January 2017 Web Server Survey

In the January 2017 survey we received responses from 1,800,047,111 sites and 6,328,006 computers, reflecting a gain of 61 million sites and 159,000 computers.

Microsoft gained the largest number of sites this month – 38 million – although it was closely followed by Apache, which gained 32 million. Nearly 822 million sites (45.7%) are now powered by Microsoft webserver software.

Meanwhile, nginx gained 17 million sites, and has also continued to show strong and steady computer growth. This month's gain of 60,000 web-facing nginx computers was the largest seen by any vendor, outweighing Microsoft's and Apache's gains of 40,000 and 20,000. If last year's trends continue in 2017, it seems plausible to expect that nginx could overtake Microsoft to become the second largest vendor (by computers) in the second half of 2017.

Microsoft's latest version of Internet Information Services – IIS 10.0, which uses Windows Server 2016 as its primary platform – was found powering 45,000 websites this month. Future migration to IIS 10.0 may be slower than with previous IIS versions, however, as Microsoft announced Windows Server Premium Assurance in December 2016, which extends the support period from 10 to 16 years for existing Windows Server products. This means Premium Assurance customers will continue to receive security updates (as well as "critical" and "important" bulletins) for Windows Server 2008 until January 2026. In January 2017, more than 600 million sites are served from Windows Server 2008 machines.

Each of the other major server vendors released updates last month. nginx 1.11.7 mainline version was released on 13 December, followed by 1.11.8 on 27 December. Both releases included several bug fixes and a few new features.

The mainline 1.11.x branch of nginx is typically updated every 4-6 weeks and is aimed at users who require the latest features, whereas the 1.10.x stable branch is only updated when critical issues need to be fixed. Only two updates have been released on the stable branch since 1.10.0 was forked from mainline in April 2016. Stable is the most commonly used branch: nearly 24 million sites are using 1.10.x stable, compared with 2.2 million using 1.11.x mainline.

Apache 2.4.25 was released on 20 December 2016, incorporating security, feature and bug fixes (including many from the unreleased 2.4.24 version). The security fixes include a mitigation for issues caused by the httpoxy vulnerability, and better enforcement of the HTTP request grammar in RFC 7230 to reduce the likelihood of response splitting and cache pollution attacks.

While many sites still use older versions of Apache, such as the 2.2.x legacy versions, the Apache Project continues to point out that the latest release from the 2.4.x stable branch represents the best available version of Apache HTTP Server. Nonetheless, most sites—just over 100 million— report to be using 2.2.x legacy versions, compared with 69 million sites that use 2.4.x. The most commonly observed Apache Server banners are Apache/2.4.7 (Ubuntu) (36 million sites), followed by Apache/2.2.15 (CentOS) (25 million); however, these servers may not necessarily be as old and vulnerable as their version numbers imply. Netcraft previously discussed this "backporting" behaviour a few years ago.

LiteSpeed suffered the largest loss of sites this month, returning to October 2016 levels after plummeting by 42 million sites to leave a total of 5.5 million. Despite the large loss of sites, the number of web-facing computers using LiteSpeed increased modestly by 323 to 9,740. LiteSpeed 5.1.11 was released on 15 December, featuring improved caching and a few bug fixes.

December also saw the release of Tengine 2.2.0 development version, which came nearly two years after the previous development version, and a year after the most recent stable version. Not only does Tengine have a relatively sedate release cycle, but its latest version is based on nginx 1.8.1 (the final version of nginx's previous stable branch), which itself is already a year old.

Despite having relatively infrequent releases, 58 million sites are currently using Tengine. Most of these sites do not reveal which version has been installed, but among the 18 million that do, about two-thirds are using the relatively old 1.4.2 development version which was released in November 2012 and based on the nginx 1.2.x stable branch. Tengine was originally created by the Chinese marketplace Taobao, which modified the nginx core to better suit its requirements. It was released as an open source project in December 2011, and today sites under the taobao.com domain account for only 5% of its users.

Total number of websites

Web server market share

DeveloperDecember 2016PercentJanuary 2017PercentChange
Microsoft783,790,49245.07%821,905,28345.66%0.59
Apache354,949,19620.41%387,211,50321.51%1.10
nginx300,839,50717.30%317,398,31717.63%0.33
Google18,602,5441.07%17,933,7621.00%-0.07
Continue reading

December 2016 Web Server Survey

In the December 2016 survey we received responses from 1,739,031,487 sites and 6,169,471 web-facing computers; this reflects a large increase of 302 million sites, but a small loss of 55,900 computers.

