What to look for in a Web server
We compare Apache, NCSA httpd, and Netscape Web servers
The boom of the Web extends far beyond the rising sea of information available to Web surfers. If it weren't for Web server software, there'd be no sea at all. New Web servers are cropping up everywhere -- just watch the list in Netcraft's monthly survey grow. As of this writing, the list tops 275. In this review, we concentrate on installation and management issues surrounding Apache, NCSA httpd, and Netsite Web servers. This story is also heavy on the resources. In addition to a comprehensive list of URLs at the end of this review, we include three extensive sidebars on Web server resources, Web server maintenance rules of thumb, and other tips for Web servers. (3,300 words)
So, you're in charge of a SPARCstation and have been asked to set it up as a Web server. What software should you use? Given the plethora of Web server software available, how do you decide? What's easiest to install? What features are important? Is free software really a bargain? In this review, we'll attempt to shed some light on these questions and get you started. We avoided comparing performance, since many others have covered this topic in depth elsewhere (see the Resources section at the end of this review) and instead focused on more subjective aspects to Web server use. We'll look at three of the most popular Web servers today: Apache, NCSA httpd, and the Netscape Commerce server (Netsite).
According to Netcraft, Apache is the most popular and fastest-growing server in use on the Web. NCSA and Netsite fall behind, respectively at second and third. We installed them all and did a little digging to find out why. What do we recommend? Well, that depends. If you've got money and disk space to spare, and fear the Unix command line, Netscape provides a quick and convenient Web server fix. However, if you're willing to invest a little time and want excellent support from the best minds in the industry, Apache is the clear winner.
Though Netsite has the allure of shrink wrap, a graphical interface, and a telephone number you can call for help (at a price), we found that Web server beauty lies deeper than the packaging. Apache, a mere 2 megabytes and $0 to Netsite's 62 megabytes(!) and $995 price tag, offers all the most important features, including Secure Sockets Layer support for those wanting to do online commerce. Apache and NCSA both have freely available source code, and Apache seems to have the best support of the three. Perhaps most importantly, Apache has some benefits that put it far ahead of the pack: a modular architecture, easy-to-read source code that allows easy customization with an attitude of openness to new ideas in server technology, and the support of a volunteer team of developers dedicated to creating the most advanced server available -- making the information accessible while keeping it free.
NCSA httpd was born back in mid-1993. The idea, according to the program's original author, Rob McCool, was "to make a server that, unlike the CERN server, was small, compact, and easy to understand." But in early 1995, when it was the most popular Web server in use, NCSA httpd 1.3 was discovered to have a major security hole (which has since been fixed). Around this time, a group of developers, concerned that httpd didn't behave the way they wanted and worried that the NCSA httpd license might not remain in the public domain, got together to create Apache. Apache was developed from the NCSA 1.3 code and some patch files, hence the name. Since then it has been rewritten from scratch by its group of all-volunteer developers. Netsite meanwhile started development before Apache and was released in early 1995. It is the only commercial product of the trio we tested.
Downloading & installation
Our review was performed remotely via a 28.8K modem connected to a SPARCstation 2 clone running Solaris 2.4 and equipped with a one-gigabyte hard drive and a puny 20 megabytes of RAM. While this is far from modern hardware, our review focused on installation and management issues and not on performance. The versions we reviewed are Apache 1.0.3, NCSA 1.5c, and Netscape Commerce Server 1.12.
Unfortunately for us, Netsite's test version was only available for download via HTTP. Because we had a remote connection to our test machine, we had to download the 17-megabyte tar file to our local PC first, then transfer it to the test machine via ftp. With data bits squeezing through our 28.8K modem, the process took the entire evening. Fortunately for people who purchase the product, Netscape provides a CD-ROM. Downloading the other two products was quick and simple.
NCSA's precompiled binary was available via HTTP using the "OneStep HTTPd downloader," an HTML form that asks the basic configuration directives necessary to get the program up and running, incorporates your data into the config files, then gives you a custom program. The tar file of the NCSA binary we downloaded was a mere 1.2 megabytes in size, so our remote connection wasn't an issue.
Apache's source code is available via ftp from it Web site, and the 800 kilobyte tar file downloaded without a hitch.
Installation proved to be a bit more interesting. Prior to this review, we had fairly sparse knowledge regarding installation of Web servers, and expected it would be difficult. Netscape's Web site hails its server products above shareware server products because of their "ease and installation and maintenance," but this review taught us that even from the command line, Web server installation is pretty simple. A rudimentary knowledge of Unix is all that's required to perform the basics.
With files uncompressed and telnet connection in place, we set out on our adventure.
