In the March 2022 survey we received responses from 1,169,621,187 sites across 272,177,331 unique domains and 11,877,217 web-facing computers. This reflects a loss of 4.00 million sites, but a gain of 977,000 domains and 103,000 web facing computers.

Cloudflare gained the largest number of sites, with 1.32 million more than in the February survey. Its growth was also consistent across other metrics, having gained +176,000 domains (+0.77%) and +256,000 active sites (+1.24%), with an extra 0.12pp share of the top one million sites.

nginx, the current leader by most metrics, had a particularly strong growth in terms of domains, having gained 978,000 domains (+1.35%) this month—the largest gain of any vendor in this metric. Though it lost 2.98 million sites, it appears to be serving more interesting content overall, as measured by a 158,000 increase in its number active sites. It also gained the most additional web-facing computers out of all vendors this month, with 39,300 more than the previous month. OpenResty, which uses nginx, is serving 62,300 more active sites and now counts towards an additional 441 of the top one million sites. OpenResty was also counted on 6,640 more computers (+5.04%) than last month.

Apache has the greatest number of active sites and, by a narrow 1.03pp margin over nginx, the greatest share of the top one million sites. However, it shrunk in both of these metrics, losing 583,000 active sites and 2,130 of the top one million. Apache lost out in most other metrics too, with 756,000 fewer domains and just over 5 million fewer sites. It did, however, gain a few more computers over last month, but nginx’s large growth meant that Apache still lost market share in this measurement.

Microsoft saw declines in all metrics this month, losing 3.22 million sites (-7.13%), 156,000 domains (-1.75%), 118,000 active sites (-1.88%), and 7,620 computers (-0.57%). Microsoft also lost 1,000 sites from its share of the top million.

Although one of the smaller web servers on the market, LiteSpeed has frequently shown strong and consistent growth, with this month being no exception. It had the largest sites and active sites growth of all web servers in the March 2022 survey, gaining 1.92 million sites and 277,000 active sites.

Vendor news

• Apache released version 2.4.53 of their httpd web server. This version contains security fixes for four different CVEs. The release also brings a number of general bug fixes. Apache also released bug patches for several versions of Tomcat.

• OpenSSL released versions 3.0.2 and 1.1.1n of their cryptography library in order to patch against a high severity denial of service vulnerability. OpenSSL is used by both Apache and nginx, which together account for a majority of all sites, domains, and web-facing computers.

• Microsoft Azure has expanded to a new region in the North of China. Microsoft’s share of the web server software market is much larger in China compared to the rest of the world, with 16.5% of active sites, 20.1% of domains, 13.4% of sites, and 15.0% of web-facing computers.

Continue reading

In the February 2022 survey we received responses from 1,173,621,471 sites across 271,199,972 unique domains and 11,774,714 web-facing computers. This reflects a gain of 5.91 million sites, 1.36 million domains and 73,800 computers.

OpenResty experienced the strongest growth this month, both in overall sites and domains, with increases of 10.4 million sites and 546,000 domains. This represents a large 13.0% increase in its number of sites, but a more modest 1.4% increase in domains. Its market share in the domains metric now stands at 15.1%, an increase of 0.13 percentage points since January.

nginx closely followed OpenResty with a growth of 538,000 domains, helping it to maintain its leading 26.7% market share. nginx also saw strong growth in web-facing computers, which increased by 53,500. In contrast to its gains in these metrics, nginx lost 12.1 million sites this month (-3.2%), however it retains its position as the most commonly used web server with 31.1% of all sites using it.

Cloudflare continues to make strong gains amongst the million busiest websites, where it saw the only notable increases, with an additional 3,200 sites helping to bring its market share up to 19.4%. Apache, Microsoft and nginx all experienced losses in this metric; however, Apache and nginx still hold the top two positions with market shares of 23.3% and 22.1%.

Vendor news

• Apache Tomcat 9.0.59, 10.0.17 and 10.1.0-M11 (alpha) were released on 28 February 2022. Some of the notable changes are common between all three versions, including resolving a regression in a fix for a race condition, and improving the detection of the Linux duplicate accept bug.
• nginx 1.21.6 mainline was released on 25 January 2022. This version contains three bugfixes and no new features.
• njs 0.7.2 was also released with several core bugfixes on 25 January 2022. njs is the subset of the JavaScript language that can be used to extend nginx functionality.
• Cloudflare has agreed to acquire Area 1 Security with the intention of integrating Area 1’s technology into its global network to protect customers from email-based security threats.
• Lighttpd 1.4.64 was released on 19 January 2022. This includes numerous changes, including a security fix for a buffer overflow vulnerability that would have been unlikely to affect most configurations.