All three of the largest server vendors gained sites this month, with growth concentrated at a handful of lesser-known web hosting providers. These changes have triggered large jumps in market share, with nginx (+3.2 percentage points) and Microsoft (+1.6 p.p.) gaining, and Apache losing (-2.2 p.p.).

The growth in number of sites was not reflected in other metrics this month, however, with small drops being seen in both the total number of web-facing computers (-0.9%) and the number of active sites (-0.8%).

Nginx was the only major web server vendor to experience gains across all metrics this month, including active sites, web-facing computers, and the million busiest sites. It now stands only 390,000 computers (6 percentage points) behind second place Microsoft, having surpassed Microsoft in terms of active sites in January 2012, and the top million busiest sites in May 2013.

Previously the 10th most commonly seen web server in terms of active sites, “Webs.com/1.0”, has vanished this month after the website builder began using the Cloudflare CDN service. Cloudflare uses a customised version of nginx (cloudflare-nginx), that powered over 3.6 million active sites in the December survey.

Looking back over 2016, the total number of sites seen in the survey has grown significantly, from 900 million in January to 1.7 billion in December. Much of this growth can be attributed to Microsoft, which has gained more than 520 million hostnames and risen from 28.95% market share to 45.07%. However, the more stable active sites metric shows nginx grew the most this year, having increased by 4.8 million active sites and 2.85 percentage points of market share over the course of 2016.

The year also saw the notable rise of OpenResty: in January, OpenResty was being used by 760,000 sites, 200,000 active sites, and just 3,100 web-facing computers; but in September, tumblr.com switched from using nginx to OpenResty for millions of Tumblr blogs. The number of sites using OpenResty in December is now nearly 15 million, the number of active sites is 5.8 million, and the number of web-facing computers seen running OpenResty has increased to nearly 8,000. The server is now the 9th most popular by number of web-facing computers.

Microsoft’s newest web server software, IIS 10.0, was released this year although it is yet to make a significant impact in the number of sites. Windows Server 2016, the primary operating system for running IIS 10.0 was only fully released in October after months of preview releases; the December 2016 survey finds the operating system being used on 5,800 web-facing computers to host 18,250 sites.

Another notable arrival during 2016 were the hundreds of thousands of Western Digital My Cloud personal storage devices. These Network Attached Storage (NAS) devices run an Apache web server and each has a hostname on the wd2go.com domain. The fact that these devices are placed in end-users' homes, using less-stable home Internet connections, and more commonly powered off than a typical web server has increased the volatility of the Apache web-facing computer data. The December 2016 survey found 680,000 sites for these devices.

Total number of websites

Web server market share

DeveloperNovember 2016PercentDecember 2016PercentChange
Microsoft625,173,66443.51%783,790,49245.07%1.56
Apache324,174,41722.56%354,949,19620.41%-2.15
nginx202,932,12214.12%300,839,50717.30%3.17
Google20,689,2731.44%18,602,5441.07%-0.37
Continue reading

November 2016 Web Server Survey

In the November 2016 survey we received responses from 1,436,724,046 sites and 6,225,374 web-facing computers, reflecting a gain of 7 million sites and 81,000 computers.

nginx was the only major vendor to gain hostnames this month, increasing its site count by 6.1 million, while Apache and Microsoft lost 16.6 million and 12.4 million.

Outweighing the existing major vendors, LiteSpeed demonstrated the largest hostname growth after it gained more than 40 million sites – a remarkable 740% increase. LiteSpeed's growth included 38 million existing sites that were hosted by OVH, and previously using Taobao's Tengine web server, which consequently suffered the largest loss of sites this month. The sites involved in this movement—nearly all of which make use of the .science TLD—are now hosted by Amazon Web Services. As a result of these changes, LiteSpeed's market share of sites has leapt from 0.39% to 3.29%, taking it from 10th to 4th place – while Tengine has been displaced to 5th.

Using the less-volatile web-facing computers metric, Apache showed the largest growth this month with an increase of 39,900 computers, while nginx was not too far behind with net growth of 32,881. Despite LiteSpeed's large hostname growth, it gained only a modest sum of 312 computers (+3.4%), making it the 7th largest vendor by this metric.

OpenResty gained significant traction in September after millions of Tumblr blogs switched from using nginx. This month, OpenResty gained a further 560 web-facing computers (+7.8%), taking its total up to 7,700. It also gained half a million more sites, but not all of the new sites are used by Tumblr blogs this time, which indicates growing interest amongst other users. More than a tenth of the new sites found using OpenResty in November are being used to serve PHPWind forum installations hosted by Raksmart in China, and thousands more new OpenResty sites are found at the likes of Fastly, DigitalOcean and Amazon Web Services.

