Microsoft Releases IIS FastCGI Module

Marcy writes "Microsoft has just announced the final release of the IIS FastCGI module for IIS 5.1 (XP), 6 (2003), and 7 (2008). This FastCGI module was built with collaboration from Zend, the creators of PHP, and is intended to solve the CGI on Windows problem." It's free as in beer.

Why bother?

[FictionPimp (712802)]

What's wrong with apache?

Re:Why bother?

[El Lobo (994537)]

The only problem is that IIS7 and even II6 have so few critical vulnerabilities that Apache IS a nightmare in comparation. let's no talk about text file configuration....

Re:

[will_die (586523)]

If that comment could be trusted you would know that IIS7 uses a text file to store its configuration.

Re:

[El Lobo (994537)]

True. And that's it's beauty. Do you want to edit it? Do it. There is also something called IIS Manager which is the GUI for that.

Re:

[marcovje (205102)]

That's because Microsoft is quite reluctant to label anything "Critical". Nearly all superficial bug amount comparisons falter because of different habits to rate a bug.

Microsoft probably things "Huh, the world didn't end? Ahh, then it probably isn't critical."

Re:Why bother?

[sydb (176695)]

What's wrong with text file configuration? Some people happen to like it. For good reasons, like:

• you see your config right there in front of you
  
• you can do scripted configuration using standard unix tools
  
• you can archive config files and see what they do just by looking at them
  
• you can run diffs against configs
  
• you can adopt your own standards for commenting changes
  
• you can put your config in an SCM tool
  

Just because you don't know how to do it doesn't mean it's not a huge advantage for those of us who do.

Re:

[oliderid (710055)]

httpd.conf can be quite difficult the first time you see it. Somes distributions have even splitted it into different configuration files (OpenSuse). You can understand it if you run dozens of virtual hosts but splitting the default httpd.conf is absurd IMHO.

Anyway there are editing tools:
http://kochizz.sourceforge.net/ [sourceforge.net]
Looks promising.

But I have never used it (the only one I've tried: YaST HTTP server module was incomplete for taste, I couldn't configure properly webdav through it).

Re:Why bother?

[IgnoramusMaximus (692000)]

The other responder covered your ignorance of the IIS metabase. Perhaps you should actually look something before commenting on it.

I am starting to believe that you XML turkeys operate in some alternative Universe where diarrhea like this:

<?xml version ="1.0"?><configuration xmlns="urn:microsoft-catalog:XML_Metabase_V61_0"><MBProperty><IIS_Global Location ="." BINSchemaTimeStamp="10d5deca4057c401" ChangeNumber="642" HistoryMajorVersionNumber="14" SessionKey="9431b62980000002a0...1ca113" XMLSchemaTimeStamp="b036da01ab56c532"></IIS_Global><Location ="/" AdminACL="49634462f0000000a4000...419891"></IIS_ROOT> <IIsComputer Location ="/LM" EnableEditWhileRunning="1" EnableHistory="1" MaxBandwidth="4294967295" MaxHistoryFiles="10">
</IIsComputer>

... is considered "easy to read" and "easy to maintain". Note the lovely formatting (as it appears in the actual file - less a few newlines as Slashcode wraps the crap) due to some inane Microsoft MMC GUI tool used to generate the thing. Also note the profuse commentary (that is assuming that you actually could ever properly comment this spew as comments are not allowed within tags, even ignoring the fact that the imbecilic MMC tool would simply remove them on the next use).

I will leave it as an excercise to the reader to conclude which one of us is operating based on delusional, emotional attachment to insanely misused formats and which one has an actual experience with configuration files in real life.

As to Semdmail, may I remind you that the so-called "config" file is an actual machine code of a state driven processor around which Sendmail itself was constructed. Apples and oranges. And no, it was no more easy or harder to read then any stream of machine instructions for any other machine to be directly executed by it. It was never meant to be easily human-readable and its syntax is driven by the extremely demanding resource limitations at the time when original Sendmail was developed. The fact that it proved a maintenance nightmare (despite of its extreme power and flexibility as compared to regular config files) was a leading impetus behind Sendmail losing to other MTAs as years went on and extreme frugality with resources became secondary to ease of maintenance.