Continue reading

In the January 2022 survey we received responses from 1,167,715,133 sites across 269,835,071 unique domains and 11,700,892 web-facing computers. This reflects a loss of 1.15 million sites, but a gain of 1.51 million domains and 31,100 computers.

nginx lost 7.33 million sites this month (-1.91%) but continues to be the most commonly used web server with 32.3% of all sites using it. Although nginx’s share has fallen, Apache is still more than eight percentage points behind after losing 3.70 million sites (-1.31%), which has taken its own market share down to 23.9%.

nginx also leads in the domains metric, where it has a share of 26.6% compared with Apache’s 23.9%. This reflects a small reduction in nginx’s share – despite a modest gain of 25,400 domains – while Apache suffered the largest loss of 287,000 domains.

The largest site and domain growth was seen by Pepyaka, which is a web server that has primarily been used by the Wix web development platform since it switched from using nginx in 2018. The number of sites using Pepyaka grew by 4.02 million to 7.30 million this month, while its domain count went up by 1.80 million to 3.30 million.

The next largest domain growth was seen by OpenResty, which gained 686,000 domains this month, and 1.34 million sites in total. The second largest site growth was seen by Microsoft, which gained 2.46 million sites and now accounts for 4.86% of all sites and 5.00% of all domains.

Constraining the view to active sites, Apache is still the most commonly used web server, but its market share has fallen slightly to 23.4% after losing more than half a million active sites this month. Meanwhile, nginx gained 230,000 active sites and has increased its share to 20.2%.

Apache also maintains a slight lead in the top million websites, where it is used by 235,000 sites compared with 222,000 for nginx. However, Cloudflare has increased its presence by a further 4,959 sites and is now not too far behind with a total of 191,000. If this trend continues, Cloudflare could soon overtake both nginx and Apache to become the most commonly used top-million web server.

Looking at web-facing computers, nginx’s strong growth continues unabated. This month it is being used by an additional 32,700 web-facing computers and its market share has increased to 37.7%. Its lead over Apache was further extended by Apache’s loss of 29,100 computers, which sent Apache’s share down to 29.9%.

Vendor news

• Apache 2.4.52 was released on 20 December 2021. This is the latest release from the 2.4.x stable branch and includes two security fixes amongst a host of other changes.
• Apache Tomcat 9.0.56, 10.0.14 and 10.1.0-M8 (alpha) were released on 8 December 2021. Each of these versions include a fix for a known operating system bug that could cause incoming connections to be reported more than once.
• nginx 1.21.5 was released on 28 December 2021. This is the latest release in the mainline branch of nginx and is now built with the PCRE2 library by default.
• njs 0.7.1 was also released on 28 December 2021. This release includes several bugfixes and some other changes to ensure that njs scripts use the same regular expression library as nginx.
• Microsoft has mitigated an insecure default behaviour in the Azure App Service that inadvertently exposed hundreds of source code repositories. The team that found the vulnerability noted that it had existed since September 2017 and has probably been exploited in the wild. The problem could have impacted PHP, Node, Ruby, Python and Java applications that serve static content, as well as some Azure App Service Linux applications that were deployed using Local Git after files were created or modified in the content root.
• Cloudflare has introduced a new product called Bulk Redirects, which lets website administrators upload and enable large numbers of URL redirects. These were typically implemented with Page Rules before, which are limited to a maximum of 125 redirects.
• OpenResty 1.21.4.1 RC1 was released on 16 December 2021. This version is based on nginx 1.21.4 and adds several new features including support for BoringSSL.

Continue reading

In the December 2021 survey we received responses from 1,168,864,866 sites across 268,328,184 unique domains and 11,669,818 web-facing computers. This represents a loss of 6.53 million sites, but a gain of 1.30 million domains and 144,000 computers.

nginx lost a significant number of sites (-23.88 million) and domains (-8.54 million) this month, though it continues to hold the highest market share in both categories with 32.9% of sites and 26.7% of domains. nginx’s domain market share lead over Apache dropped significantly, falling from a 5.6 percentage point lead to a 2.6 percentage point lead. nginx also gained 81,100 web-facing computers this month, giving it 37.5% of market share in this category.

Apache also lost sites (-3.09 million) and domains (-446,000) this month, though it gained 5,700 web-facing computers. Apache continues to hold second place across all three key metrics.

The largest increase in both domains and hostnames was seen for “awselb”, used by Amazon’s Elastic Load Balancing service, and accounts for the majority of the loss experienced by nginx. The change was as a result of GoDaddy’s URL redirector service, which allows domains registered with GoDaddy to be pointed at arbitrary URLs, being moved from their own hosting facilities to Amazon’s ELB service.

