Web Server Choices for Performance and Security

In March of 2003, a survey conducted by Netcraft (http://news.netcraft.com) of active websites showed that Apache ran on 62.51 percent of the web server computers surveyed. Apache's nearest competitor, Microsoft's Internet Information Services (IIS), ran on 27.44 percent of the server computers. (IIS is not available for Linux.) Thus, it should come as no surprise that discussions of web servers in Linux, including most of this chapter, focus on Apache. Nonetheless, there are alternatives to Apache, and many of them have advantages over Apache. Some servers are smaller and, therefore, consume less RAM; some are optimized to serve web pages more quickly than Apache can; and some offer features that Apache doesn't offer.

Perhaps one of the strongest reasons to use an alternative to Apache is to diversify the Internet's installed base of web servers. When an important infrastructure component, such as web server software, comes to be dominated by just one product, the result is known as a monoculture. Monocultures are risky because a security problem can quickly lead to a huge number of servers being compromised. For instance, a worm written to take advantage of a hypothetical Apache vulnerability could quickly spread to most web servers, crippling the Web as a whole. If fewer server computers ran Apache, this same worm would spread less quickly and infect fewer computers.

If you want to run a Linux web server, you have surprisingly many choices. A very incomplete list includes:

Apache Naturally, Apache heads the list of Linux web servers. Most of this chapter focuses on Apache. Check its web page at http://httpd.apache.org for more information, or read a book on the server, such as Charles Aulds' Linux Apache Server Administration, 2nd Edition (Sybex, 2002). As I write, Apache 2.0.44 is the current version, but the 1,3.x series remains popular. The differences between the two are small by the standards of this chapter's coverage, but many Apache administrators have carefully tweaked their configurations and don't want to disrupt their setups with an upgrade that modifies the way

Apache handles features that are key for them but may not be critical for others.

Roxen This web server is one of Apache's closest competitors in terms of features. It includes a web-based configuration tool, which may make it more appealing than Apache to some new administrators. Although Roxen is a commercial product, a free version with some limitations is available. Consult its web page, http://www.roxen.com, for more information.

thttpd The Tiny/Turbo/Throttling HTTP Server (thttpd; http://www.acme.com/software/ thttpd/thttpd.html) is designed as a lightweight server for sites that don't need all of Apache's features. By shedding support for features such as Secure Sockets Layer (SSL) security, thttpd can be much smaller than Apache—roughly 90KB, versus about 300KB for Apache. The thttpd developers claim that their server can outperform Apache by a wide margin, but this comparison was to the older 1,3.x Apache, and they also point out that few sites need that sort of speed.

Zeus This product is a fairly popular commercial web server for Linux. It's pricey, at $1700 for the standard version in early 2003, but its developers claim it's faster than Apache. Read more on its web page, h ttp ://www. ze u s. co. u k/prod u cts/zws/.

Kernel-Based Web Servers At their core, web servers perform a very simple task: They transfer data from the disk to the network. This task is so simple that various projects exist to implement web server features in the Linux kernel. This approach can greatly improve web server efficiency by cutting out a user-level process (the traditional web server). One of these projects, kHTTPd, is a standard part of 2.4.x and later kernels. Kernel-based servers, though, can't handle complex tasks such as dynamic content. Furthermore, by moving extra code into the very sensitive kernel, they have the potential to reduce the reliability of the computer.

Note Search on Sourceforge (http://sourceforge.net) or perform a web search to locate many additional web server options for Linux. The thttpd website includes some performance statistics on various web servers at http://www.acme.com/software/ thttpd/benchmarks.html, although as I write, these results aren't very recent.

Overall, Apache is the simplest choice for most users. All major Linux distributions ship with Apache, and it works with few or no modifications for many simple sites. The thttpd server can also be a good choice if you don't need Apache's features or if you're running on a particularly underpowered computer; however, you may need to hunt it down and install it. Although thttpd isn't harder to configure than Apache, distributions don't support it as well, and because few people use it, you may find it harder to get support on Usenet newsgroups or the like. Kernel-based servers also offer advantages when your server is straining under the load and you can't afford to upgrade the hardware. Roxen and Zeus are both worthy competitors to Apache at the high end, but their commercial or semicommercial nature makes them less practical for sites operating on a tight budget.

Team LiB

Team LIB

^ previous

Was this article helpful?

0 0

Post a comment