Oh and your sanctimonious whining about "hopping into this century to drool at shiny but valueless stuff" does not help your cause either, as the basics of computer science remain unchanged since its very inception and they will remain firmly so even if our computers end up grown in vats out of quantum-mechanical nanomachines. And one of those fundamental, time-tested constants is the requirement for brevity, clarity and ability to comment extensively any configuration files, although untold numbers of misguided "innovators" have attempted to "improve" this in a countless number of ways, of which the XML insanity is but one of the later flops, standing atop of a heap of rotting carcasses of previous failures, which went by names such as "binary configuration databases" and "registry hives" and what not.

And so, long after your pet fad is gone, I am sure I will be having this same very conversation with some condescending accolyte of "Object Oriented Four Dimentional Cube, Buzzword Overloaded" config files or what not, who will snicker about how quaintly old-fashioned these fundamentals are, and that I should "get on with the times" to his new favourite, one-and-only, super-correct fad.

In short, your kind never learns.

I'll also note how you fail to mention any better alternatives in your inflammatory rant.

Quite a comedian you are. How about any other time-proven config file format used by just about any sane application? Bind, DHCP, SSH ... and on and on and on.

Re:Why bother?

[sqldr (838964)]

let's no talk text file configuration

Oh, not you as well. There's absolutely nothing wrong with text file configuration. There's a whole world of things wrong with a pointy-clicky GUI interface to a config in the registry when there's no other way to edit it.

How do you search a gui interface? How do you generate a gui config? How can you minimalise a gui config to the bare essentials? How do you upload/download a config and email it to someone? How do you edit the config without having to run remote desktop client? And of course, with clicky configs, if they haven't provided an option for something, then you can't do it. Sorry, "computer says no".

I'll admit that IIS hasn't had many vulnerabilities recently, but this is partly because it's got bugger all functionality. Most new vulnerabilities in apache are usually found in one if its thousands of modular extensions.

Lets not talk about using domain credentials for HTTP authentication (in fact, having your web server assume that's what you want to do), lets not talk about your configuration appearing all over active directory. Lets not talk about how server 2003 starts up every bloody service on the system on boot, giving you about 30 seconds to download the service packs before you get pwned by a virus. Lets not talk about how it took microsoft months to fix a serious user-affecting exploit in word, but yet, when they give a shit (like when DRM got cracked), they have a fix out in a matter of hours.

Personally, I use thttpd, because, er, I don't like the config format for apache. That's not because I don't like having my configs in readable text files, I just don't like the cludgy way that apache does it.

Re:

[jimstapleton (999106)]

If I skip an answer, it's safe to say I can't give a good answer.

How do you search a gui interface?
Most have a series of tabs/menus that allow a drill-down type search. Sometimes things aren't in the most obvious places, but it's not that bad, and if you don't know the exact text of what you are looking for it's a lot easier than text files. If you know the exact text, then it is harder. It's nicer to have both (such as provided in IIS)

How can you minimalise a gui config to the bare essentials?
Turn off the

Re:Why bother?

[sqldr (838964)]

Most have a series of tabs/menus that allow a drill-down type search.

That's not useful. I don't want to have to "drill down", I want to search for a keyword. Say I've got several hosts, and I want to see everything specifically relating to an IP address. I search for the text of the IP address. For beginners looking to change one option, complex GUIs are a mass of buttons and tabs, rather than something they can search for.

Turn off the options you don't want - same way you would in a command line.

I don't want to turn them off, I want to remove all reference to them.

If the GUI attaches to the registry, export the hive and attach it.

That's not useful. I want to mail the config so someone can read it, eg. paste my config to a newsgroup to ask a question when I'm stuck. The usual equivalent in windows-land is you spend days searching for stuff and getting dumb meaningless error messages ("please check that the domain controller is both locatable and contactable" - hey I know, Mr Paperclip, why don't YOU tell ME whether it was either unlocatable or uncontactable or both..), then eventually you find the answer on someone smug bloke's blog with a mugshot of him in the corner and 1000s of thankyou messages, rather than anywhere on MSDN. (incidentally, that error was nothing to do with the server being unlocatable or contactable, but being windows, I couldn't do a trace on it to find out where it was breaking, I just had to click "OK" and try something else).

