In the December 2021 survey we received responses from 1,168,864,866 sites across 268,328,184 unique domains and 11,669,818 web-facing computers. This represents a loss of 6.53 million sites, but a gain of 1.30 million domains and 144,000 computers.
nginx lost a significant number of sites (-23.88 million) and domains (-8.54 million) this month, though it continues to hold the highest market share in both categories with 32.9% of sites and 26.7% of domains. nginx’s domain market share lead over Apache dropped significantly, falling from a 5.6 percentage point lead to a 2.6 percentage point lead. nginx also gained 81,100 web-facing computers this month, giving it 37.5% of market share in this category.
Apache also lost sites (-3.09 million) and domains (-446,000) this month, though it gained 5,700 web-facing computers. Apache continues to hold second place across all three key metrics.
The largest increase in both domains and hostnames was seen for “awselb”, used by Amazon’s Elastic Load Balancing service, and accounts for the majority of the loss experienced by nginx. The change was as a result of GoDaddy’s URL redirector service, which allows domains registered with GoDaddy to be pointed at arbitrary URLs, being moved from their own hosting facilities to Amazon’s ELB service.
Many other web servers also saw reasonable growth in the number of sites this month, with OpenResty and Microsoft gaining 2.42 million and 2.15 million respectively, followed by LiteSpeed and Cloudflare with 1.76 million and 1.28 million. Fewer servers gained domains this month, though OpenResty gained a respectable 850,500 (+2.19%).
Cloudflare gained 2,431 sites in the million most popular sites, increasing its market share by 0.24 percentage points to 18.6%. Apache continues to maintain a slim lead over nginx, though both lost sites this month. Microsoft’s market share dropped, as it lost 4,119 sites this month taking it to 6.15% of the total and down from 6.89% at the start of the year.
Log4Shell impact on web servers
A critical vulnerability dubbed “Log4Shell” was identified in the Java log4j logging library, and was publicly disclosed on 9th December. The vulnerability has impacted a broad range of organizations as the log4j library is widely used, and the flaw can be easily exploited to break into systems, steal data, and infect networks with malicious software.
Many widely-used web servers such as Tomcat and Jetty are written in Java but do not use the log4j library by default so are not directly affected by the issue. However, they can be configured to do so, and it is also possible that sites that use popular web servers written in other languages – Apache and nginx are written in C, for instance – may still use the vulnerable library at some level in their technology stack.
Several less well-known servers integrate the log4j library directly, such as IBM WebSphere. Several WebSphere components such as the Admin Console use the library and so are vulnerable to the issue, while applications served using WebSphere may be vulnerable if they use the library. IBM WebSphere is not widely used: this month Netcraft identified 3,778 sites using the server, which were hosted on 830 IP addresses. Amongst these, Netcraft found government and banking websites, though it is unknown whether these sites are vulnerable.
Vendor news
- Apache 2.4.52 was released on 20 December. This release fixes several security issues, including a possible buffer overflow in mod_lua and server-side request forgery vulnerability in forward proxy configurations.
- nginx unit 1.26.1 was made available on 2 December and fixes several bugs introduced in the 1.26.0 release.
- Lighttpd 1.4.62 and 1.4.63 were released in quick succession at the start of December and include many minor changes and bugfixes.
- Apache Tomcat 9.0.56, 10.0.14, and 10.1.0-M8 (alpha) were released on 2 December.
Developer | November 2021 | Percent | December 2021 | Percent | Change |
---|---|---|---|---|---|
nginx | 408,226,319 | 34.73% | 384,347,394 | 32.88% | -1.85 |
Apache | 286,494,600 | 24.37% | 283,409,491 | 24.25% | -0.13 |
OpenResty | 76,480,927 | 6.51% | 78,902,138 | 6.75% | 0.24 |
Cloudflare | 58,629,365 | 4.99% | 59,904,450 | 5.13% | 0.14 |