Microsoft Releases IIS FastCGI Module

Marcy writes "Microsoft has just announced the final release of the IIS FastCGI module for IIS 5.1 (XP), 6 (2003), and 7 (2008). This FastCGI module was built with collaboration from Zend, the creators of PHP, and is intended to solve the CGI on Windows problem." It's free as in beer.

Why bother?

[FictionPimp]

What's wrong with apache?

Re:Why bother?

[El+Lobo]

The only problem is that IIS7 and even II6 have so few critical vulnerabilities that Apache IS a nightmare in comparation. let's no talk about text file configuration....

Re:Why bother?

[marcovje]

That's because Microsoft is quite reluctant to label anything "Critical". Nearly all superficial bug amount comparisons falter because of different habits to rate a bug.

Microsoft probably things "Huh, the world didn't end? Ahh, then it probably isn't critical."

Re:Why bother?

[sydb]

What's wrong with text file configuration? Some people happen to like it. For good reasons, like:

• you see your config right there in front of you
  
• you can do scripted configuration using standard unix tools
  
• you can archive config files and see what they do just by looking at them
  
• you can run diffs against configs
  
• you can adopt your own standards for commenting changes
  
• you can put your config in an SCM tool
  

Just because you don't know how to do it doesn't mean it's not a huge advantage for those of us who do.

Re:Why bother?

[sqldr]

let's no talk text file configuration

Oh, not you as well. There's absolutely nothing wrong with text file configuration. There's a whole world of things wrong with a pointy-clicky GUI interface to a config in the registry when there's no other way to edit it.

How do you search a gui interface? How do you generate a gui config? How can you minimalise a gui config to the bare essentials? How do you upload/download a config and email it to someone? How do you edit the config without having to run remote desktop client? And of course, with clicky configs, if they haven't provided an option for something, then you can't do it. Sorry, "computer says no".

I'll admit that IIS hasn't had many vulnerabilities recently, but this is partly because it's got bugger all functionality. Most new vulnerabilities in apache are usually found in one if its thousands of modular extensions.

Lets not talk about using domain credentials for HTTP authentication (in fact, having your web server assume that's what you want to do), lets not talk about your configuration appearing all over active directory. Lets not talk about how server 2003 starts up every bloody service on the system on boot, giving you about 30 seconds to download the service packs before you get pwned by a virus. Lets not talk about how it took microsoft months to fix a serious user-affecting exploit in word, but yet, when they give a shit (like when DRM got cracked), they have a fix out in a matter of hours.

Personally, I use thttpd, because, er, I don't like the config format for apache. That's not because I don't like having my configs in readable text files, I just don't like the cludgy way that apache does it.

Re:Why bother?

[jimstapleton]

Actually, IIS does have text file configuration also - the metabase.

That's one thing I like about it - I can edit the text file OR use the GUI.

The caveat is the text-file is XML, the pro is that it's structure in such a way that it's not as painful to edit by hand as normal XML. Also, there's a log file in the same directory that produces really helpful error messages if you screw up editing it by hand.

Having used both, I find neither significantly better/easier to administrate. They are just different

Re:Why bother?

[El+Lobo]

True. And that's it's beauty. Do you want to edit it? Do it. There is also something called IIS Manager which is the GUI for that.

Re:Why bother?

[jimstapleton]

If I skip an answer, it's safe to say I can't give a good answer.

How do you search a gui interface?
Most have a series of tabs/menus that allow a drill-down type search. Sometimes things aren't in the most obvious places, but it's not that bad, and if you don't know the exact text of what you are looking for it's a lot easier than text files. If you know the exact text, then it is harder. It's nicer to have both (such as provided in IIS)

How can you minimalise a gui config to the bare essentials?
Turn off the options you don't want - same way you would in a command line.

How do you upload/download a config and email it to someone?
Depends, if the gui attaches to an file (a-la IIS), email the text file. If the GUI attaches to the registry, export the hive and attach it.

How do you edit the config without having to run remote desktop client?
Assuming there is a command line interface to the machine, you can edit the file the GUI controls with a text editor, if it is a text file. If it is registry, you can call tools in windows that allow you to query/write the registry, and if it is a proprietary binary, you are SOL unless they wrote a tool for it.

