Due to the popularity of Windows 2008 Server Core I have seen frequently questions about how to configure SSL on IIS7 with only command-line. Since I wandered that path few months back I thought of putting this article/guide together.
http://www.awesomeideas.net/post/2008/05/18/How-to-configure-SSL-on-IIS7-under-Windows-2008-Server-Core.aspx
IIS7 Mobile Admin is a simple web application to administer IIS7 remotely using a mobile phone browser. I provided few screenshots of IIS7 Mobile Admin in my previous blog post here http://www.awesomeideas.net/post/2008/03/04/IIS7-Mobile-Admin.aspx
And I promised to get it on codeplex for your download pleasure and finally it's ready and available
Project Home (Screenshots,FAQ) - http://www.awesomeideas.net/page/IIS7-Mobile-Admin.aspx
Download & Discussion - http://www.codeplex.com/iis7mobileadmin/
What are the features available in this release (called R1)?
Search Application Pools & Web Sites
- Application Pool
- Show Requests (Top 10 requests sort in descending order of 'Time Elapsed'
- Show Applications
- Recycle Application Pool
- TODO:Your wishes...
- Web Sites
- Show Configuration (Show all bindings for the website)
- Start Website
- Stop Website
- TODO:Your wishes
Get more screenshots on Project Home http://www.awesomeideas.net/page/IIS7-Mobile-Admin.aspx
I wanted to introduce something I’ve been working during last couple of weekends. Yes you guessed it “IIS7 Mobile Admin” to show some love to our web server administrators who keeps our Web 2.0 world up and running!
Ingredients
I would like to know what are some of the “must have” features you expect from this application.
(Keep in mind this is not developed to replace or even be on par with desktop IIS7 manager)
Please add your suggestions/comments/ideas under the following blog post and check out more screenshots.
http://www.awesomeideas.net/post/2008/03/04/IIS7-Mobile-Admin.aspx
Plan is to get this complete package (both binary & source) on http://www.codeplex.com by next weekend!
Picture is worth a “how many words do they say?” so a picture below showing how it looks when it runs inside Pocket IE in full-screen.
Hostable Web Core (known as HWC) is a new concept in IIS7 to host a website/webservice inside your own process. In short a smaller hosted version of IIS (an IIS7 express edition?).
This is accomplished by making a LoadLibrary call to load hwebcore.dll (%systemdrive%\Windows\System32\inetsrv\hwebcore.dll)
From IIS7 onwards you can administer IIS7 remotely using IIS Manager (through HTTPS). When you connect remotely you are actually connecting to a "Web Management Service" called WMSVC. This service uses HWC so that it's not dependent on IIS7 services directly.
I had some idea around building alternative UI for IIS7, but since WMSVC service calls are not publicly documented I didn't want to start using it since my application might break anytime. So HWC was a surprise to me but with a glitch. I'm too used to managed code that I haven't written C++ code from last 6years. During 1996-2000 C/C++ was my favorite language and then got into languages which are less fussy (VB/VB.net & C#).
But I had multiple challenges 1) Writing something in a language which I've not used for last 6 years. 2) Writing a windows service which I haven't done before.
Before diving into the code let's see limitations of HWC (Calling it limitation is wrong so let's say it's by design)
- Only one application pool
- Only one website/webservice
- Separate configuration file
- No monitoring like available for IIS7 application pools
- Require IIS7 to be installed
PS: Project files are in VS2008 but the application doesn't have any dependency with newer versions.
Ingredients of my WebCoreService.
- Native Windows Service which host HWC which provides install/uninstall options
- Good IIS7 configuration file (applicationHost.config) which contains all configuration required to run ASP/ASPX/ASMX... pages
- TODO: Web/WCF service hosted inside this service which publishes all the management API's for consumption
- TODO: Alternate client for managing IIS7
- Native Windows Service which host HWC. Below is a screenshot to see the options available using command-line
- All the configuration including where the website points to and what port it's hosting the site etc are mentioned in the configuration file called "WebCoreService.config". This is nothing but the actual applicationHost.config file after few of those things removed from it.
- This could be a good managed Webservice or WCF service which would expose management API's.
- How about a Mobile Client? which supports SMS (Texting). Just imagine sending a text message to recycle one of the application pool ?
Hosting management site running inside this?
These are only few of those possibilities though :) think crazy stuff and let me know.
