On the wake of Kenyan government websites getting hacked ht.ly/8w3rM It immediately reminded me of the Windows Vs Linux debate that has been going on forever. So does the Apache vs IIS debate.
Apache vs IIS is the hardest decision System Administrators and Web Host Administrators face. And this decision is more than the simple comparison of pros and cons of Apache and IIS. For example, If you go for IIS then you have to use Windows, while if you decided to go for Apache Web Server you have a right to choose between Unix, Linux and even different versions Windows.
When I got out of University, I worked for an ISP, and one of my job descriptions was to handle the Web hosting side of the business. Initially we started out on IIS until later on when we moved to Linux based servers and Apache as a Web server.
Understanding IIS and Apache
Apache
Apache HTTP Server is an open-source Web server that operates on UNIX, Windows, Mac or Netware computers. According to The Apache Foundation, it “has been the most popular web server on the Internet since April 1996.” The current recommended release is 2.2, as of October 2010. This version was principally a security and bug fix release. The Apache Software Foundation has a security team that documents and corrects security bugs and implements fixes.
IIS
Formerly known as Internet Information Server, IIS 7.5 is an integral part of the Microsoft family of servers, currently Windows Server 2008. IIS is not installed by default but is available through “Add and Remove Programs.” Like Apache, Microsoft released IIS to the public in mid-1995. Although Apache has the lead in the general market share, IIS is the preferred Web platform for Fortune 1000 companies.
While both Apache and IIS service HTTP requests, each Web server has its own architecture, built-in features, and common add-ons. Though developed independently, both Web servers provide many of the same features, through either built-in functionality or add-on modules. Both servers support the following functions:
• HTTP request processing
• Authentication
• Access control
• Encryption (SSL)
• Caching
• Web site isolation
• Bandwidth throttling
• Load balancing
• Web frameworks and middleware
• Configuration files and management APIs
• Modular architecture
In solving this questions a systems administrator has to answer the most common questions on performance and scalability, stability setup and maintenance costs, reliability and security
Performance and scalability
Both Apache and IIS 7.0 allow administrators to optimize performance and scalability with bandwidth throttling, compression, and some load balancing. Static and dynamic compressions are built in to IIS 7.0 in order to use bandwidth efficiently and IIS 7.0 also supports bandwidth throttling,
Caching often provides the biggest performance improvement for Web sites, and IIS provides built-in output caching and object caching that can automatically detect when the underlying database has changed. Apache administrators will find that these IIS 7.0 features are similar in functionality to the caching modules that they typically use with Apache.
Setup and Maintenance Costs
If you do your own cost comparisons, you’ll likely find that the total cost of IIS on Windows is the same or less than Apache on Linux.
Apache may be free software, but users should keep in mind that up-front cost is not the only type of price to be paid. Software vendors often market against free software by talking about the total cost of ownership.
I will give you an example, although Apache is free, it does not come with support. Organizations deal with this lack of support in two ways. One method involves paying for support though a Linux subscription such as Red Hat Enterprise Linux or Novell SUSE Linux Enterprise though this might be even more expensive than, Windows licensing.
Another alternative is to support Apache with internal expertise. This means getting highly skilled experts in order to Apache—in some regions these experts are hard to find. In contrast, Windows expertise is relatively common.
Apache records errors in a log file that includes information from the Apache HTTP server and additional information from the relevant modules. Apache also lets users control the amount of information logged, ranging from emergency issues only to verbose debugging information. If users need additional information, they can add such things as mod_log_forensic to capture entire requests.
IIS also logs errors, and Microsoft has focused on ensuring that IIS error messages are understandable and useful. IIS defaults to providing verbose error information on the localhost and a more generic message to remote users to ensure that security information is not remotely disclosed. Error information often includes suggested causes and solutions. IIS also provides Failed Request Tracing, which lets users capture entire requests. Failed Request Tracing lets you set the number of log files to keep, which URLs should be traced, and which response codes should generate a trace. Users can even specify that requests for certain URLs be captured only if those requests take over a certain amount of time to process.
Reliability
Like Apache, IIS has a number of features to help ensure reliable and available operation.
Apache administrators are familiar with using open-source projects like monit to restart Apache based on failed requests, CPU usage, or other factors. IIS also enables administrators to restart the process based on simple configuration options. IIS can monitor and recycle the process based on an apparent crash, elapsed time, total number of requests, amount of memory usage, or other factors. A controlled IIS process “recycle” should not result in any dropped requests.
Because apache is open source bugs are communicated and easily fixed, updates follow the bug fix and this has made apache more reliable.
Security
IIS includes a number of new security features. For example, IIS 7.0 isolates each Web site into its own “sandbox” to help prevent single-site exploits and failures from compromising other sites or the entire server. The IIS process, which executes requests from the web, run as a restricted user account by default, and does not require administrative privileges. To further protect the Web server, IIS 7.0 includes request filtering. Request filtering is a rules-based security module that inspects every incoming request for malicious request patterns, such as SQL injection attacks. This prevents some malicious requests from ever reaching the core Web server.
PHP applications
PHP is one of the most popular server side scripting languages running today. It is used for creating dynamic webpages that interact with the user offering customized information In addition to providing the basic infrastructure for running PHP applications, IIS-specific features are also available for those workloads. For example, you can use IIS authentication mechanisms such as NTLM that integrate with Active Directory. You can use the SQL Server driver for PHP. In addition, PHP applications get the benefit of IIS application pools and sandboxing. PHP also benefits from the performance that IIS Kernel Mode Caching offers. PHP and ASP.NET can be combined for quick development by leveraging certain functionality that ASP.NET provides out of the box, such as Forms Authentication.
Apache is designed so that other programs can be incorporated into it as part of itself, and PHP is designed so that it can be used this way. When the two programs are merged together, the things PHP can do become built-in features of Apache, and PHP is said to be a module of Apache, or an Apache module. While Apache is processing a file, the execution of PHP code to produce the result text is something that it now inherently knows how to do using only the code that’s been built into it.
“According to Netctaft’s Web Server Survey, the percentage of websites using Microsoft’s IIS is rapidly decreasing. Netcraft’s survey covers a total of more than 340 million websites. The percentage of websites using Microsoft IIS has decreased to such an extent that it is now at the level that it was before 1998. Within a one month period between May 2011 and June 2011, Microsoft IIS lost as many as 1.4 million host names while Apache gained 21 million host names. With the market share of Microsoft IIS down to around 16% only, Apache with a market share of around 65% is the only major web server software left.
Although both IIS and Apache are similar in features my take would be Linux and apache given the advantages of running Linux box as compared to windows. but then as a systems administrator you get to be answerable on the platform you pick in case of eventualities like the recent web hacking of government websites. What a tough choice? but then that is why we paid to do what we do.