PHP Setup 1

[Olddogg]

I am trying to install PHP 5 on Windows IIS 6.0. I am using the installer to setup and configure the web server.

When I complete the installation it says that the installation has been successfully completed. However, when I try to access .php files from the server it says that they are 404... file not found.

Does the PHP installer not work for IIS 6.0?

Is there any other suggestions?

Thanks for the help.

 

[Tarwn]

I am not running PHP 5 on this machine, but one issue I always have with IIS 6 is that you have to activate things like PHP, Perl, ASP, etc. If you go into the IIS snap in from administrative tools, there is a section called "Extensions" (or something similar). Clicking on it should give you a screen on the right pane with all of the loaded extensions and whether thay are active or not.

Someone else may know more about this, but it's the first place I look anytime something doesn't work through IIS 6.

 

[jpadie]

you also get 404 errors in IIS if php doesn't start properly. for me this is almost always because i've forgotten to copy the dlls for mysql to the right directory (typically system32).

note also that for isapi mode you need to provide iUSR_machinename with execute permissions to various files in the php directory.

lastly i've also found problems with space names in the path to the isapi. if i have put php in, eg, the program files directory i always have to use the old eight character file and directory names.

 

[a6m1n0]

On windows 2003 server I would recommend using ISAPI mode. This requires a manual configuration of PHP5.

Directions:

Download the latest stable version of PHP5 and the PECL extenstions. Extract the contents of the PHP5 zip into any directory of your choosing. Extract the contents of the PECL extenstions into the ext directory you just created for PHP5. NOTE: Do not extract the contents into the directory you want to actually 'run' PHP5 from...it will intefere with the installation script I provide below.

Here is a batch file that I wrote that will helps me install PHP 5.1.4.4 on 2003 Server. To use it, create a text file and copy/paste the copde block below into this text file. Place this file in the same directory that you extracted the PHP5 zip file and rename to install.cmd. Now just double-click and follow instructions. Watch out for line wrap!

