24 February 2009

The Chinese (Web Servers) Are Coming

The monthly release of the Netcraft survey is always good, since it generally shows the continuing dominance of Apache in the Web server field. But this month has something new and vaguely frightening:

In the February 2009 survey we received responses from 215,675,903 sites. This reflects a phenomenal monthly gain of more than 30 million sites, bringing the total up by more than 16%.

This majority of this month's growth is down to the appearance of 20 million Chinese sites served by QZHTTP. This web server is used by QQ to serve millions of Qzone sites beneath the qq.com domain.

QQ is already well known for providing the most widely used instant messenger client in China, but this month's inclusion of the Qzone blogging service instantly makes the company the largest blog site provider in the survey, surpassing the likes of Windows Live Spaces, Blogger and MySpace.

Got that? QQ's server QZHTTP just put on 20 million sites in the survey - enough seriously to dent both Apache and IIS (and making the latter look suddenly vulnerable to losing its second place).

Does this represent the dawn of a new (Web server) era?

What makes this all slightly troubling is that I don't know anything about QZHTTP: I presume it's not open souce, since I can't find any links to its code. But can anyone give me any more details, please? (Via @codfather.)

Follow me on Twitter @glynmoody

39 comments:

Anonymous said...

Has anybody considered the possibility that they have simply faked the HTTP header sent by their server? It is a common security practice to make server-sniffing more difficult (if a hacker doesn't know what OS/web server/version the host is running, they can't easily identify specific exploits). For all we know they could be running Apache or IIS.

Anonymous said...

Maybe QZHTTP is just a rebranded Apache. It is quite easy to have Apache deliver an alternative identifier, and it'd seem silly to build a new HTTP server from scratch unless you had both deep pockets and lofty goals.

Glyn Moody said...

@Tin @anon: true, although it would be an obvious thing to try cracking them assuming they were rebranded, so it's not that much of a defence.

Anyway, I'm working on this and will let you know when I find out more.

Unknown said...

An NMAP Scan on qq.com flags it as being Apache HTTPD. From my log: "PORT STATE SERVICE VERSION

80/tcp open http Apache httpd

|_ HTML title: 302 Found"

Glyn Moody said...

@Jason: thanks - but might that just be the front-end?

ElectraGlide said...

This vaguely has the smell of IBM midrange (iSeries etc.) and the server software packaged with the OS/400 operating system. Just before I semi-retired from the IS profession, IBM presented a long range executive briefing where they emphasized China as one of their three top tier target markets. Retail and Healthcare were the other two. Just a guess, but it sure fires a few of my remaining neurons.

Glyn Moody said...

Interesting thought - thanks.

Anonymous said...

i ran httprint on a selection of 111 sites in the qzone.qq.com domain, 107 were classified as 'thttpd'
3 as apache, 1 as IIS.

so, either it is a modified 'thttpd' or maybe a proxy, behind which happen to be many thttpd sites.

willem

numerophobe said...

It is likely rebranded or stock thttpd.

Based on the below.
Compare the output to the 400 error produced by a thttpd server
(Live example here: http://www.doupovec.cz/)

(Escaped for posting)
[root@andLinux ~]# nc qzone.qq.com 80
GET / NNNN/1.0

HTTP/1.1 400 Bad Request
Server: qhttpd
Connection: close
Content-Type: text/html
Content-Length: 235

[stripped]Your request has bad syntax or is inherently impossible to satisfy.
[stripped]

Glyn Moody said...

@itsme @numerophobe: thanks for your efforts

Craig said...

I'm inclined to think this is a Chinese-state-approved httpd. Probably reports every page served (and to whom) back to the central censorship infrastructure for checking.
Paranoia? Anywhere but China, it would be.

Anonymous said...

it's apache with a few proxies

user@host:~ $ curl -I www.qq.com
HTTP/1.0 200 OK
Date: Tue, 24 Feb 2009 21:48:08 GMT
Server: Apache
Accept-Ranges: bytes
Cache-Control: max-age=120
Expires: Tue, 24 Feb 2009 21:50:08 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=GB2312
Age: 22
X-Cache: HIT from rainny.qq.com
Via: 1.0 rainny.qq.com:80 (squid/2.6.STABLE5)
Connection: close

Anonymous said...

I am not being racist here, but what purpose does it serve to be concerned about what the Chinese are doing? For the sake of curiosity maybe, but since their Internet is it's own entity - firewalled and regulated heavily - can China Internet really be considered part of the greater Internet? Should we be instead calling it The Greater China Intranet?

Glyn Moody said...

well my interest has to do with the impact of Chinese moves on Apache's position in the Web server market. It's also of interest to see what coding the Chinese are doing here - whether it's based on pre-existing code or new.

Anonymous said...

Keep in mind, they;re Chinese. So they care $hit about IP and licensing rights.
I bet they just stole Apache code and made "their own" thing on it.

Jamie said...

Slay me for this if you like, but we are talking about China here.

China, the country whose judges threw out Microsoft's lawsuits because it's fine that people were using pirated copies of windows. China, the country which has an unlicensed direct copy of Disneyland, Mickey Mouse and Pluto, albeit under different names, paying no royalties to Disney. China, the country where you can get any manner of ripoff gadget, from fake brand t-shirts to copied paper-sleeve DVDs to a fake iPhone before the iPhone's actual release.