How to RUN the service?
Extract the zip files with source and the binary files.
Follow these steps to setup the service (make sure you are doing this from an elevated command prompt)
- Create a folder called "TestPath" inside your "C:\inetpub\" folder
- Create 2 folder inside called "wwwroot" and "Logs"
- Drop "time.asp" and "time.aspx" pages inside the "wwwroot" folder
- Enable event logs notification from the service
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\WebCoreService]
Create a string key "EventMessageFile" and set value as full path to "sample.dll" under the bin folder
Create a DWORD key "TypesSupported" and give value of "00000007"
- Goto the folder where the EXE file resides "WebCoreService.EXE"
- Install the service using the following command
WebCoreService install
- Start the service using the following command
net start WebCoreService
- Browse to the page http://localhost:8080/time.asp
Bingo! Hostable webcore service is ready.
All the configuration mentioned above like folder path, port number etc can be modified inside the configuration file "WebCoreService.exe.config"
Do let me know if you have any questions or suggestions or even ideas !!!
Source & binary => http://code.msdn.com/hwc/
Here is another featured moved to kernel mode. Yea it's Windows Authentication which is by default configured to run in kernel mode.
To see the dialog right click on "Windows Authentication" and select "Advanced Settings..."
This applies to Windows 2008 build and not Vista RTM.
There are so many things which has changed in IIS7 for the better and one of them is about the way SSL works. Although IIS6 allowed kernel mode SSL (starting with Windows 2003 SP1) that wasn't the default option. As far as I know (AFAIK) not many customers used it or knew about it.
Starting with IIS7 kernel mode SSL is going to be the default setting and the only setting. This was primarily for performance reasons. So let us see how it differs.
IIS6 SSL request/response flow
1. Request
2. HTTP.SYS
3. HTTPFilter
4. HTTP.SYS
5. Worker process
6. HTTP.SYS
7. HTTPFilter
8. HTTP.SYS
9. Response |
(Encrypted Request from client)
(Kernel Mode driver for HTTP accepts the request)
(Sent to user mode service to decrypt)
(Decrypted request comes back)
(Sent decrypted request to W3Wp => IIS)
(Response comes back from IIS)
(Sent again to user mode to encrypt response)
(Encrypted response arrives from user mode)
(Encrypted response sent back to client) |
IIS7 SSL request/response flow
1. Request
2. HTTP.SYS
3. Worker process
4. HTTP.SYS
5. Response |
(Encrypted Request from client)
(Kernel Mode driver for HTTP accepts and decrypts using SChannel)
(Sent decrypted request to W3Wp => IIS)
(Response from IIS is encrypted using SChannel)
(Encrypted Response sent back to client) |
You know that context switching between kernel mode and user mode is expensive and this new design of how SSL processing is done inside kernel mode increases performance on IIS7.
IIS7 Rocks!!!
Although the title says webserver certificates the script is not limited to webserver certificates only.
This script is useful for admins to check expiry dates of server certificates and be prepared to renew or change them. In case if you have ideas of using this in your server environment and you need help in tweaking this script do let me know.
Please copy & paste script below into a file called "CertExpiryCheck.vbs" and run the script from command line like
C:\> cscript certexpirycheck.vbs [SubjectName]
C:\> cscript certexpirycheck.vbs sukak
* here "sukak" is subject name which usually would be your domain name (FQDN)
* Issued by also shows "sukak" in my case since the test was done using self issued certificate created using selfSSL.exe
'**************************************************
'* CertExpiryCheck.vbs
'* Enumerate certificates with day left for expiry
'**************************************************
Option Explicit
Dim SubjectName
If WScript.Arguments.Count > 0 Then
SubjectName = LCase(WScript.Arguments(0))
Else
CommandUsage
End If
Dim Store, Certificates, Certificate
Const CAPICOM_LOCAL_MACHINE_STORE = 1
Const CAPICOM_CERTIFICATE_FIND_SUBJECT_NAME = 1
Const CAPICOM_STORE_OPEN_READ_ONLY = 0
Set Store = CreateObject("CAPICOM.Store")
Store.Open CAPICOM_LOCAL_MACHINE_STORE, "MY" ,CAPICOM_STORE_OPEN_READ_ONLY
Set Certificates = Store.Certificates.Find(CAPICOM_CERTIFICATE_FIND_SUBJECT_NAME, SubjectName, 0)
If Certificates.Count >0 Then
For Each Certificate in Certificates
'Certificate.display() 'If you want to see the Cert in UI
WScript.Echo "*** Subject " & Certificate.SubjectName & " ***"
WScript.Echo "Issued by " & Certificate.IssuerName
WScript.Echo "Valid from " & Certificate.ValidFromDate & " to " & Certificate.ValidToDate
WScript.Echo "Days to expiry " & DateDiff("d",now(),Certificate.ValidToDate)
WScript.Echo
Next
Else
WScript.Echo "No certificates with SubjectName => '" & SubjectName & "'"
End If
Set Certificates = Nothing
Set Store = Nothing
Sub CommandUsage
MsgBox "Usage: CertExpiryCheck.vbs [SubjectName] ", vbInformation,"CertExpiryCheck"
WScript.Quit(1)
End Sub
Just keep in mind you need capicom.dll to use this script. This comes default on Windows 2003 (I guess) but might need to be downloaded and registered on other platforms like Vista. Use regsvr32 capicom.dll to register it first before using the script.