And of course, with clicky configs, if they haven't provided an option for something, then you can't do it. Sorry, "computer says no".

Yep, text-y configs you can't change things they don't give you options for either! That's a matter of programmer incompetance, and not specific to the interface.

Re:Why bother?

[morgan_greywolf]

Look, man, no one is ever going to take you seriously. You troll every Linux and Mac OS X article, and this post is clearly a flamebait, but to answer your post:

A comparison of critical vulnerabilities is an apples-to-oranges comparison between IIS and Apache. First off, IIS is more vulnerable because it only runs on one platform, Windows Server. This makes exploiting security bugs a known quantity. Security bugs in the OS aren't counted against IIS in many bugs counts, despite the fact that these security bugs often directly affect IIS and sometimes only IIS, despite the fact that IIS and the OS are essentially integral to one another.

Let's add to that the fact that Microsoft doesn't consider many security vulnerabilities to be 'critical'. Even some remotely-exploitable bugs that could lead to pwning the box aren't counted as 'critical' by Microsoft, because there is no known 'live' exploit for it.

Re:Why bother?

[sqldr]

Most have a series of tabs/menus that allow a drill-down type search.

That's not useful. I don't want to have to "drill down", I want to search for a keyword. Say I've got several hosts, and I want to see everything specifically relating to an IP address. I search for the text of the IP address. For beginners looking to change one option, complex GUIs are a mass of buttons and tabs, rather than something they can search for.

Turn off the options you don't want - same way you would in a command line.

I don't want to turn them off, I want to remove all reference to them.

If the GUI attaches to the registry, export the hive and attach it.

That's not useful. I want to mail the config so someone can read it, eg. paste my config to a newsgroup to ask a question when I'm stuck. The usual equivalent in windows-land is you spend days searching for stuff and getting dumb meaningless error messages ("please check that the domain controller is both locatable and contactable" - hey I know, Mr Paperclip, why don't YOU tell ME whether it was either unlocatable or uncontactable or both..), then eventually you find the answer on someone smug bloke's blog with a mugshot of him in the corner and 1000s of thankyou messages, rather than anywhere on MSDN. (incidentally, that error was nothing to do with the server being unlocatable or contactable, but being windows, I couldn't do a trace on it to find out where it was breaking, I just had to click "OK" and try something else).

Yep, text-y configs you can't change things they don't give you options for either!

Text-y configs usually have some level of scriptability, eg. "IfDefined" in apache. Syntax that might apply to one feature will usually apply to all features, making things a lot more versatile.
Another advantage of text configuration is that you can arrange the order of the file according to what's important. You can also add comments.

Re:Why bother?

[sqldr]

Apache ships with about 30. When there's a security hole in one of these extensions, they blame apache. IIS ships with about 2. When there's a security hole in an IIS extension, they blame the extension.

Re:Why bother?

[jimstapleton]

That's not useful. I don't want to have to "drill down", I want to search for a keyword. Say I've got several hosts, and I want to see everything specifically relating to an IP address. I search for the text of the IP address. For beginners looking to change one option, complex GUIs are a mass of buttons and tabs, rather than something they can search for.

And if the keyword(s) you think up aren't in there? If the author of the document hasn't provided enough notes. I've found cases like that in text files. In those situations, I would have vastly preferred a GUI.

Remember: You aren't everyone - Just because you can't find a use for something doesn't mean someone else can.

I don't want to turn them off, I want to remove all reference to them.

And if they are off in either case, who cares?
And what if the default is on - removing something could then turn it on. I have seen that in config files. For control purposes, it's better to have it there and set to precisely what you want than to ignore it and hope it goes away.


That's not useful. I want to mail the config so someone can read it, eg. paste my config to a newsgroup to ask a question when I'm stuck. The usual equivalent in windows-land is you spend days searching for stuff and getting dumb meaningless error messages ("please check that the domain controller is both locatable and contactable" - hey I know, Mr Paperclip, why don't YOU tell ME whether it was either unlocatable or uncontactable or both..), then eventually you find the answer on someone smug bloke's blog with a mugshot of him in the corner and 1000s of thankyou messages, rather than anywhere on MSDN. (incidentally, that error was nothing to do with the server being unlocatable or contactable, but being windows, I couldn't do a trace on it to find out where it was breaking, I just had to click "OK" and try something else).