Yep, text-y configs you can't change things they don't give you options for either!

Text-y configs usually have some level of scriptability, eg. "IfDefined" in apache. Syntax that might apply to one feature will usually apply to all features, making things a lot more versatile.
Another advantage of text configuration is that you can arrange the order of the file according to what's important. You can also add comments.

Re:

[jimstapleton (999106)]

That's not useful. I don't want to have to "drill down", I want to search for a keyword. Say I've got several hosts, and I want to see everything specifically relating to an IP address. I search for the text of the IP address. For beginners looking to change one option, complex GUIs are a mass of buttons and tabs, rather than something they can search for.

And if the keyword(s) you think up aren't in there? If the author of the document hasn't provided enough notes. I've found cases like that in text files.

Re:

[sqldr (838964)]

Apache ships with about 30. When there's a security hole in one of these extensions, they blame apache. IIS ships with about 2. When there's a security hole in an IIS extension, they blame the extension.

Re:Why bother?

[jimstapleton (999106)]

Actually, IIS does have text file configuration also - the metabase.

That's one thing I like about it - I can edit the text file OR use the GUI.

The caveat is the text-file is XML, the pro is that it's structure in such a way that it's not as painful to edit by hand as normal XML. Also, there's a log file in the same directory that produces really helpful error messages if you screw up editing it by hand.

Having used both, I find neither significantly better/easier to administrate. They are just different

Re:

[gbjbaanb (229885)]

I'm not sure whether you think IIS has a text file or not...

Still, for my fellow readers:

With IIS7, all IIS configuration is now stored in a simple XML file called applicationHost.config, which is placed by default in the \windows\system32\inetsrv\config directory

from an Apache v IIS blog entry [iis.net] that also discusses the fastCGI module.

Re:

[jimstapleton (999106)]

Yes, though the GP argued that it didn't, not that it did

II6 has something called metabase.xml. It's actually a fairly easy to edit XML file, compared to most XML config files I've seen too.

Re:

[PinkPanther (42194)]

And when I say excitement, I mean the fun of dealing with the buggiest, most backdoor-filled MS software ever created.

I don't understand your point. They don't mention Exchange once in this article.

On a similar note, Python + PHP via FastCGI

[Bogtha (906264)]

One thing I've been keeping an eye on is WPHP [pythonpaste.org]. It's only alpha-quality at the moment, but it's basically a WSGI application (WSGI is the standard Python web application interface) with a FastCGI backend that runs PHP. With something like this, you can mix and match PHP and Python — for example, you could write an authentication handler in Python and link it to a legacy PHP application.

Zend + MS

[thatskinnyguy (1129515)]

This FastCGI module was built with collaboration from Zend, the creators of PHP, and is intended to solve the CGI on Windows problem.

Glad to see that we all can get along.

free as in beer?

[Locutus (9039)]

so you're paying out the nose, ears, ass for Windows and MS IIS and you care about free fastCGI?

And IMO, it may be free as in beer but it's poisoned beer by virtue of where it plays.

LoB

Re:free as in beer?

[EricWright (16803)]

The "free as in beer" thing really annoys me. I've NEVER seen free beer, anywhere! I propose we all stop using this ridiculous phrase and start using "free as in air" instead.

Now, if there IS free beer being offered somewhere, just point me in the right direction.

Re:

[tttonyyy (726776)]

The "free as in beer" thing really annoys me. I've NEVER seen free beer, anywhere! I propose we all stop using this ridiculous phrase and start using "free as in air" instead.

Now, if there IS free beer being offered somewhere, just point me in the right direction.

Try this direction:

http://en.wikipedia.org/wiki/Gratis_versus_Libre#Free_as_in_free_beer_versus_free_as_in_free_speech [wikipedia.org]

Re:

[kie (30381)]

is this what you are looking for?
freebeer.org [freebeer.org]

Re:free as in beer?

