Windows Web Hosting, Web Technologies, etc
Posts tagged Windows Webhosting
Microsoft & Zend give PHP a kickstart on IIS .. FastCGI for IIS!
Nov 1st
Microsoft & Zend have partnered up to improve PHP performance on IIS (yet again!). Today on Bill Staples blog he talks about the great improvements being made: http://blogs.iis.net/bills/archive/2006/10/31/PHP-on-IIS.aspx and really goes in depth with a nice demo on performance improvements being made. He has some nice screen captures, etc.
For me though, the best part is that they’ve released an preview ISAPI for IIS6 which is available for download here: http://www.iis.net/default.aspx?tabid=1000051. This is more than just a download link page. They really give a nice intro into what FastCGI is and why it’s so cool. There’s also a step-by-step article on how to get FastCGI & IIS working together here: http://www.iis.net/default.aspx?tabid=2&subtabid=25&i=1207
As many know, I’m a big advocate of IIS & Windows based hosting. We’ve based our company on it and have operated on IIS now for 8 years. I know that Microsoft is committed to the webhosting industry and providing a power webserver platform for us. I also enjoy opensource software and like to run PHP based applications. I know from my personal experience that PHP is both safe and stable and I feel running PHP on Windows/IIS is testiment to the power of IIS. I also believe there are too many self proclaimed “windows hosting experts” that don’t understand the technology and don’t take the time or effort to investigate it and simply proclaim “PHP is opensource, opensource is bad! Microsoft Microsoft Microsoft”. This is obvious from my earlier posts. I really hope these guys wake up and smell the coffee.
But, if you still think it’s not safe to run PHP on Windows and still want to listen to those guys that say running PHP is going to eat up too many resources and cause problems for your ASP.net sites and that you should only run Microsoft products on Microsoft products? Then that’s ofcourse your personal choice. Personally, I think you’re just burying your head in the sand with them! Honestly, take a look at sites like hotscripts.com and freshmeat.net and look at all the PHP based applications that are there. There are so many well written quality opensource (and commercial too) apps available that you’re foolish to limit yourself and not make use of these. As for me, I see this as Bill Staples (who’s title is: Microsoft’s Product Unit Manager for IIS), giving us a demo along side Andi Gutmans (one of the creators of PHP) of PHP running on Windows! Let’s see that’s opensource on Microsoft! YES!
For the my friends that tell me I’m crazy for running IIS and should use Apache, here’s your beloved PHP endorsing IIS!
For my friends that tell me “no Microsoft only wants you to run ASP.net on IIS” here’s Microsoft endorsing PHP! (oh yeah! opensource!).
I’m sorry guys but Microsoft is committed to making IIS THE best webserver platform on the Internet and is embracing PHP to get there! So yeah,once again WIMP (Windows, IIS, MySQL, PHP) is anything but wimpy and I am really looking forward to the final updates. (Which Zend is making opensource). So repeat after me: “I host on Microsoft Internet Information Server and I’m proud of it!”
Internet Explorer 7 & Firefox Search Provider support added at AppliedI.net
Oct 20th
The Applied Innovations Webhosting Support Knowledgebase (support.appliedi.net) sees as many as 35,000 pageviews a day and as such we’re constantly looking for new ways to increase it’s ease of use for our webhosting clientbase. Microsoft officially launched IE7 yesterday and we released our updated knowledgeable to coincide with the launch of IE7 and to leverage one of the newest features in IE7, the Search Provider.
By providing a custom Internet Explorer 7 Search Provider for our knowledgebase, our hosting clients can search the support knowledgebase directly from within Internet Explorer. We didn’t stop there though. With the current betas of Firefox 2.0 moving along nicely, we’ve made sure our search provider was compatible with Firefox 2.0 as well.
By integrating the AppliedI.net Support Knowledgebase search with their web browser our hosting clients will have easy access to perform a Full-Text search against one of the most thorough windows web hosting support references on the Internet.
Applied Innovations believes quick, accurate and friendly support is one of the most sought after features by any webhosting client and we work to always provide the best level of support possible be it through new and innovative search techniques, toll-free telephone support or Web based live chat.
