Apache Server (or HTTPd) powers roughly 35% of all web servers today. It is one of the most popular web servers around and serves an incredible number of web pages. However, others like Nginx are rapidly closing the gap. The most telling sign of this can be seen in the larger number of those who are beginning to develop and maintain on the Nginx platform alone.
At the height of its strength during the early 2000s, Apache was behind close to half of all active websites. What changed with it to allow fierce competition to rise so steadily over the past ten years?
The following review includes essential information, such as:
- History and Creation of Apache
- What Exactly is Apache?
- Apache Servers – Top Features
- Apache Servers Performance
- Apache Servers Security
- Apache Servers Further Development
- Version History
History and Creation of Apache
The Apache web server software was first developed by Robert McCool. Originally working on HTTPd for the National Center for Supercomputing Applications (NCSA), McCool left in 1994 along with a number of other developers. They formed the core team which was to become Apache Group.
There are two unverified theories of how the software got its name. The first claim is that the team wanted to pay tribute to the Apache Native American tribe. The second explanation stemmed from the developers considering the software “a collection of patches” – hence, the name “Apache server”.
From the time it was built and released in 1995, it quickly gained in popularity and by early-mid 1996 it was the most popular web server in the world. Part of its meteoric rise at the time was due to the increasing popularity of Linux as a server platform.
It also came with many desirable features at the time, including the ability to support IP-based virtual hosts easily. Later, it was able to support name-based virtual hosts as well.
The overall result was a highly popular web server that filled the needs of users seeking an appropriate open source software for many purposes including for the web. Today, the development of the Apache web server is overseen by the Apache Software Foundation.
What Exactly is Apache?
Apache is web server software built along the open source concept. Web server software helps receive connection requests and processes them. When a user keys a web page address into their web browser, that query is directed towards the Apache web server.
The term web server is generic and actually applies to a machine that’s able to do what Apache was built for. However, it’s made up of more than just the web server software.
The full web server will include hardware (such as CPU, memory, and storage space), along with an operating system (OS). Web server software like Apache sits on top of the OS, designed to process external requests.
It is important to note that the core Apache web server was not meant to run web applications.
Apache Servers – Top Features
Free and Open Source
There are two key implications of Apache server being open source software. The first is that it’s distributed for free. There is no commercial licensing involved. The second is that the source code is widely available and open for collaborative work.
Apache server is multi-platform, meaning it can be deployed for use on multiple types of OS. Because of its roots, it is mostly run on Linux. However, it is also capable of working on Microsoft Windows and other systems.
Because of dwindling popularity of some OS like BeOS and TPF, Apache has been reducing its support for them. However, the multi-platform support also means that Apache web server is able to handle code in many different programming languages.
Good Performance Out of the Box
There are many reasons for the popularity of Apache server aside from being open source and multi-platform. For instance, a key trait is its ability to cope with significant amounts of traffic with few to no modifications.
At its core, Apache supports most common web server features including Server Side Includes (SSI), Common Gateway Interface (CGI), URL redirection, proxy caching, and user authentication.
In a nutshell, Apache is:
- Free and open source
- Unrestricted by license
- Multi-platform capable
- Able to cope with high traffic volume
- Highly configurable
Flexibility & Modularity
Apache is also highly desirable because of its two-way modularity. Those who are looking to increase functionality can make use of modules. Alternatively, those seeking lightweight deployments can strip it down to minimal operating requirements. The way it manages modules is one of the top advantages that Apache has.
The flexibility attributed to Apache doesn’t end in feature extension or module strip-down, however. It is also one of the easiest pieces of web server software to install and manage. This extends to ease of migration, and moving a deployment can be done with minimal need to amend the configuration file.
In terms of support, there have been split emotions since commercially it is only available via third-parties. Unlike a web server such as Nginx, for example, there is no direct support channel for business deployment. However, this can also be seen as allowing corporates greater flexibility in their choice of vendor.
Having been built from a Linux-based foundation, Apache is one of the best-documented pieces of web server software in the market. If there’s something in the documentation that is not covered, it is likely not an issue.
That being said, thanks to its history and extensive use, there is also a massive global community of Apache users. There is a huge amount of community support available where help can be obtained at any time.
Apache Servers Performance
Earlier I noted that part of the appeal in Apache server is its ability to easily scale with modules. It does this especially well because of the isolation of its core. Unfortunately, the Apache core itself has a slight drawback.
The original design of the Apache core makes use of a processing model called prefork which assigns one process (or thread) per connection. Thanks to the immense capabilities of server hardware and volume of web traffic today, the model has become a notable weakness for Apache.
Optimizations do exist such as with the use of multi-processing modules, but Apache does not work well out of the box for high traffic volume websites. Typically, it is accepted that Apache is ideal for sites receiving less than 1,000 requests per hour.
Compared to many other web servers, Apache needs to process an inordinately higher number of requests per connection. (Image source: RootUsers)
The issue stems from the fact that Apache makes use of the .htaccess file to store part of its configuration data. Each time a request is made, that file needs to be read. At high volume, it becomes a bottleneck where I/O is concerned.
Because of this, Apache’s main competitor, Nginx, has been known to perform between 2 to 2.5 times faster.
Content Handling: Static versus Dynamic
In the early days of the Internet, most websites simply served static content. The delivery of this type of content is fairly simple – request and serve. Today, thanks to web applications and the use of different scripts, sites delivering dynamic content have become common.
Dynamic websites are popular due to their capacity for complex behavior. These sites are typically highly interactive and can be custom-built on the fly to suit a range of needs. As you might expect, the web server needs for handling these two types of content are not the same.
Thanks to the simplicity of serving static content, Apache (and most other web servers) take a very direct approach. When a request is received, the site is simply served “as is”. It is in handling dynamic content that Apache takes its own path.
Apache attempts a very simplistic approach to dynamic content by trying to read it directly. It then passes on those results in response to the original query. The result is a much easier implementation process of the Apache server software.
The problem is that it requires modules to interpret dynamic files because the core was not designed to handle them. This results in less than optimal efficiency, particularly when load increases.
Apache Servers Security
As with most server software, Apache was designed to be secure. However, as with almost everything connected, the possibility of hacks and exploits still remains. This has been demonstrated a number of times over the course of Apache server’s lifetime.
One more recent example of a vulnerability (that has since been patched) was CVE-2019-0211. The flaw, discovered by a researcher, could have enabled attackers to gain full root access to the server.
These flaws exist alongside possible vulnerabilities that exist simply because of the way Apache server was designed. Some potential weak spots in default Apache server deployments include:
- Enabled directory listings
- Lack of SSL encryption
- Running as the daemon user and group
- Configuration information in footer of server-generated documents
- Inclusion of possibly unnecessary modules
Hardening Apache Security
Despite this inherent robustness, tech teams should take further steps to harden Apache server deployments. This will involve changing default settings as well as the installation of additional security modules, especially mod_security.
Basic hardening activities should at the very least include:
- Installation of mod_evasive – This vital module is used to help Apache servers mitigate the effects of Distributed Denial of Service (DDoS) as well as brute force attacks. It works by blacklisting multiple failed login attempts and helps to monitor noted negative IP addresses.
- Maintaining HTTP Limits – Another DDoS mitigation utility, setting these limits will help by working against the most basic concept of such attacks – a flood of requests. Simple, yet very effective.
- Deletion of Modules Not in Use – While this is a common tactic used cross platform, Apache has a leg up because of its focus on modularity. Its capacity for strip-down enables users to tightly limit the number of modules in use, lowering risk profiles.
- Denying Directory Indexing – Access to the root is the cause of much evil and disabling this can help protect the contents of your main directory.
- Masking of Server Configuration Details – The less information an attacker has about a server the better things will be. Unfortunately, there are instances where Apache tends to append this information and these need to be mitigated against.
- Disabling the Ability to Override .htaccess – This core file is vital to many websites, especially WordPress sites which are highly popular today. Make sure the server locks this file unless there is a special reason why it should not be.
- Deploying Mod SSL – Unfortunately, Apache server doesn’t support web pages with SSL out of the box. For this, you will need to make use of mod_ssl, which makes use of OpenSSL for cryptography.
Do note that hardening activities will sometimes be dependent on the Apache http server version.
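The weak spots and hardening steps listed above can be checked mechanically. The following Python sketch is an added example, not code from this article or the Apache project: it audits a constructed `httpd.conf` for those items. The finding names, the `needed_modules` allowlist and the sample configuration are assumptions made for illustration.

```python
import re

# Constructed sample resembling a weak default httpd.conf (not from a real server).
WEAK_CONF = """\
User daemon
Group daemon
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule status_module modules/mod_status.so
ServerSignature On
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride All
</Directory>
"""

def directives(conf):
    """Map lower-cased directive name -> list of argument strings, in file order."""
    found = {}
    for line in (raw.strip() for raw in conf.splitlines()):
        if line and not line.startswith(("#", "<")):  # skip comments, section tags
            name, *rest = line.split(None, 1)
            found.setdefault(name.lower(), []).append(rest[0] if rest else "")
    return found

def audit(conf, needed_modules=frozenset()):
    """Return sorted finding ids (names are this example's own) for the listed weak spots."""
    d = directives(conf)
    last = lambda name, default: d.get(name, [default])[-1].lower()
    loaded = {a.split()[0] for a in d.get("loadmodule", []) if a}
    issues = set()
    if any(re.search(r"(?<!-)\bIndexes\b", a, re.I) for a in d.get("options", [])):
        issues.add("directory-listing")          # Options Indexes or +Indexes
    if "ssl_module" not in loaded:
        issues.add("no-mod-ssl")
    if "daemon" in (last("user", ""), last("group", "")):
        issues.add("daemon-user-group")
    # httpd defaults: ServerSignature Off, ServerTokens Full (full version banner).
    if (last("serversignature", "off") != "off"
            or last("servertokens", "full") not in ("prod", "productonly")):
        issues.add("server-details-exposed")
    if any(a.lower() != "none" for a in d.get("allowoverride", [])):
        issues.add("htaccess-override-allowed")
    if "limitrequestbody" not in d:              # assumption: an explicit limit is expected
        issues.add("no-request-limit")
    if not any(m.startswith("evasive") for m in loaded):  # assumed module-name prefix
        issues.add("no-mod-evasive")
    # needed_modules: hypothetical operator-supplied allowlist of required modules.
    issues |= {"extra-module:" + m for m in loaded - set(needed_modules)}
    return sorted(issues)
```

The audit reads a single file only: configuration pulled in through `Include` directives is not followed, so run it over each included file as well.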
Apache Servers Further Development
The current latest release for Apache httpd is version 2.4.46. However, this is more of a minor update with a small handful of security updates addressing CVE-2020-11984, CVE-2020-11993, and slight modifications to mod_http2.
The last major release of Apache server was 2.4 and that was close to a decade ago. Version 2.4 was meant primarily to cater to shifts towards Cloud technology at the time and optimize Apache performance for those platforms.
To really realize the direction that Apache server is headed in requires an understanding that as an entity, the Apache Foundation firmly believes in an open and interoperable Internet. This has increasingly become a challenge as major industry leaders champion their individual flavor of technology.
The people who develop and maintain Apache believe that these actions break the foundation that allowed Apache server to grow in the first place. Much of the future will be spent addressing these challenges and attempting to avoid scenarios where monetization drives product creation.
According to the core founders of Apache, part of those attempts will involve active involvement in educational curricula, communication, and strengthening of the support within the community.
Version History
- April 1995 – First public release of Apache HTTP Server version 0.6.2.
- June 1995 – Switch to new “Shambhala” server base architecture with modular structure and API.
- March 1999 – Establishment of the Apache Software Foundation
- December 2001 – Apache 1.0 released.
- April 2002 – Apache 2.0 released to support filtered I/O and IPv6.
- January 2004 – Codebase relicensed to the Apache 2.0 License
- December 2005 – Release of Apache 2.2
- September 2009 – Apache serves over 54.48% of all websites.
- March 2000 – Apache version 2.0 Alpha 1 introduced with complete server architecture redesign.
- April 2002 – More flexible API authorization, improved cache and proxy modules.
- August 2011 – Apache 2.2.20 release fixes “Apache Killer” DoS bug.
- December 2012 – Version 2.4 released. First major release in over six years aimed at improving Cloud performance.
- October 2015 – Support for HTTP/2 added
- April 2019 – 2.4.39 update patches six flaws including Carpe Diem Vulnerability.
- August 2020 – Version 2.4.46 released
There is no doubt that Apache server has grown into a behemoth spanning the globe. However, evolution of technology has not been entirely favorable to open source and interoperability.
Weaknesses in the Apache core also come under greater spotlight as the way the web works moves into the next decade. Unless Apache revolutionizes again and considers another rework of its core, it is likely that competitors like Nginx will move further ahead in the business.