In the August 2021 survey we received responses from 1,211,444,849 sites across 263,733,974 unique domains and 11,327,711 web-facing computers. This reflects a loss of 4.99 million sites, but a gain of 1.64 million domains and 67,600 computers.

The number of unique domains powered by the nginx web server grew by more than a million this month, while Apache's count fell by 916,000. This has extended nginx's lead in the domains metric, giving it a 29.8% share compared with Apache's 25.5%.

OpenResty gained 234,000 domains, but its market share remained static at 14.5%, while Cloudflare gained 726,000 domains and increased its market share to 7.72%.

The number of web-facing computers using nginx has continued to increase, this month by 49,000 (+1.18%). There are now 4.19 million web-facing computers running nginx, compared with 3.52 million that run Apache. Microsoft follows in third place with 1.38 million computers.

The web-facing computers metric has painted a remarkably stable trend over the past several years, as is evident in the graph below, with both Microsoft and Apache steadily falling while nginx has progressively climbed to first overtake Microsoft in 2017, and then Apache during 2020. There has also been a rise in "Other" web servers, which includes several nginx-based spinoffs such as OpenResty and Tengine.

Websites in Afghanistan

The Taliban offensive in Afghanistan has obvious potential to upset the country's internet infrastructure, but the extent of any changes may be limited. Afghanistan has had a relatively small presence on the web throughout the past 20 years, and many of its sites were already hosted outside of the country and used generic top-level domains to avoid interference from the Taliban.

This month's survey found only 8,031 websites hosted in Afghanistan, and 23,205 sites that use Afghanistan's .af country-code top-level domain (ccTLD). More than two-thirds of the latter are hosted in the US, and more than 2,000 are hosted in Germany – although any site that relies on a .af domain would still be vulnerable to interruption by the country's new government, should it desire.

Nearly 1,000 of the .af sites are Afghan Government websites that fall under the .gov.af second-level domain – such as president.gov.af and kabul.gov.af – but surprisingly, less than half of these are hosted in Afghanistan, with the rest being hosted in the US, Germany, Singapore, France, Canada, UK, Netherlands, Ireland and India.

Even more surprisingly, dozens of the .gov.af sites hosted in the US and Germany are used to host webmail services, potentially putting Afghan Government communications in easy reach of external intelligence agencies.

Other vendor and hosting news

• Microsoft has announced the general availability of Azure Government Top Secret. The new air-gapped Azure regions are intended to handle national security workloads at the US Top Secret level.
• Microsoft also announced its new Azure Healthcare APIs, which provide pipelines to manage protected health information data at scale.
• Statistics collected by Azure DDoS Protection showed a shift towards attacks against web applications in the first half of 2021.
• Apache Tomcat 10.0.10 was released on 5 August, followed by Tomcat 10.1.0-M4 (alpha) and Tomcat 9.0.52 on 6 August, and Tomcat 8.5.70 on 16 August. All four of these releases correct the regression of an HTTP/2 flow control bug in their previous versions.
• OpenResty 1.19.9.1 was released on 6 August. This version of the web platform based on nginx and LuaJIT now uses nginx 1.19.9 (a mainline release from 30 March) as its core, and also includes some LuaJIT fixes.

Continue reading

In the July 2021 survey we received responses from 1,216,435,462 sites across 262,098,666 unique domains and 11,260,130 web-facing computers. This reflects a gain of 3.16 million sites, 1.99 million domains, and 161,000 computers.

nginx gained the largest number of sites, computers and domains this month – and continues to lead in each of these metrics – but it lost the most active sites, and its presence amongst the top million sites also fell by the largest amount. The largest active sites gain was made by Google (+1.02 million), while Cloudflare was the only major vendor to increase its share amongst the top million sites (+1,732).

Despite strong growth by Google and Cloudflare, Apache still has the largest number of active sites and greatest presence within the top million sites, while nginx is second in both of these metrics.

nginx's gain of 7.99 million sites was followed by an additional 1.36 million sites powered by OpenResty, which is a web server based on nginx. More than 12 million of the 75.4 million sites that use OpenResty are Tumblr microblogging websites under the tumblr.com domain.