@echo off
cls
REM PHP 5.1.4.4 Batch Installer
REM Author: R.Grady aka a6m1n0/YowZa
REM Written: 05/24/2006
REM Updated: 07/01/2006
if not "%OS%"=="Windows_NT" goto e00
setlocal
set drv=C:
set dir=php5
title=PHP 5.1.4.4 Batch Installer
echo Installing PHP 5.1.4.4 to %drv%\%dir%...
echo Checking to see if IIS6 installed...
sc query w3svc|find "FAILED">nul
if not %errorlevel% GTR 0 goto e01
echo TRUE
echo.
echo Checking to see if the service is running...
sc query w3svc|find /i "RUNNING">nul
if %errorlevel% GTR 0 goto chkver
echo TRUE
echo.
echo Need to stop IIS6 to install PHP properly.
echo Hold the Ctrl key and press C to Cancel, or
pause
echo Stopping IIS...
sc stop w3svc
:chkver
echo Checking for Windows 2003 Server...
set wver=0
ver|find /i "5.2.3790">nul
if %errorlevel% GTR 0 set wver=1
echo TRUE
echo.
echo Does %drv%\%dir% exist...
if exist %drv%\%dir% goto e1
echo FALSE
echo.
echo Creating directory %drv%\%dir%...
md %drv%\%dir%
echo Does %drv%\%dir% exist...
if not exist %drv%\%dir% goto e2
echo TRUE
echo.
echo Copying files to %drv%\%dir%...
xcopy *.* %drv%\%dir% /s /e /v /Y >nul
echo Does php.ini-recommended exist in %drv%\%dir%\...
if not exist %drv%\%dir%\php.ini-recommended goto e2
echo TRUE
echo.
REM Change working dir to setup dir
%drv%
cd\%dir%
echo Creating php.ini from php.ini-recommended...
if exist %drv%\%dir%\php.ini-recommended copy %drv%\%dir%\php.ini-recommended %drv%\%dir%\php.ini>nul
if not exist %drv%\%dir%\php.ini goto e3
echo DONE
echo Fix mime.magic location...
REM For some reason the default path is set
REM to the root of the php directory, but in
REM the ZIP download it is in phproot\extras\
REM go figure. Do not forget to enable in php.ini
if exist %drv%\%dir%\extras\magic.mime copy %drv%\%dir%\extras\magic.mime %drv%\%dir%\magic.mime>nul
echo DONE
echo Add INI Path to Registry...
if exist %drv%\%dir%\add2reg.reg del /q /f %drv%\%dir%\add2reg.reg
echo Windows Registry Editor Version 5.00>%drv%\%dir%\add2reg.reg
echo. >>%drv%\%dir%\add2reg.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\PHP]>>%drv%\%dir%\add2reg.reg
echo "IniFilePath"="%drv%\\%dir%">>%drv%\%dir%\add2reg.reg
if not exist %drv%\%dir%\add2reg.reg goto e4
regedit.exe /s %drv%\%dir%\add2reg.reg
if exist %drv%\%dir%\add2reg.reg del /q /f %drv%\%dir%\add2reg.reg
echo DONE
echo.
echo Add %drv%\%dir% to Path Enviroment Variable...
echo %PATH%|find /i "%drv%\%dir%">nul
if not %errorlevel% GTR 0 goto addext
echo Adding Enviroment Variable...
set tpath=%drv%\%dir%;%PATH%
setx Path "%tpath%" /M>nul
echo DONE
echo.
:addext
echo Add Application Path to IIS6 Extenstions...
if %wver% GTR 0 goto success
iisext /AddFile %drv%\%dir%\php5isapi.dll 1 PHP5 1 PHP5
echo DONE
goto success
:e00
echo.
echo Install Aborted: Incorrect Windows Version
goto end
:e01
echo.
echo Install Aborted: IIS is not installed
goto end
:e1
echo.
echo Install Aborted: %drv%\%dir% already exists
goto end
:e2
echo.
echo Install Aborted: Cannot find %drv%\%dir%
goto end
:e3
cd\
if exist %drv%\%dir% rd /s /q %drv%\%dir%
echo.
echo Install Aborted: Failed to create %drv%\%dir%\php.ini
goto end
:e4
cd\
if exist %drv%\%dir% rd /s /q %drv%\%dir%
echo.
echo Install Aborted: Failed to add INI path to registry.
goto end
:success
echo.
echo PHP5 Installation Completed Successfully
echo.
echo Things you still have to do:
echo.
echo  A. Make sure to add the script mapping to IIS
echo.
echo    1. Right-Click Web Sites in IIS MMC, click Properties.
echo    2. Click Home Directory tab
echo    3. Click Configuration button
echo    4. In Mappings, click Add button
echo    5. Add this info to the correct fields
echo.
echo    PATH   %drv%\%dir%\php5isapi.dll
echo    EXT    .php
echo    VERB   GET,HEAD,POST
echo.
echo    6.Click Ok, Ok, Apply, Ok
echo.
echo  B. Restart the server.
echo.
:end
endlocal
echo.
pause
exit

To configure my php.ini file, I found that this is the best guide available, and is what my batch installer is based on:

http://www.peterguy.com/php/install_IIS6.html

Additional notes:

You do not require IUSR permissions on any folder/file in the PHP directory if setup properly, but you will require proper permissions on temp and session directory. What finally worked for me is using the ACL found on %systemroot%\temp as a template for these directories. Pay VERY close attention to the special permissions.

-a6m1n0

Curiosity only kills cats.

 

[jpadie]

note also that for isapi mode you need to provide iUSR_machinename with execute permissions to various files in the php directory.

the above part of my post was wrong. apologies. i should have said for CGI mode (on NTFS).

at a minimum the IUSR_[machine] user needs read access to php.ini and the docroot and write access to session and temp directories (if they are not the same) as R Grady suggests

 

[a6m1n0]

at a minimum the IUSR_[machine] user needs read access to php.ini and the docroot and write access to session and temp directories

For an intranet server that has some exposure to the ineternet and is not a hosting server then your suggestion is fine I think. Noone can upload a root jumping script and browse your sessions directory.