I had written a sample to redirect all http traffic to https (secure) in September 2006 http://www.awesomeideas.net/post/2006/09/03/Redirecting-from-http-to-https-in-IIS7.aspx
In one of our internal discussion alias the question came up that this method does not work when SSL is forced on the website. Step 5 below handles that scenario by checking the "403.4 SSL required" response and handling it during OnEndRequest event.
So let us get into action (I'm using C# for this sample)
- Download and Install IIS7 Managed Module Starter Kit
(Not really a requirement but it would make developing IIS7 modules easier)
- Rename the default class name created to "redir.cs" and rename project/solution/namespace to "http2https"
- Add the following code in "Init" method
// register for the BeginRequest event
application.BeginRequest += new EventHandler(OnBeginRequest);
application.EndRequest += new EventHandler(OnEndRequest);
- Add the following method to implement "BeginRequest" event
//BeginRequest implementation
public void OnBeginRequest(Object sender, EventArgs e)
{
HttpApplication app = (HttpApplication)sender;
string HttpUrl = app.Request.Url.ToString();
if (HttpUrl.StartsWith("http:")) //Redirection done only if URL starts with http:
{
HttpUrl = HttpUrl.Replace("http:", "https:");
app.Response.Redirect(HttpUrl.ToString(), true); //Redirecting (http 302) to the same URL but with https
app.Response.End(); //We don't want to any further so end
}
}
-
Add the following method to implement "OnEndRequest" event
//This is for scenario where SSL is forced on the site
public void OnEndRequest(Object sender, EventArgs e)
{
HttpApplication app = (HttpApplication)sender;
if (app.Response.StatusCode == 403 && app.Response.SubStatusCode == 4)
{
string HttpUrl = app.Request.Url.ToString();
if (HttpUrl.StartsWith("http:"))
{
HttpUrl = HttpUrl.Replace("http:", "https:");
app.Response.Redirect(HttpUrl.ToString(), true);
app.Response.End();
}
}
- Make sure you have the following in your web.config inside configuration tag
<system.webServer>
<modules>
<add name="redir" type="http2https.redir" />
</modules>
</system.webServer>
Your http to https redirection sample is ready and also works if you force SSL!!!
How to deploy the HttpModule
There are multiple ways you can deploy this component (I'm assuming that it's being deployed for "default website")
Method 1
Create a folder called "App_Code" inside "%systemdrive%\inetpub\wwwroot"
Copy "redir.cs" file into "App_Code" folder
Copy "web.config" file inside "%systemdrive%\inetpub\wwwroot"
Method 2
Create a folder called "bin" inside "%systemdrive%\inetpub\wwwroot"
Compile "redir.cs" into "redir.dll" and copy it into "bin" folder (to compile -> csc.exe /out:redir.dll /target:library redir.cs)
Copy "web.config" file inside "%systemdrive%\inetpub\wwwroot"
If you open IIS7 UI and go to Modules you can see your HttpModule listed there.
Source code @ http://www.awesomeideas.net/page/IIS7-http2https.aspx
I was thinking to write an HttpModule for IIS7 and wanted a simple, useful and easily understandable scenario. Working with IIS customers for last 3 years one of those common scenario came into my mind, Redirecting http traffic to https. Although this is pretty straight forward requirement, till IIS6 it was difficult to achieve. Check the following KB 839357 (specifically for OWA scenario) which explains the cumbersome steps .
