If you host a website, chances are good that you are running either Apache or Internet Information Services (IIS). Depending on the data source, they are two of the most common web server platforms, comprising a virtual triumvirate with Nginx for control of the market.
They each also have their passionate supporters and haters. In fact, IIS vs. Apache flame wars are many times really spillover or proxy tirades of ‘Microsoft vs. Linux’. A compare-and-contrast exercise between the two web servers should be as objective as possible, which is what we’ll try and do here and not get drawn into personal preferences and emotional-laden outbursts.
What is IIS?
IIS (Internet Information Services) is Microsoft’s web server offering, playing second fiddle to market leader Apache. As is expected of a core Microsoft product, it only runs and is bundled on Windows operating systems, but is otherwise free for use. It is a closed software product and supported by solely by Microsoft. Although development is not as open and quick as the open-source user-supported nature of Apache, a behemoth like Microsoft can throw formidable support and development resources at its products, and IIS has fortunately benefitted from this. Actually it is one of the few Microsoft products that even its detractors (grudgingly) agree can stand toe-to-toe with its open source rival and even trounce it soundly in some areas. There is a lite version called IIS Express that has been installable as a standalone freeware server from Windows XP SP3 onwards. But this version only supports http and https.
Solid feature, performance and security improvements over the years have meant that IIS has steadily improved and gained ground and market share on Apache. Security has been one area of significant gain, making huge leaps from the days of IIS 6.0’s vulnerability to the infamous Code Red worm. All has not been perfect however; for instance IIS historically experienced poor support for PFS (Perfect Forward secrecy) – a property of key cryptography that ensures a long-term key will not be compromised if a single component session key is compromised or broken. Still, the IIS-Apache security comparison may not be fair to IIS. IIS vulnerability may also be largely blamed on its operating system parent since most malware targets Windows, and Linux (Apache’s main choice of OS) is itself an offshoot of the inherently iron-clad Unix OS.
Like Apache, IIS also utilizes external web extensions to implement some features. For example FTP publishing, application request routing, media services and URL rewriting are all new features introduced in IIS 7.5 via extensions. And IIS offers strong support for the Microsoft products .NET (framework) and ASPX (scripting), so if your website relies heavily on these, IIS is a clear frontrunner as a choice of web server. And IIS offers in-depth diagnostic tools such as failed request tracing, request monitoring and runtime data, in addition to virtual hosting support. But a major concern is that choosing IIS necessitates also picking Windows, with its attendant high cost and security implications compared to Linux.
IIS is reported as being slightly behind Apache in terms of performance. However, these results are tainted because the underlying operating system environment cannot be equalized in order to set an equal base. IIS is inextricably tied with Windows (for example IIS can easily pass and receive process threads from the Windows OS), and Apache simply cannot perform as well there. But both Apache and IIS are still handily beaten in terms of performance by the Nginx web server.
What is Apache?
Apache, or to use its full royal title The Apache HTTP web server, is an open source Web server application managed by the Apache Software Foundation. The server software is freely distributed, and the open source license means users can edit the underlying code to tweak performance and contribute to the future development of the program – a major source of its beloved status among its proponents. Support, fixes and development are handled by the loyal user community and coordinated by the Apache Software Foundation.
Although Apache will run on all major operating systems, it is most frequently used in combination with Linux. These two, combined with MySQL database and PHP scripting language, comprise the popular LAMP Web server solution.
Apache used to command a huge lead in the web server market, but this has changed over the years. According to a 2019 Netcraft survey, IIS and Apache are now virtually tied for market share of installations, at 28.4% and 26.1%, respectively. However, that’s not the whole story, as Apache has a big lead on the measure of “active sites,” with 30.99% compared to just 6.21% for IIS, suggesting that many IIS installations are on sites that are not actively used, such as default demo sites set up internally and never used.
Feature-wise, Apache boasts an impressive repertoire. Many features are implemented as compiled modules to extend the core functionality. These can range from server-side programming language support to authentication schemes. Some common language interfaces support Perl, Python, Tcl, and PHP. Popular authentication modules include mod_access, mod_auth, mod_digest, and mod_auth_digest, the successor to mod_digest. A sample of other features include Secure Sockets Layer and Transport Layer Security support (mod_ssl), a proxy module (mod_proxy), a URL rewriter (mod_rewrite), custom log files (mod_log_config), and filtering support (mod_include and mod_ext_filter). Apache also supports virtual hosting, which enables one machine to host and simultaneously server several different websites, and a number of good, well-developed GUI interfaces. Another notable feature is web page compression to reduce their size over http. This is also achieved by an external module, one called mod_gzip. And security is one of Apache’s noted strengths.
When it comes to performance, conventional wisdom has it that Apache is just OK, a bit better than IIS but quite a bit slower than its main open-source rival Nginx. This has been borne out by objective tests. Though by no means slow for most general tasks, Apache is still held back by two of its main features:
- Feature bloat: Apache is frequently compared to MS Word – an extremely feature-rich application in which 90% of users only use about 10% of the features on a regular basis.
- Apache is a process-based server, unlike many of its rivals that are event-based or asynchronous in nature. In a process-based server, each simultaneous connection requires a separate thread and this incurs significant overhead. An asynchronous server, on the other hand, is event-driven and handles requests in a single or very few threads.
Does IIS or Apache have better performance?
Apache has good performance out of the box, however, performance tuning is essential to optimize the server, whether you are hosting on premises or in the cloud using services like Google Cloud or Microsoft Azure. Because the Apache HTTP Server comes with a ton of features, many of which you won’t need for serving your own application, you should eliminate modules and features you don’t need. This will improve application speed and enhance Apache’s overall performance.
