Comments on: Per-site PHP configuration with IIS FastCGI http://ruslany.net/2008/07/per-site-php-configuration-with-iis-fastcgi/ IIS, FastCGI, PHP and other interesting stuff Sat, 12 May 2012 03:15:29 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: LaiQue http://ruslany.net/2008/07/per-site-php-configuration-with-iis-fastcgi/comment-page-1/#comment-11912 LaiQue Sun, 19 Feb 2012 20:32:44 +0000 http://ruslany.net/2008/07/per-site-php-configuration-with-iis-fastcgi/#comment-11912 Great Topic, Thanks for sharing Ruslany. I've a question about security and it is not related to this topic. When a php shell like C99 runs on windows, it can traversal from one directory to another directory or even one partition to another partition. How can we prevent it ? Great Topic, Thanks for sharing Ruslany.

I’ve a question about security and it is not related to this topic.
When a php shell like C99 runs on windows, it can traversal from one directory to another directory or even one partition to another partition. How can we prevent it ?

]]> By: ruslany http://ruslany.net/2008/07/per-site-php-configuration-with-iis-fastcgi/comment-page-1/#comment-1805 ruslany Fri, 26 Mar 2010 00:01:13 +0000 http://ruslany.net/2008/07/per-site-php-configuration-with-iis-fastcgi/#comment-1805 @igor: The php-cgi.exe will run under the appPoolUser identity - this is expected. But it will impersonate the web site user when performing any file system operations. This way for example you can have the same PHP process pool handling requests from multiple web sites and as long as the sites use different anonymous identities, the PHP scripts for those sites will not be able to read each other files because PHP will impersonate the site's user when reading or writing files. @igor: The php-cgi.exe will run under the appPoolUser identity – this is expected. But it will impersonate the web site user when performing any file system operations. This way for example you can have the same PHP process pool handling requests from multiple web sites and as long as the sites use different anonymous identities, the PHP scripts for those sites will not be able to read each other files because PHP will impersonate the site’s user when reading or writing files.

]]> By: igor http://ruslany.net/2008/07/per-site-php-configuration-with-iis-fastcgi/comment-page-1/#comment-1694 igor Tue, 23 Feb 2010 20:57:52 +0000 http://ruslany.net/2008/07/per-site-php-configuration-with-iis-fastcgi/#comment-1694 Hi, Thanks for the post. However I came to this page accidentally regarding another problem. As you said earlier in the comment: As usual, in shared hosting environment you would need to ensure that account that is used to run php-cgi.exe has minimal set of privileges. It is recommended that you turn on fastCGI impersonation for PHP. <b>That way php-cgi processes for each web site will be running in a security context of impersonated user for that site.</b> I have w2k3 se sp2 x32, FastCGI, PHP 5.2.12 (fastcgi.impersonate = 1). I have a web site with identity, let's say, <i>webUser<i>. The application pool for this web sites runs under, let's say, <i>appPoolUser</i> (part of IIS_WPG group). Web site works fine, but the one thing I can't understand is the following: 1. Worker process (w2wp.exe) starts under <i>appPoolUser</i> as expected. 2. php-cgi.exe start under the same <i>appPoolUser</i> identity (as per TaskManager). Why php-cgi.exe does not run under <i>webUser<i>? or am I missing something? Hi,

Thanks for the post. However I came to this page accidentally regarding another problem. As you said earlier in the comment:

As usual, in shared hosting environment you would need to ensure that account that is used to run php-cgi.exe has minimal set of privileges. It is recommended that you turn on fastCGI impersonation for PHP. That way php-cgi processes for each web site will be running in a security context of impersonated user for that site.

I have w2k3 se sp2 x32, FastCGI, PHP 5.2.12 (fastcgi.impersonate = 1). I have a web site with identity, let’s say, webUser. The application pool for this web sites runs under, let’s say, appPoolUser (part of IIS_WPG group). Web site works fine, but the one thing I can’t understand is the following:
1. Worker process (w2wp.exe) starts under appPoolUser as expected.
2. php-cgi.exe start under the same appPoolUser identity (as per TaskManager).

Why php-cgi.exe does not run under webUser? or am I missing something?

]]> By: ruslany http://ruslany.net/2008/07/per-site-php-configuration-with-iis-fastcgi/comment-page-1/#comment-1337 ruslany Wed, 30 Sep 2009 22:29:09 +0000 http://ruslany.net/2008/07/per-site-php-configuration-with-iis-fastcgi/#comment-1337 @Abdallah: Turned out that the problem is caused by semicolons at the end of the types declarations. If you remove those it should work. This will be fixed in the RTW release of the FastCGI Extension 1.5. @Abdallah: Turned out that the problem is caused by semicolons at the end of the types declarations. If you remove those it should work.

This will be fixed in the RTW release of the FastCGI Extension 1.5.