Do you really think they're going to develop an entire enterprise-level webserver on their own? Please. This is, at best, Apache with a few lines of code changed. Move along, nothing to see here.

Glyn Moody said...

@Jamie: well, that's what I'm interested in finding out about. You're right, it may well just be a dressed-up Apache; equally, there are lot of good coders in China these days, and Web servers aren't exactly new....

Unknown said...

I am an employee for Tencent, which runs qzone.qq.com and www.qq.com(The later is on Apache).

qzhttp is a proprietary web server owned by Tencent. It has nothing to do with Apache or any open source web server.

qzhttp has nothing to do with qhttpd either.

Glyn Moody said...

@HelloMarch - thanks for that info.

Could you please contact me at glyn.moody@gmail.com, because I'd like to write about this interesting area at greater depth. Thanks.

fotoflo said...

ID just like to point out that QQ has deep pockets and is always planning big things.

Glyn Moody said...

@fotoflo - do you think there's more coming?

PJR said...

I think people miss the point a bit..

First, qzhttp was what its client sites were running on, so hitting www.qq.com (etc) and getting back apache is no supprise (i mean seriously, did that give you anything but "oh im hitting the wrong site" - after all, netcraft is not that dumb)?

Secondly, if qq took apache, re-coded some of it or forked it and used it on their site as closed source they haven't committed any OSS crimes! You only have to provide source if you distribute a binary - providing a service using that binary is not distributing (this is true both of gpl and apache licenses). Learn your licenses!

But as has been pointed out, qzhttp is none of those things...

Anonymous said...

Of course, the Chinese would never be able to build their _own_ web server, now would they..?

Anonymous said...

Chinese aren't capable of innovations, everything they ever came up with are either stoled or faked, just like compass, printing, gun powder, and paper making... Oh did I mention that the Art of War is actually just a big state propaganda?

Of course the Chinese don't have the brains and capacities to develop their own web servers, because they are CHINESE!

Let's not forget that the Apache's license SPECIFICALLY STATED that it's alright for anyone to grab and modify its source code, except for the Chinese, in which case it becomes crime of stealing.

If they can't even steal right, never mind innovate.

Now, that's slightly troublesome and frightening to me...

Glyn Moody said...

I hope I didn't give the impression that I was troubled by the idea of Chinese innovation: I'm not. It's more the impact on Apache that concerns me (but there may not be any....)

Anonymous said...

Under the assumption that if they took Apache, they did not change much, Qzone is highly likely not to run Apache (neverminding the information was already given), and I base this statement upon the different order of HTTP Responde headers.

Anonymous said...

HellowMarch said:

"qzhttp is a proprietary web server owned by Tencent. It has nothing to do with Apache or any open source web server."

...and there is no melamine in Chinese milk.

Glyn Moody said...

OK, people, can we please keep this on the subject of Web servers?

Anonymous said...

So if "qzhttp is a proprietary web server owned by Tencent. It has nothing to do with Apache or any open source web server." there is one thing that really makes me wondering:

Why ?

What's the benefit for a company to create a new web server from scratch. I mean all the money tencent invested to create qzhttp could have been used further improving their other products, developing new products or starting marketing campaigns.
Any ideas ?

Glyn Moody said...

that's what I'm working on...

Anonymous said...

Perhaps motive can be found in a sense of national pride. Hyping a glittering market share in a technical field would inspire your collectivist vassals more than tanks in Tiananmen Square.

Glyn Moody said...

Yes, that's possible.

Glyn Moody said...

I don't think anyone is suggesting all Chinese people are bad, any more than all white people are stupid.

Clearly, there's misunderstanding on both sides: let's hope that the Internet can help to improve relations between peoples by allowing them to learn more about each other. I'm optimistic.

Alex Julien said...

Last time I checked, geeks were known for being meritocratic: if you've done something good/cool/smart/ass-kicking/1337, you get recognition. It doesn't matter that much if you are tall, handsome, a boy or a girl or how much money do you have in the bank... or if you are Chinese, for that matter.

So please stop the "come on... they are Chineeeese!" stuff, as if there could be no bright people in China as much as anywhere else.

The point here is to find out as many facts as we can about this web server: is it something else or just a rebranded Apache? (more support to HelloMarch's claims would be great) how is it licensed? how/where is it better/worse than others? why did they choose to build something new? (I don't get the reasoning behind this, but it's always possible).

It's about the MERITS of the software, not the predjudices of some commenters.

Nancy Harris said...

QZone boasts more than 200 million users. Indeed, a Facebook-like website specifically for Chinese college students launched by QZone in January 2009 already has 20 million users.

Glyn Moody said...

@Nancy: amazing - thanks for that.

Anonymous said...

""What's the benefit for a company to create a new web server from scratch. I mean all the money tencent invested to create qzhttp could have been used further improving""

ask that questions to the creator of lighttpd, nginx, httpd, etc. I think they all can you provide with one or more reasons... Apache et el isn't the answer to all problems.

Bobba said...

Is this new thing being used somewhere else? I got interested about it cause it seems to have taken a large chunk of apaches marketshare.

While we are at it - can i get it somewhere to test it out:P (too high hopes?:D)

Glyn Moody said...

@Bobba: unfortunately, this is still shrouded in mystery - the company never replied to my email....