(If you are looking for same functionality in prior versions of IIS, find it at the bottom of this post)
HttpModules are not something new if you are an ASP.NET developer. But there are some differences. In IIS7 because of integrated pipeline, HttpModule applies to any request not just ASP.NET and that includes htm,jpg,asp,aspx,asmx,php,jsp...
So let us get into action (I'm using C# for this sample)
- Download and Install IIS7 Managed Module Starter Kit
(Not really a requirement but it would make developing IIS7 modules easier) - Rename the default class name created to "redir.cs" and rename project/solution/namespace to "http2https"
- Add the following code in "Init" method
// register for the BeginRequest event
application.BeginRequest += new EventHandler(OnBeginRequest);
- Add the following method to implement "BeginRequest" event
//BeginRequest implementation
public void OnBeginRequest(Object sender, EventArgs e)
{
HttpApplication app = (HttpApplication)sender;
string HttpUrl = app.Request.Url.ToString();
if (HttpUrl.StartsWith("http:")) //Redirection done only if URL starts with http:
{
HttpUrl = HttpUrl.Replace("http:", "https:");
app.Response.Redirect(HttpUrl.ToString(), true); //Redirecting (http 302) to the same URL but with https
app.Response.End(); //We don't want to any further so end
}
}
- Make sure you have the following in your web.config inside configuration tag
<system.webServer>
<modules>
<add name="redir" type="http2https.redir" />
</modules>
</system.webServer>
Your http to https redirection sample is ready!!!
How to deploy the HttpModule
There are multiple ways you can deploy this component (I'm assuming that it's being deployed for "default website")
Method 1
Create a folder called "App_Code" inside "%systemdrive%\inetpub\wwwroot"
Copy "redir.cs" file into "App_Code" folder
Copy "web.config" file inside "%systemdrive%\inetpub\wwwroot"
Method 2
Create a folder called "bin" inside "%systemdrive%\inetpub\wwwroot"
Compile "redir.cs" into "redir.dll" and copy it into "bin" folder (to compile -> csc.exe /out:redir.dll /target:library redir.cs)
Copy "web.config" file inside "%systemdrive%\inetpub\wwwroot"
If you open IIS7 UI and go to Modules you can see your HttpModule listed there.
Redirection options for prior versions of IIS below (you need to search for these)
- ASP.NET URL mapping capability (HttpContext.RewritePath)
- IIS v6.0 Resource Kit includes the UrlRemap tool
- IISRewrite
- ISAPI_Rewrite - includes a "lite" version available for free.
- Mod_Rewrite 2
- Ionic's ISAPI Rewrite Filter
When I was a developer (I mean employed as a developer, even now I develop applications, don’t get me wrongJ) before joining Microsoft, I used to get stuck with application issues; whether its process crashing, process not responding or high memory usage. There were not many options for me at that time but to review code for that page or form and figure out the cause myself.
If there was a tool which I can use to tear the process and see what is going on inside the process I would've saved a lot of my hours (or maybe days). Although Windows Debugging Tools (WinDBG) was available, it was not too easy to learn the commands or understand how all those stuff works when you have development timelines/deadlines (or is it death lines?) to be met.
Not many developers are aware of what kind debugging I’m gonna talk about. When ever we talk about debugging people assume that it’s live debugging using Visual Studio or so and put breakpoint and walking through the code. Huh! This would be a blessing if we can do the same thing in case of production servers, but on production server applications it’s a completely different ball game.
Think of a situation where customer has an issue on production box with IIS process
(Here IIS process is used just for illustration but below explained issues are true with any other multi-threaded process/service)
My Options (being little bit sarcastic)
- Send windows source code to customer and we will install Visual Studio to walk through the code and find what the issue is” You know I would loose my job. J
This kind of debugging works mostly for client applications
- What happens if I don’t really know when the issue happens?
I can employ a person who will sit in front of the server 24x7 watching for the issue to happen J
- What if the issue happens only for sometime and the issue vanishes?
By the time my monitoring person yawns, the issue would vanish J
- What happens if the issue only happens when a specific user sends a post request with some specific string in there which leads the IIS process to get stuck and block all requests?
Start writing “Debug.Print” or “Response.Write” kind of tracing to find out where it gets stuck. You might not finish your project anywhere in near future J
- Customer called on my mobile and is screaming because my website is not responding.
