Overview
The FastCGI support in IIS enables popular application frameworks that support FastCGI protocol to be hosted on the IIS web server in a high-performance and reliable way. FastCGI provides a high-performance alternative to the Common Gateway Interface (CGI), a standard way of interfacing external applications with Web servers that has been supported as part of the IIS feature-set since the very first release.
CGI programs are executables launched by the web server for each request in order to process the request and generate dynamic responses that are sent back to the client. Because many of these frameworks do not support multi-threaded execution, CGI enables them to execute reliably on IIS by executing exactly one request per process. Unfortunately, it provides poor performance due to the high cost of starting and shutting down a process for each request.
FastCGI addresses the performance issues inherent to CGI by providing a mechanism to reuse a single process over and over again for many requests. Additionally, FastCGI maintains compatibility with non-thread-safe libraries by providing a pool of reusable processes and ensuring that each process will only handle one request at a time.
This article contains:
Enabling FastCGI Support in IIS 7.0
To enable FastCGI on IIS 7.0
- Add CGI role service by going to Server Manager -> Roles -> Add Role Services. This enables both CGI and FastCGI services.
Install and Configure PHP
It is recommended to use a non-thread safe build of PHP with IIS 7.0 FastCGI. Non-thread safe build of PHP provides significant performance gains over the standard build by not doing any thread-safety checks, which are not necessary, since FastCGI ensures a single threaded execution environment.
Note: There is no installer package for non-thread safe build of PHP.
1. Download the latest non-thread safe binaries of PHP from http://www.php.net/downloads.php.
2. Unpack the files to a directory of your choice (e.g. C:\PHP). Rename the php.ini-recommended to php.ini.
3. Open php.ini file, then uncomment and modify settings as follows:
a. Set fastcgi.impersonate = 1. FastCGI under IIS supports the ability to impersonate security tokens of the calling client. This allows IIS to define the security context that the request runs under.
b. Set cgi.fix_pathinfo=1. cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI. PHP's previous behavior was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not care what PATH_INFO is. For more information on PATH_INFO, see the cgi specs. Setting this to 1 will cause PHP CGI to fix it's paths to conform to the spec
c. Set cgi.force_redirect = 0.
d. Set open_basedir to point to a folder or network path where the content of the web site(s) is located.
4. To test if the PHP installation is successful, run the following from the command line prompt:
C:\PHP>php –info
If PHP was installed correctly and all its dependencies are available on the machine, then this command will output the current PHP configuration information.
Configure IIS 7.0 to Handle PHP Requests
In order for IIS 7.0 to host PHP applications, it is necessary to add a handler mapping that tells IIS to pass all requests for PHP files to PHP application framework via FastCGI protocol.
To add a handler mapping at a server level
1. Open IIS Manager and then select and open “Handler Mappings” at the server level:
2. Select “Add Module Mapping” action and specify the configurations settings as below:
3. Click OK. The dialog box appears asking if you want to create a FastCGI application for this executable. Click Yes.
4. Test that the handler mapping works correctly by creating a phpinfo.php file in the C:\inetpub\wwwroot folder that contains the following:
<?php phpinfo(); ?>.
5. Open a browser and navigate to http://localhost/phpinfo.php. If everything was setup correctly, then you see the standard PHP information page.
Alternatively, the above mentioned steps can be completed by using command line tool appcmd.
1. To create the FastCGI application process pool, run the following command:
C:\>%windir%\system32\inetsrv\appcmd set config /section:system.webServer/fastCGI /+[fullPath='c:\{php_folder}\php-cgi.exe']
2. After that, create the handler mapping:
C:\>%windir%\system32\inetsrv\appcmd set config /section:system.webServer/handlers /+[name='PHP_via_FastCGI',path='*.php',verb='*',modules='FastCgiModule',scriptProcessor='c:\{php_folder}\php-cgi.exe',resourceType='Either']
Note: If you are using a PHP version 4.X, instead of php-cgi.exe, you can use php.exe.
Best Practices for Configuring FastCGI and PHP
Security Isolation for PHP Web Sites
The recommendation for isolating PHP web sites in a shared hosting environment is consistent with all general security isolation recommendations for IIS 7.0. In particular, it is recommended to:
- Use one application pool per web site
- Use user account as an identity for application pool
- Configure anonymous user identity to use the application pool identity
- Ensure that FastCGI impersonation is enabled in php.ini file (fastcgi.impersonate=1)
For more details about security isolation in shared hosting environment, refer to Isolating Sites with Application Pools.
