Web Servers Review From the Network World Archive

Review

By Joel Snyder

07/31/95
     With the World-Wide Web taking off like a rocket, there's no need for 
anyone to be left on the launchpad. We looked at five enterprise-quality 
Web servers that can be used to open up corporate databases and distribute 
marketing and support information, and found some high-quality products 
that can meet the nonstop expectations of large organizations. 
     Commerce Server from Netscape Communications Corp. and WebSite from 
O'Reilly and Associates, Inc. stood out as the best general-purpose 
servers. Purveyor, from Process Software Corp., and WebStar, from Star-Nine 
Technologies (previouslyknown as MacHTTP from BIAP Systems), are more 
modest implementations that may be appropriate for smaller servers. 
NetPublisher, by Ameritech Library Services, fills a different niche, 
serving up large quantities of information with minimal setup. 
     Become a publisher
     After our experiences wrestling with public-domain Web servers, the 
level of professionalism in these products was a welcome (and astonishing) 
relief.
     None of the products took more than 10 minutes to get up and running. 
Some, such as O'Reilly's WebSite and Netscape's Commerce Server, have lots 
of configuration variables, all of which come with safe and well-documented 
defaults. Others are more "black box," installing with a minimum amount 
of fuss and making room for later configuration.
     Once we'd installed the software, our first task was to get some data 
onto the servers. All of the servers with the exception of NetPublisher 
used a traditional Web server model: HyperText Mark-up Language (HTML) 
files written by users stored in a directory on disk. HTML is the common 
syntax used to compose Web pages.
     Those four test servers, including the WebStar Macintosh server, were 
compatible with a tree of HTML files we got from an existing Web server.
     NetPublisher has a very different view of how to put information on 
the Web. It combines Web and Gopher servers with a publishing engine that 
automates the process of building tree-structured servers. To pre-sent 
information using NetPub-lisher, administrators build a hierarchical tree 
of document titles, giving bibliographic information such as author, title 
and document abstract. Each document title is linked to a text file. 
NetPublisher automatically generates Web pages as users navigate the 
publication's tree. NetPublisher also includes a Z39.50 server, the 
bibliographic information retrieval protocol used by libraries. 
     For users such as libraries and information kiosk designers, this 
structure is perfect. NetPub-lisher maintains complicated trees of 
information without muss or fuss and provides Gopher and Web clients with 
standard-looking documents. To add a pile of new information, it takes only 
a few clicks to make the entire site's structure change instantly, both 
from the Gopher and Web point of view. 
     Performance
     One strategic difference between public domain servers and commercial 
products should be performance. In theory, commercial servers should be 
able to handle high loads with reasonable response time.
     To validate that theory, we ran two sets of tests. We first asked for 
the same Web page 100 times in a row. We left the logging setting on so 
that each request would be logged by the server, a typical configuration 
choice. We also did a pretest on each server to load the domain name system 
(DNS) cache in order to give those servers that do a DNS query for each 
entry they log an opportunity to cache this information to maximize 
performance. If DNS deferral (a feature that defers DNS translation until 
the server is not busy) was available, we enabled it. To make this test as 
fair as possible, we ran Netscapes Commerce Server in clear-text, not 
en-crypted, mode. All NT servers were run on the same set of hardware and 
software. 
     The speediest server, by a wide margin, was Ameritech's NetPublisher, 
with an average latency of only 177 msec. Commerce Server and WebSite 
turned in almost identical performances at 376 and 377 msec, respectively, 
with Purveyor at 501 msec and WebStar giving quite poor performance at an 
average of 1,077 msec. WebStar actually performed worse than these numbers 
show because it refused about 10% of the connections under this "no-load" 
test, and we dropped those numbers from the statistics. 
     Once we established a baseline, we increased the load on the servers 
substantially. Each server was asked to serve the same page 1,000 times 
using 10 simultaneous connections. This load, although high, would not be 
unusual for a popular corporate server during peak usage. For servers that 
could be tuned for multiple connections, we selected a simultaneous 
connection value of 20, twice the intended test size, as more than adequate.
