In the April 2022 survey we received responses from 1,160,964,134 sites across 271,960,629 unique domains and 11,974,636 web-facing computers. This reflects a loss of 8.66 million sites and 217,000 domains, but a gain of 97,400 computers.

Amongst the top ten vendors, nginx gained the largest number of domains and computers this month, maintaining its lead in both of these metrics. Its net growth of 537,000 domains has taken its total up to 73.8 million domains and increased its market share in this metric to 27.1%. Coupled with a net loss of 573,000 domains powered by Apache, this has culminated in nginx’s market share lead over Apache being extended from 3.63 percentage points to 4.04.

The number of web-facing computers running nginx grew by 80,200 (+1.78%), pushing its market share up to 38.3% while Apache’s fell to 29.0%. nginx also continues to have the largest market share of sites (31.1%), despite losing more than half a million this month.

Within the top million websites, Cloudflare made the largest gain of 3,350 sites as it continues to edge its way up towards the leaders. Apache is currently still in the lead with 229,000 sites in the top million, but lost 1,700 this month; and nginx is in second place with 218,000 sites after losing 2,250. Cloudflare now has 199,000 sites and looks set to overtake both nginx and Apache by the end of the year if it maintains this pace of growth. Amongst all websites, Cloudflare lost 38,400 sites but gained 115,000 domains.

OpenResty was the major vendor that gained most sites this month, increasing its total by 1.47 million to 93.0 million (+1.61%), and it also gained 6,890 web-facing computers.

While most of the top vendors lost active sites this month, Pepyaka made a significant gain of 1.22 million active sites (+27.6%). This server is predominantly used by the Wix web development platform, which switched from using nginx in 2018. It is currently the 8th most commonly used web server by active sites, and 11th by sites. Similarities in the version numbering since 2018 suggest Pepyaka is likely based on mainline releases of nginx.

Further down the field, GHS gained 1.08 million (+36.7%) sites and 554,000 (+35.5%) domains. GHS (Google Host Server) is one of Google’s proprietary web servers, which can be used by sites registered through Google Domains. It is also still used to redirect traffic from googlepages.com sites that were created with Google Page Creator. When this website creation service shut down in 2009, existing pages were migrated to Google Sites, which hosts user content in subdirectories under the sites.google.com hostname.

Vendor news

• Apache Tomcat 8.5.78, 9.0.62, 10.0.20 and 10.1.0-M14 (alpha) were released on 1 April 2022. Amongst other changes, all of these releases include a mitigation for a Spring Framework vulnerability (CVE-2022-22965) that could make some Tomcat servers vulnerable to remote code execution attacks.
• Tomcat Native 1.2.32 was released on 22 March 2022. This is an optional component for use with Apache Tomcat that can provide better performance and compatibility by allowing Tomcat to use certain native resources.
• njs 0.7.3 was released on 12 April 2022. This is the JavaScript-based scripting language that can be used to extend the functionality of nginx, and the latest version now allows the host environment to control how imported modules are loaded.
• OpenResty 1.21.4.1 RC3 was released on 18 April 20202. This includes some bugfixes and uses a newer version of the LuaJIT 2 compiler.
• Microsoft Azure now offers a bring your own IP address (BYOIP) feature with Custom IP Prefix that lets customers bring their own public IPv4 address ranges to Azure in all public regions. These ranges can then be associated with Azure resources, interact with private addresses and VNETs within Azure’s networks, and reach external destinations via Microsoft’s Wide Area Network.
• Cloudflare’s Magic Transit DDoS mitigation solution now offers a new mode (On Demand + Flow-based Monitoring) that integrates Kentik Protect to automatically detect attacks.
• Finally, have you noticed fewer CAPTCHAs on the web? Cloudflare has reduced the number of CAPTCHAs it serves by 91% over the past year, and now plans to stop using them altogether.

Continue reading

In the March 2022 survey we received responses from 1,169,621,187 sites across 272,177,331 unique domains and 11,877,217 web-facing computers. This reflects a loss of 4.00 million sites, but a gain of 977,000 domains and 103,000 web facing computers.