To enhance the scalability of your application, you can host Apache together with the Nginx web server as a reverse proxy. Apache’s process-based model handles each request in a separate thread. This yields slower results that Nginx’s event-based asynchronous request processing. With Nginx as a reverse proxy, Nginx serves static files quickly and passes data processing to Apache, then returns the result to the client. This configuration yields such fast results that it has become a defacto gold standard for hosting web applications.
IIS is the golden standard of serving applications on Windows Server 2019 and other Windows Server versions. The web server is tightly integrated with the Windows operating system and Microsoft’s .NET framework, also known as Dot NET framework. Recent updates to IIS, such as IIS 8.0, IIS 8.5, and IIS 10.0, have included enhancements such as Idle worker-Process page-out and improved gzip compression for better performance. Perhaps even more so than Apache, Microsoft IIS suffers from its own share of feature bloat, but this makes available a wide set of modules to support enterprise level deployments that need robust features like granular logging and load balancing.
Does IIS or Apache have better security?
While IIS has made strides in security in recent years, it has suffered over the years from the general state of security in the Windows ecosystem. Hackers spend a good deal of their efforts exploiting and breaching Windows due to its popularity, and this has naturally exposed IIS deployments as well. Linux servers, as noted by ComputerWorld, have benefitted from an open source model that means more eyes on the code, improving critical aspects such as security. Apache deployments, while perceived as being more secure, are no panacea for keeping web applications safe. Since Apache is so commonly deployed, it comes with its own set of security challenges.
This means you should be vigilant concerning security, whether you choose to go with the Apache web server or choose to deploy on IIS. You might not have much leeway concerning your selection of web server anyway, for example if you are developing your application in ASP.NET or .NET MVC, running on Microsoft IIS will simplify your development and deployment.
Hardening both IIS and Apache involves making tradeoffs between security and ease of use, portability, and, sometimes, performance.
These are some steps you can take to harden your IIS web server installation:
- Disable 'directory browsing'
- Put web content on a non-system partition
- Configure application pool identity for application pools
- Disable WebDAV to prevent remote web content authoring
- Restrict sensitive features to authenticated principals
- Require SSL for “forms authentication”
- ...and more, this is just a start, ideally you should have a standard hardening checklist for new IIS installs
Apache requires just as much attention when it comes to hardening, and these steps should provide security one step above the default configuration:
- Update your Apache install from the Linux repositories for the latest security patches
- Set “mod_log_config” to monitor client requests and web accesses
- Turn on ModSecurity to prevent SQL injection and other malicious activity
- Prevent brute force attacks and DDoS with Mod_evasive
- Delete unused and out of date modules to reduce potential for hacks
As with IIS, the security of your Apache installation can be greatly enhanced by working with consistent, well-architectured security best practices. Given the potential for breaches of all kinds in the data center, taking steps to secure your infrastructure takes precedence.
How do IIS and Apache differ in licensing costs and enterprise support?
Apache is an iconic open source web server, with a proud history stretching more than 20 years in the open source community. Licensed under a standard Apache Software Foundation Apache 2.0 License, the web server is both free to use, distribute, and modify, without being subject to royalties or other license fees. Given this permissive licensing, which the server has in common with other critical software projects from the Apache Software Foundation, it has seen vibrant adoption and contributor participation in the open source world. Apache consistently holds the lead among the most popular web servers and has inspired imitators such as OpenBSD’s Httpd web server.
Licensing for IIS Server is much more complex, and will cost you more, too. IIS Server Express can be downloaded for free from Microsoft’s downloads site. This version is optimized for developers, and lets you develop and test your application on a lite version of the production IIS server. To fully test your code and features like SMTP in your staging environments , however, you will need an IIS Server license so you can run IIS Server. This comes with Windows Server, and can cost from $500 to over $6,000 depending on the Windows Server version and number of cores in your deployment.
Is IIS or Apache easier to use?
Thanks to its handy graphical user interface and improvements to the software over the years, IIS Server, despite its many features and services, is easy to use on a day to day basis. As a Microsoft server, IIS integrates seamlessly with other Microsoft tools such as MSSQL Server and Visual Studio. The Microsoft community is large, with numerous forums where you can get support, in addition to the wide ecosystem of vendors and certified Windows IT solutions experts. On the other hand, the proprietary nature of IIS has resulted in a product tightly interwoven into the Windows ecosystem. While this makes it easy to integrate into your other Windows tech, it does come with a cost regarding portability. This will rule it out if you want a solution that works seamlessly across operating systems and with mixing and matching of technology providers. web server.
Licensing for Apache is much simpler, and more permissive. There is no direct licence cost for the use, modification, or redistribution of the software. The open source nature of the Apache server has resulted in a product that works well with various technologies on UNIX-like systems including Linux and Mac. Notably, Apache’s cross-platform support extends to Windows as well. Apache is not only extremely stable, with a history of use in web hosting at some of the biggest tech players, but it keeps things flexible to support your stack. For example, you can just as easily run Python or PHP scripts using the CGI interface or deploy advanced web frameworks such as Django. This portability across tech stacks and operating systems makes it easier to stick with Apache when changing your deployment OS.
Both Apache and IIS have their pros and cons as outlined above. Determining which one to use is determined by several factors: IIS must be bundled with Windows but Apache does not have big-name corporate support, Apache has excellent security but does not offer IIS’s excellent .NET support. And so on. The final choice may well be a compromise dictated by whichever solution meets as many of your must-have needs as possible. The table summary below may also help.