So you have to use a hive-querying tool (command line or GUI), as opposed to a text editor (command line or GUI). If you are asking the questions, the people will either be on Windows, or have WINE. So, text or hive, you need a tool to open it, and the people helping you will probably have the appropriate tools around.

Oh, and trust me, I've had similar obscure errors in Linux with text-configured files, where I had to find some smug RTFM bloke who finally realized what I wanted wasn't documented before helping and making me feel a moron for not be a mind reader.

Text-y configs usually have some level of scriptability, eg. "IfDefined" in apache. Syntax that might apply to one feature will usually apply to all features, making things a lot more versatile.

s/usually/somtimes/. I've seen way to many "option=value" style configs where there was no scriptability.
Oh, and, believe it or not, GUI can too. It's usually provided with a text box, and help box with how the scripting can be done. Admittedly it is more rare though.

Another advantage of text configuration is that you can arrange the order of the file according to what's important. You can also add comments.

And you can have files for commets with GUI configs.

The advantages you find in most GUIs:
(a) You don't have to run extra commands to find out if you screwed something up in the config - it'll tell you immediately
(b) It's a lot less likely to make a typographic error in the file it saves to, than you are hand editing.
(c) If you don't know the name of an option you are searching for, or the text the developer decided to associate with them, you can find it easier by exploring the GUI, since GUIs are typically organized in a theme-based hierarchy.

Each has their advantages. Some advantages are more important to some people than others. Because of this, neither is universally better, and both are quite useful.

I know in my case, when I administrate IIS, I use both the GUI and the text file. When I administrate apache, I use the text file, because that's all there is, but I wish there were a gui available many times, because I could get the job of changing a few options done a lot faster using that than searching up and down the text file.

Re:Why bother?

[PinkPanther]

And when I say excitement, I mean the fun of dealing with the buggiest, most backdoor-filled MS software ever created.

I don't understand your point. They don't mention Exchange once in this article.

Re:Why bother?

[oliderid]

httpd.conf can be quite difficult the first time you see it. Somes distributions have even splitted it into different configuration files (OpenSuse). You can understand it if you run dozens of virtual hosts but splitting the default httpd.conf is absurd IMHO.

Anyway there are editing tools:
http://kochizz.sourceforge.net/
Looks promising.

But I have never used it (the only one I've tried: YaST HTTP server module was incomplete for taste, I couldn't configure properly webdav through it).

Re:Why bother?

[toadlife]

Which version did you use?

IIS4 (and any version before that) = A joke
IIS5 = Very Featurefull, but tended to be unstable when loaded with buggy third party apps, and due to it's design was almost impossible to *properly* secure.
IIS6 = Complete rewrite from IIS5. The first secure version is IIS. Also MUCH faster and MUCH more stable. Extremely low discovered vulnerability count in the four years since it was released.
IIS7 = I have no experience with it, but I've heard it's better than IIS6.

Re:Why bother?

[IgnoramusMaximus]

The other responder covered your ignorance of the IIS metabase. Perhaps you should actually look something before commenting on it.

I am starting to believe that you XML turkeys operate in some alternative Universe where diarrhea like this:

<?xml version ="1.0"?><configuration xmlns="urn:microsoft-catalog:XML_Metabase_V61_0"><MBProperty><IIS_Global Location ="." BINSchemaTimeStamp="10d5deca4057c401" ChangeNumber="642" HistoryMajorVersionNumber="14" SessionKey="9431b62980000002a0...1ca113" XMLSchemaTimeStamp="b036da01ab56c532"></IIS_Global><Location ="/" AdminACL="49634462f0000000a4000...419891"></IIS_ROOT> <IIsComputer Location ="/LM" EnableEditWhileRunning="1" EnableHistory="1" MaxBandwidth="4294967295" MaxHistoryFiles="10">
</IIsComputer>

... is considered "easy to read" and "easy to maintain". Note the lovely formatting (as it appears in the actual file - less a few newlines as Slashcode wraps the crap) due to some inane Microsoft MMC GUI tool used to generate the thing. Also note the profuse commentary (that is assuming that you actually could ever properly comment this spew as comments are not allowed within tags, even ignoring the fact that the imbecilic MMC tool would simply remove them on the next use).