     The fastest on unloaded testing, NetPublisher, did downright poorly 
under load, with an average of 4099 msec. Netscape's Commerce Server did 
the best, responding to queries in an average of 471 msec. O'Reilly's 
WebSite also turned in an acceptable performance, slipping only to 592 
msec. Process' Purveyor and StarNine's WebStar both bit the dust under 
load, refusing some (Purveyor) or most (WebStar) connections. Because they 
were unable to complete the tests, no performance numbers were available.
     The urge to code
     If most Web sites look mind-numbingly similar, it's because the set of 
tools available in pure HTML are both few and blunt-edged. A Web site that 
provides only linked HTML documents may do a good job of spreading around 
simple information, but it fails to exploit the real promise of the Web. To 
build complex information systems on the Web requires programming: writing 
software that allows users with a Web client to run database queries, 
massage data or manipulate objects. Some Web servers make this task simple, 
while others complicate it beyond all reason.
     The common gateway interface (CGI) is the most common way for a Web 
server to interact with Web applications. Certain HTML commands will cause 
a Web server to call application programs running on the server. The 
interprocess communication between the Web server and the application 
typically uses the CGI, although there is nothing to keep a Web server from 
using a different interface. The CGI is invisible to the browser and is 
slightly different on all Web servers, but it is similar enough that most 
Web applications can be moved from server to server without a complete 
rewrite. 
     The best thought-out programming interfaces are built into Netscape's 
Commerce Server and O'Reilly's WebSite server. Process' Purveyor has a 
plain vanilla interface for programmers, while Ameritech's NetPublisher 
does not offer any documentation on its CGI - although a few sample 
programs, most of which have no source code, are provided as examples. 
StarNine's WebStar, on the Macintosh, encourages higher level programming 
environments such as AppleScript. 
     Netscape's Commerce Server includes a sophisticated application 
program interface (API) designed to let a Web programmer manipulate many 
aspects
of the server's behavior. Along with the standard CGI programming style, 
Commerce Server has hooks for programmers to handle authentication, 
security,
logging and other internal operational details. The Netscape API also 
supports the company's proposed extensions to HTML for more active 
participation of the server in pushing data out to the client. 
     Although Netscape's API is powerful, the documentation on what to do 
with it is thin. This reflects much of the philosophy of the Web, where 
most developers eagerly build on examples provided by someone else, even if 
they don't understand exactly what they're mimicking. Commercial use, 
though, requires a more thoughtful approach, such as what we found in 
WebSite. 
     WebSite has the greatest set of options for more standard programming 
interfaces. Along with a well-documented Windows CGI, WebSite allows 
designers to make use of a POSIX shell, the interpreted Perl language, and 
even old-style MS-DOS AUTOEXEC.BAT files and the MS-DOS 16-bit API.
     Almost 100 pages of documentation, along with sample programs covering 
everything from processing form data to interacting with Microsoft Access, 
made it easy for us to put together a few sample CGI programs. 
     Purveyor's documentation on CGI was limited to a scant page, although 
Process provided enough example programs to get us started. Similarly, 
NetPublisher simply mentions the fact that a CGI interface is supported, 
although no documentation other than on-line examples is included.
     StarNine's WebStar uses a completely different approach to Web 
programming. Its CGI-style interface talks to both AppleScript programs 
(the Macintosh version of a Unix shell script) and stand-alone 
applications. A small library of programming examples is provided. 
Documentation on WebStar's programming in- terface is adequate, although no 
hard copy is available; we had our choice of using the WebStar CD-ROM or an 
on-line version at StarNine's Web site. We understand the urge to keep 
things up-to-date, but a real set of documentation would have been nice. 
     Like Netscape's server, WebStar has an interface that allows control 
over the operation of the server. This interface uses AppleEvents, which 
allows remote program management of the server from anywhere in an 
AppleTalk network. 