Below is a screen capture of what the Search Provider looks like in IE7
And also a screen capture of it running in Firefox 2.0
Why support PHP, PERL, MySQL, etc on shared Windows Hosting?
Oct 15th
Many Windows hosts today are proudly stating “we only support Microsoft technologies on Microsoft hosting” and they follow it up with such statements as “why support something that doesn’t have commercial support behind it? when there’s a problem who do you go to?” or “We don’t support these other scripting engines because they steal server resources and compromise server security”.
Not too long ago I made a post about running secure windows hosting, in that post I stated that the only way to truly run secure shared hosting is in a private sandbox using private users, this holds true for any shared hosting platform and not just windows. If proper permissions and process isolation are not put in place security and stability are at risk. What I didn’t really get into was what motivated my to create that post, it’s these misleading statements listed above that really piss me off so I cry, no, I scream “BULLSH*T!” (the word may offend some but these misleading, misguided statements offend me as much as that word offends you!). So the consuming looking for ASP or ASP.net hosting thinks “hey this is great! my site is never going to go down because my new host only supports ASP and ASP.net and they are all supported by the great and noble Microsoft. Let’s look at what they are really doing:
- They are giving you a false sense of security. You assume since they are strictly Microsoft everything is commercially supported and no problems are going to happen.
So what about joesdiscountgardentools.com that runs an ASP e-commerce store that uses an Access database engine oh and the whole thing was written by his little nephew while he was learning computer programming in grade school? Do you really think you’re server is going to be all that more stable just because it’s running only MS based apps/programs? Absolutely not! Anyone can write crap code and upload it to a $10/month or even a $400/month hosting account and the moment it starts causing problems it’s going to affect everyone.
(but earlier Jess you said you could setup the server to minimize the affects this guy’s site has on mine? yes at AppliedI.net we do, but it’s still a shared server and it could still affect you. We minimize this as far as we can but unless you’re on a private or dedicated server no one is going to be able to rule it out completely).
- They’re limiting your choices and impeding your site’s growth.
As an electrical engineer I learned how to program in 14 different programming and scripting languages on DOS, Windows, SunOS, Solaris, VAX, Linux, Intel, IBM, Motorola and AT&T microcontrollers/microprocessors, etc. I didn’t learn this because I wanted to brag (well partially I did) but I did this because I firmly believe in having the best tool to get the job done. I consider, C, Fortran, Unix Shell, Basic, etc all tools in my tool box, must like a carpenter has different hammers, screwdrivers, chisels, etc. The final analogy could be “sure you can drive a nail into a 2×4 with the back end of a crescent wrench but wouldn’t having a hammer be that much faster and more efficient? Who do you think will build the house fastest? The guy building the house with just a crescent wrench or the guy building the house with a full toolbox of tools? In Business (be it offline or online) the first guy to come along offering a complete solution and establish himself as such is generally going to be the guy to beat. PERL was around long before ASP, PHP long before ASP.net. I’m not going to argue which is better or why but I’m simply going to say if you head over to a script repository like www.hotscripts.com and do a search for a new application for your site (be it a forum, a live chat, a survey tool) you’re going to find a plethora of them and the most mature, well written and feature-rich app may not necessarily be built in ASP or ASP.net. Ofcourse you could always have one built to meet your needs but then how long is that going to take? I bet your competitor that supports PHP is going to have his up allot faster than your developer will have yours completed!! (cheaper too!)
- They are attempting to show a level of expertise in ASP & ASP.net and hiding the fact that they are probably unfamiliar with how to administer a windows hosting solution such that they can support PHP, PERL, etc.
My recommendation is use what you’re familiar with and don’t sacrifice your site’s performance or growth for someone else’s ego.
- They’re forcing you to build your application around their hosting instead of building their hosting to support your application. A well rounded, smartly built hosting infrastructure should not only be stable and secure but functional.
At AppliedI.net our windows hosting plans were designed from day one to support PERL on Windows and once PHP was mature they were extended to support PHP. ASP & ASP.net performance are not sacrificed either and although we support PHP Windows hosting and PERL windows hosting on the same plans as our ASP & ASP.net hosting we do it such that all platforms are secure and powerful.