I will leave it as an excercise to the reader to conclude which one of us is operating based on delusional, emotional attachment to insanely misused formats and which one has an actual experience with configuration files in real life.

As to Semdmail, may I remind you that the so-called "config" file is an actual machine code of a state driven processor around which Sendmail itself was constructed. Apples and oranges. And no, it was no more easy or harder to read then any stream of machine instructions for any other machine to be directly executed by it. It was never meant to be easily human-readable and its syntax is driven by the extremely demanding resource limitations at the time when original Sendmail was developed. The fact that it proved a maintenance nightmare (despite of its extreme power and flexibility as compared to regular config files) was a leading impetus behind Sendmail losing to other MTAs as years went on and extreme frugality with resources became secondary to ease of maintenance.

Oh and your sanctimonious whining about "hopping into this century to drool at shiny but valueless stuff" does not help your cause either, as the basics of computer science remain unchanged since its very inception and they will remain firmly so even if our computers end up grown in vats out of quantum-mechanical nanomachines. And one of those fundamental, time-tested constants is the requirement for brevity, clarity and ability to comment extensively any configuration files, although untold numbers of misguided "innovators" have attempted to "improve" this in a countless number of ways, of which the XML insanity is but one of the later flops, standing atop of a heap of rotting carcasses of previous failures, which went by names such as "binary configuration databases" and "registry hives" and what not.

And so, long after your pet fad is gone, I am sure I will be having this same very conversation with some condescending accolyte of "Object Oriented Four Dimentional Cube, Buzzword Overloaded" config files or what not, who will snicker about how quaintly old-fashioned these fundamentals are, and that I should "get on with the times" to his new favourite, one-and-only, super-correct fad.

In short, your kind never learns.

I'll also note how you fail to mention any better alternatives in your inflammatory rant.

Quite a comedian you are. How about any other time-proven config file format used by just about any sane application? Bind, DHCP, SSH ... and on and on and on.

On a similar note, Python + PHP via FastCGI

[Bogtha]

One thing I've been keeping an eye on is WPHP. It's only alpha-quality at the moment, but it's basically a WSGI application (WSGI is the standard Python web application interface) with a FastCGI backend that runs PHP. With something like this, you can mix and match PHP and Python — for example, you could write an authentication handler in Python and link it to a legacy PHP application.

Re:Problem?

[Saint+Stephen]

"Forking" (launching) a process is much more expensive on Windows than it is on Linux. Windows NT is architected after VMS (in part because of Dave Cutler). Processes are expensive on windows.

Zend + MS

[thatskinnyguy]

This FastCGI module was built with collaboration from Zend, the creators of PHP, and is intended to solve the CGI on Windows problem. Glad to see that we all can get along.

free as in beer?

[Locutus]

so you're paying out the nose, ears, ass for Windows and MS IIS and you care about free fastCGI?

And IMO, it may be free as in beer but it's poisoned beer by virtue of where it plays.

LoB

Re:free as in beer?

[EricWright]

The "free as in beer" thing really annoys me. I've NEVER seen free beer, anywhere! I propose we all stop using this ridiculous phrase and start using "free as in air" instead.

Now, if there IS free beer being offered somewhere, just point me in the right direction.

Re:free as in beer?

[kie]

is this what you are looking for?
freebeer.org

Re:free as in beer?

[Thyamine]

That may be true in some respects, but all of my clients have Windows servers to some extent, and most have only Windows servers. To suggest that people would have to pay extra to set this up is a little silly. IIS is a component of Windows, so you get that for 'free' when you purchase whichever flavor of Windows server you choose. And yes, you are paying for the cost of IIS development somewhere in that Windows price, but when someone has the option of just turning on IIS on an underutilized box, or finding/buying a box to install linux and Apache on, the idea of price is a non-issue.

They already have IIS, and it takes 5 minutes to set it up. The cost of time alone on setting up a new box to run something else almost immediately negates the benefit in most IT manager's eyes when all they are seeing is consulting time to setup, manage, and maintain a linux box they know almost nothing about.

Re:free as in beer?

[suv4x4]

so you're paying out the nose, ears, ass for Windows and MS IIS and you care about free fastCGI?

As a PHP developer I care. I can convince someone to install a free official plugin by MS on his host, than convince him to buy something.
If it was paid, I'm sure, as any pointy haired management guy, he'd decide it's not important and run as CGI.
Then it's my fault it performs like crap.

