In the September 2016 survey we received responses from 1,285,759,146 sites and 6,118,785 web-facing computers, reflecting large gains in both metrics: 132 million additional sites, and 138,000 more computers.

Microsoft made up the majority of this month's website growth, with the largest gain of 97 million sites, although it showed only modest increases of 5,200 web-facing computers and 693,000 active sites.

Apache was responsible for most of this month's additional web-facing computers, increasing its count by 87,000 to 2.8 million (+3.2%). Similarly, nginx made a 3.0% gain of 30,000 computers. However, Microsoft's 0.3% gain was not enough to stop its share falling by half a percentage point to 25.3% as a result of the gains made by Apache and nginx.

Although nginx made a healthy gain in web-facing computers, it lost more than 5 million active sites and 5,600 sites within the top-million. 27.6% of the busiest million sites now use nginx (-0.56 pp from last month), while Apache retains its lead with a 42.5% share.

Along with nginx, all of the major web server vendors suffered losses within the top million sites, largely due to the growth of OpenResty this month. More than 10,000 of the top million sites are now using OpenResty, compared with fewer than 4,000 last month, after millions of Tumblr blogs switched from nginx. As well as tumblr.com, basecamp.com — the home of the Basecamp web-based project management tool — ranks amongst the most visited sites to use OpenResty.

Tumblr's adoption of OpenResty has caused the web server to leap up the rankings to become the seventh largest web server vendor by websites, and fifth by active sites. This month, 87% of all OpenResty sites appear under the tumblr.com domain.

Although most OpenResty sites reside under the tumblr.com domain, the number of unique domains using OpenResty also increased noticeably this month.

Switching from nginx to OpenResty is not such a paradigm shift as moving to, say, Apache or Microsoft IIS. The OpenResty web application platform is built around the standard nginx core, which offers some familiarity, as well as allowing the use of third-party nginx modules. One of the key additional features provided by OpenResty is the integration of the LuaJIT compiler and many Lua libraries – this gives scope for high performance web applications to be run completely within the bundled nginx server, where developers can take advantage of non-blocking I/O.

Another web server that has gained prominence over the past year is Cowboy, a small and fast modular HTTP server written in Erlang. Optimised for low latency and low memory usage, it is currently the fifth most common web server software installed on web-facing computers that accept HTTP connections. Most of the computers used by Cowboy servers are powered by the Heroku Cloud Application Platform and hosted at Amazon Web Services.

In the August 2016 survey we received responses from 1,153,659,413 sites and 5,980,524 web-facing computers. This reflects an increase of 80 million sites, but a loss of 78,000 computers.

While the overall number of sites increased this month, this growth was not felt evenly by each web server vendor: Microsoft gained the largest number of sites with an increase of 66 million, while second-placed Apache lost 41 million sites. Tengine, the nginx-based web server from Chinese online shopping giant Taobao, gained 28 million sites.

Whilst there were large changes in total number of sites, these were accompanied by much more modest changes in active sites – a more stable metric designed to ignore automatically generated bulk content. Apache and Microsoft both suffered small drops in the number of active sites, -0.5% and -0.8% respectively, whilst Tengine and nginx gained 120,000 (7.3%) and 81,000 (0.2%).

The majority of this month’s drop in web facing computers were running Apache, with a decrease of just over 107,000 (3.8%) using the open-source server. One of the primary contributors to this drop was the loss of a large number of consumer-NAS devices running Apache. While these devices have steadily increased in number since the start of 2016, this month has seen a marked decline. These devices are mostly connected via home internet lines and are therefore likely to come and go from month to month. As a result, the Apache losses this month are spread over a large number of consumer ISPs. On the other hand, Apache continued to see growth amongst web hosting providers.

A gain of 24,000 web-facing computers for nginx, the largest gain in web facing computers this month, once more boosts its market share, which now stands at 17.0%. Microsoft also experienced a small increase in market share, despite its loss of 4,000 web-facing computers, given Apache’s large loss this month.

Windows Server 2016 — which will be the main platform for Microsoft IIS 10.0 — is edging closer to its official launch at Microsoft's Ignite conference in September. In the meantime, developers can try out many of the new features in IIS 10 by either installing the latest Windows Server 2016 Technical Preview 5, or by installing the self-contained IIS 10.0 Express on Windows 7 SP1 or later.

More than 11,000 websites are already using Microsoft IIS 10.0, with almost all of these sites using a version of Windows Server 2016.

The previous month saw two new releases of the mainline version of nginx, mostly incorporating bug fixes and feature additions, while the release of Apache 2.4.23 addressed a security issue which could have allowed clients to gain unauthorised access to protected resources if a server was configured to use HTTP/2.

Several web servers were also updated following the disclosure of a set of vulnerabilities dubbed httpoxy. These vulnerabilities can affect web applications running in CGI or CGI-compatible environments.

The vulnerability stems from a simple namespace conflict where the client-provided HTTP Proxy header was placed into an HTTP_PROXY environment variable as is the custom for CGI applications; but where HTTP_PROXY was trusted by the application and used to configure an outgoing proxy.

This type of vulnerability was first discovered in libwww-perl more than 15 years ago, but in July it was found to be still exploitable in PHP and many other modern languages and libraries. Successful exploitation of these issues could allow a remote attacker to proxy outgoing HTTP requests made by a vulnerable web application, which may expose sensitive data.

To mitigate the httpoxy vulnerability, Apache 2.4.24-dev avoids populating the HTTP_PROXY variable from a Proxy header in httpd CGI environments. Similar mitigations have also been implemented in Lighttpd 1.4.41 and LiteSpeed, while nginx and Varnish have published mitigation advice.

In the July 2016 survey we received responses from 1,073,777,722 sites and 6,058,513 web-facing computers. This reflects an increase of 28 million sites and 107,000 computers.

Microsoft and Apache continue to fluctuate between 1st and 2nd places for total number of websites, with Microsoft retaking the lead again this month after an increase of 36 million sites, and the loss of 20 million Apache sites. However, it is only in the hostnames metric that Microsoft leads, with Apache coming out on top by a considerable margin in all other areas - active sites, domains, IP addresses and web-facing computers.

Looking at the number of active sites, a more stable metric created by Netcraft to ignore automatically generated bulk content, Apache leads with a 46.4% market share. nginx is the second most popular vendor, with a 21.8% market share, and is the only major vendor to consistently gain share in recent months. A similar percentage of both Apache’s and nginx’s sites are deemed to be active, 23.7% of Apache sites and 22.1% for nginx. In comparison, only 4.5% of sites using Microsoft server software are considered active, leaving Microsoft in 3rd place by this active sites metric with a 9.8% market share.

Apache, Microsoft and nginx all gained web-facing computers this month; however, nginx once again saw the only increase in market share. nginx gained 46,000 computers, a growth of 4.8% on last month, and now stands just shy of 1 million web-facing computers. Apache and Microsoft gained 31,000 and 11,000 computers.

nginx also continues to gain market share among the top million busiest websites, where it is now used by 27.9% of sites. Apache, while still holding a dominant position, continues to slowly lose market share, falling 0.55 percentage points to 43.2%.