated risk of cybersecurity dangers, such as malicious attacks or electronic data loss.

Microsoft's newest operating system, Windows Server 2016, may still seem in its infancy, but it is now starting to show promising growth. 80,200 sites are now being served from Windows Server 2016 machines, which is nearly 20,000 more than last month. The number of web-facing computers running Windows Server 2016 also grew by 2,509, while Windows Server 2008 lost 2,316.

Windows Server 2016's computer growth was outpaced only by Window Server 2012, which gained 7,100 computers this month. Windows Server 2012 now accounts for 463,000 web-facing computers, which is nearly half as many as Windows Server 2008, but it is used to host far fewer websites – just 22 million compared with the 535 million sites hosted on Windows Server 2008 computers.

In the February 2017 survey we received responses from 1,792,104,054 sites and 6,236,791 web-facing computers, reflecting a loss of 7.9 million sites and 91,200 computers.

nginx gains sites and computers

nginx had the largest growth of both sites and web-facing computers amongst the major vendors this month, enjoying a gain of 31 million sites and 13,400 computers, while hefty losses by Microsoft and Apache led to the overall losses seen in this month’s survey. Microsoft lost 48 million sites and 9,900 computers, while Apache lost 13 million sites and 85,700 computers.

Much of the loss of web-facing computers using Apache is the result of declining numbers of Western Digital My Cloud personal storage devices being found in Netcraft's survey. These devices allowed consumers to access their files remotely using public hostnames under the wd2go.com domain. This disappearing act might have been influenced by the three My Cloud firmware updates that were released in December – the first of these changed how files are accessed from the My Cloud web and mobile apps, and the other two resolved a security vulnerability related to remote access.

Despite suffering the largest loss, Microsoft web servers power 43.2% of all sites on the internet, more than twice Apache's share. Meanwhile, nginx's growth has increased its own count to 348 million, bringing it to within striking distance of Apache. This highlights a dramatic change in fortunes for Apache, which was comfortably in first place a year ago, but is now under threat of falling into third place.

In terms of web-facing computers, Apache continues to fare well. While its 3% decline is significant in the space of a month, Apache's 2.7 million computers still give it the lion's share of the market (44.1%). This is followed by Microsoft's 1.5 million computers (24.7%), and nginx's 1.2 million (19.2%).

nginx was also the only major vendor to make a gain within the top million busiest sites. Its share grew slightly to 28.34%, while Apache suffered the largest loss of 0.21 percentage points, taking its share down to 41.41%, though Apache maintained its first-place position with a lead of 13.1 percentage points over nginx.

Apache still strong in active sites

Despite its losses elsewhere, Apache gained 887,000 active sites this month. nginx made the second largest gain, with an increase of 757,000 active sites. The active sites metric is more appropriate for some applications, as it counts websites but excludes those that contain automatically generated content such as domain holding pages.

Apache also has the largest share of this market (45.8%), with its total number of active sites now reaching almost 80 million – comfortably ahead of nginx, which takes up second place with 34 million active sites.

LiteSpeed 5.1.13 addresses DDoS vulnerability

February saw some new releases of the LiteSpeed web server. Most notably, version 5.1.13 was released on 17 February, after some LiteSpeed Enterprise customers reported service disruptions. These were caused by a surge of distributed denial of service (DDoS) attacks that specifically targeted a bug in LiteSpeed servers earlier that day. Rather impressively, it took LiteSpeed less than two hours to identify the heap buffer overflow that was responsible for the problem, push a bug fix build of 5.1.12, and release 5.1.13.

Looking ahead, it is likely that the first release in the 5.2 branch of LiteSpeed will support HTTP/2 Server Push, which could speed up some websites by allowing the server to send resources to clients before the browser has requested them. This feature has already been implemented in the second release candidate (5.2RC2), which was made available on 13 February.

LiteSpeed gained 42 million sites this month as a large number of sites under the .science gTLD reappeared. This did not have a positive impact on its computer count, however, which fell by 666 to 23,240.

Other new releases from web server vendors

Apache 2.2.32 was released on 13 January. This is the latest version in the 2.2 legacy branch, which now enforces a stricter HTTP request grammar, corresponding to RFC 7230 for request lines and request headers. This addresses a security vulnerability (CVE-2016-8743) that might have allowed malicious clients or downstream proxies to carry out response splitting and cache pollution attacks. This release also mitigates the "httpoxy" (CVE-2016-5387) issues that were already addressed in the 2.4 stable branch.