Microsoft's latest server software, IIS 10.0, has yet to make significant inroads on the web, with the total number of sites using it still floating around 10,000; however, its primary platform—Windows Server 2016—has only been available since October. Preview releases have been available for several months, though, and so the number of web-facing computers using Windows Server 2016 has gradually been creeping up. Netcraft found a total of 4,347 Windows Server 2016 computers in the November survey.

Total number of websites

Web server market share

DeveloperOctober 2016PercentNovember 2016PercentChange
Microsoft637,583,71744.61%625,173,66443.51%-1.09
Apache340,793,66223.84%324,174,41722.56%-1.28
nginx196,861,41513.77%202,932,12214.12%0.35
Google21,516,3081.51%20,689,2731.44%-0.07
Continue reading

October 2016 Web Server Survey

In the October 2016 survey we received responses from 1,429,331,486 sites and 6,144,093 web-facing computers. This reflects a large increase of 144 million sites, and a more modest increase of 25,300 computers.

Microsoft once again saw the largest increase of web sites this month, gaining 95 million. Apache and nginx made up the majority of the remainder of web site growth, gaining 25 million and 11 million. Despite Microsoft’s large gain of web sites, it lost both web-facing computers (-17,700) and active sites (-1.2 million).

Apache saw the largest increase of active sites this month, gaining 1.8 million, while nginx gained 400,000, the second largest growth. These gains, coupled with Microsoft’s loss of 1.2 million active sites, led to Microsoft’s share of active sites dropping to 9.27%, the first time that it has fallen below 10%. Apache increased its market share by 0.19 percentage points and continues to dominate, now with 46.30% of the active sites.

The largest increase of web-facing computers was made by nginx, gaining 20,000. Despite now having more than twice as many active sites as Microsoft, nginx remains in third place by number of web-facing computers with 17.41% of the market, compared to Microsoft’s 24.91%. Apache leads, running on 45.97% of all web-facing computers, however, both Apache and Microsoft are gradually losing market share to nginx.

Within the million busiest sites, the long-term trend is the ascent of nginx, at the expense of both Apache and Microsoft. This month continues that trend, with Apache losing 0.13 percentage points, Microsoft losing 0.14, and nginx gaining 0.20. However, Apache still leads by a significant margin over second-placed nginx, with 146,000 more of the million busiest sites using Apache.

Total number of websites

Web server market share

DeveloperSeptember 2016PercentOctober 2016PercentChange
Microsoft542,498,79642.19%637,583,71744.61%2.41
Apache316,042,28924.58%340,793,66223.84%-0.74
nginx186,529,03814.51%196,861,41513.77%-0.73
Google21,467,7291.67%21,516,3081.51%-0.16
Continue reading

September 2016 Web Server Survey

In the September 2016 survey we received responses from 1,285,759,146 sites and 6,118,785 web-facing computers, reflecting large gains in both metrics: 132 million additional sites, and 138,000 more computers.

Microsoft made up the majority of this month's website growth, with the largest gain of 97 million sites, although it showed only modest increases of 5,200 web-facing computers and 693,000 active sites.

Apache was responsible for most of this month's additional web-facing computers, increasing its count by 87,000 to 2.8 million (+3.2%). Similarly, nginx made a 3.0% gain of 30,000 computers. However, Microsoft's 0.3% gain was not enough to stop its share falling by half a percentage point to 25.3% as a result of the gains made by Apache and nginx.

Although nginx made a healthy gain in web-facing computers, it lost more than 5 million active sites and 5,600 sites within the top-million. 27.6% of the busiest million sites now use nginx (-0.56 pp from last month), while Apache retains its lead with a 42.5% share.

Along with nginx, all of the major web server vendors suffered losses within the top million sites, largely due to the growth of OpenResty this month. More than 10,000 of the top million sites are now using OpenResty, compared with fewer than 4,000 last month, after millions of Tumblr blogs switched from nginx. As well as tumblr.com, basecamp.com — the home of the Basecamp web-based project management tool — ranks amongst the most visited sites to use OpenResty.

Tumblr's adoption of OpenResty has caused the web server to leap up the rankings to become the seventh largest web server vendor by websites, and fifth by active sites. This month, 87% of all OpenResty sites appear under the tumblr.com domain.

Although most OpenResty sites reside under the tumblr.com domain, the number of unique domains using OpenResty also increased noticeably this month.

Although most OpenResty sites reside under the tumblr.com domain, the number of unique domains using OpenResty also increased noticeably this month.

