If you host a website, chances are good that you are running either Apache or Internet Information Services (IIS). They are by far the two most common web server platforms, between them commanding about 70% of the market.
They each also have their passionate supporters and haters. In fact, IIS vs. Apache flame wars are many times really spillover or proxy tirades of ‘Microsoft vs. Linux’. A compare-and-contrast exercise between the two web servers should be as objective as possible, which is what we’ll try and do here and not get drawn into personal preferences and emotional-laden outbursts.
Apache, or to use its full royal title The Apache HTTP web server, is an open source Web server application managed by the Apache Software Foundation. The server software is freely distributed, and the open source license means users can edit the underlying code to tweak performance and contribute to the future development of the program – a major source of its beloved status among its proponents. Support, fixes and development are handled by the loyal user community and coordinated by the Apache Software Foundation.
Although Apache will run on all major operating systems, it is most frequently used in combination with Linux. These two, combined with MySQL database and PHP scripting language, comprise the popular LAMP Web server solution.
Apache is the clear leader in the web server market, accounting for just under 42% of the total market, according to a Feb 2014 Netcraft survey. However, that’s not the whole story, as this figure represents a large, worrying, sustained drop, from about 54% in June 2013 and 59% in 2010. Most of this loss has been to its number one rival IIS, but also a bit to the best-of-the-rest - Nginx.
Feature-wise, Apache boasts an impressive repertoire. Many features are implemented as compiled modules to extend the core functionality. These can range from server-side programming language support to authentication schemes. Some common language interfaces support Perl, Python, Tcl, and PHP. Popular authentication modules include mod_access, mod_auth, mod_digest, and mod_auth_digest, the successor to mod_digest. A sample of other features include Secure Sockets Layer and Transport Layer Security support (mod_ssl), a proxy module (mod_proxy), a URL rewriter (mod_rewrite), custom log files (mod_log_config), and filtering support (mod_include and mod_ext_filter). Apache also supports virtual hosting, which enables one machine to host and simultaneously server several different websites, and a number of good, well-developed GUI interfaces. Another notable feature is webpage compression to reduce their size over http. This is also achieved by an external module, one called mod_gzip. And security is one of Apache’s noted strengths.
When it comes to performance, conventional wisdom has it that Apache is just OK, a bit better than IIS but quite a bit slower than its main open-source rival Nginx. This has been borne out by objective tests. Though by no means slow for most general tasks, Apache is still held back by two of its main features:
Feature bloat: Apache is frequently compared to MS Word – an extremely feature-rich application in which 90% of users only use about 10% of the features on a regular basis.
Apache is a process-based server, unlike many of its rivals that are event-based or asynchronous in nature. In a process-based server, each simultaneous connection requires a separate thread and this incurs significant overhead. An asynchronous server, on the other hand, is event-driven and handles requests in a single or very few threads.
IIS (Internet Information Services) is Microsoft’s web server offering, playing second fiddle to market leader Apache. As is expected of a core Microsoft product, it only runs and is bundled on Windows operating systems, but is otherwise free for use. It is a closed software product and supported by solely by Microsoft. Although development is not as open and quick as the open-source user-supported nature of Apache, a behemoth like Microsoft can throw formidable support and development resources at its products, and IIS has fortunately benefitted from this. Actually it is one of the few Microsoft products that even its detractors (grudgingly) agree can stand toe-to-toe with its open source rival and even trounce it soundly in some areas. There is a lite version called IIS Express that has been installable as a standalone freeware server from Windows XP SP3 onwards. But this version only supports http and https.
Solid feature, performance and security improvements over the years have meant that IIS has steadily improved and gained ground and market share on Apache, from about 21% in 2010 to about 32% as at Feb 2014. Security has been one area of significant gain, making huge leaps from the days of IIS 6.0’s vulnerability to the infamous Code Red worm. All is not yet perfect however; for instance IIS has been called out as still being poor at supporting PFS (Perfect Forward secrecy) – a property of key cryptography that ensures a long-term key will not be compromised if a single component session key is compromised or broken. Still, the IIS-Apache security comparison may not be fair to IIS. IIS vulnerability may also be largely blamed on its operating system parent since most malware targets Windows, and Linux (Apache’s main choice of OS) is itself an offshoot of the inherently iron-clad Unix OS.
Like Apache, IIS also utilizes external web extensions to implement some features. For example FTP publishing, application request routing, media services and URL rewriting are all new features introduced in IIS 7.5 via extensions. And IIS offers strong support for the Microsoft products .NET (framework) and ASPX (scripting), so if your website relies heavily on these, IIS is a clear frontrunner as a choice of web server. And IIS offers in-depth diagnostic tools such as failed request tracing, request monitoring and runtime data, in addition to virtual hosting support. But a major concern is that choosing IIS necessitates also picking Windows, with its attendant high cost and security implications compared to Linux.
IIS is reported as being slightly behind Apache in terms of performance. However, these results are tainted because the underlying operating system environment cannot be equalized in order to set an equal base. IIS is inextricably tied with Windows (for example IIS can easily pass and receive process threads from the Windows OS), and Apache simply cannot perform as well there. But both Apache and IIS are still handily beaten in terms of performance by the Nginx web server.
Both Apache and IIS have their pros and cons as outlined above. Determining which one to use is determined by several factors: IIS must be bundled with Windows but Apache does not have big-name corporate support, Apache has excellent security but does not offer IIS’s excellent .NET support. And so on. The final choice may well be a compromise dictated by whichever solution meets as many of your must-have needs as possible. The table summary below may also help.