With that stated, IMHO using IUSR perms is a shortcut and not real security. It is no opinion that it is one of the least secure methods of going about getting yourself a working installation of PHP5 in ISAPI mode. IUSR should *not* have access to these directories/files -- not in 2003 on IIS6 and especially if you are providing shared hosting services. It should have Users Group Special Permissions and Network Service Special Permissions defined -- identcal to the ones set on Windows\Temp.

I stumbled on this ACL configuration accidentaly to be honest. Well sort of...I noticed that in the php.ini if I did not set the Upload directory directive that by default PHP uses %systemroot%\TEMP ( Windows\Temp ). Uploads were working fine for me but when I looked in the sessions directory all I saw were zero KB session files. Session files were being created but there was no data in them and this is with IUSR Read/Write, and I'll be darned ( is that a word? ) if I give IUSR Modify/Full Control perms in a sensitive directory such as my php installation directory.

So, as a test I used the Windows\Temp ACL as a template to set the permissions on php5\sessions and Voila! All of a sudden everything was working beatifully. To complete the test I created two directories on a completely different drive -- sessions and uploads. I again used the ACL for %systemroot%\temp as a Template, defined these directories in the php.ini, restarted IIS, and again Voila! Works like a charm!

I have not seen this configuration suggested anywhere. This is just a product of paranoia and research as I can imagine a few ways to access directories that I should not have access to as IUSR. Imagine if a root jumping script kiddie accessed the sessions directory....maybe now you see my point.

An Administrator's best friend in defeating hack attempts is good security, but a little obfuscation goes a long way to. I say this as most Admins of windows servers are predicatable....IUSR perms on C:\PHP. Treat the PHP directory like you would C:\Windows, and move your upload and sessions directory *out* of C:\PHP. An additional technique would be to also name the PHP install directory to something other than 'PHP'. If you use the batch script I provided you can name the directory anything you want and install it on Drive K: and it will work fine -- that is if you configure your php.ini to match the custom settings.

Not trying to come down on you jpadie. I am just trying to make sure that anyone that reads this will be provided with the most secure method possible for installing PHP5 in ISAPI mode in Windows 2003 Server...at least the most secure I can get it without comprising PHP functionality.

Best Regards

-a6m1n0

Curiosity only kills cats.

 

[jpadie]

i'm just quoting the php manual and my experience (i develop on windows and deploy on *nix, and my win boxes are inaccessible from the 'net).

perhaps your comments above should be cross posted into the php manual comments if you feel strongly about them. and/or a tektiks FAQ, i'm sure users would benefit from your install script too.

whichever way you cut it, though, php needs access to certain directories. perhaps it would have been more precise for me to say that: the user under whose credentials the script is running needs read/write access to the temp and session directories (whatever they may be) and read access to php.ini and, under cgi, execute access at least to php-cgi.exe (the manual recommends execute access on the php directory but i'm not convinced this is necessary).

 

[a6m1n0]

Those are good suggestions indeed. If/When I find the time I might create an FAQ, but I am really considering starting a blog somewhere with this and other information. I am usually caught up in research and testing for various projects and don't have time to maintain such things. More recently though I am finding it hard to keep up with what information I have posted and on which forum so maybe I need to spend some time on this now to save time later.

Best Regards

-a6m1n0

Curiosity only kills cats.

 

[Tarwn]

Hit the new archive button on the right bar
I wish it had been there years ago, I keep remembering long posts I posted that I should have turned into FAQs or at least copied down the number somewhere so I could link back to them. Unfortunatly I can't find most of them now, the search screen doesn't seem to be my friend.

 

[a6m1n0]

Thanks Tarwn.

-a6m1n0

Curiosity only kills cats.