In the November 2021 survey we received responses from 1,175,392,792 sites across 267,027,794 unique domains and 11,525,855 web-facing computers. This reflects a loss of 4.06 million sites, but a gain of 1.60 million domains and 137,000 computers.

nginx gained the largest number of domains (+741,000) and web-facing computers (+81,300) this month and continues to lead in both metrics with market shares of 30.1% and 37.3%.

Further down in the market, there was also a noticeable increase in the total number of web-facing computers running LiteSpeed, which went up by 11,200 to 101,000 (+12.5%), although this resulted in only a 1.44% increase in domains. These counts include sites that run on LiteSpeed Web Server and its open source variant, OpenLiteSpeed, both of which exhibit the same “LiteSpeed” server banner.

Both nginx and Apache lost nearly 4 million hostnames each, reducing their sites market shares to 34.7% and 24.4%. Meanwhile, Cloudflare gained 1.15 million sites, which has taken its total up to 58.6 million (+2.00%) and increased its sites share to 4.99%.

nginx and Apache also suffered losses amongst the top million websites, paving the way for Microsoft to increase its presence by 2,369 sites (+3.75%). Microsoft web server software is now used by 65,600 of the top million sites, but Apache is still the most commonly used web server in this sector, with 240,000 of the top million sites using it, and nginx is not far behind with 224,000.

Apache 2.4.49 vulnerability

Following last month’s news of a path traversal vulnerability in Apache 2.4.49 being actively exploited in the wild, this month’s survey shows that more than 11 million websites had server banners containing “Apache/2.4.49” before a fix was released. The only other version vulnerable to attack was Apache 2.4.50, which failed to fix the vulnerability properly – but this version was released after the survey ran and was promptly replaced with Apache 2.4.51, where the vulnerability was resolved properly.

The true number of websites that were vulnerable during the survey period is likely to have been much greater than the 11 million websites that openly reported themselves to be running Apache 2.4.49, as nearly two-thirds of all Apache-powered websites do not reveal a version number in their server banners. This configuration is often a deliberate act towards security through obscurity, although attackers can often deduce precise version numbers by carrying out additional tests. There may also have been additional vulnerable instances of Apache 2.4.49 hidden behind frontend load balancers or content delivery networks such as Cloudflare.

Conversely, some websites running on Apache 2.4.49 may not have been vulnerable if they used an appropriately configured web application firewall that prevents path traversal attacks. More generally, the true number of web servers that contain a version-specific vulnerability can also be masked by future backported security patches, which typically fix vulnerabilities without changing the apparent version number of the software. From an external perspective, a server might appear to be running a vulnerable software version but may not actually be vulnerable to the issues affecting that version.

Vendor news

• LiteSpeed Web Server 6.0.11 was released on 10 November. This is the latest version in the LSWS 6.0 stream and includes improvements in HTTP/2 and HTTP/3 throughput, new support for WebSocket proxy targets in rewrite rules, and several bugfixes.
• Microsoft has announced new Azure Bounty Program rewards of up to $60,000 to encourage and reward research into vulnerabilities that would have the highest potential impact on the security of its customers.
• nginx 1.21.4 mainline was released on 2 November. This version includes some new features and changes relating to TLS and HTTP/2.
• Lighttpd 1.4.61 was released on 28 October to address a number of bugs. Lighttpd is used by 245,000 unique domains in this month’s survey.
• njs 0.7.0 was released on 19 October to add HTTPS support for its Fetch API, along with a few other new features and bugfixes.
• Apache Tomcat 9.0.54, 10.0.12 and 10.1.0-M6 (alpha) were released on 1 October, followed by Tomcat 8.5.72 on 6 October.
• Cloudflare Pages now supports custom headers natively, without having to use Cloudflare Workers. This makes it easier for developers to add best-practice security headers and others to their JAMstack applications.
• Cloudflare for SaaS is now generally available to all, following a beta launch earlier in the year.

Continue reading

In the October 2021 survey we received responses from 1,179,448,021 sites across 265,426,928 unique domains and 11,388,826 web-facing computers. This reflects a loss of 8.59 million sites, but a gain of 1.07 million domains and 20,800 computers.