Many other web servers also saw reasonable growth in the number of sites this month, with OpenResty and Microsoft gaining 2.42 million and 2.15 million respectively, followed by LiteSpeed and Cloudflare with 1.76 million and 1.28 million. Fewer servers gained domains this month, though OpenResty gained a respectable 850,500 (+2.19%).

Cloudflare gained 2,431 sites in the million most popular sites, increasing its market share by 0.24 percentage points to 18.6%. Apache continues to maintain a slim lead over nginx, though both lost sites this month. Microsoft’s market share dropped, as it lost 4,119 sites this month taking it to 6.15% of the total and down from 6.89% at the start of the year.

Log4Shell impact on web servers

A critical vulnerability dubbed “Log4Shell” was identified in the Java log4j logging library, and was publicly disclosed on 9th December. The vulnerability has impacted a broad range of organizations as the log4j library is widely used, and the flaw can be easily exploited to break into systems, steal data, and infect networks with malicious software.

Many widely-used web servers such as Tomcat and Jetty are written in Java but do not use the log4j library by default so are not directly affected by the issue. However, they can be configured to do so, and it is also possible that sites that use popular web servers written in other languages - Apache and nginx are written in C, for instance - may still use the vulnerable library at some level in their technology stack.

Several less well-known servers integrate the log4j library directly, such as IBM WebSphere. Several WebSphere components such as the Admin Console use the library and so are vulnerable to the issue, while applications served using WebSphere may be vulnerable if they use the library. IBM WebSphere is not widely used: this month Netcraft identified 3,778 sites using the server, which were hosted on 830 IP addresses. Amongst these, Netcraft found government and banking websites, though it is unknown whether these sites are vulnerable.

Vendor news

• Apache 2.4.52 was released on 20 December. This release fixes several security issues, including a possible buffer overflow in mod_lua and server-side request forgery vulnerability in forward proxy configurations.
• nginx unit 1.26.1 was made available on 2 December and fixes several bugs introduced in the 1.26.0 release.
• Lighttpd 1.4.62 and 1.4.63 were released in quick succession at the start of December and include many minor changes and bugfixes.
• Apache Tomcat 9.0.56, 10.0.14, and 10.1.0-M8 (alpha) were released on 2 December.

Continue reading

In the November 2021 survey we received responses from 1,175,392,792 sites across 267,027,794 unique domains and 11,525,855 web-facing computers. This reflects a loss of 4.06 million sites, but a gain of 1.60 million domains and 137,000 computers.

nginx gained the largest number of domains (+741,000) and web-facing computers (+81,300) this month and continues to lead in both metrics with market shares of 30.1% and 37.3%.

Further down in the market, there was also a noticeable increase in the total number of web-facing computers running LiteSpeed, which went up by 11,200 to 101,000 (+12.5%), although this resulted in only a 1.44% increase in domains. These counts include sites that run on LiteSpeed Web Server and its open source variant, OpenLiteSpeed, both of which exhibit the same “LiteSpeed” server banner.

Both nginx and Apache lost nearly 4 million hostnames each, reducing their sites market shares to 34.7% and 24.4%. Meanwhile, Cloudflare gained 1.15 million sites, which has taken its total up to 58.6 million (+2.00%) and increased its sites share to 4.99%.

nginx and Apache also suffered losses amongst the top million websites, paving the way for Microsoft to increase its presence by 2,369 sites (+3.75%). Microsoft web server software is now used by 65,600 of the top million sites, but Apache is still the most commonly used web server in this sector, with 240,000 of the top million sites using it, and nginx is not far behind with 224,000.

Apache 2.4.49 vulnerability

Following last month’s news of a path traversal vulnerability in Apache 2.4.49 being actively exploited in the wild, this month’s survey shows that more than 11 million websites had server banners containing “Apache/2.4.49” before a fix was released. The only other version vulnerable to attack was Apache 2.4.50, which failed to fix the vulnerability properly – but this version was released after the survey ran and was promptly replaced with Apache 2.4.51, where the vulnerability was resolved properly.

The true number of websites that were vulnerable during the survey period is likely to have been much greater than the 11 million websites that openly reported themselves to be running Apache 2.4.49, as nearly two-thirds of all Apache-powered websites do not reveal a version number in their server banners. This configuration is often a deliberate act towards security through obscurity, although attackers can often deduce precise version numbers by carrying out additional tests. There may also have been additional vulnerable instances of Apache 2.4.49 hidden behind frontend load balancers or content delivery networks such as Cloudflare.

Conversely, some websites running on Apache 2.4.49 may not have been vulnerable if they used an appropriately configured web application firewall that prevents path traversal attacks. More generally, the true number of web servers that contain a version-specific vulnerability can also be masked by future backported security patches, which typically fix vulnerabilities without changing the apparent version number of the software. From an external perspective, a server might appear to be running a vulnerable software version but may not actually be vulnerable to the issues affecting that version.

