Managing PHP and PHP Applications in IIS7

Fri, 01 Jun 2007 21:24:54 GMT

Last week I spoke at PHPConf in Moscow, Russia. I really enjoyed the experience - both the conference, and visiting Moscow. You can view the pictures here. I was asked by a couple people to summarize the presentation, which was about using Internet Information Server 7 to host PHP applications.

There are five main advantages to running PHP in IIS7: Configuration, Security, Extensibility, Management and Troubleshooting.

Configuration

IIS7 comes with a completely new configuration system that's based on a central file called applicationHost.config. This file is a well-organized, schema-based XML file that contains every configuration setting possible for IIS7.

There are times when configuring certain settings would be best accomplished at the web directory level. So the configuration elements in applicationHost.config can also be distributed to local web.config files stored in the directory of the web application.

For PHP developers that means they can deploy the configuration settings for their application along with the source files. For example, a PHP developer can configure the default document inside a local web.config file and then copy that web.config file to the server along with their application. That's a simple example, but it extends to other configuration settings such as handlers, modules, authentication, etc.

A server administrator can choose which settings get configured centrally and which ones can be delegated to local web.config files. It all adds up to a lot of flexibility in how a server and it's applications get configured.

Here are three great exercises you can go through to understand configuration and delegation a little better:

How to Use Configuration Delegation in IIS7

How to Use Locking in IIS7 Configuration

Understanding IIS7 Configuration Delegation

Security

The IIS team did a tremendous job in making IIS6 a secure platform to host web applications. However, you will be blown away with the completely new modular architecture for IIS7 and what it means for security.

Every piece of functionality in IIS7 is a module that can be added or removed. An interesting experiment you can walk thru is to remove every module from IIS7 and then make a request. The result is that the request gets denied, because the anonymous authentication module is removed. However, the server is unable to serve an error message because that module is also removed.

Here's the response:

HTTP/1.1 401 Unauthorized
Server: Microsoft-IIS/7.0
Date: Thu, 31 May 2007 21:11:33 GMT
Content-Length: 0

If you add the anonymous authentication module back in, then you receive a 404 result because the static file module is not configured. Once you add this module back into the configuration, you now have a static file server and nothing else.

The point is that you can add only the modules you need for your scenario, creating the IIS7 server that is right for you. This means that you have the bare minimum surface area for attackers to target. You only need to patch your server when an update touches one of the modules you have configured.

A bare minimum PHP configuration could include Anonymous Authentication, Static Files (for images) and the FastCGI PHP Handler. You'll probably also want the Custom Error Module to show friendly 404 errors, etc.

Try it with one of these exercises:

How to Build a Custom, Reduced Footprint Web Server

Extensibility

This is where I think it gets really cool. One of the things I've always liked about PHP, is the practicality of developing on the platform. When creating a website, you'll often find there are already applications, components, etc that PHP developers around the world have made freely available. You can get up and running in a short period of time.

Although I don't believe the ASP.NET community has as many complete applications, there are still a plethora of ASP.NET components freely available to help in website development. In the past, these two worlds have been mutually exclusive.

In version 6 and earlier of IIS, the only way to extend the web server was by writing C++ code to create ISAPI extensions and filters. ASP.NET developers could create modules and handlers in C# or VB.NET, but these only applied to ASPX pages or other ASP.NET objects. For example, forms authentication is implemented as an HTTP module. We can use forms authentication to protect ASPX pages, but static HTML files and images in the same website would not be protected.

In IIS7, there is a new unified pipeline that allows managed (C#, VB.NET) and unmanaged (C++) modules to work side-by-side and apply to all requests. For the PHP developer, that means your options have just expanded. Not only can you make use of all the existing PHP code available in the world, but you can also make use of ASP.NET code written to extend IIS.

As an example, I did the following during my presentation at PHPConf:

Configured QDIG, a PHP image gallery application.
Added forms authentication by updating the web.config file and adding a Login.aspx and Register.aspx to the website. Of course, the membership database is generated by ASP.NET and the two ASPX files required only one element each.
Added a URL rewriting module to change the format of URLs and map those into the query string variables for QDIG. I used the module available here as a compiled assembly added to the bin directory in my QDIG application folder. There are a bunch of similar modules on the web.
Added the ImageCopyright handler described in this article. I added this handler in source code form to the App_Code directory. This added a copyright message to all the photos in my QDIG album.

Combined all together, I thought this made a very compelling example of using IIS7, ASP.NET and PHP together to quickly configure the functionality required for a complete application.

In addition to extending the IIS7 request pipeline, developers can also extend:

Configuration system - add new schema to the IIS7 configuration files. Not only will IIS7 be able to understand the new sections, but the command line tool will now be able to manipulate your new config sections.
IIS Management Tool - You can add new pages, dialogues and tree view items for the GUI management tool.
Diagnostics - there is a great diagnostics system in IIS7 that I'll discuss later which you can also extend, adding your own diagnostic information for your application.

An End to End Extensibility Example for IIS7 Developers

Management

The new IIS Manager is completely rewritten and organized in a much better way than previous versions. Not only can you manipulate IIS configuration using this GUI, but you can also manage ASP.NET settings including the users and roles in your membership store. And with third parties having the ability to extend the tool, you'll be able to manage many application settings from within this interface.

The IIS Manager leverages the HTTP protocol for remote administration which makes it a lot easier to use for administering hosted servers or servers behind a firewall.

In addition to the GUI management tool, there is also a new command-line utility called APPCMD. This tool can do everything the IIS Manager can accomplish, so you have complete control over your server from a console window.

Getting Started with IIS Manager

Remote Administration for IIS Manager

Getting Started with AppCmd exe

Troubleshooting & Diagnostics

The final area that is a huge improvement in IIS for PHP developers is in troubleshooting and diagnostics. There is nothing more frustrating than when performance degrades on your website and you can't figure out the reason. IIS7 gives you some great tools for diagnosing those issues.

The first one is new in-process state information that can be accessed thru IIS Manager, APPCMD, or programmatically from code. This gives you the ability to view current application domains, executing requests, process IDs for application pools, etc. You can do queries on the server to give you information like all of the requests that are currently running and taking longer than X seconds.

The second tool is Failed Request Tracing. When this feature is enabled, IIS collects vital information about every request in a buffer. If the request fails or meets some other condition that you determine, then the buffer is saved to disk so you can analyze the data. The data contains a list of every module that executed during the request and how much time the module took. It also contains overall information about the request critical to determining the cause of an issue in the application or IIS.

How to Access IIS7 RSCA Data

Troubleshooting Failed Requests using Tracing in IIS7

FastCGI and PHP

Last year, Microsoft announced a collaboration with Zend to make improvements to the hosting experience for PHP applications on Windows. On the Microsoft side, we've been working on a FastCGI module to resolve the issues encountered when hosting PHP as an ISAPI or CGI module on Windows. You'll be able to achieve much better performance using this module. It is available for IIS5 on Windows XP, IIS6 on Windows 2003 and IIS7 on Windows Vista. It will also be included as a component in IIS7 on Windows 2008.

On the Zend side of the collaboration, they have been working on fixing some of the issues with the PHP engine itself when running on Windows. They've really made a lot of progress. Make sure you are using the latest builds of PHP. You will see a performance improvement.

Using FastCGI to host PHP applications on IIS7