The number of unique domains powered by the nginx web server grew by 789,000 this month, which has increased its total to 79.5 million domains and its leading market share to 29.9%. Conversely, Apache lost 753,000 domains and saw its second-place share fall to 24.7%. Meanwhile, Cloudflare gained 746,000 domains – almost as many as nginx – but it stays in fourth place with an 8.15% share while OpenResty's shrank slightly to 14.5%.

Cloudflare also made strong progress amongst the top million websites, where it increased its share by 0.24 percentage points to 18.2%. nginx is in second place with a 22.5% (+0.12pp) share but has closed the gap on Apache which still leads with 24.0% after losing 0.21pp.

Apache also continues to lead in terms of active sites, where it has a total of 48.0 million. However, it was the only major vendor to suffer a drop in this metric, with a loss of 277,000 active sites reducing its share down to 23.9% (-0.29pp). In terms of all sites, nginx lost the most (-9.99 million) but remains far in the lead with a total of 412 million.

Apache vulnerability being actively exploited in the wild

Apache 2.4.51 was released on 7 October. This is the latest release in the 2.4.x stable branch, which the developers consider to be the best available version of the Apache HTTP Server; but more importantly, this release fixes a path traversal vulnerability present in Apache 2.4.49 and 2.4.50. Apache 2.4.50 was itself released a day earlier in an attempt to fix the vulnerability present in 2.4.49, but the fix was found to be insufficient.

The vulnerability is being actively exploited in the wild, so anyone still running an unpatched Apache 2.4.49 or 2.4.50 installation should upgrade immediately. In some cases, the path traversal vulnerability could facilitate remote code execution on the web server.

Due to the nature of this vulnerability, some otherwise vulnerable installations may be immune to attack if a web application firewall (WAF) is in place, or if a frontend proxy or load balancer modifies malicious requests in a way that makes them safe. For instance, all vulnerable Apache installations served via the Cloudflare content delivery network would have been protected from the outset if Normalize URLS to origin were enabled, and the Cloudflare WAF has rules that would have stopped many exploit attempts.

Other vendor and hosting news

• During September, Microsoft released fixes for three elevation of privilege and one remote code execution vulnerabilities in the Open Management Infrastructure (OMI) framework, which is used by several Azure Virtual Machine management extensions. The remote code execution vulnerability can only affect customers using a Linux management solution with remote OMI enabled. A full list of the vulnerable extensions and update availability is being maintained on the Microsoft Security Response Center blog.
• Microsoft announced the general availability its Azure Purview data governance solution on 28 September.
• On 5 October, Microsoft removed the waiting list for its Azure NetApp Files bare-metal cloud file storage and data management service.
• lighttpd 1.4.60 was released on 3 October. This version includes a large number of changes, including several bugfixes and improved handling of HTTP/2 connections.
• LiteSpeed Web Server 6.0.9 was released on 20 September to address several bugs and add a new log rotation feature. OpenLiteSpeed 1.7.14 – the open source edition of LiteSpeed Web Server Enterprise – was released on 7 September.

Continue reading

In the September 2021 survey we received responses from 1,188,038,392 sites across 264,360,621 unique domains and 11,368,033 web-facing computers. This reflects a loss of 23.4 million sites, but a gain of 627,000 domains and 40,300 computers.

The largest increase in both unique domains and active sites was seen by LiteSpeed this month, with gains of 571,000 (+9.3%) domains and 458,000 (+6.0%) active sites. Much of this increase was concentrated at a single hosting provider, NameCheap, where there were corresponding drops in the numbers of domains and active sites using Apache. As a result, LiteSpeed’s market share in the domains metric increased by 0.21 percentage points to 2.6%.

Cloudflare also saw strong growth in domains, with an increase of 519,000 resulting in a small increase in its market share to 7.90%. Amongst the million busiest websites Cloudflare had substantially the biggest increase in use, leaving it with an 18.0% market share. It is now just 44,000 sites or 4.4 percentage points of market share behind nginx in second position.

Other server vendors to see increases in terms of unique domains include OpenResty which grew by 314,000 domains, and market leader nginx which grew by 195,000. Despite having only the fourth largest growth this month, nginx maintained its 29.8% market share.