Cloudflare gained the largest number of sites, with 1.32 million more than in the February survey. Its growth was also consistent across other metrics, having gained +176,000 domains (+0.77%) and +256,000 active sites (+1.24%), with an extra 0.12pp share of the top one million sites.

nginx, the current leader by most metrics, had a particularly strong growth in terms of domains, having gained 978,000 domains (+1.35%) this month—the largest gain of any vendor in this metric. Though it lost 2.98 million sites, it appears to be serving more interesting content overall, as measured by a 158,000 increase in its number active sites. It also gained the most additional web-facing computers out of all vendors this month, with 39,300 more than the previous month. OpenResty, which uses nginx, is serving 62,300 more active sites and now counts towards an additional 441 of the top one million sites. OpenResty was also counted on 6,640 more computers (+5.04%) than last month.

Apache has the greatest number of active sites and, by a narrow 1.03pp margin over nginx, the greatest share of the top one million sites. However, it shrunk in both of these metrics, losing 583,000 active sites and 2,130 of the top one million. Apache lost out in most other metrics too, with 756,000 fewer domains and just over 5 million fewer sites. It did, however, gain a few more computers over last month, but nginx’s large growth meant that Apache still lost market share in this measurement.

Microsoft saw declines in all metrics this month, losing 3.22 million sites (-7.13%), 156,000 domains (-1.75%), 118,000 active sites (-1.88%), and 7,620 computers (-0.57%). Microsoft also lost 1,000 sites from its share of the top million.

Although one of the smaller web servers on the market, LiteSpeed has frequently shown strong and consistent growth, with this month being no exception. It had the largest sites and active sites growth of all web servers in the March 2022 survey, gaining 1.92 million sites and 277,000 active sites.

Vendor news

• Apache released version 2.4.53 of their httpd web server. This version contains security fixes for four different CVEs. The release also brings a number of general bug fixes. Apache also released bug patches for several versions of Tomcat.

• OpenSSL released versions 3.0.2 and 1.1.1n of their cryptography library in order to patch against a high severity denial of service vulnerability. OpenSSL is used by both Apache and nginx, which together account for a majority of all sites, domains, and web-facing computers.

• Microsoft Azure has expanded to a new region in the North of China. Microsoft’s share of the web server software market is much larger in China compared to the rest of the world, with 16.5% of active sites, 20.1% of domains, 13.4% of sites, and 15.0% of web-facing computers.

Continue reading

In the February 2022 survey we received responses from 1,173,621,471 sites across 271,199,972 unique domains and 11,774,714 web-facing computers. This reflects a gain of 5.91 million sites, 1.36 million domains and 73,800 computers.

OpenResty experienced the strongest growth this month, both in overall sites and domains, with increases of 10.4 million sites and 546,000 domains. This represents a large 13.0% increase in its number of sites, but a more modest 1.4% increase in domains. Its market share in the domains metric now stands at 15.1%, an increase of 0.13 percentage points since January.

nginx closely followed OpenResty with a growth of 538,000 domains, helping it to maintain its leading 26.7% market share. nginx also saw strong growth in web-facing computers, which increased by 53,500. In contrast to its gains in these metrics, nginx lost 12.1 million sites this month (-3.2%), however it retains its position as the most commonly used web server with 31.1% of all sites using it.

Cloudflare continues to make strong gains amongst the million busiest websites, where it saw the only notable increases, with an additional 3,200 sites helping to bring its market share up to 19.4%. Apache, Microsoft and nginx all experienced losses in this metric; however, Apache and nginx still hold the top two positions with market shares of 23.3% and 22.1%.

