1. FastCGI on IIS 7.0 Risman Adnan ISV Lead, Microsoft Indonesia
11/30/2017
FastCGI on IIS 7.0
Risman Adnan
ISV Lead, Microsoft Indonesia
© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2. IIS 7.0 Core Architecture

3. IIS6 Architecture refresher
Web garden (w3wp.exe)
Application Pool (w3wp.exe)
Worker Process
ISAPI Extensions
ISAPI Filters
Worker Process
ISAPI Extensions
ISAPI Filters
Worker Process
ISAPI Extensions
ISAPI Filters
Svchost.exe
Inetinfo.exe
IIS Admin
Service
WWW
Service
(w3svc)
Lsass.exe
FTP Service
Windows
Authentication
SMTP Service
SSL
metabase
NNTP Service
Winsock
HTTPAPI
User
Kernel
HTTP.SYS
TCPIP.SYS

4. IIS7 Architecture overview
Web garden (w3wp.exe)
Application Pool (w3wp.exe)
Worker Process
ISAPI Extensions
ISAPI Filters
Worker Process
ISAPI Extensions
ISAPI Filters
Worker Process
ISAPI Extensions
ISAPI Filters
Managed Mods
Managed Mods
Managed Mods
Configuration
(applicationhost.config)
Svchost.exe
Inetinfo.exe
IIS Admin
Service
WAS
Lsass.exe
FTP Service
Windows
Authentication
WWW
Service
(w3svc)
SMTP Service
SSL
IIS 7.0 was built on top of an already successful architecture, the configuration system in IIS 7.0 is significantly different than in previous versions of IIS, and builds on top of some (but not all) of the concepts of the .NET framework configuration system. Its scope spans across the entire web server platform (e.g. IIS, ASP.NET) and serves as the core of the all-new IIS 7.0 administration "stack".
metabase
NNTP Service
Winsock
HTTPAPI
User
Kernel
HTTP.SYS
TCPIP.SYS

5. IIS6 Request flow refresher
Server is monolithic: cant extend core features cant remove core features cant add features
Feature duplication between IIS and ASP.NET.
Features limited due to position in pipeline.
ASP.NET functionality not applied to IIS content types.
w3wp.exe
iiscore
aspnet_isapi.dll
handlers
cgi
static
file
Isapi
exts
IHttpModule Events
url map
begin req
determine handler
logging
auth’c req
custom errors
auth’z req
w3svc
Svchost.exe
compression
resolve cache
end req
authentication
handler map
update req cache
ISAPI Filter Notifications
handler exec
rel req state
To understand some of the improvements IIS7 delivers, lets review the IIS6 architecture.
Overview:
Mapping the out high-level components we have, kernel http driver, worker process activation and management service, and the server worker process
The IISCore provides request processing services, such as authentication, caching, logging, and various protocol support functionality. Requests can be handled by mapping them to either the static file handler, or an external handler such as CGI, or an ISAPI extension.
Low level ISAPI filter mechanism can be used to intercept all requests in several points during request processing. The server is monolithic. Request processing services are tightly integrated with the server core – cannot be removed, cannot be replaced with custom services.
Following an ASP.NET request through the server pipeline we observe the following:
Pipeline duality produces a lot of service duplication and overlap between IIS and ASP.NET pipeline, such as: url mapping, authentication, handler mapping. This means having to configure services in two different places and different ways, runtime overhead, loss of fidelity due to incompatibility and side effects.
ASP.NET functionality limited due to position in the server pipeline. Always run after IIS counterparts, no way to hook into low level ISAPI notifications. This would frequently necessitate complex and expensive ISAPI filter development. Follow static request through the server.
Separate pipelines result in the problem of not being able to apply all services to all content types. ASP.NET services cannot be applied to IIS content types (forms authentication for static files). ASP.NET mapped requests cannot get the benefit of IIS functionality, such as static file handler or ASP.
url map
log
IHttpHandlers
auth’c req
Trace.axd
PageHandler
Pre-proc headers
End net session
http.sys