     Managing the strands 
     Management, configuration and logging capabilities are part of what 
separates "playware" from operational-quality
Web servers. Management interfaces to these servers ranged from the amazing 
sophistication of Netscape's Commerce Server to the minimalist approach of 
Ameritech's NetPublisher. 
     NetPublisher offered a graphical user interface to its few functions 
but not much in the way of management capabilities besides a simple 
ever-growing log. Net-
Publisher also was only manageable from the local console on the Windows NT 
system. Process's Purveyor stepped up in management capabilities, at least 
giving us log files in a format compatible with several public-domain 
applications for statistical analysis and trend reporting. 
     O'Reilly's WebSite adds support for some remote management, along with 
a more sophisticated set of management and logging features. WebSite allows 
the Web manager to keep a rolling set of logs, cycling from file to file 
either locally or across a TCP/IP connection. It also offers an invaluable 
debugging log. 
     Finally, WebSite can be set up as a "multihome" server, which lets 
intrepid Web publishers have multiple HyperText Transfer Protocol (HTTP) 
servers that provide different documents depending on the TCP/IP address 
specified by a client. For example, a single server could pretend to be 
both acme.com and foobar.com, returning different pages depending on which 
domain name was in the URL. This aids companies that wish to target 
information at different audiences without having to use more than one 
server.
     StarNine's WebStar doesn't offer all of the logging and management 
flexibility of WebSite, but it does let administrators manage the server 
remotely, either using the built-in WebStar administration program or on a 
roll-your-own basis with Apple-Events. These management interfaces are a 
step up from the management of WebStar's progenitor, MacHTTP, which 
re-quired administrators to edit a configuration file to make changes in 
the behavior of the server. 
     Netscape has the most innovative management interface in its Commerce 
Server. Rather than build a GUI, its product simply sends HTTP out a 
special TCP port to a Netscape browser. The Web manager fires up a copy of 
Netscape Navigator (no other browser will work), points it at the 
management port, supplies authentication information and manages the entire 
server using Navigator. This helps explain some of the more esoteric 
features Netscape added to Navigator: they're needed to handle the more 
sophisticated server management functions. Using TCP/IP as a connection 
protocol also lets administrators manage a server from anywhere on the 
Internet. 
     Management of Commerce Server is completely undocumented on one hand 
and totally open on the other: You can see all of the scripts used to 
manage the server and build your own GUI-based management interface - if 
you can figure out what Netscape is doing. This is a truly impressive 
demonstration of the power of client/server technology. Netscape employs 
Navigator as a real management and monitoring tool. The management 
interface walks you through complex steps, such as generation of a public 
key certificate for secure operation of the server. Other simpler 
management functions, such as customizing logging, are not as well thought 
out in Commerce Server as they are in WebSite.
     Cyberspace security
     The original Web design called for a three-tiered security mechanism 
with security realms, user groups within realms and users within the 
groups. Servers also add TCP/IP-based security to augment users and groups, 
allowing network managers to limit user access to server functions based on 
TCP/IP address or host name. Not every server we looked at provides the 
same security management functions. 
     Ameritech's NetPublisher had the least flexible security, allowing 
only TCP/IP addresses as a discriminator between users. WebStar and 
Commerce Server added users and host names, but didn't include the 
capability to configure groups or separate security realms. Purveyor added 
support for groups, and WebSite had the best security configuration 
capabilities, letting us define users, groups, realms, TCP/IP addresses and 
host names.
     Netscape's Commerce Server includes Netscape's vaunted Secure Sockets 
Layer (SSL) protocol, a strong competitive advantage for Web designers who 
need server authentication (client authentication using SSL is not 
supported) and data privacy and integrity assurances. Using SSL and 
Netscape Navigator's SSL-compatible browser, a client can assure itself 
that the server is who it says it is and that data passed between the 
client and the server is both intact and immune from alteration. 