Since we were more familiar with Netsite and felt reassured that we could take refuge in its GUI interface, we installed it first. The process was simple, but we did encounter one minor glitch. Our first attempt to run the installation script resulted in the following error message:
Can't start the installation server. The output was: ld.so.1: bin/ns-admin: warning: /usr/4lib/libc.so.1.8 has older revision than expected 9
According to our system administrator, that is usually a harmless
warning, but in this case it prevented us from installing the software.
So, we copied over the
/usr/4lib directory from one of our
machines running Solaris 2.5, and went on our way.
The script asked us for our machine's full name, told us to do the rest via a Web browser, and asked whether we wanted to perform the configuration remotely or locally. It then directed us to a URL on our machine from which we were to continue the installation and configuration. We fired up the Web browser on our PC, input the URL, which was a temporarily open port on our server, and filled out a series of HTML forms. The questions on the form were stated clearly, and brief explanations illuminated each configuration option.
Because the NCSA configuration and download process had been so simple, we felt a bit cocky. Upon inspection of the online installation documentation, it looked like we were ready to go. So, at our Unix command line, we ran the server's come-hither OneStep start-up shell script and were rebuffed by the following error message:
httpd: could not open server config. file /usr/local/etc/httpd/conf/httpd.conf fopen: No such file or directory
Though we had specified our server root as something else when we filled out the initial configuration form (we were using another, larger drive), it appeared, by examining the httpd.conf file, that the server was looking for the configuration files in NCSA's default directory. We looked more closely at the documentation and tried what it suggested -- specifying an initial default directory in the command line. This seemed to work, but gave us a new error:
httpd: cannot determine local host name. Use ServerName to set it manually.
It appeared the fork-tongued OneStep downloader required, in fact, several steps. So, with the trusty vi editor, we forayed into NCSA's configuration files. In the httpd.conf file, we added our server's host name where instructed, ran the start-up shell script again, and voila! Our HTML documents were available for the masses.
Installation of Apache 1.03 was only slightly more complicated than the others. This was due mostly to our lack of experience compiling source code, and to the fact that our machine lacked a C compiler.
Once system administrator installed gcc, a freely available and popular C compiler, Apache compiled cleanly. We then edited the three configuration files by hand. All three files -- httpd.conf, access.conf, and srm.conf -- were quite similar to those of NCSA, so we thought by this time we had figured out what to do. Well, almost. We input the start-up command, and all appeared to be well. However, our attempts to access the server with our browser failed. Upon examination of the error log files, we discovered the following line:
unable to set group idThis was the result of our own neglect -- we needed to set the group id in the httpd.conf file. We were slightly perplexed that Apache didn't have nobody as the default group id. But we changed httpd.conf, and Apache was up and serving.
Maintenance & features
Care and feeding is fairly simple with all three products. Though Netsite provides the convenience of a graphical interface, the comments in Apache's and NCSA's configuration files are extremely clear. We found editing them by hand to be good for the soul, and it gave us a clearer picture of what we were doing. For some basics ideas about server maintenance, have a look at our sidebar Web server maintenance rules of thumb. Log file rotation in all three products is simply a matter of moving the old log file and restarting the server. Netsite comes with a log-analysis program called analyze. Our sidebar, Tips for Web servers, has pointers to many other log-analysis tools for use with all of these servers. Another nice feature of Netsite is its real-time performance measurement tool, which breaks down different areas of server usage. Netsite reportedly works hand-in-glove with Netscape's other servers (including mail, news, cache, and commerce) though we didn't look at these since they are outside the scope of this review. All three servers offer virtual host support, a standard feature that lets the server handle multiple IP addresses. Our Tips for Web servers lists several online tutorials about virtual hosting. NCSA was first of the three to implement the keep-alive feature of HTTP 1.1, which allows compatible browsers to send multiple requests over one open connection with the server, doubling or tripling the number of accesses per second. Keep-alive is available in Apache 1.1 and Netscape's 2.0 servers (both in beta as we write this in mid-April). Netsite's features can be expanded through Netscape's NSAPI. We weren't able to try it out for this review, but a little lurking on comp.infosystems.www.servers.unix revealed some comments about the irony of uninspired documentation of a supported product. We conducted no performance tests, but Spyglass did a few benchmarks highlighting their own server, which mention all three of these products. These are available at Spyglass' Web site (see Resources below for all URL information). As far as we could tell, NCSA lagged a bit behind in speed of document service. In its marketing literature, Netscape claims superior benchmark results in its latest batch of http servers, a metric we'll refrain from reporting until SPEC, a benchmark standards group, settles on a universally accepted Web server benchmark.
