Enterprises last week had 11 more reasons to rethink using IIS: 10 new security holes in the Microsoft Web server and the arrival of Apache 2.0.
After three years of development, Apache 2.0 (or, more accurately, Version 2.035) has finally been released. Unix users will find plenty to like in Version 2.0, but the biggest impact will be on Windows servers, where Apache can now perform as a production-level Web server.
Unlike previous Windows versions of the open-source server, which were built from ported Unix code, the new version is written as a native Windows application and is recommended by the Apache Software Foundation for production use.
And, based on our tests, we agree. eWEEK Labs compared the performance of Apache 2.0 and Microsoft Corp.s Internet Information Services 5.0, both running on Windows 2000 Advanced Server. Apache kept pace with IIS during the entire test, which means that sites that move from IIS to Apache 2.0 on Windows wont have to worry about taking a performance hit.
When it comes to security, IIS doesnt come close to Apache. Apaches security track record is excellent, while IIS has taken hit after security hit. Just last week, Microsoft announced that 10 new security holes (several of which were serious buffer overruns) had been discovered in IIS.
One potential gotcha for organizations that wish to move to Apache from IIS is the open-source servers unfriendly administration interface: All configuration and administration is done by editing .conf files, although Version 2.0 has greatly streamlined configuration directives.
This gotcha may actually be a grabber for some: Many experts advise disabling administration interfaces, especially Web-based ones, because they are a potential attack point for hackers. Those who want a browser-based management interface despite the security risks can find it in Apache implementations from Covalent Technologies Inc. and IBM.
Of course, not all the benefits of Apache 2.0 are for Windows users—Apache also runs on every version of Unix, as well as on Mac OS, BeOS and OS/2. Companies with Unix versions of Apache will find that the server has been completely redesigned and can take advantage of POSIX support to run in a multiprocess, multithreaded mode that provides much greater scalability than before.
On Unix, dont expect a big performance boost with the new release. In tests of Apache 2.0 vs. Apache 1.3.24 running on Red Hat Inc.s Red Hat Linux 7.2, performance was nearly identical (though still very good). However, platforms such as Solaris and AIX, where a process switch is relatively slower than it is on Linux, will benefit much more from Apache 2.0s hybrid process/thread design. Click here for the test results.
Apache modules are also significantly different in Version 2.0. The API for writing modules is completely new, and modules can now run as filters, giving them greater flexibility to act on content delivered from the server.
Most core modules of the server were available at press time, but several had yet to be ported to Version 2.0.
Because of the magnitude of some of these changes, eWEEK Labs recommends that any site planning a move to Apache 2.0 first set up a system on which it can test all its Web applications and specific setups to make sure they work well on the new server.
Apache 2.0 can be downloaded at httpd.apache.org.
Technical Director Jim Rapoza can be reached at firstname.lastname@example.org.
- IE, Apache Clash on Web Standard
- Apache Avoids Most Security Woes
- IIS: Stay or Switch?