New stable and mainline versions of nginx were also released in the past month. nginx 1.10.3 stable was released on 31 January, followed by nginx 1.11.10 mainline on Valentine's Day. Both versions include several bugfixes, while the mainline release also introduces a few new features.

Meanwhile, documentation for the Microsoft IIS Administration API is now available. This REST API allows IIS instances to be configured with any HTTP client, using tools such as the one available at manage.iis.net. The rationale for providing the API is to have an open and standard interface that can be used from any platform, unlike AppCmd.exe, which can only be run on Windows.

In the January 2017 survey we received responses from 1,800,047,111 sites and 6,328,006 computers, reflecting a gain of 61 million sites and 159,000 computers.

Microsoft gained the largest number of sites this month – 38 million – although it was closely followed by Apache, which gained 32 million. Nearly 822 million sites (45.7%) are now powered by Microsoft webserver software.

Meanwhile, nginx gained 17 million sites, and has also continued to show strong and steady computer growth. This month's gain of 60,000 web-facing nginx computers was the largest seen by any vendor, outweighing Microsoft's and Apache's gains of 40,000 and 20,000. If last year's trends continue in 2017, it seems plausible to expect that nginx could overtake Microsoft to become the second largest vendor (by computers) in the second half of 2017.

Microsoft's latest version of Internet Information Services – IIS 10.0, which uses Windows Server 2016 as its primary platform – was found powering 45,000 websites this month. Future migration to IIS 10.0 may be slower than with previous IIS versions, however, as Microsoft announced Windows Server Premium Assurance in December 2016, which extends the support period from 10 to 16 years for existing Windows Server products. This means Premium Assurance customers will continue to receive security updates (as well as "critical" and "important" bulletins) for Windows Server 2008 until January 2026. In January 2017, more than 600 million sites are served from Windows Server 2008 machines.

Each of the other major server vendors released updates last month. nginx 1.11.7 mainline version was released on 13 December, followed by 1.11.8 on 27 December. Both releases included several bug fixes and a few new features.

The mainline 1.11.x branch of nginx is typically updated every 4-6 weeks and is aimed at users who require the latest features, whereas the 1.10.x stable branch is only updated when critical issues need to be fixed. Only two updates have been released on the stable branch since 1.10.0 was forked from mainline in April 2016. Stable is the most commonly used branch: nearly 24 million sites are using 1.10.x stable, compared with 2.2 million using 1.11.x mainline.

Apache 2.4.25 was released on 20 December 2016, incorporating security, feature and bug fixes (including many from the unreleased 2.4.24 version). The security fixes include a mitigation for issues caused by the httpoxy vulnerability, and better enforcement of the HTTP request grammar in RFC 7230 to reduce the likelihood of response splitting and cache pollution attacks.

While many sites still use older versions of Apache, such as the 2.2.x legacy versions, the Apache Project continues to point out that the latest release from the 2.4.x stable branch represents the best available version of Apache HTTP Server. Nonetheless, most sites—just over 100 million— report to be using 2.2.x legacy versions, compared with 69 million sites that use 2.4.x. The most commonly observed Apache Server banners are Apache/2.4.7 (Ubuntu) (36 million sites), followed by Apache/2.2.15 (CentOS) (25 million); however, these servers may not necessarily be as old and vulnerable as their version numbers imply. Netcraft previously discussed this "backporting" behaviour a few years ago.

LiteSpeed suffered the largest loss of sites this month, returning to October 2016 levels after plummeting by 42 million sites to leave a total of 5.5 million. Despite the large loss of sites, the number of web-facing computers using LiteSpeed increased modestly by 323 to 9,740. LiteSpeed 5.1.11 was released on 15 December, featuring improved caching and a few bug fixes.

December also saw the release of Tengine 2.2.0 development version, which came nearly two years after the previous development version, and a year after the most recent stable version. Not only does Tengine have a relatively sedate release cycle, but its latest version is based on nginx 1.8.1 (the final version of nginx's previous stable branch), which itself is already a year old.

Despite having relatively infrequent releases, 58 million sites are currently using Tengine. Most of these sites do not reveal which version has been installed, but among the 18 million that do, about two-thirds are using the relatively old 1.4.2 development version which was released in November 2012 and based on the nginx 1.2.x stable branch. Tengine was originally created by the Chinese marketplace Taobao, which modified the nginx core to better suit its requirements. It was released as an open source project in December 2011, and today sites under the taobao.com domain account for only 5% of its users.