November 2021 Web Server Survey

In the November 2021 survey we received responses from 1,175,392,792 sites across 267,027,794 unique domains and 11,525,855 web-facing computers. This reflects a loss of 4.06 million sites, but a gain of 1.60 million domains and 137,000 computers.

nginx gained the largest number of domains (+741,000) and web-facing computers (+81,300) this month and continues to lead in both metrics with market shares of 30.1% and 37.3%.

Further down in the market, there was also a noticeable increase in the total number of web-facing computers running LiteSpeed, which went up by 11,200 to 101,000 (+12.5%), although this resulted in only a 1.44% increase in domains. These counts include sites that run on LiteSpeed Web Server and its open source variant, OpenLiteSpeed, both of which exhibit the same “LiteSpeed” server banner.

Both nginx and Apache lost nearly 4 million hostnames each, reducing their sites market shares to 34.7% and 24.4%. Meanwhile, Cloudflare gained 1.15 million sites, which has taken its total up to 58.6 million (+2.00%) and increased its sites share to 4.99%.

nginx and Apache also suffered losses amongst the top million websites, paving the way for Microsoft to increase its presence by 2,369 sites (+3.75%). Microsoft web server software is now used by 65,600 of the top million sites, but Apache is still the most commonly used web server in this sector, with 240,000 of the top million sites using it, and nginx is not far behind with 224,000.

Apache 2.4.49 vulnerability

Following last month’s news of a path traversal vulnerability in Apache 2.4.49 being actively exploited in the wild, this month’s survey shows that more than 11 million websites had server banners containing “Apache/2.4.49” before a fix was released. The only other version vulnerable to attack was Apache 2.4.50, which failed to fix the vulnerability properly – but this version was released after the survey ran and was promptly replaced with Apache 2.4.51, where the vulnerability was resolved properly.

The true number of websites that were vulnerable during the survey period is likely to have been much greater than the 11 million websites that openly reported themselves to be running Apache 2.4.49, as nearly two-thirds of all Apache-powered websites do not reveal a version number in their server banners. This configuration is often a deliberate act towards security through obscurity, although attackers can often deduce precise version numbers by carrying out additional tests. There may also have been additional vulnerable instances of Apache 2.4.49 hidden behind frontend load balancers or content delivery networks such as Cloudflare.

Conversely, some websites running on Apache 2.4.49 may not have been vulnerable if they used an appropriately configured web application firewall that prevents path traversal attacks. More generally, the true number of web servers that contain a version-specific vulnerability can also be masked by future backported security patches, which typically fix vulnerabilities without changing the apparent version number of the software. From an external perspective, a server might appear to be running a vulnerable software version but may not actually be vulnerable to the issues affecting that version.
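The banner-counting limits described above can be seen in a short classifier for Server header values. This is an added example, not Netcraft's survey code: the category names and sample banners are constructed for illustration, and it is meant for auditing an inventory of your own servers.

```python
import re
from collections import Counter

# Versions the article names as affected by the path traversal issue.
AFFECTED = {(2, 4, 49), (2, 4, 50)}

# Matches Apache httpd banners at every ServerTokens level, from "Apache"
# (Prod) up to "Apache/2.4.49 (Unix) OpenSSL/1.1.1l" (Full). Requiring
# whitespace or end-of-string next keeps "Apache-Coyote/1.1" (Tomcat) out.
BANNER_RE = re.compile(r"^Apache(?:/(\d+(?:\.\d+){0,2}))?(?:\s|$)")


def classify(banner: str) -> str:
    """Classify one Server header value. The result is a hint, not proof:
    a backported patch or a WAF can make a 'reports-affected' host safe."""
    m = BANNER_RE.match(banner.strip())
    if m is None:
        # Includes CDN and load balancer banners that may front an Apache origin.
        return "not-apache-httpd"
    parts = tuple(int(p) for p in m.group(1).split(".")) if m.group(1) else ()
    if len(parts) == 3:
        return "reports-affected" if parts in AFFECTED else "reports-other"
    # Truncated banner: still a candidate if it is a prefix of an affected version.
    if any(v[:len(parts)] == parts for v in AFFECTED):
        return "version-hidden"
    return "reports-other"


def tally(banners):
    """Count banners per category."""
    return Counter(classify(b) for b in banners)


# Constructed sample banners (hypothetical inventory, not survey data).
SAMPLE = [
    "Apache/2.4.49 (Unix) OpenSSL/1.1.1l", "Apache/2.4.50",
    "Apache/2.4.51 (Debian)", "Apache", "Apache/2.4", "Apache/2",
    "Apache/2.2", "Apache-Coyote/1.1", "nginx/1.21.4", "LiteSpeed",
]

if __name__ == "__main__":
    for label, count in tally(SAMPLE).most_common():
        print(f"{label:18} {count}")
```

Hosts in the "version-hidden" group are the ones a banner count misses, so they need a package-level version check rather than a header check.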

Vendor news

  • LiteSpeed Web Server 6.0.11 was released on 10 November. This is the latest version in the LSWS 6.0 stream and includes improvements in HTTP/2 and HTTP/3 throughput, new support for WebSocket proxy targets in rewrite rules, and several bugfixes.
  • Microsoft has announced new Azure Bounty Program rewards of up to $60,000 to encourage and reward research into vulnerabilities that would have the highest potential impact on the security of its customers.
  • nginx 1.21.4 mainline was released on 2 November. This version includes some new features and changes relating to TLS and HTTP/2.
  • Lighttpd 1.4.61 was released on 28 October to address a number of bugs. Lighttpd is used by 245,000 unique domains in this month’s survey.
  • njs 0.7.0 was released on 19 October to add HTTPS support for its Fetch API, along with a few other new features and bugfixes.
  • Apache Tomcat 9.0.54, 10.0.12 and 10.1.0-M6 (alpha) were released on 1 October, followed by Tomcat 8.5.72 on 6 October.
  • Cloudflare Pages now supports custom headers natively, without having to use Cloudflare Workers. This makes it easier for developers to add best-practice security headers and others to their JAMstack applications.
  • Cloudflare for SaaS is now generally available to all, following a beta launch earlier in the year.

[Chart: Total number of websites]

Web server market share

Developer   October 2021  Percent  November 2021  Percent  Change
nginx        412,222,221   34.95%    408,226,319   34.73%   -0.22
Apache       290,462,410   24.63%    286,494,600   24.37%   -0.25
OpenResty     76,038,576    6.45%     76,480,927    6.51%    0.06
Cloudflare    57,482,103    4.87%     58,629,365    4.99%    0.11

Web server market share for active sites

Developer   October 2021  Percent  November 2021  Percent  Change
Apache        48,011,801   23.92%     47,499,411   23.73%   -0.19
nginx         41,062,259   20.45%     41,163,240   20.56%    0.11
Google        19,233,447    9.58%     18,957,833    9.47%   -0.11
Cloudflare    18,578,689    9.25%     18,873,075    9.43%    0.17

For more information see Active Sites

Web server market share for top million busiest sites

Developer   October 2021  Percent  November 2021  Percent  Change
Apache           240,436   24.04%        239,880   23.99%   -0.06
nginx            224,963   22.50%        223,634   22.36%   -0.13
Cloudflare       182,420   18.24%        183,514   18.35%    0.11
Microsoft         63,211    6.32%         65,579    6.56%    0.24

Web server market share for computers

Developer   October 2021  Percent  November 2021  Percent  Change
nginx          4,212,329   36.99%      4,293,594   37.25%    0.27
Apache         3,506,243   30.79%      3,519,668   30.54%   -0.25
Microsoft      1,343,523   11.80%      1,344,322   11.66%   -0.13

Web server market share for domains

Developer   October 2021  Percent  November 2021  Percent  Change
nginx         79,496,765   29.95%     80,237,541   30.05%    0.10
Apache        65,574,868   24.71%     65,185,640   24.41%   -0.29
OpenResty     38,470,511   14.49%     38,800,716   14.53%    0.04
Cloudflare    21,621,086    8.15%     22,024,974    8.25%    0.10

Posted by Contributor