[Thyamine (531612)]

That may be true in some respects, but all of my clients have Windows servers to some extent, and most have only Windows servers. To suggest that people would have to pay extra to set this up is a little silly. IIS is a component of Windows, so you get that for 'free' when you purchase whichever flavor of Windows server you choose. And yes, you are paying for the cost of IIS development somewhere in that Windows price, but when someone has the option of just turning on IIS on an underutilized box, or finding/buying a box to install linux and Apache on, the idea of price is a non-issue.

They already have IIS, and it takes 5 minutes to set it up. The cost of time alone on setting up a new box to run something else almost immediately negates the benefit in most IT manager's eyes when all they are seeing is consulting time to setup, manage, and maintain a linux box they know almost nothing about.

Re:

[suv4x4 (956391)]

so you're paying out the nose, ears, ass for Windows and MS IIS and you care about free fastCGI?

As a PHP developer I care. I can convince someone to install a free official plugin by MS on his host, than convince him to buy something.
If it was paid, I'm sure, as any pointy haired management guy, he'd decide it's not important and run as CGI.
Then it's my fault it performs like crap.

Hence, it's a good thing it's there, and free.

--

So, that's about step 1 in the "Make PHP devs become Windows devs".

Now step 2: d

Rasmus Lerdorf must be pissed today

[mshmgi (710435)]

Since when did Zend "create" PHP?

Re:Rasmus Lerdorf must be pissed today

[PHPfanboy (841183)]

Hi, I work for Zend (not in Marketing dept.) - this issue comes up every time it's written in the press or other interviews. It's not how we market ourselves, and every time we're quoted as "the creators of PHP" Zeev and Andi get hauled over the coals by the PHP development community. It's not the first time and probably not the last time this has happened. For the record, this is how Zend markets itself:

Zend is the PHP company.
Businesses utilizing PHP know Zend as the place to go for PHP expertise and sound technology solutions. Andi Gutmans and Zeev Suraski, two of Zend's founders, are key contributors to PHP and creators of the open source Zend Engine. Because of their internationally recognized authority, the company and its founders continue to play leadership roles in the PHP and open source communities, and are accountable for a central role in the explosive growth of PHP.

Slighty different, I think you'll agree.
Happy PHP'ing

ah, php

[Jessta (666101)]

ah php, the unholy merger of c/c++, perl and java.

FastCGI vs Proxy

[tcopeland (32225)]

Over on Linux, my perception is that FastCGI enjoyed a brief reawakening as it was (for a while) _the_ way to deploy Ruby on Rails apps with Apache. But now that seems to have changed to over to using Apache + mod_proxy_balancer + Mongrel [rubyforge.org].

One nice thing about mod_proxy_balancer is that it's easy to distribute the Mongrels across a couple of machines... and Apache will take them out of the loop if the machine goes down or they become unresponsive or whatever. Works for us [blogs.com], anyhow....

and in other news ...

[LorenzoV (106795)]

Zend gives aid and comfort to the enemy.

Methinks it's all over but the funeral for FOSS.

Re:Problem?

[Saint Stephen (19450)]

"Forking" (launching) a process is much more expensive on Windows than it is on Linux. Windows NT is architected after VMS (in part because of Dave Cutler). Processes are expensive on windows.

Re:

[rabtech (223758)]

"Forking" (launching) a process is much more expensive on Windows than it is on Linux. Windows NT is architected after VMS (in part because of Dave Cutler). Processes are expensive on windows.

This is true because Windows and the Win32 require threads and assume they exist; if you want to spin-off a lightweight operation you kick up a new thread. Although most Unix systems have OS threads these days that wasn't always the case - processes were the word of the day for a long time and still are in some ways.

Re:Problem?

[A nonymous Coward (7548)]

"architected" is not a word, since "architect" is not a verb

A. You're wrong. English is a living language. Any word that people understand as a verb is a verb. You understood what was written, therefore you are lying.

B. Your conclusion ("architected" is not a word) does not automatically follow from your premise (since "architect" is not a verb). Your logic is not logical.