Hence, it's a good thing it's there, and free.

--

So, that's about step 1 in the "Make PHP devs become Windows devs".

Now step 2: driving the PHP crowd to .NET. They even have a PHP-to-C# converter, and there's a third party PHP compiler for .NET.

You know this is what they want right. While cooperating with Zend they kept bad mouthing PHP on MSDN and offering tutorials to switch to the superior .NET... Ok, ok.. apart from cost, gotta give 'em that: is IS far superior :P

Re:free as in beer?

[cronot]

Funny, yes. But I think there's a bit of truth in there. That notion of "Free as in beer" is really confusing when you're explaining free as in freedom vs. free as in beer to someone that is new to the concept.

Re:Free

[El+Lobo]

If it tastes bad, there are always other beers. Unfortunatly, I can't brew my own beer. Nobody I know is good enough at it either. Ans I won't want to taste a beer brewwed by a thousand hands, thank you very much.

Rasmus Lerdorf must be pissed today

[mshmgi]

Since when did Zend "create" PHP?

Re:Rasmus Lerdorf must be pissed today

[PHPfanboy]

Hi, I work for Zend (not in Marketing dept.) - this issue comes up every time it's written in the press or other interviews. It's not how we market ourselves, and every time we're quoted as "the creators of PHP" Zeev and Andi get hauled over the coals by the PHP development community. It's not the first time and probably not the last time this has happened. For the record, this is how Zend markets itself:

Zend is the PHP company.
Businesses utilizing PHP know Zend as the place to go for PHP expertise and sound technology solutions. Andi Gutmans and Zeev Suraski, two of Zend's founders, are key contributors to PHP and creators of the open source Zend Engine. Because of their internationally recognized authority, the company and its founders continue to play leadership roles in the PHP and open source communities, and are accountable for a central role in the explosive growth of PHP.
Slighty different, I think you'll agree.
Happy PHP'ing

Re:Rasmus Lerdorf must be pissed today

[MrMunkey]

True Rasmus did create PHP, but Zeev and Andi rewrote the PHP parser in PHP3 and later created the Zend Engine along side PHP4. I'm not sure if it was a typo or if it was a misconception by the author of the article, but I'd say Zeev and Andi would at least know what they are talking about.

http://en.wikipedia.org/wiki/Php

Re:Stop the insanity.

[deniable]

I was in a small shop where we already had IIS to run things like Outlook Web Access. IIS also made it easy to have integrated AD authentication and access controls, so we had single sign on.

Rather than running another box or supporting a VM image to run apache, it's easier just to make do with IIS. The point of this article is that MS is making IIS play better for people from the PHP/fcgi side of things.

We did however run the outside web server on apache on an ancient almost broken P166 and it ran well.

ah, php

[Jessta]

ah php, the unholy merger of c/c++, perl and java.

Re:Problem?

[gbjbaanb]

Its kind of a fallacy that 'forking' processes on Windows is significantly more expensive than forking them on Linux. I think it is somewhat more expensive, but that doesn't alter the fact that forking processes on linux is still expensive in the first place.

So, we needed ways to make things go faster - mod_php for example, that ran php scripts inside an apache process, but you still had to fork the apache process for each web request because of many thread-safety issues in php modules. This was also a security problem because every php script ran as the apache user. So the next idea was to start an apache process for each client and re-use it until that client disconnected (and stayed disconnected). This is the fastCGI approach.

With windows, you had 2 ways of running PHP scipts: as a CGI application (slow due to new processes all the time), and as an ISAPI (think of this as the equivalent of mod_php) module. The ISAPI one worked but you had the thread-safety issues of PHP to contend with (just like on Apache 2 that doesn't spawn worker processes).

In summary: nothing much to see, someone's just released fastCGI for IIS now so you have the same configuration options for IIS as you have for Apache.

Re:Problem?

[EvanED]

I think it is somewhat more expensive...

It's a lot more expensive. Some numbers MSR came up with while working on their research OS Singularity put process creation on Linux at ~700,000 cycles, just over 1 million on FreeBSD, and just under 5.4 million cycles on XP. Here's one source; slide 23.

I'm not arguing against your main point; I'm just pointing out that there is actually a huge difference between process creation time on the different systems.