Vendor news

• Apache Tomcat 9.0.59, 10.0.17 and 10.1.0-M11 (alpha) were released on 28 February 2022. Some of the notable changes are common between all three versions, including resolving a regression in a fix for a race condition, and improving the detection of the Linux duplicate accept bug.
• nginx 1.21.6 mainline was released on 25 January 2022. This version contains three bugfixes and no new features.
• njs 0.7.2 was also released with several core bugfixes on 25 January 2022. njs is the subset of the JavaScript language that can be used to extend nginx functionality.
• Cloudflare has agreed to acquire Area 1 Security with the intention of integrating Area 1’s technology into its global network to protect customers from email-based security threats.
• Lighttpd 1.4.64 was released on 19 January 2022. This includes numerous changes, including a security fix for a buffer overflow vulnerability that would have been unlikely to affect most configurations.

Continue reading

In the January 2022 survey we received responses from 1,167,715,133 sites across 269,835,071 unique domains and 11,700,892 web-facing computers. This reflects a loss of 1.15 million sites, but a gain of 1.51 million domains and 31,100 computers.

nginx lost 7.33 million sites this month (-1.91%) but continues to be the most commonly used web server with 32.3% of all sites using it. Although nginx’s share has fallen, Apache is still more than eight percentage points behind after losing 3.70 million sites (-1.31%), which has taken its own market share down to 23.9%.

nginx also leads in the domains metric, where it has a share of 26.6% compared with Apache’s 23.9%. This reflects a small reduction in nginx’s share – despite a modest gain of 25,400 domains – while Apache suffered the largest loss of 287,000 domains.

The largest site and domain growth was seen by Pepyaka, which is a web server that has primarily been used by the Wix web development platform since it switched from using nginx in 2018. The number of sites using Pepyaka grew by 4.02 million to 7.30 million this month, while its domain count went up by 1.80 million to 3.30 million.

The next largest domain growth was seen by OpenResty, which gained 686,000 domains this month, and 1.34 million sites in total. The second largest site growth was seen by Microsoft, which gained 2.46 million sites and now accounts for 4.86% of all sites and 5.00% of all domains.

Constraining the view to active sites, Apache is still the most commonly used web server, but its market share has fallen slightly to 23.4% after losing more than half a million active sites this month. Meanwhile, nginx gained 230,000 active sites and has increased its share to 20.2%.

Apache also maintains a slight lead in the top million websites, where it is used by 235,000 sites compared with 222,000 for nginx. However, Cloudflare has increased its presence by a further 4,959 sites and is now not too far behind with a total of 191,000. If this trend continues, Cloudflare could soon overtake both nginx and Apache to become the most commonly used top-million web server.

Looking at web-facing computers, nginx’s strong growth continues unabated. This month it is being used by an additional 32,700 web-facing computers and its market share has increased to 37.7%. Its lead over Apache was further extended by Apache’s loss of 29,100 computers, which sent Apache’s share down to 29.9%.

Vendor news

• Apache 2.4.52 was released on 20 December 2021. This is the latest release from the 2.4.x stable branch and includes two security fixes amongst a host of other changes.
• Apache Tomcat 9.0.56, 10.0.14 and 10.1.0-M8 (alpha) were released on 8 December 2021. Each of these versions include a fix for a known operating system bug that could cause incoming connections to be reported more than once.
• nginx 1.21.5 was released on 28 December 2021. This is the latest release in the mainline branch of nginx and is now built with the PCRE2 library by default.
• njs 0.7.1 was also released on 28 December 2021. This release includes several bugfixes and some other changes to ensure that njs scripts use the same regular expression library as nginx.
• Microsoft has mitigated an insecure default behaviour in the Azure App Service that inadvertently exposed hundreds of source code repositories. The team that found the vulnerability noted that it had existed since September 2017 and has probably been exploited in the wild. The problem could have impacted PHP, Node, Ruby, Python and Java applications that serve static content, as well as some Azure App Service Linux applications that were deployed using Local Git after files were created or modified in the content root.
• Cloudflare has introduced a new product called Bulk Redirects, which lets website administrators upload and enable large numbers of URL redirects. These were typically implemented with Page Rules before, which are limited to a maximum of 125 redirects.
• OpenResty 1.21.4.1 RC1 was released on 16 December 2021. This version is based on nginx 1.21.4 and adds several new features including support for BoringSSL.

Continue reading