C. Any grammer nazi who does not capitalize the first word in a sentence is a hypocrite.

D. Any grammar nazi who does not end sentences with a period is a hypocrite.

E. Any grammar nazi who complains that the "nazi" in "grammar nazi" should be capitalized does not understand how words can be used in a generic sense and thus no longer be proper names.

F. Grammar nazis suck.

Re:

[Pollardito (781263)]

"architected" is not a word, since "architect" is not a verb

A. You're wrong. English is a living language. Any word that people understand as a verb is a verb. You understood what was written, therefore you are lying.

who knew that George Bush posted on Slashdot?

Re:Problem?

[gbjbaanb (229885)]

Its kind of a fallacy that 'forking' processes on Windows is significantly more expensive than forking them on Linux. I think it is somewhat more expensive, but that doesn't alter the fact that forking processes on linux is still expensive in the first place.

So, we needed ways to make things go faster - mod_php for example, that ran php scripts inside an apache process, but you still had to fork the apache process for each web request because of many thread-safety issues in php modules. This was also a security problem because every php script ran as the apache user. So the next idea was to start an apache process for each client and re-use it until that client disconnected (and stayed disconnected). This is the fastCGI approach.

With windows, you had 2 ways of running PHP scipts: as a CGI application (slow due to new processes all the time), and as an ISAPI (think of this as the equivalent of mod_php) module. The ISAPI one worked but you had the thread-safety issues of PHP to contend with (just like on Apache 2 that doesn't spawn worker processes).

In summary: nothing much to see, someone's just released fastCGI for IIS now so you have the same configuration options for IIS as you have for Apache.

Re:Problem?

[EvanED (569694)]

I think it is somewhat more expensive...

It's a lot more expensive. Some numbers MSR came up with while working on their research OS Singularity put process creation on Linux at ~700,000 cycles, just over 1 million on FreeBSD, and just under 5.4 million cycles on XP. Here's [microsoft.com] one source; slide 23.

I'm not arguing against your main point; I'm just pointing out that there is actually a huge difference between process creation time on the different systems.

Re:

[Penguinisto (415985)]

Is it the same on Win2k3 Server?

Probably higher, considering the layers of security checks and "reducing the threat surface" whatnot which MSFT applied to IIS for Windows 2003 Server.

/P

Re:

[plague3106 (71849)]

I didn't mean to hurt your feelings or anything - There's a good reason why I qualified it as "probably" as opposed to "definitely".

Didn't hurt my feelings; even probably implies that you have good reason to believe something. Good reason, not "well this is how I view things." I'm just sick of /. modding up any crap someone tosses out on /. as it if were true. Bash MS, you get karma it seems, regardless of facts.

If such follies as UAC in Vista is any indication (and that's just the tip of one very bloate

Re:

[PitaBred (632671)]

And if you have, say, 100 visitors at the same time? That's 3 seconds just to start the processes, much less actually run anything. It's multiplicative ;)

Re:

[FooBarWidget (556006)]

Windows doesn't even support forking. You can start new processes, but forking the existing process is impossible. Even things like Cygwin only emulate it with threads.

Re:

[Karellen (104380)]

Even things like Cygwin only emulate [fork() on Windows] with threads.

Sorry, but that's bollocks.

Cygwin fork() does create a new process. It calls CreateProcess() and then copies the current process into the new one. See the relevant Cygwin API FAQ [cygwin.com] for a full explanation.

Re:

[Foolhardy (664051)]

Win32 doesn't support forking, but the NT kernel does [cygwin.com]. For that matter, by far most of the expense of starting a Win32 process on Windows is due to Win32 subsystem overhead, including compatibility database lookups, not the kernel. SFU [google.com] processes (that belong to the POSIX subsystem) and native processes [microsoft.com] (that belong to no subsystem) are MUCH cheaper, and incidentally support true kernel level copy-on-write fork.

Cygwin doesn't use the kernel's fork support because Cygwin is built upon on Win32. SFU can beca

Re:

[El Lobo (994537)]

If it tastes bad, there are always other beers. Unfortunatly, I can't brew my own beer. Nobody I know is good enough at it either. Ans I won't want to taste a beer brewwed by a thousand hands, thank you very much.