OpenResty was originally sponsored by Yahoo! China and Taobao prior to 2011, but Taobao now maintains its own Tengine web server, which is also based on nginx. This is currently used by 11.3 million websites, including 3.13 million C2C ecommerce sites that use the taobao.com domain and 265,000 sites like disney.tmall.com that use the Tmall.com B2C platform.

The number of websites powered by Microsoft IIS (Internet Information Services) fell by 1.92 million to 51.6 million this month. These sites are spread across 13.5 million unique domains and use several different versions of IIS.

The widespread use of several different versions of IIS is likely to continue as Microsoft announced Extended Security Updates for Windows Server 2012 and 2012 R2 on 14 July. Customers who migrate their workloads to Microsoft Azure will get free extended security updates for three more years, while those who choose to run Windows Server on-premises will have the option to purchase the updates. These versions of Windows Server provide the IIS 8.0 and IIS 8.5 web server software, which is still used by 21.4 million websites in this month's survey.

One year of extended security updates are also available for Windows Server 2008 and 2008 R2 on Azure only. These older versions of Windows Server use IIS 7.0 and IIS 7.5, which are still used by 15.7 million websites.

The latest version of Microsoft's web server software, IIS 10.0, is currently used by 12.1 million websites. This version can be found on Windows Server 2016, Windows Server 2019, and can also run on the preview version of Windows Server 2022.

Other vendor and hosting news

• nginx 1.21.1 mainline was released on 6 July. This version includes a few bugfixes and improved error reporting.
• njs 0.6.1 – the JavaScript-based scripting language that allows nginx functionality to be extended – was released on 29 June. This is a bugfix release.
• Caddy Web Server saw its 100th release on 17 June. Caddy 2.4.3 includes some bugfixes and an important security update for PHP-based websites.
• Apache Tomcat 10.1.0-M2 (alpha), 10.0.8 and 9.0.50 were released on 2 July, followed by Tomcat 8.5.69 on 5 July. Tomcat 10.1.0-M2 (alpha) differs from 10.0.8 in that it is targeted at Jakarta EE 10 rather than EE 9. A migration tool is available for applications that run on Tomcat 9 and earlier, as these are targeted at Java EE and must be changed to use Jakarta EE.
• Windows Server 2022 is now in preview on the Evaluation Center.

Continue reading

In the June 2021 survey we received responses from 1,213,277,377 sites across 260,108,646 unique domains and 11,098,973 web-facing computers. This reflects a loss of 5.15 million sites, but a gain of 513,000 domains and 47,100 web-facing computers.

nginx experienced the largest gains in web-facing computers and domains this month; despite a large loss of sites. In the web-facing computer metric nginx’s gain of 74,100 (1.86%) was substantially the largest, and resulted in a market share increase of 0.5 percentage points to 36.5%. Its lead in this metric continues to steadily grow, with Apache’s share in second place dropping to 31.7% — a gap of over half a million web-facing computers.

LiteSpeed saw the only other notable increase in web-facing computers, with an additional 10,400 (+17.6%) boosting its total to 69,500 web-facing computers. LiteSpeed also gained the 2nd largest number of domains this month, with an increase of 289,000, increasing its total to 5.75 million.

Apache suffered the largest loss in domains and active-sites this month, dropping by 597,000 and 886,000 respectively; and was followed by Microsoft with a loss of 203,000 domains and 115,000 active sites. Meanwhile in the web-facing computers and top million busiest sites metrics, Microsoft instead had the largest losses of 21,600 computers and 3,700 of the million busiest sites, followed by Apache with a loss of 15,400 computers and 2,500 of the million busiest sites. Despite its losses in these metrics, Apache continues to power the largest number of active sites with a share of 24.8%, and top-million sites with a share of 25.2%.

Continue reading

In the May 2021 survey we received responses from 1,218,423,991 sites across 259,596,021 unique domains and 11,051,830 web-facing computers. This reflects a gain of 6.28 million sites and 112,000 computers, but a loss of 4.87 million domains.

nginx gained the largest number of hostnames, active sites, and computers this month; but also suffered the largest loss of 4.73 million domains. Its most notable gain was of 78,900 computers (+2.03%), which increased its leading share to 36.0%. It also continues to lead in the hostnames and domains metrics, while Apache is top in active sites.