FastCGI vs Proxy

[tcopeland]

Over on Linux, my perception is that FastCGI enjoyed a brief reawakening as it was (for a while) _the_ way to deploy Ruby on Rails apps with Apache. But now that seems to have changed to over to using Apache + mod_proxy_balancer + Mongrel.

One nice thing about mod_proxy_balancer is that it's easy to distribute the Mongrels across a couple of machines... and Apache will take them out of the loop if the machine goes down or they become unresponsive or whatever. Works for us, anyhow....

and in other news ...

[LorenzoV]

Zend gives aid and comfort to the enemy.

Methinks it's all over but the funeral for FOSS.

Re:Stop the insanity.

[tomknight]

Because some people live and work in the real world. Not everyone runs a webserver just to show off their Pokemon collection, some of us get paid money to do this sort of thing - and sometimes the people paying the money want to use Microsoft.

Re:Problem?

[FooBarWidget]

Windows doesn't even support forking. You can start new processes, but forking the existing process is impossible. Even things like Cygwin only emulate it with threads.

Re:Security

[LordLucless]

You're talking about a flaw in a apache's security model there, not PHPs. Apache runs as a single user. When it runs PHP as a module, then PHP runs as a single user. Same with Perl, or Ruby, or anything else that relies on a module interface as far as I know. If you use FastCGI (which this article is about, you may have noticed) then you can get it to suexec to a different user when it makes the CGI process, and you don't have the security problem you're whining about.

The bit about PHP admin scripts is application specific - nobody's forcing the authors to do it that way, and you can do the same with any other language. PHP has had it's flaws (register_globals and magic_quotes still give me the shivers), but if you're going to bitch about it, at least educate yourself first.

Re:Problem?

[A+nonymous+Coward]

"architected" is not a word, since "architect" is not a verb

A. You're wrong. English is a living language. Any word that people understand as a verb is a verb. You understood what was written, therefore you are lying.

B. Your conclusion ("architected" is not a word) does not automatically follow from your premise (since "architect" is not a verb). Your logic is not logical.

C. Any grammer nazi who does not capitalize the first word in a sentence is a hypocrite.

D. Any grammar nazi who does not end sentences with a period is a hypocrite.

E. Any grammar nazi who complains that the "nazi" in "grammar nazi" should be capitalized does not understand how words can be used in a generic sense and thus no longer be proper names.

F. Grammar nazis suck.

Re:Problem?

[Karellen]

Even things like Cygwin only emulate [fork() on Windows] with threads.

Sorry, but that's bollocks.

Cygwin fork() does create a new process. It calls CreateProcess() and then copies the current process into the new one. See the relevant Cygwin API FAQ for a full explanation.

Re:Stop the insanity.

[vaderhelmet]

Apache does run on Windows. This seems to be widely overlooked. Everyone's primary reason for running IIS is "We have Windows". Seeing as they are both free, there must be some other reason for not using Apache. My guess would be lacking familiarity of and the learning curve to configure Apache.

Re:Problem?

[Penguinisto]

Is it the same on Win2k3 Server?

Probably higher, considering the layers of security checks and "reducing the threat surface" whatnot which MSFT applied to IIS for Windows 2003 Server.

/P

Better late than never....

[alexborges]

Congrats, Microsoft, you came in late for about a FULL DECADE and STILL people buy your crap. No matter how unethical is the fact that your "web" thing never did anything other than crash for no reason, spawn windows when anyone hit the webserver, and eat away all resources; people do bow unto you, take your crap and PAY FOR IT.

I can understand Microsoft very well. What ill never understand is its fanbois.

Re:Better late than never....

[jez9999]

I have been considering this much of late.

I really want OSS to succeed, really. I love the philosophy, and hate the idea of MS being the 'Rome' of my lifetime (the empire that collapses, but only a long time after I die). However, I can't see it happening. This is because it feels like OSS has a natural tendency to stagnate when most developers think things are 'good enough'.

Where's a reliable FastCGI module for Apache? Where's a good config file format, and a GUI to edit it, for Apache? Where's a Linux distro with a GUI as intuative as Windows Explorer? Yes, I recently tried Ubuntu and was very disappointed that its GNOME GUI is *still*, in my opinion, leagues behind what MS and Apple have to offer.

