October 2021 Web Server Survey

In the October 2021 survey we received responses from 1,179,448,021 sites across 265,426,928 unique domains and 11,388,826 web-facing computers. This reflects a loss of 8.59 million sites, but a gain of 1.07 million domains and 20,800 computers.

The number of unique domains powered by the nginx web server grew by 789,000 this month, which has increased its total to 79.5 million domains and its leading market share to 29.9%. Conversely, Apache lost 753,000 domains and saw its second-place share fall to 24.7%. Meanwhile, Cloudflare gained 746,000 domains – almost as many as nginx – but it stays in fourth place with an 8.15% share while OpenResty’s shrank slightly to 14.5%.

Cloudflare also made strong progress amongst the top million websites, where it increased its share by 0.24 percentage points to 18.2%. nginx is in second place with a 22.5% (+0.12pp) share but has closed the gap on Apache which still leads with 24.0% after losing 0.21pp.

Apache also continues to lead in terms of active sites, where it has a total of 48.0 million. However, it was the only major vendor to suffer a drop in this metric, with a loss of 277,000 active sites reducing its share down to 23.9% (-0.29pp). In terms of all sites, nginx lost the most (-9.99 million) but remains far in the lead with a total of 412 million.

Apache vulnerability being actively exploited in the wild

Apache 2.4.51 was released on 7 October. This is the latest release in the 2.4.x stable branch, which the developers consider to be the best available version of the Apache HTTP Server; but more importantly, this release fixes a path traversal vulnerability present in Apache 2.4.49 and 2.4.50. Apache 2.4.50 was itself released a day earlier in an attempt to fix the vulnerability present in 2.4.49, but the fix was found to be insufficient.

The vulnerability is being actively exploited in the wild, so anyone still running an unpatched Apache 2.4.49 or 2.4.50 installation should upgrade immediately. In some cases, the path traversal vulnerability could facilitate remote code execution on the web server.

Due to the nature of this vulnerability, some otherwise vulnerable installations may be immune to attack if a web application firewall (WAF) is in place, or if a frontend proxy or load balancer modifies malicious requests in a way that makes them safe. For instance, all vulnerable Apache installations served via the Cloudflare content delivery network would have been protected from the outset if Normalize URLS to origin were enabled, and the Cloudflare WAF has rules that would have stopped many exploit attempts.

Other vendor and hosting news

  • During September, Microsoft released fixes for three elevation of privilege and one remote code execution vulnerabilities in the Open Management Infrastructure (OMI) framework, which is used by several Azure Virtual Machine management extensions. The remote code execution vulnerability can only affect customers using a Linux management solution with remote OMI enabled. A full list of the vulnerable extensions and update availability is being maintained on the Microsoft Security Response Center blog.
  • Microsoft announced the general availability its Azure Purview data governance solution on 28 September.
  • On 5 October, Microsoft removed the waiting list for its Azure NetApp Files bare-metal cloud file storage and data management service.
  • lighttpd 1.4.60 was released on 3 October. This version includes a large number of changes, including several bugfixes and improved handling of HTTP/2 connections.
  • LiteSpeed Web Server 6.0.9 was released on 20 September to address several bugs and add a new log rotation feature. OpenLiteSpeed 1.7.14 – the open source edition of LiteSpeed Web Server Enterprise – was released on 7 September.
Total number of websites

Web server market share

Developer September 2021 Percent October 2021 Percent Change
nginx 422,211,703 35.54% 412,222,221 34.95% -0.59
Apache 295,667,361 24.89% 290,462,410 24.63% -0.26
OpenResty 77,052,370 6.49% 76,038,576 6.45% -0.04
Cloudflare 56,362,363 4.74% 57,482,103 4.87% 0.13
Web server market share for active sites

Developer September 2021 Percent October 2021 Percent Change
Apache 48,288,904 24.21% 48,011,801 23.92% -0.29
nginx 40,553,124 20.33% 41,062,259 20.45% 0.12
Google 18,896,757 9.47% 19,233,447 9.58% 0.11
Cloudflare 18,294,632 9.17% 18,578,689 9.25% 0.08

For more information see Active Sites

Web server market share for top million busiest sites

Developer September 2021 Percent October 2021 Percent Change
Apache 242,558 24.26% 240,436 24.04% -0.21
nginx 223,775 22.38% 224,963 22.50% 0.12
Cloudflare 180,043 18.00% 182,420 18.24% 0.24
Microsoft 64,292 6.43% 63,211 6.32% -0.11
Web server market share for computers

Developer September 2021 Percent October 2021 Percent Change
nginx 4,227,284 37.18% 4,212,329 36.99% -0.19
Apache 3,503,918 30.81% 3,506,243 30.79% -0.03
Microsoft 1,357,220 11.94% 1,343,523 11.80% -0.14
Web server market share for domains

Developer September 2021 Percent October 2021 Percent Change
nginx 78,707,646 29.77% 79,496,765 29.95% 0.18
Apache 66,328,129 25.09% 65,574,868 24.71% -0.38
OpenResty 38,493,039 14.56% 38,470,511 14.49% -0.07
Cloudflare 20,874,772 7.90% 21,621,086 8.15% 0.25