I need to run to the server (maybe even drive, since the server is in a remote place) to take a memory dumps.
All the above options are provided to understand how tools like DebugDiag help us to automate and make our life far better.
DebugDiag or Debug Diagnostic Tool is not the 1st tool but as far as I know would be the 5th generation of tool for doing post-mortem memory dump analysis. Most of those previous tools were were exclusively used by PSS and were not available on Microsoft Downloads.
Post mortem debugging simply means that we take a snapshot of the process memory when the issue happens and use either DebugDiag or WinDBG to figure out what was going on inside the process when the issue happened and find out the cause for the issue. Since this is technically challenging, it takes a lot of time. Some of our customers think that it's like looking into iislogs to find the request. Let me tell you that its mostly digging deep into thread stack, heap and other memory areas to find out what might’ve lead to the issue.
What is Debug Diagnostic Tool?
DebugDiag is a post mortem debugging tool which has analysis capabilities, so in simple words there is 3 parts for this tool.
- Capture memory dumps for different types of issues (Hang/Crash/Memory)
- Run basic analysis on the captured dumps and generates a report to understand the results. It also provides very good pointers to issues mostly for expert eyes.
- Exposes an object model which can be used to easily access the information available inside the memory dump file (memory dump file extensions are usually DMP / PDMP / MDMP)
What are the main components?
- Debug Diagnostic Service (dbgsvc.exe)
- DebugDiag UI (debugdiag.exe)
- DebugDiag Host (dbghost.exe)
Debug Diagnostic Service
This is the service which is the heart of DebugDiag. Why should it be a service? In the past we used AD+ (Auto Dump+) for troubleshooting most of those debug scenarios. AD+ is executed from the command line and client side program. This simply means that it runs under the context of the logged-in interactive user.
Let’s take an example. Assume that we are trying to track an issue which happens intermittently, say for example process crash and it happens once in a week or month.
So we setup AD+ (KB 286350) from command prompt. Since this tool runs from command line if you logout from the console AD+ stops monitoring. So if your organization has multiple administrators who look after the server they need to be informed not to logout from the console till we track and get a good set of dumps for the issue. This becomes extremely difficult specially because we find out that someone did a logout only after the next issue occurrence and by then its too late. Then we start monitoring again and sleep till we get another repro. Keep in mind, in some cases a repro might take seconds, minutes, hours, days, weeks or even months.
Another issue with AD+ like tools is that you cannot use it through Terminal Service sessions which most of those administrators are too used to J
AD+ provides a lot of customization options and its powerful in that way, and it was “the” tool we used in the past (and I see people using it even now).
To get around the above mentioned issues DebugDiag runs as a service as “Local System” so that it’s not dependent on the logged on interactive user session.
So how do we configure this service since windows services cannot have UI?
DebugDiag UI
DebugDiag user interface is used to create rules for capturing different types of issues by creating rules and also the interface to run the analysis portion of the tool.
DebugDiag like I mentioned before (did I mention?), has a scripting host built-in using which we can customize and extend the features according to the requirements. The main script file called “DbgSVC.vbs” (we call it as controller script) is present in scripts folder inside installation folder. This script gets modified when you make changes in the UI related to Hang or Memory Leak rules. This script file contains (or exposes) some events which you can use to extend and customize the working of DebugDiag.
Open the Controller Script (“DbgSVC.vbs”) in notepad and see for yourself.
Rules are nothing but simple way of configuring DebugDiag to work according to your requirements for specific scenarios. Rules contains information about the location where you want the memory dumps files to be stored etc and also contains
Events you can further use. For example if you create Crash Rule, DebugDiag creates a script file called “CrashRule_IIS.vbs” in the scripts folder.
Open the Crash Rule Script (“CrashRule_IIS.vbs”) in notepad and see for yourself.
Now with DebugDiag you loose the functionality like we had in AD+ to run it from command line. Do we? Not really! Continue reading…
DebugDiag Host
So how do I know what’s available under the hood?
Go to Command prompt and type
C:\>dbghost /? (Obviously you should try from the installation folderJ)
I can analyze the dumps myself? Oh really?
DebugDiag provides analysis feature which you can use from the DebugDiag UI tab called “Advanced Analysis”. By default, right now we have scripts available for analyzing “Crash/Hang Analyzers” and “Memory Pressure Analysis”.
