Apache vs IIS
Apache vs IIS is the most painful descission that lots of people struggle to make. And very often they regret about the descission made. This question is not simple comparison of pros and cons of Apache and IIS. It is laso involves debates on methodology of testing and overall system aproach. For example, If you go for IIS then you have to use Windows, while if you decided to go for Apache Web Server you have a right to choose between Unix, Linux and even different versions Windows.
That means that it does not make sense to try to make independent comparision of Apache and IIS. You should think about the end result you want to achive by using any web server, otherwise you will lose yourself in enormous amount of questions. For example, if you go with IIS on Windows machine, then you will be vulnarable against both IIS and Windows bugs and vulnarabilities. If you go with Apache on Windows then it would be other combination of issues and vulnarabilities. And obviously if you go with Apache on Linux then it is completely different set. As an example, Linux never suffered from nasty worms viruses at all. That give assurance agaist such issues, but it had vulnarabilities in older versions of OpenSSL.
Same thing applies to performance. Running IIS6 you would need a descent box to make Windows 2003 happy. If you run small to medium web site that is an overkill. Same performance result (e.g. reqests served per second) could be achived on Celeron/P-III 1GHz box running Ubuntu server and Apache.
Also you do not need to pay for OS and other lisences if you go for Apache and Linux that saves you quite a lot of money, but what the downside of it?
All these proves the point that it is not quite simple to get the answer for Apache vs IIS question. Let do it either way around. Let answer the quiestion "What I what to achieve in the result?" and this will lead as to the tools we need to choose to meet the target. Actually, it is similar to making a descission on what tool you are going to you to plant a tree: I need to plant a tree. So, I need to dig a hole. The tree is very small, so the hole should be relatively small. I can use scoop, shovel, excavator, TNT or nuke. What should I use?" The answer is quite obvious, because you know benifits and disadvanteges of these tools applied to the current task. Same thing applies to choose a web server platform and application to do the job.
Web server meant to serve HTTP and HTTPS requests. Main issues assosiated with such a task are : performance, stability setup and maintenance costs. Let's take a closer look on them.
Performance depends on:
web server application performacne
IIS 6 has approximatly same performance as Apache 2. Differencies are very minor. This item might be excluded from consideration. On the same piece of hardware stadart installation of Windows and Linux with GUI (X-server) are overall default system performance is also relativly same, unless you start tweaking the system. This is when the difference comes.
overall system performance
The web server does not need GUI (Graphical User Interface) to serve HTTP / HTTPS requestes efficiently. GUI consuming most of system resources. GUI in this case is a kind of overkill like TNT for diffing small hole: it will do the job, but it is excessive. Windows can not run without GUI, while Linux not only can. That is we having same piece of harware Linux (no GUI) + Apache combinetion is much faster then Windows (GUI) + IIS6 or Windows (GUI) + Apache.
Windows and most of Windows applications are compiled to be compatible with any x86 32 bit Pentium processor. Linux (including kernel) and all applications (including Apache) could compiled to utilize all features of particular processor installed in the box. This also significantly increases the performance.
Apache Software Foundation is not supporting 64 bit technology on Windows. So you can not use Windows64 + Apache combination. On 64-bits systems the choise is between Windows + IIS6 or Linux + Apache. Please, note, that thre is no 64 bit version of PHP4 and PHP5. In order to run PHP under IIS6 on 64 bit platform you have to play a lot with 32-bit emulation of IIS6 and making sure that all php exentions are loaded and executed in 32-bit mode.
System cosidered to be stable if it does not have any outages or unexpected slowdowns. Both platforms (Windows and Linux) and products (IIS6 and Apache) are mature enough and do not have any slowdowns if properly configured. That leaves us only wiht outages. Outages might accure by :
Both system and products are stable unless ystems are shared and in use by other applications that might result in unstability. In this case Linux has an advantage, because all Windows application are effectivly kernel extentions. This means, that doggy application might kill the whole system. In linux applications are separate from kernel and it is very unlikely that the doggy application will have any effect on the kernel as such.
This is a long and argubale story. Here is some facts:
- Windows and IIS6 has proprietry code. That means that in case of any vulnarability found a user hs to wait and live with vulnarable system untill Microsoft will fix the issue and realse a fix. There is noone else in the world who migth help. And as practice shows it is long lasting thing. For example IIS6 still has a vulnarability that has no patch issued. Linux and Apache are opensource products. This means that everyone has access to the source code and as soon as vulnarability has been found everyone who has appropriate level of knowledge can fix it. It results in very short fixing time. It is also true that the fix would be reviewed by thousands and thousands of Linux users in the world instead of small group of people in Microsoft Q.A. team.
- In the worth case scenario of hacking web server application it is still possible to get full system access with the highest priviledges by hacking IIS6. At the end of the days IIS6 has to run as process under LocalUser account. And noone can do anything about it. However, in the case of right system setup hacking Apache on Linux would result in access to the system very limited account that can not do anything accept running Apache.
- Apache 2 had more vulnarabilities then ISS6. However, IIS6 has more critical vulnarabilities that migth result of service falure or giving admin access to the hacker.
- Failure od Apache service on Linux won't effect system. All that is required to fix it is a small monitoring script that should restart Apache if it is not there. At the same ISS6 faulire might crash the kernel and kill the system.So monitoring script will not cover all the crashes, because it would die with the system and there is nothing to put it back.
- Is the case of sharing server resources with other applications you should think that there are enormous amounts of viruses written for Windows. That means you have to run antivirus software. This is an extra application that does not work to achive the target to serve HTTP / HTTPS requests, but sit in the system for unnessesury stablility reinforcment significantly consuming CPU and disk resources. Linux does not have any kind of system viruses and does not require any antivirus software. In fact there is no any system antivirus software at all, because there is no viruses to search for.
Costs could be divided into 3 major categories:
Windows setup costs include:
- more powerful hardware to run GUI and antivirus software
- Windows and IIS6 lisense for the server
Linux setup costs include:
- hardware only. It also should not be as powerfull as one for Windows to server same amount of requests.
- Optional Linux installation if you are looking for RedHat or Suse. But it is cheaper anyway and it is required only if you have some very specific requirements to go for commercial Linux release.
- maintenance costs
Windows maintenance costs include:
- Windows and IIS6 lisense for every developer and Q.A. engeneer box
Linux maintenance costs include:
- Optional commercial Linux support if you do not have in-home specialist. In this case you might significantly cut down or eliminate human resources costs
human resources costs
This applys to your system administrator slary or payments. Both systems able to download and install system and web server pathes (except Windows + Apache combination). So, once it is up and running it is unlikely requires any human intervention unless circumstancies change (load increase, attacks or hardware failure). It is easier and cheaper to find some Winodws administrator with little expirience, but it is not recommended. Lack of expirience in server administration usually results in extra costs and charges (e.g. support calls, ling downtimes, slowdown) or in the worth case you migth lose the system (successfull attack or inability to recover service after failure).
Expirienced system adminitrator costs aproximatly the same for both platforms. That means that both systems has same human resources costs. However, if you already have an administrator with expirience for some system it might be much cheaper to choose the system that fits his knowledge than hire another one.
As you see there are lot os pros and cons. And it really depends on you situation and budget.