Re:

[jimstapleton (999106)]

Well put.

Even as a often-self-brewer, there is something to be said for "it exists and works well, or at least well enough". It is often nice to not have to go through the effort of making it yourself (or improving it to your needs).

Turn about

[Dareth (47614)]

Sure we can do that, but first you need to tell us more about this horrible rumor about this evil daystar that burns us vamp... I mean us technical type folk who dare venture out in the daytime.

Re:Stop the insanity.

[deniable (76198)]

I was in a small shop where we already had IIS to run things like Outlook Web Access. IIS also made it easy to have integrated AD authentication and access controls, so we had single sign on.

Rather than running another box or supporting a VM image to run apache, it's easier just to make do with IIS. The point of this article is that MS is making IIS play better for people from the PHP/fcgi side of things.

We did however run the outside web server on apache on an ancient almost broken P166 and it ran well.

Re:Stop the insanity.

[Allador (537449)]

It's trivial on the apache side, and relatively easy on the iis side.

Config the machine to have two IPs.

On apache, set a Listen directive in the config file, to have it listen on IP1:80.

For IIS, run this:

c:\>httpcfg set iplisten -i IP2

By default, both apache and IIS will bind to every IP on the box. These methods let you have each listening on port 80 on their respective IPs.

The only 'hard' part on the IIS side is knowing that httpcfg exists and controls this. If you've ever setup wildcard ssl certs in windows you've been here.

The reason this is controlled through this command prompt on windows is due to the architecture of IIS.

There is a very small kernel-mode component that handles listening on the port and handing off to IIS. This is what you're configuring with httpcfg.

I believe Vista (and therefore Win 2008 Server) doesnt have httpcfg and uses something else (dont know what off the top of my head).

Re:Stop the insanity.

[tomknight (190939)]

Because some people live and work in the real world. Not everyone runs a webserver just to show off their Pokemon collection, some of us get paid money to do this sort of thing - and sometimes the people paying the money want to use Microsoft.

Re:Security

[LordLucless (582312)]

You're talking about a flaw in a apache's security model there, not PHPs. Apache runs as a single user. When it runs PHP as a module, then PHP runs as a single user. Same with Perl, or Ruby, or anything else that relies on a module interface as far as I know. If you use FastCGI (which this article is about, you may have noticed) then you can get it to suexec to a different user when it makes the CGI process, and you don't have the security problem you're whining about.

The bit about PHP admin scripts is application specific - nobody's forcing the authors to do it that way, and you can do the same with any other language. PHP has had it's flaws (register_globals and magic_quotes still give me the shivers), but if you're going to bitch about it, at least educate yourself first.

Re:Better late than never....

[jez9999 (618189)]

I have been considering this much of late.

I really want OSS to succeed, really. I love the philosophy, and hate the idea of MS being the 'Rome' of my lifetime (the empire that collapses, but only a long time after I die). However, I can't see it happening. This is because it feels like OSS has a natural tendency to stagnate when most developers think things are 'good enough'.

Where's a reliable FastCGI module for Apache? Where's a good config file format, and a GUI to edit it, for Apache? Where's a Linux distro with a GUI as intuative as Windows Explorer? Yes, I recently tried Ubuntu and was very disappointed that its GNOME GUI is *still*, in my opinion, leagues behind what MS and Apple have to offer.

OSS devs develop stuff they care about, to the level that they find acceptable. They generally don't take no shit from nobody, and if you want something done, you can do it yourself. Patch it. I love the theory, but the practice is this: people DON'T HAVE FUCKING TIME to patch it. Businesses often DON'T HAVE THE MONEY. OSS needs to adapt to a philosophy of developing stuff to be better even when they personally don't get much benefit from it, because otherwise businesses WILL just pay MS to get what they want. It sucks, but there you go.

"Hey, boss, we need to push out group policies over all machines on domains foo and bar. Windows has Group Policy Editor and Active Directory. We can do the same thing with Linux, but it will mean spending 5000 man hours developing, testing, and deploying scripts, because nobody has bothered to come up with a solution yet."

What would you choose for your business??