Switching from nginx to OpenResty is not such a paradigm shift as moving to, say, Apache or Microsoft IIS. The OpenResty web application platform is built around the standard nginx core, which offers some familiarity, as well as allowing the use of third-party nginx modules. One of the key additional features provided by OpenResty is the integration of the LuaJIT compiler and many Lua libraries – this gives scope for high performance web applications to be run completely within the bundled nginx server, where developers can take advantage of non-blocking I/O.

Another web server that has gained prominence over the past year is Cowboy, a small and fast modular HTTP server written in Erlang. Optimised for low latency and low memory usage, it is currently the fifth most common web server software installed on web-facing computers that accept HTTP connections. Most of the computers used by Cowboy servers are powered by the Heroku Cloud Application Platform and hosted at Amazon Web Services.

Total number of websites

Web server market share

DeveloperAugust 2016PercentSeptember 2016PercentChange
Microsoft445,105,75538.58%542,498,79642.19%3.61
Apache300,028,83226.01%316,042,28924.58%-1.43
nginx181,606,29715.74%186,529,03814.51%-1.23
Google22,111,4311.92%21,467,7291.67%-0.25
Continue reading

August 2016 Web Server Survey

In the August 2016 survey we received responses from 1,153,659,413 sites and 5,980,524 web-facing computers. This reflects an increase of 80 million sites, but a loss of 78,000 computers.

While the overall number of sites increased this month, this growth was not felt evenly by each web server vendor: Microsoft gained the largest number of sites with an increase of 66 million, while second-placed Apache lost 41 million sites. Tengine, the nginx-based web server from Chinese online shopping giant Taobao, gained 28 million sites.

Whilst there were large changes in total number of sites, these were accompanied by much more modest changes in active sites – a more stable metric designed to ignore automatically generated bulk content. Apache and Microsoft both suffered small drops in the number of active sites, -0.5% and -0.8% respectively, whilst Tengine and nginx gained 120,000 (7.3%) and 81,000 (0.2%).

The majority of this month’s drop in web facing computers were running Apache, with a decrease of just over 107,000 (3.8%) using the open-source server. One of the primary contributors to this drop was the loss of a large number of consumer-NAS devices running Apache. While these devices have steadily increased in number since the start of 2016, this month has seen a marked decline. These devices are mostly connected via home internet lines and are therefore likely to come and go from month to month. As a result, the Apache losses this month are spread over a large number of consumer ISPs. On the other hand, Apache continued to see growth amongst web hosting providers.

A gain of 24,000 web-facing computers for nginx, the largest gain in web facing computers this month, once more boosts its market share, which now stands at 17.0%. Microsoft also experienced a small increase in market share, despite its loss of 4,000 web-facing computers, given Apache’s large loss this month.

Windows Server 2016 — which will be the main platform for Microsoft IIS 10.0 — is edging closer to its official launch at Microsoft's Ignite conference in September. In the meantime, developers can try out many of the new features in IIS 10 by either installing the latest Windows Server 2016 Technical Preview 5, or by installing the self-contained IIS 10.0 Express on Windows 7 SP1 or later.

More than 11,000 websites are already using Microsoft IIS 10.0, with almost all of these sites using a version of Windows Server 2016.

The previous month saw two new releases of the mainline version of nginx, mostly incorporating bug fixes and feature additions, while the release of Apache 2.4.23 addressed a security issue which could have allowed clients to gain unauthorised access to protected resources if a server was configured to use HTTP/2.

Several web servers were also updated following the disclosure of a set of vulnerabilities dubbed httpoxy. These vulnerabilities can affect web applications running in CGI or CGI-compatible environments.

The vulnerability stems from a simple namespace conflict where the client-provided HTTP Proxy header was placed into an HTTP_PROXY environment variable as is the custom for CGI applications; but where HTTP_PROXY was trusted by the application and used to configure an outgoing proxy.

This type of vulnerability was first discovered in libwww-perl more than 15 years ago, but in July it was found to be still exploitable in PHP and many other modern languages and libraries. Successful exploitation of these issues could allow a remote attacker to proxy outgoing HTTP requests made by a vulnerable web application, which may expose sensitive data.

To mitigate the httpoxy vulnerability, Apache 2.4.24-dev avoids populating the HTTP_PROXY variable from a Proxy header in httpd CGI environments. Similar mitigations have also been implemented in Lighttpd 1.4.41 and LiteSpeed, while nginx and Varnish have published mitigation advice.

Total number of websites

Web server market share

DeveloperJuly 2016PercentAugust 2016PercentChange
Microsoft378,655,75935.26%445,105,75538.58%3.32
Apache340,551,07431.72%300,028,83226.01%-5.71
nginx170,896,71615.92%181,606,29715.74%-0.17
Google22,552,9012.10%22,111,4311.92%-0.18
Continue reading