The number of web-facing computers using nginx has increased once again, whilst both Apache and Microsoft lost both in absolute numbers and market share. This month nginx saw an increase of 40,800 raising its market share to 37.2%. Apache and Microsoft each lost 0.24 percentage points of market share to leave them with 30.8% and 11.9% shares. LiteSpeed gained 4,660 computers (+5.9%).

Continue reading

In the August 2021 survey we received responses from 1,211,444,849 sites across 263,733,974 unique domains and 11,327,711 web-facing computers. This reflects a loss of 4.99 million sites, but a gain of 1.64 million domains and 67,600 computers.

The number of unique domains powered by the nginx web server grew by more than a million this month, while Apache's count fell by 916,000. This has extended nginx's lead in the domains metric, giving it a 29.8% share compared with Apache's 25.5%.

OpenResty gained 234,000 domains, but its market share remained static at 14.5%, while Cloudflare gained 726,000 domains and increased its market share to 7.72%.

The number of web-facing computers using nginx has continued to increase, this month by 49,000 (+1.18%). There are now 4.19 million web-facing computers running nginx, compared with 3.52 million that run Apache. Microsoft follows in third place with 1.38 million computers.

The web-facing computers metric has painted a remarkably stable trend over the past several years, as is evident in the graph below, with both Microsoft and Apache steadily falling while nginx has progressively climbed to first overtake Microsoft in 2017, and then Apache during 2020. There has also been a rise in "Other" web servers, which includes several nginx-based spinoffs such as OpenResty and Tengine.

Websites in Afghanistan

The Taliban offensive in Afghanistan has obvious potential to upset the country's internet infrastructure, but the extent of any changes may be limited. Afghanistan has had a relatively small presence on the web throughout the past 20 years, and many of its sites were already hosted outside of the country and used generic top-level domains to avoid interference from the Taliban.

This month's survey found only 8,031 websites hosted in Afghanistan, and 23,205 sites that use Afghanistan's .af country-code top-level domain (ccTLD). More than two-thirds of the latter are hosted in the US, and more than 2,000 are hosted in Germany – although any site that relies on a .af domain would still be vulnerable to interruption by the country's new government, should it desire.

Nearly 1,000 of the .af sites are Afghan Government websites that fall under the .gov.af second-level domain – such as president.gov.af and kabul.gov.af – but surprisingly, less than half of these are hosted in Afghanistan, with the rest being hosted in the US, Germany, Singapore, France, Canada, UK, Netherlands, Ireland and India.

Even more surprisingly, dozens of the .gov.af sites hosted in the US and Germany are used to host webmail services, potentially putting Afghan Government communications in easy reach of external intelligence agencies.

Other vendor and hosting news

• Microsoft has announced the general availability of Azure Government Top Secret. The new air-gapped Azure regions are intended to handle national security workloads at the US Top Secret level.
• Microsoft also announced its new Azure Healthcare APIs, which provide pipelines to manage protected health information data at scale.
• Statistics collected by Azure DDoS Protection showed a shift towards attacks against web applications in the first half of 2021.
• Apache Tomcat 10.0.10 was released on 5 August, followed by Tomcat 10.1.0-M4 (alpha) and Tomcat 9.0.52 on 6 August, and Tomcat 8.5.70 on 16 August. All four of these releases correct the regression of an HTTP/2 flow control bug in their previous versions.
• OpenResty 1.19.9.1 was released on 6 August. This version of the web platform based on nginx and LuaJIT now uses nginx 1.19.9 (a mainline release from 30 March) as its core, and also includes some LuaJIT fixes.

Continue reading

In the July 2021 survey we received responses from 1,216,435,462 sites across 262,098,666 unique domains and 11,260,130 web-facing computers. This reflects a gain of 3.16 million sites, 1.99 million domains, and 161,000 computers.

nginx gained the largest number of sites, computers and domains this month – and continues to lead in each of these metrics – but it lost the most active sites, and its presence amongst the top million sites also fell by the largest amount. The largest active sites gain was made by Google (+1.02 million), while Cloudflare was the only major vendor to increase its share amongst the top million sites (+1,732).