]]> By: Abdallah M. Gazal http://ruslany.net/2008/07/per-site-php-configuration-with-iis-fastcgi/comment-page-1/#comment-1314 Abdallah M. Gazal Tue, 22 Sep 2009 09:35:55 +0000 http://ruslany.net/2008/07/per-site-php-configuration-with-iis-fastcgi/#comment-1314 Hi, very nice article but with me i had to modify the fcgiext.ini manually (something wrong with the script) anyway my problem is, no matter what i do it always sees the first TYPE only, and cannot see the rest, i tried all types of syntax and yet always see the 1st entry, any idea why? Here is my code [Types] php:204766269=PHP STI-Travel; php:1341913653=PHP SakkaraPayment; php:628365814=PHP SakkaraToursIndia; [PHP STI-Travel] ExePath=C:\program files\PHP\php-cgi.exe EnvironmentVars=PHPRC:C:\Inetpub\wwwroot\STI-Travel.com\httpdocs [PHP SakkaraPayment] ExePath=C:\program files\PHP\php-cgi.exe EnvironmentVars=PHPRC:C:\Inetpub\wwwroot\Sakkarapayment.com\httpdocs [PHP SakkaraToursIndia] ExePath=C:\program files\PHP\php-cgi.exe EnvironmentVars=PHPRC:C:\Inetpub\wwwroot\SakkaraToursIndia.com\httpdocs Hi,

very nice article but with me i had to modify the fcgiext.ini manually (something wrong with the script) anyway my problem is, no matter what i do it always sees the first TYPE only, and cannot see the rest, i tried all types of syntax and yet always see the 1st entry, any idea why? Here is my code

[Types]
php:204766269=PHP STI-Travel;
php:1341913653=PHP SakkaraPayment;
php:628365814=PHP SakkaraToursIndia;

[PHP STI-Travel]
ExePath=C:\program files\PHP\php-cgi.exe
EnvironmentVars=PHPRC:C:\Inetpub\wwwroot\STI-Travel.com\httpdocs

[PHP SakkaraPayment]
ExePath=C:\program files\PHP\php-cgi.exe
EnvironmentVars=PHPRC:C:\Inetpub\wwwroot\Sakkarapayment.com\httpdocs

[PHP SakkaraToursIndia]
ExePath=C:\program files\PHP\php-cgi.exe
EnvironmentVars=PHPRC:C:\Inetpub\wwwroot\SakkaraToursIndia.com\httpdocs

]]> By: RuslanY Blog http://ruslany.net/2008/07/per-site-php-configuration-with-iis-fastcgi/comment-page-1/#comment-846 RuslanY Blog Sat, 11 Jul 2009 07:23:56 +0000 http://ruslany.net/2008/07/per-site-php-configuration-with-iis-fastcgi/#comment-846 <strong>Per-site PHP configuration with PHP 5.3 and IIS...</strong> About a year ago I wrote an article about how to enable per-site PHP configuration on IIS with FastCGI. The instructions in that article required some non-trivial manipulations of IIS and FastCGI configuration settings. At that time it was one of the p... Per-site PHP configuration with PHP 5.3 and IIS…

About a year ago I wrote an article about how to enable per-site PHP configuration on IIS with FastCGI. The instructions in that article required some non-trivial manipulations of IIS and FastCGI configuration settings. At that time it was one of the p…

]]> By: Kimio Tanaka http://ruslany.net/2008/07/per-site-php-configuration-with-iis-fastcgi/comment-page-1/#comment-446 Kimio Tanaka Thu, 12 Mar 2009 12:16:37 +0000 http://ruslany.net/2008/07/per-site-php-configuration-with-iis-fastcgi/#comment-446 Thank you for the other day. At last, I succeeded in Per-site PHP configuration with IIS7 FastCGI using GUI. http://iis.museum-in-cloud.com/wordpress/index.php/archives/87 Thank you for the other day.

At last, I succeeded in Per-site PHP configuration with IIS7 FastCGI
using GUI.

http://iis.museum-in-cloud.com/wordpress/index.php/archives/87

]]> By: shee http://ruslany.net/2008/07/per-site-php-configuration-with-iis-fastcgi/comment-page-1/#comment-432 shee Sun, 08 Mar 2009 22:12:39 +0000 http://ruslany.net/2008/07/per-site-php-configuration-with-iis-fastcgi/#comment-432 Thanks for sharing. Thanks for sharing.

]]> By: ruslany http://ruslany.net/2008/07/per-site-php-configuration-with-iis-fastcgi/comment-page-1/#comment-14 ruslany Tue, 19 Aug 2008 02:05:08 +0000 http://ruslany.net/2008/07/per-site-php-configuration-with-iis-fastcgi/#comment-14 s.r., you are correct. That was a typo - the correct path is %WINDIR%\system32\inetsrv\. Thanks for pointing that out - I've fixed the text now. s.r., you are correct. That was a typo – the correct path is %WINDIR%\system32\inetsrv\. Thanks for pointing that out – I’ve fixed the text now.

]]> By: s.r. http://ruslany.net/2008/07/per-site-php-configuration-with-iis-fastcgi/comment-page-1/#comment-13 s.r. Tue, 19 Aug 2008 00:27:57 +0000 http://ruslany.net/2008/07/per-site-php-configuration-with-iis-fastcgi/#comment-13 actually %WINDIR%\system32\inetpub\ is not right path Should be %WINDIR%\system32\inetsrv\ I didn't find inetpub folder in the system32 dir actually %WINDIR%\system32\inetpub\ is not right path
Should be %WINDIR%\system32\inetsrv\
I didn’t find inetpub folder in the system32 dir

]]>