Analysis Scripts are nothing but .ASP pages inside “Scripts” folder which uses somewhat ASP kind of scripting style and uses VBScript to iterate through the structures inside the dumps (which is nicely exposed using an object model) and try to find out known issues or easily identifiable issues so that for simple issues troubleshooting can be done by yourself without calling MS PSS.
More to come which includes Script customization, specific steps to be taken for scenarios like Hang/Crash/Memory related issues etc...
So what is Appcmd.exe?
This is "one" command line tool to administer IIS7. In IIS6 several of admin task were done using several scattered VBS script files. This made it difficult to find out what script needs to be run for eg. to get list of worker processes.
So IIS7 is powered with Appcmd.exe which provides all the options you need to administer IIS7.
Following are the options/categories available from a high level
| SITE |
Administration of virtual sites |
| APP |
Administration of applications |
| VDIR |
Administration of virtual directories |
| APPPOOL |
Administration of application pools |
| CONFIG |
Administration of general configuration sections |
| WP |
Administration of worker processes |
| REQUEST |
Administration of HTTP requests |
| MODULE |
Administration of server modules |
| BACKUP |
Administration of server configuration backups |
| TRACE |
Working with failed request trace logs |
Lets see how we can use it with an example
When I installed LH Server Beta (I rebuild my box quite frequently) I wanted to see how it's like to have 1000 websites running on IIS7.
So I created 1000 websites on my box.
Good scenario to use Appcmd.exe and also my MS-DOS experience. No I'm not gone nutts to create it using the UI :)
Steps required
- Wanted separate folders for each website
- Wanted to use same IP address and port for all websites
- Type a command and leave the box to create all the websites
Keep in mind I'm not talking about Server but my desktop machine. Yea its got 2GB RAM though.
Steps below
- Created a folder - E:\Websites
- I wrote a batch file (createsite.cmd) with the following
MD E:\Websites\Site%1
appcmd add site /name:"Site%1" /id:%1 /bindings:http/:*:80:site%1 /physicalPath:"E:\Websites\Site%1"
appcmd start site "Site%1"
- Now the command to trigger the batch file where my MS-DOS experience came handy
C:\FOR /L %i IN (2,1,5) DO createsite.cmd %i
FOR command is a batch file loop which simply works like 'for' loop in your favorite language
FOR /L %i IN (2,1,1000) DO createsite.cmd %i
is equivalent to the following in C
for ( i=2; i <= 1000; i++ )
createsite( i );
I started value of 'i' from 2 because "Default Website" has Site ID 1.
Hit enter and wait till the folders and websites are created for each iteration.
Bingo !!! 1000 websites ready to be administered or tested.
So the result would be
E:\Websites folder would have folders called Site2, Site3 etc... and in IIS there would be sites with name Site2, Site3 etc...
Lets revisit the appcmd command above once again
appcmd add site
/name:"Site%1" // website name
/id:%1 // Site ID
/bindings:http/:*:80:site%1 // site would have "All Unassigned" including host header with the site name
/physicalPath:"E:\Websites\Site%1" // Pointing to the physical folder for that site
appcmd start site "Site%1" // pretty straight forward, it starts the website
What else can I do to extend this scenario?
- Create Application Pools separately for each website
- Create a simple ASP page and drop it in every folder created
- Use TinyGET utility (available with IIS6 Resource Kit) to simulate request
Some other useful command options
Create Backup
C:\>appcmd add backup "backup before screwup"
BACKUP object "backup before screwup" added
List Backup
C:\>appcmd list backup
BACKUP "backup before screwup"
Restore from Backup
C:\>appcmd restore backup "backup before screwup"
Restored configuration from backup "backup before screwup"
Currently Executing Requests
C:\>appcmd list request
REQUEST "fa00000080000487" (url:GET /highcpu.asp, time:1903 msec, client:localhost)
Will add more of this later...
Before the boom of web and internet, HTTP was not so common is everyday life. When internet became more and more widely used, HTTP also grew in usage.
Basic web server serves static HTML type contents and then was the era in which there came several ways to extend the web server and its features. Because of the popularity of the web, on internet most of the companies connected to the web have port 80 (which is the default HTTP port) open on firewalls. Which simply means that to use HTTP most of the companies didn’t have restrictions and thereby became the default and uninterrupted way of global communication?
