Why Is Apache Still Popular Even as Nginx Has Proven Its Mettle on Performance?

You may ask why Apache then? Well, because when a user modify some settings via dashboard, they change in .htaccess which does not expect a web server restart or super user permissions like you need with NGINX, for example.

Now you know why WordPress websites are getting hacked easier than other CMS-es...because they can apply changes in .htaccess on the fly, whereas with other web servers, you need root permissions, thus the extra layer of security.

When people ask these questions, do they think people are actively choosing to use the old technology? That's a huge misunderstanding. It's not an apache vs nginx decision. It's do nothing vs spend precious time on a side quest to upgrade. Opportunity cost is your answer.

And re: performance, keep in mind that very few applications are limited by the speed of their HTTP server. You first look at your application servers, networks, disks, databases. If your app is truly HTTP-bound, well you're probably not still using Apache! IOW the people who NEED to upgrade from apache for performance reason already have. For the rest, there is no incentive.

This was certainly true long ago in Apache HTTPD 2.2. They completely rewrite APR and as of the 2.4 branch it was on par with Nginx.

Some use Apache for a tighter integration with some modules such as PHP resulting is a slightly better security stance with PHP. Nginx makes heavy use of fcgi wrappers and there are a number of foot-guns people create when making their own applications just as PHP itself has a number of foot-guns.

I use both NGinx and Apache depending on what I am deploying and often have HAProxy in front of it on many nodes unless I am just serving static content and then it does not really matter. There is no one correct answer. What people use will depend on what they are doing and also what they are comfortable with. The arguments I have seen about Apache vs Nginx are on par with browser war arguments, cell phone arguments, favorite color and so on. Both NGinx and Apache have their share of design flaws and I have been in long heated arguments with the lead developers of both. People should use what they have the most experience with and can feel reasonably confident that they have done proper due diligence regarding security before performance. This is all unrelated to CVE counts but rather sysadmin PEBKAC [0] issues.

[0] - https://www.urbandictionary.com/define.php?term=PEBKAC

Technology should solve business problems. If the move from Apache to nginx isn’t going to solve an actual problem, it becomes technology for technology’s sake.

In some cases, squeezing out a little extra performance does matter, but for most sites, I don’t think it’s that big of a deal.