6. IIS7 Architecture W3wp.exe iiscore aspnet_isapi WAS w3svc http.sys
Unified request processing pipeline.
All services provided by self-contained modules
Modules can be managed or native
All services can apply to all requests
Native or Managed Handlers
iiscore
Native Handler
Managed IHttpHandler
aspnet_isapi
static file
isapi ext
*.aspx
trace.axd
IHttpModule Events
handlers
url map
cgi
static
file
Isapi
exts
Integrated pipeline
begin req
Native Module
IHttpModule
end
auth’c req
other
native modules
log
other
managed modules
Determine handler
update cache
auth’z req
WAS
w3svc
Svchost.exe
Isapi filter notifications
release state
resolve cache
end req
execute handler
url map
log
handler map
update req cache
pre-execute handler
acquire state
handler exec
rel req state
basic auth
url auth’z
IIS7 unifies the request processing pipelines of ASP.NET and IIS, to enable components developed in managed or native code to provide services with equal fidelity.
Observation> Single request processing pipeline, with a superset of request processing stages .
Observation> All functionality is factored out into modular components. Modules can be developed either using a new native API or the ASP.NET managed model. All IIS7 request processing functionality provided by either a managed or native module. You can decide what components are needed and add/remove them as necessary.
Follow a request through.
Observation> All services provided by modules can apply to all content types.
Example:
The application can define url access rules uniformly using url authorization, specifying them in terms of user roles that are obtained by the role manager module from a authorization role store in the backend. This authorization can be used to protect static content served by the static file handler, and CGI scripts.
auth’c req
End net session
map handler
digest auth
resolve cache
role mgr
IHttpHandlers
authorize
Pre-proc headers
windows auth
Trace.axd
forms auth
*.aspx
authenticate
begin
User
Kernel
http.sys
Tcpip.sys

7. Integrated pipeline
Unified request processing pipeline for both native and managed (ASP.NET) modules
All modules can provide services for all content types.
You can use ASP.NET forms authentication and url authorization to protect all content on the server
You can develop an ASP.NET module to append custom headers to static file requests.
Duplicate features unified
You can configure authorization, caching, and custom errors in one place.
Managed modules have full ordering flexibility
Managed modules can be intermixed with native modules as desired
The integrated pipeline model provided by IIS7.0 seeks to provide a unified view of the request processing pipeline, where both native and managed extensibility manifested as modules can execute side by side and can accomplish the same degree of functionality.
In the IIS7.0, the integrated pipeline presents a unified view. In this model, a request coming to IIS7.0 is processed in the single request pipeline, where both native and managed modules can provide request services with equal power. The request is then mapped to either a native or a managed handler.
In this mode, the following scenarios are possible:
ASP.NET Forms Authentication and Url Authorization can be used to provide internet ticket based authentication and access control for all resources on the server, including static files, CGI scripts, and ASP pages. (All services can apply to all content types).
A custom managed request filtering module can deny requests before any other module sees the request, by being the first to run in BeginRequest. (Managed modules have ordering fidelity with native modules)
A single custom errors configuration exists for a single native custom errors module. (Duplicate services unified).
IIS7.0 allows each worker process to be configured independently for either Integrated or Classic pipeline mode allowing for backward compatibility for applications that are unable to run properly in Integrated mode. This can be configured via the normal management UI and makes the following changes in the applicationhost.config file:
<system.applicationHost>
<applicationPools>
<add name="DefaultAppPool" />
<add name="Classic .NET AppPool" managedPipelineMode="Classic" />
<add name="AppPool2" managedPipelineMode="Integrated" />
<applicationPoolDefaults>
<processModel identityType="NetworkService" />
</applicationPoolDefaults>
</applicationPools>
</system.applicationHost>
Here we see that there are two application pools configured. The DefaultAppPool is inheriting its configuration from the applicationPoolDefaults section and the schema defaults which will cause it to run in Integrated pipeline mode under the NetworkService security context. The ‘Classic.NET AppPool’ will also run under the NetworkService context but will run in Classic pipeline mode.
Note: you can also explicitly specify “Integrated” for managedPipelineMode