- They’re lying to you. When running PHP & PERL in the same worker process / app pool as your isolated site. Whether you use ASP, ASP.net, PHP or PERL they are all going to run in the same space and if they crash, they are going to take out just your website and not the whole server. They simply don’t know how to ( or unfamiliar with why you would ) isolate application pools. They didn’t mention Microsoft has worked with ActiveState to get PERL optimized on Windows or with the PHP developers to improve performance and stability of PHP on Windows did they? Truth is they have and these are very powerful scripting languages on Windows.
When it’s all said and done you need to decide if you want to use the best tool for the job or just the tools someone tells you to use. My recommendation is become educated on these matters, look into why someone says this does or doesn’t work and decide for yourself.
Which VPS platform is the fastest? Benchmarking Virtuozzo, VMWare and Microsoft Virtual Server on Windows.
Oct 1st
I’ve pulled the article until I have time to properly benchmark all three systems on identical hardware, hopefully after the holidays. Although I used different hardware, I firmly believe my numbers provided a reasonable estimate of what performance you would see using identical hardware. I’d had verbal feedback from others that in fact they saw similar results but nothing to substantiate those comments.
The differences between RAID, CPU’s, Drives, etc all tended to balance out in my opinion. I welcome anyone to take on this task as well as I’d love to have something to compare my numbers against and prove my numbers as wrong. So put your money where your mouth is and let’s see what you got.
PHP is not secure on Windows!
Sep 19th
Today I was told “PHP is not secure on Windows” and “if you ran PHP on a windows server your server would get hacked“. To add insult to injury, it was then implied that running PHP on your server would steal resources on your server that would otherwise be available to your ASP or ASP.net applications and that if you wanted to operate a serious website you would never run PHP on a windows server.
This article will hopefully provide you details on how to better configure your IIS6 shared hosting servers so that your server isn’t as vulnerable to being attacked and can run not only PHP but also ASP, ASP.net, PERL and any other scripting language you want while remaining secure, stable and fast! At Applied Innovations we’ve supported ASP & PERL on windows since our inception in 1998, PHP on windows since 1999 and ASP.net since the early pre 1.0 betas. We’ve watched these technologies all mature and develop and we’re proud to say that not only can you run these all on a windows based server but you can do it while remaining secure, stable and offering best in class reliability when run on Windows 2003 and IIS6.
The biggest problem with IIS6 and that everyone believes the Microsoft marketing (afterall, if Microsoft says it, it must be true) that “IIS6 is secure out of the box”. They then proceed to create their websites all sharing a single application pool and all running as “Network Service” the default identity for the default application pool. This IIS6 configuration may be secure for a single site on a single server out of the box and is without question more secure than it’s predecessors. However, for shared hosting where hundreds of websites share (read compete for) a single physical machine’s resources, then this base configuration needs a little work. Fortunately, Microsoft is committed to seeing it’s hosting partners excel in the hosting marketplace and provides us with the information on just how to do this.
Creating a secure shared hosting environment in IIS6
1. Application Isolation on Windows 2003 & IIS6. IIS6 allows for you to run each site in a separate application pool. By running each site in a unique application pool you’re able to isolate one site’s executing code from another. The advantage here is if each site is in a unique pool and something happens on one site that causes that pool to fail, only that pool is affected and meanwhile the rest of the sites on the server continue to run as if nothing every happened. An outstanding paper by Microsoft is available on this topic here: Configuring Application Isolation using Windows Server 2003 and IIS 6.0. This paper also explains how to take advantage of the new reliability and resource control features built into IIS6, such as rapid fail protection, memory limitations, automatic application shutdown and recycling, etc. You should read this paper before continuing. Did you finish reading it? Good now go back and read it again. There’s alot of information there.
