The Apache Open Source Webserver

As businesses move their IT infrastructure to a web services model, the need for powerful and reliable web server software is becoming ever more crucial. Apache is the world's leading web server. Surveys conducted by NetCraft indicate that for a number of years, Apache has been the server software chosen by a majority of users. At the time of writing it runs on around 65% of all web servers – about 10 million at present. This link should show current figures and trends from Netcraft.

Why do so many people rely on Apache? Apache has all the advantages that serious users have come to expect from Open Source software: reliability, security through auditability, flexibility, efficiency, standards compliance, and low cost.

Migrating to Apache

Apache is available for a wide range of operating system environments (platforms); all of the mainstream Unix derivatives are supported as are many of the Microsoft environments. Bundled installers like Foxserv have made it easy for Windows users to install Apache, MySQL, PHP, Perl and associated products, increasing their popularity outside the pure Open Source arena. The bundle is entirely free-of-charge and imposes no licence comliance, being freely copiable. Foxserv can be downloaded relatively quickly; the whole package (April 2003) is under 50MB.

This bundle of tools has led to acronyms like LAMP (Linux, Apache, MySQL, Perl/PHP/Python) and WAMP (Windows, Apache, MySQL, Perl/PHP/Python) being coined. They permit easy cross-platform development and the deployment of database-driven websites and intranets. Developers can use the desktop environment that are most familiar with (often Windows-based), test their applications locally, then deploy them on GNU/Linux or Unix-based servers for performance, security and reliability.

For many organisations, the adoption of cross-platform tools such as the LAMP/WAMP collection has been their first exposure to Open Source software at enterprise level. It is a simple and effective way of discovering what Open Source software has to offer and requires very little investment since it can be used on an existing infrastructure with almost no cost of change. This is almost the perfect migration exemplar. To judge by numerous news and howto articles, the industry has agreed.

Reliability

Apache has long proven to be among the most reliable of web servers. Netcraft measure web site uptimes, and list a league table of the top fifty longest running sites. At the time of writing Apache drives all but four of them. Many high-profile sites (The Register, Amazon, Verio, Hewlett-Packard, IBM, Deutsche Bank, European Central Bank, Abbey National) choose Apache because its uptime is usually limited only by the reliability of the underlying operating system. Moreover, many of these sites must handle many millions of HTTP clients each day.

Security

It is extremely hard (if not impossible) to guarantee that any complex piece of software is free of security vulnerabilities. However, high-quality software is carefully written to minimise both the likelihood and the severity of security flaws. Apache falls into this category. Though it has contained vulnerabilities, they have tended to be relatively minor, easy to fix, and few in number.

The fact that Apache is open-source software constitutes a significant advantage in this respect. As with all open-source software, Apache has large numbers of people using the software, discovering bugs in it, auditing it, and ultimately correcting it – and note that availability of source code is crucial in this respect.

It is instructive to compare this situation with that for Microsoft's IIS, Apache's nearest competitor in terms of market share. IIS has had a number of bugs which permit remote attackers to execute any program on the server, and these bugs have been widely exploited. One such exploit was the so-called ‘Code Red’ worm, which defaces pages on infected machines. Once Code Red has infected a susceptible IIS server, it aggressively tries to search out other machines to infect. This leads to an explosive growth in both the number of machines infected and the amount of network bandwidth devoted to this worm's self-propagation. Later, more virulent strains of Code Red also enabled attackers to acquire system-level access to compromised machines.

The effects of the Code Red worm were serious. Many high-profile websites — including some machines running Microsoft's own Hotmail service — were compromised. Some analysts estimated the costs of the damage caused world-wide to be in the billions of dollars, and while this may be an over-estimate, it is undeniable that the costs were significant. In the wake of these events, the respected analysis firm Gartner advised that “enterprises hit by both Code Red and Nimda [another IIS-targeting worm] immediately investigate alternatives to IIS, including moving Web applications to Web server software from other vendors, such as iPlanet and Apache.” (Gartner Group ‘ditch IIS’ report.)

Flexibility

Apache is extendable through the concept of ‘modules’; a form of plug-in that can be added to extend the server's capabilities. As supplied it typically comes bundled with modules that support PHP, Perl, CGI scripting, secure sockets, URL rewriting, URL spelling correction and numerous other facilties which you might choose to consider as either basic essentials or useful extensions. Providing built-in support for server-side language such as PHP and Perl gives noticeable performance benefits yet leaves the door open for others to be added as suitable. Apache runs on a wide range of platforms, both Open Source and proprietary.

Performance

Apache was not designed specifically as a high-performance webserver but in practice delivers mre than enough power for all normal commercial requirements. Performance of the server software is almost never an issue in most applications and we would advise against taking this to be an important or even relevant question. The fact that so many high-profile misson-critical sites (c.f. Amazon.com and the others) run with Apache is probably evidence enough of its performance.

Standards compliance

Full HTTP/1.1 implementation. Commitment to track future web standards. Earliest HTTP/1.1 server used in the wild; exposed client implementation bugs in IE, JDK, Navigator, AOL, etc.

Low cost

As an open-source application, Apache may be freely downloaded from the Internet for the cost of the download. Most serious users are well aware that initial purchase cost is a small part of the total cost of ownership of a piece of software. However, the inherent insecurity of many of Apache's competitors, including IIS, means that system-administration staff must spend significant amounts of time tracking and installing security patches. Apache's superior security record means that both its initial purchase cost and its total cost of ownership are low.

The Apache Projects

Home