8. Module breakdown
A full description of all IIS7 modules is covered in the following tables, they have been broken down in to groups based on functionality:
Caching Modules
Compression Modules
Content Modules
Authentication Modules
Security Modules
Logging & Error Modules
Diagnostics Modules
Development Modules
IIS 7.0 Managed Modules

9. Development Modules
Development technologies offered as to execute code from that platform
Implements Managed Interfaces, etc.
Module Name
Description
Resource Location
IsapiModule
Implements ISAPI Extension Server Functionality
Inetsrv\isapi.dll
IsapiFilterModule
Implements ISAPI filter functionality
Inetsrv\filter.dll
CgiModule
Executes CGI processes to build response output.
Inetsrv\cgi.dll
FastCgiModule
Enables Fast CGI application frameworks like PHP be hosted on the IIS web server.
inetsrv\iisfcgi.dll
ConfigurationValidationModule
Implements configuration validation, e.g. if an application runs in integrated mode but has handlers or modules declared in the system.web section.
inetsrv\validcfg.dll
ManagedEngine
Connects the IIS core pipeline with the ASP.NET runtime and bridge between native and managed code in IIS 7.0
..\Framework\v \webengine.dll

10. Hosting PHP on Windows

11. Options for Hosting PHP on IIS
CGI
FastCGI
ISAPI
Invokes a process for each request.
Advantages
Easy to Configure
Stable Execution
Disadvantages
Slow due to I/O
Overhead of
Process Creation
Extension to CGI allowing reuse of a process.
Advantages
Easy to Configure
Faster than CGI
More stable than
PHP on ISAPI
Loaded as extension in process.
Advantages
Better Performance
Disadvantages
Many PHP
Applications are
not Thread-Safe

12. FastCGI for IIS6
Same FastCGI functionality as in IIS7, available as a separate download for IIS6 from the Microsoft download center
Fully supported by Microsoft
Walk-throughs demonstrating how to run popular PHP applications on Windows Server
See
Close collaboration with Zend Technologies
Improvements in PHP engine for IIS with contributions and collaboration back to PHP Community
Zend Core Available for Commercially Supported PHP

13. FastCGI in IIS6 and IIS7 FastCGI in IIS6 FastCGI in IIS7
Available today on Download Center
Available with Windows Server 2008 and Vista SP1
Delivered as a separate download from Windows Server 2003.
Delivered as part of IIS7. Users must install the CGI feature in IIS to enable FastCGI.
ISAPI extension
Native IIS7 module
Resources, forums, and reference material available on IIS.NET
Product help documentation, as well as resources on IIS.NET.
Configured via fcgiext.ini
Configured via the new XML-based configuration system in IIS7.
Fully supported by Microsoft
Supports PHP and other FastCGI frameworks

14. Advantages of PHP on IIS7
Modular architecture for reduced attack surface
XML-based configuration system
Remote management capability
Advanced diagnostics
Integration with WMS and Media Pack
Ability to extend IIS7 using managed code
PHP users who deployed to Apache in the past will be more comfortable with IIS7 than IIS6 due to the new configuration system and modular architecture.

15. FastCGI on IIS 7.0

16. FastCGI Design Goals What is FastCGI :
A language and server independent, scalable, open extension to CGI that provides high performance and persistence
A protocol for data interchange between a web server and a FastCGI application
The set of libraries that implement the protocol
Developed by Open Market in 96 as open solution
Design goals:
Speed!
Eliminate CGI’s weaknesses
Scalable
Persistent
Build on CGI’s strengths
Simple, Open Standard with an easy migration path
Server, Language, & OS independent
Server Isolation
Of course, the motivating factor behind the development of FastCGI was speed.
Allowing CGIs to run on backend machines was important.
CGI has some really good traits.. Want to keep those and dump the bads without adding unnecessary complexity.
Easy to migrate from CGI.
Web hosts want a solution that is isolated from the rest of their customers.
The ability to make use of other computing resources without having to manage them as directly exposed to the Internet.
Persistence from two angles, process persistence and data persistence.