OSS devs develop stuff they care about, to the level that they find acceptable. They generally don't take no shit from nobody, and if you want something done, you can do it yourself. Patch it. I love the theory, but the practice is this: people DON'T HAVE FUCKING TIME to patch it. Businesses often DON'T HAVE THE MONEY. OSS needs to adapt to a philosophy of developing stuff to be better even when they personally don't get much benefit from it, because otherwise businesses WILL just pay MS to get what they want. It sucks, but there you go.

"Hey, boss, we need to push out group policies over all machines on domains foo and bar. Windows has Group Policy Editor and Active Directory. We can do the same thing with Linux, but it will mean spending 5000 man hours developing, testing, and deploying scripts, because nobody has bothered to come up with a solution yet."

What would you choose for your business??

Re:Problem?

[Foolhardy]

Win32 doesn't support forking, but the NT kernel does. For that matter, by far most of the expense of starting a Win32 process on Windows is due to Win32 subsystem overhead, including compatibility database lookups, not the kernel. SFU processes (that belong to the POSIX subsystem) and native processes (that belong to no subsystem) are MUCH cheaper, and incidentally support true kernel level copy-on-write fork.

Cygwin doesn't use the kernel's fork support because Cygwin is built upon on Win32. SFU can because it runs parallel to Win32.

Re:Problem?

[rabtech]

"Forking" (launching) a process is much more expensive on Windows than it is on Linux. Windows NT is architected after VMS (in part because of Dave Cutler). Processes are expensive on windows. This is true because Windows and the Win32 require threads and assume they exist; if you want to spin-off a lightweight operation you kick up a new thread. Although most Unix systems have OS threads these days that wasn't always the case - processes were the word of the day for a long time and still are in some ways.

Re:Problem?

[PitaBred]

And if you have, say, 100 visitors at the same time? That's 3 seconds just to start the processes, much less actually run anything. It's multiplicative ;)

Re:Problem?

[Pollardito]

"architected" is not a word, since "architect" is not a verb

A. You're wrong. English is a living language. Any word that people understand as a verb is a verb. You understood what was written, therefore you are lying. who knew that George Bush posted on Slashdot?

Re:Stop the insanity.

[Allador]

It's trivial on the apache side, and relatively easy on the iis side.

Config the machine to have two IPs.

On apache, set a Listen directive in the config file, to have it listen on IP1:80.

For IIS, run this:

c:\>httpcfg set iplisten -i IP2

By default, both apache and IIS will bind to every IP on the box. These methods let you have each listening on port 80 on their respective IPs.

The only 'hard' part on the IIS side is knowing that httpcfg exists and controls this. If you've ever setup wildcard ssl certs in windows you've been here.

The reason this is controlled through this command prompt on windows is due to the architecture of IIS.

There is a very small kernel-mode component that handles listening on the port and handing off to IIS. This is what you're configuring with httpcfg.

I believe Vista (and therefore Win 2008 Server) doesnt have httpcfg and uses something else (dont know what off the top of my head).

Re:Problem?

[plague3106]

I didn't mean to hurt your feelings or anything - There's a good reason why I qualified it as "probably" as opposed to "definitely".

Didn't hurt my feelings; even probably implies that you have good reason to believe something. Good reason, not "well this is how I view things." I'm just sick of /. modding up any crap someone tosses out on /. as it if were true. Bash MS, you get karma it seems, regardless of facts.

If such follies as UAC in Vista is any indication (and that's just the tip of one very bloated iceberg), it's a pretty solid bet that MSFT simply tacked on more cycle-eating code to prevent break-ins.

And this has exactly what to do with Win2003 server? I can see you haven't actually used the product, so perhaps you should not comment on it with speculation. The OP posted some benchmarks at least. I at least work with Server 2003 everyday. Did you even check out the Server 2008 beta to see if this "safe bet" is as safe as you think?

In either case, don't complain to me - complain to Microsoft's marketing department, who went well out of their way to push that perception back when Windows Server 2003 launched (well, it came in second - right after the bazillion demonstrations showing how easy they made it to migrate for all the holdouts still using Windows NT 4.0).

Don't blame you for throwing out some statement for which you really have no basis in fact? I requested fact, you came back with your bias perceptions. Ya, I think I can blame you for that.