HTTP on Windows platform was initially used only by IIS for serving web sites. Gradually because of the simplicity and availability (of open port 80) of HTTP several other applications started using HTTP as a medium of transport. Then came the wave of all HTTP based protocols and having another protocol tunnel through HTTP.
RPC over HTTP (I would call it as “RPC through HTTP” rather) for Exchange and SQL to name a few. SQL started supporting HTTP so that you can expose a database over the web using HTTP and SQL queries can be executed using query string and the results returned as XML. Once, more and more application platforms started using HTTP, it became important that we have a uniform & consistent way on Windows platform to use HTTP protocol. So the kernel mode driver called HTTP.SYS was born. Since it’s a kernel mode driver, it gives us a lot of advantages (mainly on 64bit machines with a huge amount of memory for kernel mode caching and getting higher performance) and creates a layer which gives a consistent way of utilizing HTTP protocol. HTTP.SYS also provides API’s if we need to use HTTP protocol directly and bypass IIS. This route would obviously lack other features provided by IIS like health monitoring, easy management etc… but can be utilized for specific needs.
Next big leap – IIS7
Before we look at some of those upcoming features in IIS7, let us see what we lack till the current version of IIS i.e. IIS6.
· Delegation of administration (very important for website hosting and also for hosting department websites with its own admin)
· Extensibility (A thorough understanding of IIS is required in order to write high performance ISAPI Filters or Extensions)
· You can add features but not replace features
· Managing IIS was not possible when it comes to higher number of websites simply because the MMC style of interface is not efficient.
· Even if you use ASP.NET (handlers or modules) it works at a lower level than ISAPI Filters/Extensions.
· Debugging or tracing (A fair amount of tracing features were introduced in IIS6 and more with SP1 but still we resort to post-mortem dumps for 60% of our cases)
· XCopy deployment of websites.
Now “few” of the highlights from IIS7 features list
· Delegation of administration to granular level (like attribute level) and users can be either from Active Directory / SAM (workgroup) or custom database
· You have managed and unmanaged API's to access IIS or for admin purposes (e.g. showing a list of pages currently running and how much CPU each of them are taking). This is possible in IIS6 with SP1 (Windows 2003 SP1) but with extra tools, but in IIS7 it’s available inside the MMC itself.
· You can search or book mark a website when you have too many sites, for easy administration.
· Now with the new Integrated Pipeline, you can write managed or unmanaged ISAPI
· A lot of tracing functionalities are included e.g. Failed Request Tracing etc... Even specifics like “only requests failed with authentication” etc...
· Since website related details (like default page etc...) are stored inside web.config (not necessarily ASP.NET application) you can deploy sites using XCopy and it simply works.
· You can enable admin service with a different secure port which can be used for administering IIS remotely (http). This is not an admin website like before but a separate service.
· You can replace existing IIS components by replacing the dll name in the application.config file. Example custom logging, custom authentication. This simply means that everything is pluggable and only required features are installed or loaded into the process. For example you don't want "Basic Authentication" you don't even install it. This would reduce attack surface and enables better performance also.
· My favorite feature, you can enable forms authentication with a single page (uses .NET 2.0) for htm / asp / asp.net / php / cgi / images or any application web site.
You can see some managed code snippets of IIS7 Admin API’s from the following link
http://blogs.msdn.com/carlosag/archive/2006/04/17/MicrosoftWebAdministration.aspx
Make sure you see the piece of code titled “Getting list of executing requests” which is my favorite.
Let us see how HTTP is extended to do more than serving static content.
When we talk about Windows Platform & HTTP, Microsoft product which comes to the picture is IIS. In the early days (and early versions of IIS) HTTP was primarily used for hosting websites and to enable people to use browsers to request those websites. So in essence IIS (or for that matter any web server) is built to serve “static” HTML pages with resources like images (referring to IIS2). But later versions of IIS provided ways to extend the web server in order to provide dynamically serving websites. In IIS world we call it as ISAPI Extensions. Hmmm... So what is ISAPI Filters then?
Let’s try to understand more about ISAPI Filters, ISAPI Extensions & Wildcard ISAPI Extensions to get more clarity.
ISAPI Filters
From the name itself you know that it’s something to do with filtering. Yea you got it right! So IIS exposes a set of notifications (IIS term for events) so that we can develop an ISAPI Filter (dll with a difference) to register for these notifications. When IIS triggers these notifications your ISAPI Filter DLL gets a chance to handle the data available for that specific notification.