Vendor news

• LiteSpeed Web Server 6.0.11 was released on 10 November. This is the latest version in the LSWS 6.0 stream and includes improvements in HTTP/2 and HTTP/3 throughput, new support for WebSocket proxy targets in rewrite rules, and several bugfixes.
• Microsoft has announced new Azure Bounty Program rewards of up to $60,000 to encourage and reward research into vulnerabilities that would have the highest potential impact on the security of its customers.
• nginx 1.21.4 mainline was released on 2 November. This version includes some new features and changes relating to TLS and HTTP/2.
• Lighttpd 1.4.61 was released on 28 October to address a number of bugs. Lighttpd is used by 245,000 unique domains in this month’s survey.
• njs 0.7.0 was released on 19 October to add HTTPS support for its Fetch API, along with a few other new features and bugfixes.
• Apache Tomcat 9.0.54, 10.0.12 and 10.1.0-M6 (alpha) were released on 1 October, followed by Tomcat 8.5.72 on 6 October.
• Cloudflare Pages now supports custom headers natively, without having to use Cloudflare Workers. This makes it easier for developers to add best-practice security headers and others to their JAMstack applications.
• Cloudflare for SaaS is now generally available to all, following a beta launch earlier in the year.

Continue reading

In the October 2021 survey we received responses from 1,179,448,021 sites across 265,426,928 unique domains and 11,388,826 web-facing computers. This reflects a loss of 8.59 million sites, but a gain of 1.07 million domains and 20,800 computers.

The number of unique domains powered by the nginx web server grew by 789,000 this month, which has increased its total to 79.5 million domains and its leading market share to 29.9%. Conversely, Apache lost 753,000 domains and saw its second-place share fall to 24.7%. Meanwhile, Cloudflare gained 746,000 domains – almost as many as nginx – but it stays in fourth place with an 8.15% share while OpenResty's shrank slightly to 14.5%.

Cloudflare also made strong progress amongst the top million websites, where it increased its share by 0.24 percentage points to 18.2%. nginx is in second place with a 22.5% (+0.12pp) share but has closed the gap on Apache which still leads with 24.0% after losing 0.21pp.

Apache also continues to lead in terms of active sites, where it has a total of 48.0 million. However, it was the only major vendor to suffer a drop in this metric, with a loss of 277,000 active sites reducing its share down to 23.9% (-0.29pp). In terms of all sites, nginx lost the most (-9.99 million) but remains far in the lead with a total of 412 million.

Apache vulnerability being actively exploited in the wild

Apache 2.4.51 was released on 7 October. This is the latest release in the 2.4.x stable branch, which the developers consider to be the best available version of the Apache HTTP Server; but more importantly, this release fixes a path traversal vulnerability present in Apache 2.4.49 and 2.4.50. Apache 2.4.50 was itself released a day earlier in an attempt to fix the vulnerability present in 2.4.49, but the fix was found to be insufficient.

The vulnerability is being actively exploited in the wild, so anyone still running an unpatched Apache 2.4.49 or 2.4.50 installation should upgrade immediately. In some cases, the path traversal vulnerability could facilitate remote code execution on the web server.

Due to the nature of this vulnerability, some otherwise vulnerable installations may be immune to attack if a web application firewall (WAF) is in place, or if a frontend proxy or load balancer modifies malicious requests in a way that makes them safe. For instance, all vulnerable Apache installations served via the Cloudflare content delivery network would have been protected from the outset if Normalize URLS to origin were enabled, and the Cloudflare WAF has rules that would have stopped many exploit attempts.

Other vendor and hosting news

• During September, Microsoft released fixes for three elevation of privilege and one remote code execution vulnerabilities in the Open Management Infrastructure (OMI) framework, which is used by several Azure Virtual Machine management extensions. The remote code execution vulnerability can only affect customers using a Linux management solution with remote OMI enabled. A full list of the vulnerable extensions and update availability is being maintained on the Microsoft Security Response Center blog.
• Microsoft announced the general availability its Azure Purview data governance solution on 28 September.
• On 5 October, Microsoft removed the waiting list for its Azure NetApp Files bare-metal cloud file storage and data management service.
• lighttpd 1.4.60 was released on 3 October. This version includes a large number of changes, including several bugfixes and improved handling of HTTP/2 connections.
• LiteSpeed Web Server 6.0.9 was released on 20 September to address several bugs and add a new log rotation feature. OpenLiteSpeed 1.7.14 – the open source edition of LiteSpeed Web Server Enterprise – was released on 7 September.

Continue reading