Both Netsite and the SSL version of Apache support the Secure Sockets Layer, a method of server authentication that uses RSA public key cryptography. (Apache-SSL is freely available from A.L. Digital, Ltd. in London and Community Connexion in the U.S.) All three products allow password authentication and access restriction by domain name or IP address. Again, check our sidebar Tips for Web servers for pointers to user authentication tutorials on the Web. Netsite has added authentication for HTTP Put to its 2.0 servers, a feature unavailable in Apache or NCSA.
Documentation & support
Apache's online installation notes and documentation are good. More noteworthy, however, is the excellent support found on comp.infosystems.www.servers.unix, where many of the Apache development team, as well as assorted other httpd gurus, spend too much time. The information shared there is among the most valuable and helpful we've seen. Third-party support is also available from a number of companies. Netsite comes with one rather flimsy, general manual, plus a brief programmers guide to cgi and API writing. Phone and e-mail support is free for 90 days, after which you must purchase a support contract. (Go to Resources below to find the URL for an online FAQ and technical notes). Netscape also sports a newsgroup for server questions and information (see Resources). NCSA's httpd documentation is available online only. For questions not answered there, NCSA httpd HyperNews threaded discussion is frequented by NCSA guru-types who gladly answer questions (see Resouces).
Netscape recommends a configuration of at least 32 megabytes of RAM, 500 megabyte disk space, and a processor speed of 100-MHz or faster. Apache and NCSA make no recommendations, but we think those requirements are sane for reasonable service. We were amazed by Netsite's girth: The unpacked size of our Netsite directory was 62.85 megabytes, due to the various libraries, icons, and extras. Apache and NCSA were specks of dust by comparison, using a paltry 2 megabytes each. Apache used the least RAM per instance: 333 kilobytes. NCSA was second with 444 kilobytes, and Netsite came in at 548 kilobytes. Netscape's Web site says instance size will vary from about 200 to 500 kilobytes. Our performance columnist, Adrian Cockcroft, for example, used a special tool to measure the unshared RAM usage for Netsite and came up with 440 kilobytes. For information about optimizing your Web server's RAM usage per instance, see Cockcroft's performance column this month. The servers mentioned here are available from their vendors' respective Web sites. For more information about these and other servers, we've prepared some pointers to other reviews, feature comparisons, and lists of servers in the sidebars below.
If you have technical problems with this magazine, contact firstname.lastname@example.org
Scan your access and error log files regularly. Signs of suspicious activity might involve system commands (rm, login, chmod, etc.) or repeated attempts to access a password-protected document. Extremely long URL requests can indicate an attempt to overrun a program's input buffer.
Log as little information as possible. Turn DNS lookup off and do lookups later with a script. Log referrer URLs sparingly, if you need to know the origin of a consistent bad file request in the error logs, for example. There are search engines that can tell you who's linking you, such as Digital's AltaVista
Watch the load of CGI programs and other scripts. These can hog CPU and slow down the server.
Use a .html file as your default document, rather than a .cgi file. Serving a CGI program requires two expensive system calls.
Turn off the server's hostname resolution. This can significantly reduce the load on your DNS or NIS server. If you're doing logfile analysis that requires domain names, do lookups later with a script.
For fast performance and fewer security holes, don't load up your Web server with other services such as Listserv/Majordomo, FTP, mail, IRC, and news. Check Chuck Musciano's February Webmaster column for further tips and a more detailed explanation of standalone vs. inetd.
Maintenance & performance
ifconfigthat allows Solaris to support multiple IP addresses per interface. ftp://ftp.fwi.uva.nl/pub/solaris/solaris2.html
NCSA has a good list of security-related links related to security on the Web at http://hoohoo.ncsa.uiuc.edu/security/
Peter Galvin & Hal Pomeranz detail the steps necessary to set up a secure Web server in their April SunWorld Online column at http://www.sunworld.com/swol-04-1996/swol-04-security.html
Yahoo keeps a hefty list of log analysis tools at http://www.yahoo.com/Computers/World_Wide_Web/HTTP/Servers/Log_Analysis_Tools/, as well as many links to CGI scripts and information http://www.yahoo.com/Computers_and_Internet/Internet/World_Wide_Web/ CGI___Common_Gateway_Interface/
Apache's documentation can be found at http://www.apache.org/docs/
NCSA's documentation is at http://hoohoo.ncsa.uiuc.edu/docs/
Netscape's server documentation is at http://home.netscape.com/assist/support/server/
If you can't find information elsewhere, Usenet is often the best source for answers. Some newsgroups that address the topic of Web servers are comp.infosystems.www.providers and comp.infosystems.www.servers.unix
About the author
Max Airborne is a San Francisco-based Webmaster and technology writer. She would like to extend her thanks to Erin O'Neill and David Burnette for their patient assistance. Reach Max at email@example.com.