     Commerce Server's security does have a drawback: Either the server is 
encrypting data or it isn't. You can't serve up some information as plain 
text and provide other data in encrypted form. If you want to do that, you 
have to run two different servers on two different ports, which may be on 
the same machine. Netscape strongly suggests (and we concur) that you do 
that on two different machines, al-though the company grudgingly admits 
that you can do it all on the same machine if you want. 
     Other features
     A Web server that does little more than serve up HTML documents 
doesn't help the Web designer very much. Some servers, such as O'Reilly's 
WebSite and Process' Purveyor, have a wealth of features to give the 
designer a rich set of tools with which to build. Others, such as 
StarNine's WebStar and Netscape's Commerce Server, prefer to let the user 
community provide tools to extend the server. 
     NetPublisher's authoring ca-
pabilities are an excellent example of the kinds of built-in tools that 
these Web servers should be providing. Although many early adopters of Web 
technology feel quite comfortable hacking around in the depths of their 
servers, network managers buying server technology will appreciate all the 
help they can get. O'Reilly's WebSite also has WebView, a less ambitious 
authoring package, which lets the Web designer see all of the relationships 
between different Web documents. 
     Commerce Server comes with a basic feature called directory browsing, 
which lets the Web designer automatically publish an entire directory tree 
without having to explicitly build links and indices between them. Purveyor 
offers a similar feature, with WebSite taking the lead for a very 
sophisticated automatic directory browser. WebStar has a different view: 
Although they acknowledge the usefulness of directory browsing, the 
StarNine developers thought the security risks outweighed the benefits and 
declined to provide directory browsing using their server. 
     Searching full-text documents is a very useful and popular application 
for a Web server. O'Reilly's WebSite includes indexing and searching 
software, plus documentation on how to use it, as part of its base package. 
WebStar has built-in links to Apple's AppleSearch engine, a powerful 
full-text search system. NetPublisher doesn't offer full-text searching, 
but it does support (as an extra-cost option) the Z39.50 bibliographic 
information retrieval protocol as a way of searching for documents of 
interest. 
     Of course, the lack of a bundled search engine does not mean that 
users can't do full-text searches; it's just more work for the designer to 
find the right search applications and integrate them into the server. 
     Proxy service is yet another valuable feature available in some 
servers. It is technically a gateway function, not strictly related to Web 
service. To access proxy servers, users point their Web browsers at the 
proxy server as a gateway. The proxy server caches recently accessed 
documents in local storage. If two different clients request the same 
document via the proxy server, the second request is fulfilled from local 
storage instead of an additional retrieval over the Internet. Most popular 
browsers support the use of a proxy server as a gateway to the Web. 
     Although proxy servers are often thought of as a security feature, 
they're most valuable as a way to conserve precious network bandwidth. Any 
organization with more than a few dozen Web clients on its corporate LAN 
would be well served by the addition of a proxy server. Process' Purveyor 
includes a proxy server in the base product, while Netscape sells a proxy 
server as a separate product from their Web server. 
     Conclusions
     The two best all-around Web servers we looked at were O'Reilly's 
WebSite and Netscape's Commerce Server. WebSite had the greatest number of 
useful features and best documentation, while the Commerce Server offered 
the best opportunities for in-depth customization and secure data transfer. 
Both are packaged to help beginning Web managers and designers get started. 
O'Reilly has a definite price advantage, costing a third as much as 
Netscape's Communications Server, a lower end Web server without 
encryption, and a tenth as much as the Commerce Server. 
     While Process's Purveyor was adequate and its proxy server a big plus, 
skimpy documentation, unrealistic pricing, and some missing features push 
it to a distant third behind the other NT-based Web servers. Similarly, 
Ameritech's NetPublisher looks like a great idea for some markets, but the 
outrageously high price tag (almost 10 times the other products we looked 
at) is not justified by that strong of a feature set. 
     If a Macintosh platform is a must, StarNine's WebStar is an excellent 
server at a very fair price, though we were concerned about its performance 
under load. WebStar is not yet ready for corporate response time 
requirements.