Despite strong growth by Google and Cloudflare, Apache still has the largest number of active sites and greatest presence within the top million sites, while nginx is second in both of these metrics.

nginx's gain of 7.99 million sites was followed by an additional 1.36 million sites powered by OpenResty, which is a web server based on nginx. More than 12 million of the 75.4 million sites that use OpenResty are Tumblr microblogging websites under the tumblr.com domain.

OpenResty was originally sponsored by Yahoo! China and Taobao prior to 2011, but Taobao now maintains its own Tengine web server, which is also based on nginx. This is currently used by 11.3 million websites, including 3.13 million C2C ecommerce sites that use the taobao.com domain and 265,000 sites like disney.tmall.com that use the Tmall.com B2C platform.

The number of websites powered by Microsoft IIS (Internet Information Services) fell by 1.92 million to 51.6 million this month. These sites are spread across 13.5 million unique domains and use several different versions of IIS.

The widespread use of several different versions of IIS is likely to continue as Microsoft announced Extended Security Updates for Windows Server 2012 and 2012 R2 on 14 July. Customers who migrate their workloads to Microsoft Azure will get free extended security updates for three more years, while those who choose to run Windows Server on-premises will have the option to purchase the updates. These versions of Windows Server provide the IIS 8.0 and IIS 8.5 web server software, which is still used by 21.4 million websites in this month's survey.

One year of extended security updates are also available for Windows Server 2008 and 2008 R2 on Azure only. These older versions of Windows Server use IIS 7.0 and IIS 7.5, which are still used by 15.7 million websites.

The latest version of Microsoft's web server software, IIS 10.0, is currently used by 12.1 million websites. This version can be found on Windows Server 2016, Windows Server 2019, and can also run on the preview version of Windows Server 2022.

Other vendor and hosting news

• nginx 1.21.1 mainline was released on 6 July. This version includes a few bugfixes and improved error reporting.
• njs 0.6.1 – the JavaScript-based scripting language that allows nginx functionality to be extended – was released on 29 June. This is a bugfix release.
• Caddy Web Server saw its 100th release on 17 June. Caddy 2.4.3 includes some bugfixes and an important security update for PHP-based websites.
• Apache Tomcat 10.1.0-M2 (alpha), 10.0.8 and 9.0.50 were released on 2 July, followed by Tomcat 8.5.69 on 5 July. Tomcat 10.1.0-M2 (alpha) differs from 10.0.8 in that it is targeted at Jakarta EE 10 rather than EE 9. A migration tool is available for applications that run on Tomcat 9 and earlier, as these are targeted at Java EE and must be changed to use Jakarta EE.
• Windows Server 2022 is now in preview on the Evaluation Center.

Continue reading

In the June 2021 survey we received responses from 1,213,277,377 sites across 260,108,646 unique domains and 11,098,973 web-facing computers. This reflects a loss of 5.15 million sites, but a gain of 513,000 domains and 47,100 web-facing computers.

nginx experienced the largest gains in web-facing computers and domains this month; despite a large loss of sites. In the web-facing computer metric nginx’s gain of 74,100 (1.86%) was substantially the largest, and resulted in a market share increase of 0.5 percentage points to 36.5%. Its lead in this metric continues to steadily grow, with Apache’s share in second place dropping to 31.7% — a gap of over half a million web-facing computers.

LiteSpeed saw the only other notable increase in web-facing computers, with an additional 10,400 (+17.6%) boosting its total to 69,500 web-facing computers. LiteSpeed also gained the 2nd largest number of domains this month, with an increase of 289,000, increasing its total to 5.75 million.

Apache suffered the largest loss in domains and active-sites this month, dropping by 597,000 and 886,000 respectively; and was followed by Microsoft with a loss of 203,000 domains and 115,000 active sites. Meanwhile in the web-facing computers and top million busiest sites metrics, Microsoft instead had the largest losses of 21,600 computers and 3,700 of the million busiest sites, followed by Apache with a loss of 15,400 computers and 2,500 of the million busiest sites. Despite its losses in these metrics, Apache continues to power the largest number of active sites with a share of 24.8%, and top-million sites with a share of 25.2%.

Continue reading