PHP Process Recycling Behavior
Make sure that FastCGI always recycles php-cgi.exe processes before the native PHP recycling kicks in. The FastCGI process recycling behavior is controlled by the configuration property instanceMaxRequests. This property specifies how many requests FastCGI process will process before recycling. PHP also has a similar process recycling functionality that is controlled by an environment variable PHP_FCGI_MAX_REQUESTS. By setting instanceMaxRequests to be smaller or equal to PHP_FCGI_MAX_REQUESTS, you can ensure that native PHP process recycling logic will never kick in.
To set these configuration properties use the following commands:
C:\>%windir%\system32\inetsrv\appcmd set config -section:system.webServer/fastCgi /[fullPath='c:\{php_folder}\php-cgi.exe'].instanceMaxRequests:10000
C:\>%windir%\system32\inetsrv\appcmd set config -section:system.webServer/fastCgi /+[fullPath='c:\{php_folder}\php-cgi.exe'].environmentVariables.[name=’PHP_FCGI_MAX_REQUESTS’, value='10000']
Note: If those parameters have not been set, then the following default settings are used: instanceMaxRequests = 200, PHP_FCGI_MAX_REQUESTS = 500 (on most PHP builds).
PHP Versioning
Many PHP applications may rely on functions or features available only in certain versions of PHP.
It is a common requirement in a shared hosting environment to support multiple versions of PHP on the same server. IIS 7.0 FastCGI handler fully supports running multiple versions of PHP on the same web server. For example, let’s assume that on your web server you plan to support PHP 4.4.8, PHP 5.2.1 and PHP 5.2.5 non-thread safe. To enable that, you must place corresponding PHP binaries in separate folders on files system (e.g. C:\php448\, C:\php521\ and C:\php525nts) and then create the FastCGI application process pools for each version:
C:\>%windir%\system32\inetsrv\appcmd set config /section:system.webServer/fastCGI /+[fullPath='c:\php448\php.exe']
C:\>%windir%\system32\inetsrv\appcmd set config /section:system.webServer/fastCGI /+[fullPath='c:\php521\php-cgi.exe']
C:\>%windir%\system32\inetsrv\appcmd set config /section:system.webServer/fastCGI /+[fullPath='c:\php525nts\php-cgi.exe']
Now, if you have 3 web sites (site1, site2, site3), where each site needs to use a different PHP version, you can define handler mappings on each of those sites to reference a corresponding FastCGI application process pool.
Note: Each FastCGI process pool is uniquely identified by a combination of fullPath and arguments properties.
C:\>%windir%\system32\inetsrv\appcmd set config site1 –section:system.webServer/handlers /+”..[name=’PHP448_via_FastCGI’,path=’*.php’,verb=’*’,modules=’FastCgiModule’,scriptProcessor=’c:\php448\php.exe’,resourceType=’Either’]
C:\>%windir%\system32\inetsrv\appcmd set config site2 –section:system.webServer/handlers /+”..[name=’PHP521_via_FastCGI’,path=’*.php’,verb=’*’,modules=’FastCgiModule’,scriptProcessor=’c:\php521\php-cgi.exe’,resourceType=’Either’]
C:\>%windir%\system32\inetsrv\appcmd set config site3 –section:system.webServer/handlers /+”..[name=’PHP525nts_via_FastCGI’,path=’*.php’,verb=’*’,modules=’FastCgiModule’,scriptProcessor=’c:\php525nts\php-cgi.exe’,resourceType=’Either’]
PHP Security Recommendations
The following recommendations describe how to tighten security of PHP in shared hosting environment. To make the recommended changes locate and open php.ini file and edit it as described below:
- Disable remote URL's for file handling functions:
- Set allow_url_fopen=Off
- Set allow_url_include=Off
- Disable register_globals:
- Restrict where PHP can read and write on a file system, e.g.:
- open_basedir="c:\inetpub\"
- Disable safe mode:
- safe_mode=Off
- safe_mode_gid=Off
- Limit script execution time:
- max_execution_time=30
- max_input_time=60
- Limit memory usage and file sizes:
- memory_limit=16M
- upload_max_filesize=2M
- post_max_size=8M
- max_input_nesting_levels=64
- Configure error messages and logging:
- display_errors=Off
- log_errors=On
- error_log="C:\path\of\your\choice"
- Hide presence of PHP:
PHP Session Settings
The file system location where PHP stores session data is controlled by session.save_path parameter in php.ini file. A general security recommedation is that each PHP-powered web site uses its own file system location for storing session data, or in other words, session.save_path parameter should use different paths for different web sites.
However, currently (as of PHP version 5.2.5) all PHP settings are configured globally in php.ini file and there is no clean way of configuring PHP settings per web site or directory if PHP is used with IIS via FastCGI. The only way that exists today for per-web site or per-directory configuration of PHP on Windows OS is by using Windows registry. Please refer to PHP documentation for more information about per-directory PHP configuration on Windows.
Comments