At work we need a web server. Traditionally we have used IIS since we are almost 100% MS Based (besides a few G4's). It's time for a new webserver and I reccomended we use apache and linux rather than all MS software. The decision is still up in the air with the guys in charge, so my question to you guys is, what are the pros and cons of both? Obviously there is price and open vs. closed source. Other than these factors, which performs better, and which is more powerful in your guy's opinions? Does IIS have virtual hosts yet?

Ya, IIS6 has support for Virtual Hosts

I have the same arguments at my work. They are die hard, suicidal MS users. Even with Apache running over 60% of the worlds web sites...

Last week I was asked to get an apache server running with the Tomcat hook for Java (on Windows), So I did. It took me a couple days to figure out the jk2 module hook, but I got it and it worked great...then as soon as I had it working they decided they wanted it on IIS :rolleyes:
A week later I'm still trying to figure out how IIS hooks into it! All the documentation for IIS and Tomcat just right out sucks (even the apache tomcat on windows docs was awful!)

I'm sure the main problem I'm having is working with Windows IIS since I don't know or understand it very well (and don't want to!). But at least I understand Apache and can work with it.

Honestly, for ease of use, Apache wins hands down. IIS 'tries' to be easy, but that made it complicated and difficult to configure, for me at least.

Plus if you look around the web there are plenty of benchmark tests that show that Apache can handle load better then IIS, is faster to serve multiple pages simutaniously and doesn't cause the OS to crash when overloaded ;)
(I made that crash bit up, I don't know if it's true :D)

Thanks for the feedback! Just one more question, how are each in regards to security? This is the main issue that I should have put in my origional post. Pretty much, as I'm sure you've guessed, the more secure, the better.

I guess the general consensus (here at least) is that: "Running any webservices on MS products is like dropping your bar of soap on purpose in a prison shower..."

Anyway, keeping any server up to date at all times is the obvious part, but you will probably find that the IIS servers are more prone/vulnerable to malicious attacks.

Cheers :)

I agree with Choozo, it all depends on how active you are with keeping the latest patches and how well the security is managed. It's easy to make Linux and Windows secure, but it's even easier to let it go and not patch when new exploits become known...

A good administraitor knows these things and knows how to keep things running well.

Deciding on the webserver platform first is a big mistake. It's one that is made a lot.
It's far more important to identify what the webserver will be used for.
Simple web pages, Dynamic web pages, serving web interfaces for shrink wrapped applicatios, serving web bages for internally developed web pages. Security control(single sign-on) for desktop access, etc. Is the .NET framework mess going to be involved?

Then theres the whole database aspect also.

Making a decision after taking the intended use into account will make it much easier to decide.

Good Luck,

Originally posted by JoeyJoeJo
Thanks for the feedback! Just one more question, how are each in regards to security? This is the main issue that I should have put in my origional post. Pretty much, as I'm sure you've guessed, the more secure, the better.

I guess I should show you my apache log. Every day somebody (script kiddie or zombie) attempts an IIS exploit on my Linux/Apache server. I'm just now starting to drop their packets with iptables. I actually crashed my dad's work's IIS server once to prove that it sucks. IIS has the security record of a typical Microsoft product.

That was an interesting remark about the almost daily attempts to exploit IIS. This server will mainly be used to serve a basic web page written in mainly HTML with some javascript.

Originally posted by JoeyJoeJo
That was an interesting remark about the almost daily attempts to exploit IIS. He's not the only one. Starting late last night, in my access_log:

68.79.29.44 - - [29/May/2004:23:52:02 -0400] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1 <snip much, more hex-encoded shellcode meant to overrun an internal IIS WebDAV-related buffer>

<...>

68.76.189.179 - - [30/May/2004:03:26:06 -0400] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1 <again, much much more shellcode>

<...>

64.166.156.106 - - [30/May/2004:06:17:38 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 214
64.166.156.106 - - [30/May/2004:06:17:39 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 212
64.166.156.106 - - [30/May/2004:06:17:39 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 222
<snip more attempted exploits of Nimda>

<...>

219.95.221.65 - - [30/May/2004:08:17:50 -0400] <the same WebDAV exploit>

<...>

68.10.170.147 - - [30/May/2004:12:12:03 -0400] <the last WebDAV exploit so far> Of course, it's also instructive to look at error_log:

[Sat May 29 23:52:02 2004] [error] [client 68.79.29.44] request failed: URI too long (longer than 8190)
[Sun May 30 03:26:06 2004] [error] [client 68.76.189.179] request failed: URI too long (longer than 8190)

<...>

[Sun May 30 06:17:38 2004] [error] [client 64.166.156.106] File does not exist: /var/www/htdocs/scripts
[Sun May 30 06:17:39 2004] [error] [client 64.166.156.106] File does not exist: /var/www/htdocs/MSADC
<snip more Nimda>

[Sun May 30 08:17:50 2004] [error] [client 219.95.221.65] request failed: URI too long (longer than 8190)
[Sun May 30 12:12:03 2004] [error] [client 68.10.170.147] request failed: URI too long (longer than 8190) The really dumb thing is, at least 2 of these machines are in close proximity to mine (judging by the IP address that their ISP handed out to them, anyway -- mine is currently in the 68.79 range).

I believe IIS is configured to be on by default on XP also, and if I'm right, that doesn't help either.

Originally posted by teeitup
Deciding on the webserver platform first is a big mistake. It's one that is made a lot.
It's far more important to identify what the webserver will be used for.
Simple web pages, Dynamic web pages, serving web interfaces for shrink wrapped applicatios, serving web bages for internally developed web pages. Security control(single sign-on) for desktop access, etc. Is the .NET framework mess going to be involved?

Then theres the whole database aspect also.

Making a decision after taking the intended use into account will make it much easier to decide.

Good Luck,

I agree with teeitup although I would put more emphasis on the db aspect rather than the code. Most code types have decent support under Apache (haven't tried the DOTNET support under Apache yet though (mono))

can't be that bad, if sites like microsoft uses IIS, it only got hacked a few times a month after it switched from BSD to windows
http://news.com.com/2100-1001-247716.html?legacy=cnet
http://arstechnica.com/news/posts/1085431607.html

Only a few times a month, huh. Wow, that increases my opinion of it immeasurably! :rolleyes:

Why is it that "only a few times a month" is even acceptable? How about never? How about the crack rates of sites that run Apache (i.e., almost never)?

Originally posted by bwkaz
Only a few times a month, huh. Wow, that increases my opinion of it immeasurably! :rolleyes:

Why is it that "only a few times a month" is even acceptable? How about never? How about the crack rates of sites that run Apache (i.e., almost never)?

sarcasm does not relate well in ascii