2. User Permission Isolation to Secure Applications. The second step to securing IIS is to not use the default application pool identity “Network Service” and instead create a unique user for each application pool. You’ll find that it’s still very common for most hosts to run IIS using the “Network Services” account. In fact still today almost every ASP.net developer when requesting you to adjust file permissions ask you to grant permissions to ASPNET (the user ASP.net runs under in Windows 2000 by default) or “network service” the Windows 2003 default user. The correct instructions should be “grant permissions to the user your Application Pool executes as”. The secure way to isolate your applications/sites is to create a unique user for each application pool and execute the pool as that user. This user will ONLY be used for executing this application pool and will not be used for anything else. You would then grant that user access controls (or ACLs) to only the files, directories and resources on the server that are absolutely required access by this user. The easiest way to do this is to assign the users as members of the IIS_WPG group and grant or deny permissions to the IIS_WPG group on the server resource. By tightening ACLs should one of your application pools be compromised and a hacker use it to attack the file system on your server they would be sandboxed and only allowed access to those areas on the server that the user of that application pool runs as or has access to. The key is is limiting the area exposed to being compromised. Additionally, by running each website as a unique user and only granting access to the website files for that particular website then should that one pool be compromised they would not be able to access the files of the other websites on that server. NOTE: you should never grant IIS_WPG access to a website’s wwwroot and instead grant it on a per user basis. Details on how to properly configure ACLs and what steps need to be taken can be found here: Using Isolation to Secure Applications (IIS 6.0).
If you followed the two steps above you’ll have isolated every website into their own application pool and you’ll have each site running as a unique user that only has access to it’s own files and minimum system resources, effectively sandboxing every website. You now have your server configured so that no one website can access the files or resources of any other website on your server. Should any one website become hacked and a hacker execute code, that code would not be able to affect any other site on the server and not be able to further compromise your server. This is a secure, sandboxed, hosting environment and anything less than this is not secure for shared hosting. Once you have a secure hosting environment you can then safely allow ASP, ASP.net, PHP, Perl or any other scripting engine you want (Provided you properly configure it). The key is that you’ll want these applications to run within the isolated application pool as the isolated application user for that site so that they remain sandboxed.
Unfortunately doing all of this will not make you invulnerable to getting hacked but will help to reduce the number of attack vectors that could result in your hosted websites getting hacked. Additionally, should a site get hacked you have now limited the impact on your server, regardless of what scripting language your web applications run under.
You’re also probably wondering what this has to do with running PHP under Windows securely? You see, it’s not the PHP programming language that gives PHP a bad name, it’s not Microsoft trying to slander PHP either, it’s the web developers that use PHP to write insecure web applications that are then executed on insecure web servers. It’s these insecure scripts on insecure servers that make people say PHP is not secure on Windows. If a website running a PHP application is hacked and the user that this site runs as has full access to all the other sites on that server, then you don’t have one compromised website but dozens of compromised websites!! This also isn’t a Windows only issue. These hackers know that web developers are lazy and like to grant world writeable to all folders and all files instead of specific pages or subfolders (Linux guys take note: CHMOD 777 -R is not a good thing!). Thus, I wrote this article because it’s widely assumed that PHP is not secure on windows hosting, when the truth is nothing is secure on windows hosting (even ASP and ASP.net) unless the hosting is secured first.
So is it the system administrator, the webmaster, the application developer, the language developers, the OS developers or the hacker squirreled away in the basement in his mommy’s house that’s at fault?
It’s everyone’s fault!
- the system administrator needs to secure his server and audit it regularly, keeping the scripting languages, OS, etc all patched and up to date.
- the webmaster needs to use secure passwords, maintain secure file permissions, keep his scripts and applications up to date.
- the application developer needs to keep his scripts secure and not vulnerable to common issues like SQL injection and cross site scripting attacks.
- the language developers need to always stay ahead of hackers, paying attention to hacking trends and not only fixing bugs and security holes but finding them and trying to compromise their own platforms before the hackers do.
- the hacker, well not much we can do with him but if we all do our part then these guys aren’t going to have sites to hack and eventually they’ll leave that basement and go find something useful to do with their time. World peace could be a start!
I’d love to hear what other’s have to say and welcome any and all feedback. My next article will address just why a windows web server running PHP and ASP.net is not just for hobbyists and can be done in a production web environment reliably, securely and still remain extremely stable. In the meantime if you’re looking for proof of this concept and want a stable, reliable windows hosting platform that allows you to run PHP4, PHP5, PERL, ASP, ASP.net 1.1 and ASP.net 2.0 , please visit Applied Innovations at www.appliedi.net .
