Php – Secure PHP on IIS 8.5

iis, iis-8.5, PHP, php-cgi

I'm using IIS 8.5 on Windows Server 2012 R2 to host ASP.NET and also PHP applications. Because there are a few different PHP apps, I want to restrict the access by using open_basedir. The problem: With the IIS PHP Manager it's not possible to use a different php.ini file per vHost. So I found a custom solution: After PHP Manager has added the assignment of the PHP handler, I modified the executable file as follows:

"C:\Program Files (x86)\PHP\v5.4.26\php-cgi.exe"|-c D:\Sites\my-domain.com

This is working, the vHost is using the php.ini file D:\Sites\my-domain.com\php.ini. But this solution looks a bit dirty to me. Is there a better way of setting a single php.ini file for each vHost?

Best Answer

+1 for @ahmelsayed's answer. But you can easily create multiple FastCGI applications in IIS, with different php.ini files, using Appcmd. But only one handler/php.ini per application pool, see:

Set up two FastCGI applications:

Appcmd.exe set config /section:system.webServer/fastCGI
/+"[fullPath='c:\php5\php-cgi.exe', arguments='-c c:\php5\php.site1.ini',
maxInstances='0', idleTimeout='300', activityTimeout='70', 
requestTimeout='90', instanceMaxRequests='9999', 
protocol='NamedPipe', flushNamedPipe='False']" /commit:apphost

Appcmd.exe set config /section:system.webServer/fastCGI
/+"[fullPath='c:\php5\php-cgi.exe', arguments='-c c:\php5\php.site2.ini', 
maxInstances='0', idleTimeout='300', activityTimeout='70', 
requestTimeout='90', instanceMaxRequests='9999', 
protocol='NamedPipe', flushNamedPipe='False']" /commit:apphost

Each web site then can have its own Handler for .php, pointing to one of the php.ini files:

AppCmd.exe set config "site1.com" /section:system.webServer/handlers 
  "-+[name=`'PHP`',
    path=`'*.php`',
    verb=`'*`',
    modules=`'FastCgiModule`',
    scriptProcessor=`'c:\php5\php-cgi.exe|-c c:\php5\php.site1.ini`',
    resourceType=`'File`',
    allowPathInfo=`'true`',
    requireAccess=`'Script`']"

AppCmd.exe set config "site2.com" /section:system.webServer/handlers 
  "-+[name=`'PHP`',
    path=`'*.php`',
    verb=`'*`',
    modules=`'FastCgiModule`',
    scriptProcessor=`'c:\php5\php-cgi.exe|-c c:\php5\php.site2.ini`',
    resourceType=`'File`',
    allowPathInfo=`'true`',
    requireAccess=`'Script`']"

If you don't like the command line, you can click your way through IIS Manager of course :) BTW, assuming correctly configured application pool identities and NTFS file permissions, I believe there is no need for open_basedir.

Edit: Two references: https://www.saotn.org/php-wincache-on-iis/ and https://www.saotn.org/custom-php-version-iis-express-webmatrix3/ to show how to add multiple FastCGI + PHP applications in IIS.
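
An added example, not part of the original question or answer: a check that each site's handler passes its own php.ini with `-c` and that the `open_basedir` in that file stays inside the site's directory. The site names, roots and ini contents are constructed sample data, and the ini parsing is deliberately simplified (last active `open_basedir` line, `;` as the Windows list separator).

```python
import ntpath
import re
from pathlib import PureWindowsPath

# Constructed sample data: hypothetical sites, roots and php.ini contents.
SITES = {  # site -> (site root, handler scriptProcessor value)
    "site1.com": (r"D:\Sites\site1.com", r"c:\php5\php-cgi.exe|-c c:\php5\php.site1.ini"),
    "site2.com": (r"D:\Sites\site2.com", r"c:\php5\php-cgi.exe|-c c:\php5\php.site2.ini"),
    "site3.com": (r"D:\Sites\site3.com", r"c:\php5\php-cgi.exe|-c c:\php5\php.site1.ini"),
    "site4.com": (r"D:\Sites\site4.com", r"c:\php5\php-cgi.exe"),
}
INI_FILES = {  # php.ini path -> file contents
    r"c:\php5\php.site1.ini": 'open_basedir = "D:\\Sites\\site1.com;D:\\Sites\\site1.com\\tmp"\n',
    r"c:\php5\php.site2.ini": ";open_basedir = D:\\Sites\\site2.com\nopen_basedir = D:\\Sites\\site2.com\\..\n",
}

def ini_path(script_processor):
    """Return the php.ini path given after -c in 'exe|args', or None."""
    m = re.search(r'(?:^|\s)-c\s+("[^"]+"|\S+)', script_processor.partition("|")[2])
    return m.group(1).strip('"') if m else None

def open_basedir(ini_text):
    """Entries of the last active (uncommented) open_basedir line."""
    values = re.findall(r"^[ \t]*open_basedir[ \t]*=[ \t]*(.*?)[ \t\r]*$", ini_text, re.M)
    value = values[-1].strip('"\'') if values else ""
    return [e for e in value.split(";") if e]

def inside(entry, root):
    """True if entry, after collapsing '..', is root or lies below it."""
    e, r = PureWindowsPath(ntpath.normpath(entry)), PureWindowsPath(ntpath.normpath(root))
    return e == r or r in e.parents

def audit(sites, ini_files):
    """Return {site: [findings]}; an empty list means the site passed."""
    report, seen = {}, {}
    for site, (root, processor) in sites.items():
        findings, ini = [], ini_path(processor)
        if ini is None:
            findings.append("no -c argument: PHP falls back to its default php.ini lookup")
        else:
            owner = seen.setdefault(ini.lower(), site)
            if owner != site:
                findings.append(f"php.ini shared with {owner}")
            entries = open_basedir(ini_files.get(ini, ""))
            if not entries:
                findings.append("open_basedir not set")
            findings += [f"outside site root: {e}" for e in entries if not inside(e, root)]
        report[site] = findings
    return report
```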