17. FastCGI Handler Architecture
FastCGI process pool for PHP5
IIS Worker Process
FastCGI handler
ASP.NET
Static
FastCGI protocol over named pipes or TCP
Read Configuration
Authenticate
Authorize
Map Request
Handle Request
Send Response
Log Request
php-cgi.exe
FastCGI process pool for PHP4
Request queue
php.exe

18. FastCGI Handler 1 : Receiving requests in IIS WP 2 : Queieing requests
3 : Dispacthing and receiving response from FastCGI process
4 : Creating one or more FastCGI App Process
Its operation roughly breaks down into following actions:
Receiving requests in the IIS worker process (1)
Creating one or more FastCGI application processes (4)
Dispatching each request to one of the FastCGI application processes over a named pipe or TCP socket using the FastCGI protocol (3), and receiving a response from the FastCGI application process
Queueing requests when the maximum number of FastCGI application processes has been reached, and each is already processing a request. (3)

19. FastCGI Handler Mapping the FastCGI handler to process requests
Processing all URLs in a directory
Response buffering
64 bit support
Process Management
Create configured FastCGI application processes when needed.
Maintain a connection with each FastCGI application process during its lifetime
Monitor health of FastCGI application processes
Periodically recycle FastCGI processes
Detect when FastCGI processes exited / crashed, and recover gracefully
Terminate FastCGI processes
Queuing and request dispatching
Security model

20. FastCGI Protocol Support
Initialization
Request processing
FastCGI Roles
Error handling
Errors during FastCGI handler initialization
Errors during application initialization
Request processing errors
Rapid Failure Protection

21. FastCGI Roles Responder Authorizer Filter The fundamental FastCGI role
Functionally identical to CGI
Supported by all FastCGI capable servers
Authorizer
Provides a means of controlling access to a site, a page, or something in between
Typically, this involves some form of authentication, but this isn’t required
It has server dependent significance
Filter
Allows “processing” of a file before it is sent
Intended to support:
Format conversions
Dynamic documents (embedded code)
Applying templates: e.g. headers, footers, backgrounds
Conceptually this could support dynamic content chaining, but without server support has limited utility
The spec describes 4 roles.
The Filter Role conceptually allows the chaining of dynamic content.
There’s also a Logger role that isn’t described in the documentation, but mentioned in the headers. It allows for colocating logging –there’s better solutions like piped logs under Apache.

22. 11/30/2017
© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

23. FastCGI Application Process
The FastCGI application process uses a FastCGI communication library to communicate via a transport mechanism to the calling process. On Windows, many application frameworks use the LibFcgi library from
The FastCGI application library typically supports the following transport mechanisms to the creating server:
Named Pipes (PHP, Ruby, Perl)
TCP (Python)

24. FastCGI Protocol All data is wrapped in the protocol
A simple standard header precedes every Protocol Data Unit (PDU)
The header describes the type of data and its length
PDU Types
Begin Request
Name-Value Stream
Stdin Stream
Stdout Stream
Stderr Stream
End Request
Reserved
Padding Length
Content Length
Request Id
PDU Type
Protocol Version
The Padding field allows the data alignments to be maintained at 8 byte boundaries for efficiency.
= one byte

25. Typical PDU Flow - To FastCGI Application
Begin
To FastCGI Application
NV {X}
NV Data
...
NV {0}
Stdin {X}
Stdin Data
...
Stdin {0}

26. Typical PDU Flow - From FastCGI Application
Stdout {X}
Stdout Data
To Web Server
...
Stderr {X}
Stderr Data
Stdout {X}
Stdout Data
Stdout {0}
Stderr {0}
End