September 9, 2003
IIS vs. Apache, Looking Beyond the Rhetoric
By Martin Brown
For some time, Apache and
Microsoft have commanded the lion's share of the Web server market. While
Apache is the clear-cut winner in the Netcraft and Security Space monthly
surveys, Internet Information Server dominates among Fortune 1000 enterprises.
Both are viable choices,
and each carries its own set of pros and cons.
With Apache 2.0 in
production release since mid-2002 and IIS 6.0 shipping since earlier this year,
we've decided the time has come to run a feature-by-feature comparison of the
two servers to help readers better determine which server suits their needs.
IIS has been an optional
component of the Windows Server operating systems since Windows NT 4.0. Back
then, this was a basic Web server in the form of IIS 3.0. An Option Pack,
released shortly after Windows NT 4.0 was released, included IIS 4.0 and was
the first "real" version of IIS to be used heavily as a Web server
platform.
IIS 5.0 was included in
Windows 2000 in both the server and desktop versions, and the updated version,
IIS 5.1, is incorporated into Windows XP. The changes between IIS 4 and IIS 5
are fairly minor.
Windows Server 2003
includes the new IIS 6.0, which is an almost complete rewrite from the previous
editions. It sports a new execution model, better management facilities, and
significantly increased performance.
Apache, on the other
hand, has an older heritage, having been originally based on the httpd code
that some would argue started the entire Web revolution in the first place.
Apache 1.3.x, which was the production version until 2002, was a largely Unix
product that used a number of tricks to enable it to execute within other
operating systems, including Windows.
The production release of
Apache 2.0 hit the shelves in 2002. The new release incorporated a brand-new
execution environment that separated the core functionality of the Apache
system from the system that actually supported and processed requests. Apache
2.0 is now supported under a wide array of potential operating systems,
including all versions of Windows, Linux, Unix, and Mac OS X, in addition to an
array of nonmainstream OSs, like BeOS and VMS.
IIS and Apache operate
very differently and thus have a variety of advantages and disadvantages. IIS is
obviously designed and available to work only within the Windows environment.
With IIS 6.0, the only platform currently supported is Windows Server 2003.
Although this limits the deployment platforms for IIS-based Web services, it
also provides a number of benefits, including greater cooperation with the host
operating system and easier management and control through a variety of
standard OS tools and utilities.
In IIS 6.0, the
cooperation between the operating system and the server is greater than ever.
In a change to previous versions, the component that accepts requests from
clients and processes them is now two separate components. The kernel mode
listener, HTTP.sys, listens and accepts requests from clients, placing the
requests into one or more request queues. IIS then processes the requests in
these queues using at least one worker process to control the execution of the
individual requests and applications.
This separate process
allows requests to be accepted even when IIS worker processes aren't
technically running, and also enables finer control on the worker processes
that handle requests. Thus, the admin (or the server, automatically) can
recycle requests to recover from extension and application failures that would
have previously required a shutdown/restart of the IIS service or, in extreme
cases, a reboot of the entire server.
Apache 2.0 was a major
rewrite from the previous versions. Among the many changes, the Web server is
now directly available on a variety of platforms, including Windows. The
redesign enables it to support a wide array of platforms in more efficient ways
that lead to Unix- and Windows-specific execution models that make the best use
of the OS.
The core of the system is
the Apache Portable Runtime (APR), which enables the Apache core to run on more
or less any system with a C compiler. A number of multi-processing modules
(MPMs) then provide the support for actually accepting and processing requests.
Under Unix, this can be the traditional "forked" model or a newer
threaded model making use of the threading built into most modern kernels.
Under Windows, this also uses a threaded model, which in some respects is
similar to the threaded model used by the worker processes within IIS 6.0.
| Feature | IIS | Apache |
|---|---|---|
| Independent Request Handler | Yes | Yes (limited) |
| Multiple Process Request Handlers | Yes | Yes |
| Thread Support | Yes | Yes (on a suitable OS) |
The primary dynamic
environment for development within IIS is Active Server Pages. This is a
generic term for a solution that allows code to be embedded into HTML pages.
These ASP pages are parsed by the server before being supplied to the client as
HTML. The ASP system allows developers to work in a number of different
languages, including Visual Basic, VBScript, JavaScript, Java, and C/C++, along
with other open source alternatives, such as Perl and Python. In addition, IIS
continues to support traditional CGI methods along with its own suite of
filtering and execution systems in the form of ISAPI filters.
Apache is also designed
to work with a wide range of languages, either via the CGI model, or through
the use of dynamic modules by directly incorporating the language interpreter
into the Apache environment. This significantly speeds up the execution of
dynamic components for languages like PHP, Perl, and Python.
Both systems support the
Java Server Pages model, and it's possible to migrate most JSP applications
between the two platforms with few changes. Other languages can achieve this
with varying results. Even ASP can be supported under Unix through the
ChilliSoft ASP component (www.chillisoft.com),
through the Apache::ASP module, or the Apache modmono module (http://apacheworld.org/modmono/).
One element that
currently cannot be emulated under Unix is the Microsoft .NET environment. IIS
6.0 and Windows Server 2003 make heavy use of, and provide excellent levels of
integration with, the .NET Framework.
| Feature | IIS | Apache |
|---|---|---|
| ASP | Yes | With Chilisoft, Apache::ASP, or modmono |
| CGI | Yes | Yes |
| Perl | Yes | Yes |
| Python | Yes | Yes |
| PHP | Yes | Yes |
| JSP | Yes | Yes |
| .NET Integrated | Yes | No |
IIS benefits from close
integration with the operating system. The same user and group configuration
system that powers the main authorization system within Windows also provides
security and authentication services for the main IIS system. It reduces the
management overhead by supporting only one system, and enables the sys admin to
automatically log in users through an intranet, assuming they are already
authenticated within the Windows environment.
Because the same system
is used throughout the OS, it can also be used to define security and access to
different components of the file system on which the Web site relies. For
example, when a user logs on to the Web site, his ability to browse the directories
within the site is defined by one set of user and group structures.
Apache's security and
administration system is not this well-integrated with the OSs it supports.
Although there are modules and adaptors that support a variety of different
authentication and security sources, including Active Directory, the Unix
passwd file, and LDAP servers, the resulting server is relatively isolated from
the system it supports. For example, when a user authenticates against the Unix
passwd file, Apache still ignores the file permissions on the underlying file
system.
In terms of secure
transactions, both systems support encryption technology in SSL, and can be
used with IPSec implementations and IPv6.
| Feature | IIS | Apache |
|---|---|---|
| Secure Login | Yes | Yes |
| SSL | Yes | Yes |
| Basic Authentication | Yes | Yes |
| Digest Authentication | Yes | Yes |
| LDAP Authentication | Yes | Yes |
| Active Directory Authentication | Yes | Only with third-party modules |
| Passport Authentication | Yes | No |
Gauging performance is
always difficult because no matter how identical the systems to be tested are,
minute changes in their configurations can have a dramatic effect on
performance. It is possible to pick a "winner" based on bare-bones
installations of both systems on the same hardware, but this doesn't really reflect
the true performance capabilities of a system in the field. It's equally
possible to configure one Apache and one IIS system to be either over- or
under-efficient, again skewing the potential results.
Instead it's better to
look at the potential capabilities of each system. IIS incorporates a wide
range of features designed to improve performance. The worker process execution
model provides significant performance benefits on multiprocessor machines, and
the ASP and ISAPI extensions enable applications to be executed directly from
within the processes handling the requests. The kernel mode driver, HTTP.sys,
is also capable of serving pages directly from the cache (memory or disk) for
both static and dynamic components, eliminating the need to send the request to
a worker process. IIS automatically caches pages generated from dynamic
elements to speed up responses.
Under Apache, the same
range of facilities is present. Much information can be cached, and tools like
mod_perl and mod_php enable the execution of dynamic and template pages almost
as quickly as static pages. Like ASP and ISAPI filters under IIS, the modules
effectively place the interpreter directly within the Apache executable,
eliminating the need to run an external application and greatly improving
performance.
| Feature | IIS | Apache |
|---|---|---|
| In-Memory Cache | Yes | Yes |
| On Disk Cache | Yes | Yes, with mod_file_cache |
| Built-In Execution support | Yes, with a suitable ISAPI filter | Yes, with suitable modules |
| Cached Execution support | Yes, with ASP/ASP.NET | Yes, with mod_perl and others |
The two systems differ
radically when it comes to management. The only method of administering Apache
is through a simple text-based configuration file. Although a variety of
command line, Web, and GUI interface tools are available, they all rely on the
central text file to actually update the configuration. Comanche, for
example, provides a full interface to the Apache system. A list of alternative
GUIs, both stand-alone and Web-based, is online at gui.apache.org.
Using a text file this
way has its advantages; it's easy to share configuration information between
machines by copying the relevant content from the text file. The primary
disadvantage is that it's relatively easy to corrupt the file and therefore
upset the configuration. Without a "soft" restart, Apache cannot
update its configuration, so before restarting Apache the admin must ensure the
configuration file is working. This can be achieved using a built-in testing
mechanism.
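
The check-then-restart routine described above, sketched as an added example (not code from the original article): the candidate file is swapped in, validated with `apachectl configtest`, and rolled back if the check fails, so a corrupted file never reaches the running server. The `deploy_conf` helper name and all file paths are assumptions for illustration.

```sh
#!/bin/sh
# Added example: validate an Apache config before a graceful restart.
# APACHECTL and all file paths are assumptions; adjust for the local install.
APACHECTL="${APACHECTL:-apachectl}"

# deploy_conf CANDIDATE LIVE
#   0 = candidate installed and server gracefully restarted
#   1 = candidate rejected or restart failed; previous LIVE file restored
#   2 = usage or I/O error
deploy_conf() {
    candidate=$1
    live=$2
    [ -r "$candidate" ] && [ -f "$live" ] || return 2

    backup="$live.bak.$$"
    cp -p "$live" "$backup" || return 2

    # Swap the candidate in so configtest checks the file Apache will load.
    if ! cp "$candidate" "$live"; then
        mv "$backup" "$live"
        return 2
    fi

    # "apachectl configtest" parses the configuration and exits non-zero
    # on a syntax error, without touching the running server.
    if ! "$APACHECTL" configtest >/dev/null 2>&1; then
        mv "$backup" "$live"      # restore the known-good file
        return 1
    fi

    # Syntax is valid: a graceful restart re-reads the configuration while
    # letting requests already in progress finish.
    if ! "$APACHECTL" graceful; then
        mv "$backup" "$live"
        return 1
    fi
    rm -f "$backup"
    return 0
}

# Usage (hypothetical paths):
#   deploy_conf /tmp/httpd.conf.new /usr/local/apache2/conf/httpd.conf
```
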
IIS, on the other hand,
offers a number of different interfaces to modify the configuration of the
system. Although the underlying configuration is primarily stored in an
XML-based text file, the IIS system enables the admin to change the configuration
and the underlying file while the system is still running. Because the file is
XML, it has a more rigid structure, yet is still flexible enough to support the
different configuration options. For remote support, Windows Server 2003 also
incorporates a telnet server, which keeps the XML Metabase modifiable and
allows the use of various command-line tools for remote server management.
The various editing
interfaces include a GUI-based interface through the Microsoft Management
Console, a Web-based administration system, and a suite of command line tools
for adding, updating, and configuring different components. Admins can also
edit the XML file live and have saved changes automatically reflected within
the IIS system. The XML format also makes it easy to export and import
configuration information between machines to share configuration details.
System for system, there
is not a huge amount to compare. The MMC within IIS provides a consistent and
distributed interface for updating the configuration across a wide range of
machines. However, Web-based administration tools, like Webmin, or dedicated
GUI tools, like Comanche, can provide the same functionality.
| Feature | IIS | Apache |
|---|---|---|
| Text File Configuration | Yes, through XML Metabase | Yes |
| Command Line Management | Yes | Limited |
| Remote CLI | Yes | Yes |
| Web-Based Management | Yes | Yes, through Webmin and others |
| GUI-Based Management | Yes | Yes, through Comanche and others |
This last comparison is
probably the most contentious when comparing IIS and Apache. Based on this
writer's experience, there's very little differentiation between the most
recent versions of both applications. In the lab, a Windows Server 2003 box has
been running a Web site since January 2003 (when the system was installed) --
almost eight months solid at press time. All necessary updates have been
applied without restarting the server. By comparison, the Apache/Solaris 8
machine next to it has been running for 335 days without issue.
IIS 6.0 now provides
extensive management and control systems over the worker processes that control
most requests. To improve the reliability, IIS can also compartmentalize
applications, giving them their own memory and execution space, or using a
space shared with other applications. This means that when an application
causes a problem, it dies within the worker process and doesn't affect any of
the other applications or the request processing core in the process.
Apache automatically
handles much of the process and thread management aspects, but memory and
application isolation is still an issue that has not been effectively resolved
or covered. Apache avoids some of the problems by automatically recycling
components, with the core continuing to run even in the event of a serious
failure in one of the components. There are still situations, however, where
Apache may need to be restarted.
One example of this is
the configuration of the Apache system itself. For a Web site running from an
IIS-based server, most updates and improvements will have no effect on users'
ability to access them because the configuration changes are made while the
system is still running. Apache, however, requires a notional restart.
That said, the use of
.htaccess within Apache means many items that normally need modification
through the course of a Web site's life can be handled dynamically.
| Feature | IIS | Apache |
|---|---|---|
| Process/Thread Management | Yes | Yes |
| Isolated Applications | Yes | Limited |
| Live Configuration Editing | Yes | No |
Despite the array of
differences between the two systems, choosing between them comes down to the
needs and requirements of the organization and, to a lesser extent, the
personal needs and preferences of those using it. For example, many developers
prefer to work in Perl in a Unix-based Apache environment, even though Perl and
Apache are available under Windows, and Perl is supported separately under IIS.
If server management is a
prime concern, then the extensive management capabilities of IIS may be the way
to go. The security aspect and integration with Active Directory, and therefore
the rest of the security mechanisms, is also a major benefit.
However, it's important not to ignore the cost of deployment issue. Apache is free, and can be installed on OSs like Linux that are also free. IIS is available only as part of Windows Server 2003. Although a new Windows Server 2003, Web Edition is available at a significant discount compared to its Standard Edition cousin, it is still, at least on the surface, more expensive than Apache.