Apache also maintains its lead amongst the top million websites, with a 25.4% share compared to nginx's 22.9%. Cloudflare's share of the top million sites is now up to 17.0% after increasing its presence by a further 3,090 sites, and Microsoft added 1,840 sites to bring its share up to 6.85%.

OpenResty saw the largest decrease of 8.10 million hostnames (-9.88%), which has taken its market share down to 6.06% (-0.7 pp). Microsoft also suffered a large loss of 6.92 million sites (-10.3%), which took its share down to 4.95% (-0.6 pp).

One of OpenResty's most prominent users is Automattic, which uses it to serve millions of Tumblr microblogging websites that can be found under the tumblr.com domain – for example, icontherecord.tumblr.com.

Automattic is also responsible for the popular WordPress.com blogging service, where it instead uses nginx to serve millions of blogs. These WordPress-powered sites can either use custom domain names, or free blogs can be created directly under the wordpress.com domain – for example, catsbeingcats.wordpress.com.

The underlying WordPress blogging software reached its 18th birthday this month. Automattic continues to contribute to this open source project, and the software is freely available from wordpress.org, allowing anyone to download and install the software on other compatible web server platforms. Although Apache and nginx are recommended, any server that supports PHP and MySQL ought to be capable of running a WordPress site. Such is the popularity of WordPress, some hosting providers also provide one-click installers and other tools that make it easy to manage WordPress sites.

Other vendor and hosting news

• nginx 1.20.1 stable and nginx 1.21.0 mainline were released on 25 May. Both versions include a fix for a 1-byte memory overwrite vulnerability.
• NGINX Unit 1.24.0 was released on 27 May. This adds several new features, including SSL/TLS configuration commands, static file chrooting with symlink and mount resolution controls, static file filtering by MIME type, and compatibility with Ruby 3.0. It also includes some bugfixes.
• Caddy 2.4.0 was released on 10 May, with over 110 patches to resolve bugs and add features likes remote API access, automated identity management and dynamic config loading.
• Apache Tomcat 10.0.6, 9.0.46 and 8.5.66 were released on 12 May. Version 1.0.0 of the Apache Tomcat Migration Tool for Jakarta EE was released a few days earlier on 7 May – this is the tool that allows Tomcat web applications written in Java EE 8 to be automatically converted to run on Tomcat 10 which implements Jakarta EE 9.
• To showcase its new architectural paradigm of Workers, WebSockets and Durable Objects, Cloudflare has released a multiplayer Doom port which can be played at https://silentspacemarine.com. This game demonstrates how application code can be run on Cloudflare edge nodes rather than only on a client or server.

Continue reading

In the April 2021 survey we received responses from 1,212,139,815 sites across 264,469,666 unique domains and 10,939,637 web facing computers. This is an increase of 24,611,866 sites, 1,114,050 domains and 91,955 computers.

nginx gained the largest number of sites this month increasing by 12.5 million sites to 432,167,302. This also increases its market share to 35.65%, up 0.32 percentage points. Microsoft last month lost its place as third largest web server developer to OpenResty, this month it continued to lose sites (-3.6M) and market share, dropping 0.42pp to a market share of 5.54%. OpenResty gained 4.1 million sites and 0.21pp market share, while Apache gained 5.4 million sites but lost 0.08pp market share.

Looking at domains Apache and OpenResty gained the largest amount, with LiteSpeed and Oracle also seeing increases. OpenResty increased by 467k unique domains (+1.2%), this growth is primarily fueled by its increased use at both Google Cloud and Amazon AWS. Apache gained a similar amount with 426k domains (+0.6%), LiteSpeed gained 52k (+1.0%), and Oracle gained 27k (+3.6%). In contrast, nginx, Microsoft and Google each lost domains, 483k (-0.6%), 331k (-2.2%) and 233k (-9.2%) respectively.

In terms of web facing computers nginx gained the largest number with an increase of 59.6k (+1.6%) extending its market lead over Apache to 3.32 percentage points. Apache saw a smaller increase in the number of web facing computers making use of it (8k, +0.2%), this resulted in Apache losing 0.20pp market share. Microsoft lost both absolute numbers of computers, -15.3k (-1.1%), and market share, -0.25pp.

Focusing in on the million busiest sites Cloudflare gained 2,721 sites, the only significant gain this month, it is now used by 16.70% of the million busiest sites. nginx and Microsoft saw the largest losses, 1,978 and 1,806 sites respectively, with Apache dropping 608.

Other vendor and hosting news

• nginx version 1.20.0 was released on April 20th; this incorporates the features from the last year of development on the 1.19 mainline branch into a stable release that will not receive further feature updates. Prior to the release of version 1.20.0 the mainline 1.19 branch received a bug fix update on March 30th, and a minor update with features related to keepalives on April 13th.
• Apache Tomcat major versions 8, 9 and 10 were all updated on April 6th to pick up binaries built with OpenSSL 1.1.1k. Version 7 received a bug fix release on April 26th.

Continue reading

In the March 2021 survey we received responses from 1,187,527,949 sites across 263,355,616 unique domains and 10,847,682 web-facing computers. This reflects a loss of 16,724,462 sites, but a gain of 313,561 domains and 81,076 computers.

nginx gained 3.7 million sites this month and holds 35.3% of the market with a total of 419.6 million sites. By contrast, Apache lost 8.5 million sites and accounts for just over a quarter of all sites with 308.5 million. Microsoft lost 9.6% (-7.5M) of its sites this month and ceded third place to OpenResty which in turn gained 1.2 million (+1.6%).

OpenResty is a web platform based on nginx which integrates Lua-based modules and has been the third-largest server by domains for several months. Despite this, it trails the competition in terms of web-facing computers, with only 105,800 computers compared to Microsoft’s 1.4 million.

nginx, Google, OpenResty, and LiteSpeed all acquired significant numbers of domains this month. nginx gained just over a million domains (+1.3%), while Google, OpenResty, and LiteSpeed gained 250,000 (+11.0%), 212,000 (+0.6%), and 68,600 (+1.3%). nginx’s domain growth came primarily from Freenom with 1.3 million domains using the server, while OpenResty’s growth came from its increased use on Google Cloud. Meanwhile, Apache and Microsoft lost -540,000 (-0.8%) and -585,000 (-3.7%) domains.

nginx and Apache both gained web-facing computers this month with nginx gaining a substantial 74,000 additional computers and a gain of 0.4 percentage points of market share and Apache gaining 3,300 - though losing 0.2 percentage points of market share due to nginx’s comparative higher growth. Other vendors also saw market share losses, with Microsoft losing 24,200 computers (-0.3 pp) and OpenResty losing just over 200 computers (-0.01 pp) despite its gains in sites and domains.

Looking at which web servers power the million busiest sites, only Cloudflare saw its count increase this month with a gain of 3,200 sites (+0.3 pp). Cloudflare’s growth came at the expense of nginx which lost the most with 1,570 fewer sites (-0.2 pp), along with Apache and Microsoft which both lost around 250 sites. The top spot remains hotly contested between Apache and nginx - Apache leads, but less than 2.5 percentage points separate the two.

Other vendor and hosting news

• A major fire at OVH’s Strasbourg datacenters resulted in around 3.6 million websites across 464,000 domains being taken offline at the start of March. While this was not captured by this month’s Web Server Survey, additional investigation by Netcraft found that nearly 20% of the IP addresses attributed to OVH stopped responding during the incident. One of the four data centers at the site, SBG2, was completely destroyed, and OVH is now provisioning thousands of new servers to replace those lost.
• Windows Server 2022 is now in preview and will be made generally available later in 2021. The features added in this release focus on adding new layers of security, integrating more tightly with Microsoft’s Azure platform, and improving Windows Containers. The current major release, Windows Server 2019, was made generally available nearly two and a half years ago in October 2018.
• nginx version 1.19.8 and njs version 0.5.2 were released on the 9th March. Both updates add minor new features and bug fixes.
• OpenLiteSpeed, the open-source variant of LiteSpeed Enterprise, received several updates through February and March, with versions 1.5.12, 1.6.20, and 1.7.9 containing primarily security updates and bug fixes.
• Apache Tomcat was updated to versions 9.0.44 and 10.0.4. Both updates include a variety of fixes, including improvements to asynchronous error handling.

Continue reading