Confused? Huh! Let me try with a hypothetical example then,
Assume that you have an ASP application and you don’t want your web users to know that it’s really ASP. So what can you do? Let them request .ASPX pages and we will change the extension to .ASP before IIS gets it for further processing. Good Idea?
Change all your links in the site to point to .ASPX extension. And when web users request “default.aspx” the ISAPI Filter would change the file requested to “default.asp” without the user’s knowledge and show off that you are running an ASP.NET application but under the hood it’s a legacy ASP application. J
How does this work or how is this implemented?
Like I mentioned before you need to use one of those ISAPI Filter notification called SF_NOTIFY_PREPROC (search on MSDN for more information). So what does that give us? When a request enters IIS and when IIS reads in the HTTP request header our ISAPI Filter gets a chance to access HTTP request header and if required we can modify it. So in our scenario, we would see that URL field in the header contains “default.aspx”. Yes you guessed it, we would change that URL to “default.asp” and let IIS know that it needs further processing. Cool deal hah!
Important piece of code from the ISAPI source provided below to show how easy it is
Char buffer[256]; DWORD buffSize = sizeof(buffer); BOOL bHeader = pHeaderInfo->GetHeader(pCtxt->m_pFC,"url",buffer,&buffSize); CString urlString(buffer); urlString.MakeLower(); if (urlString.Find(".aspx”) != -1) //we want to change this file’s extension { urlString.Replace(".aspx",".asp"); char *newUrlString= urlString.GetBuffer(urlString.GetLength()); pHeaderInfo->SetHeader(pCtxt->m_pFC, "url", newUrlString); //we’re done, now give it to IIS for further processing return SF_STATUS_REQ_HANDLED_NOTIFICATION; } |
ISAPI Extensions
So like I mentioned before a web server serves static pages, the dynamic features like ASP, ASP.NET, PHP etc happens because of ISAPI extensions. So the obvious is that ISAPI Extensions are a way to extend the Web Server to add more features to it.
So once the requests surpass the ISAPI Filter and if the request is not for static page, IIS searches for an ISAPI extension which is mapped to the request file extension. If found the request is forwarded to that ISAPI Extension for further processing and returning a valid response back to the client.
Wildcard ISAPI Extensions (IIS6 specific)
Here we will talk about why we need this piece and what are we trying to achieve here. Yes you guessed it, Wildcard extensions comes in between ISAPI Filters & ISAPI Extensions, so that it can have the features of both ISAPI Filters & Extensions.
Request | IIS [ ISAPI Filter -> Wildcard Extension -> ISAPI Extension] | Response |
Before getting into details lets see the Pros & Cons of ISAPI Filters & ISAPI Extensions.
ISAPI Filters
Pros of ISAPI Filters
- Every request can be intercepted regardless of the file extension
- Filter notification allows us to enhance or replace some of the IIS features
- Custom Redirection or request filtering - SF_NOTIFY_PREPROC_HEADERS
- Custom Authentication – SF_NOTIFY_AUTHENTICATION
- Modify IIS log values – SF_NOTIFY_LOG
etc… (notification list documented on MSDN)
Cons of ISAPI Filters
- No Asynchronous support
- Uses IIS thread pool and cannot implement its own thread pool, so whatever processing of request is being done inside the filter should be completed quickly, otherwise chances are that IIS runs out of worker threads and users starts seeing errors like “Server too busy” or IIS gets into a hung state without responding to requests.
- No access to entity body (huh! its another term for HTTP request body)
ISAPI Extensions
Pros of ISAPI Extensions
- Gets the entire entity body (HTTP request body)
- Can implement custom thread pool
- Processing the request can be asynchronous
Cons of ISAPI Extensions
- Can handle only requests to specific extensions (because its mapped to specific file extension.
- Processing happens only after getting the complete request entity body.
Wildcard ISAPI Extensions
Pros of ISAPI Wildcard Extensions (hybrid of Filter & Extension)
- Every request can be intercepted regardless of the file extension
ISAPI Filters: Yes
ISAPI Extensions: No
- Implement custom thread pool
ISAPI Filters: No
ISAPI Extensions: Yes
- Asynchronous Processing
ISAPI Filters: No
ISAPI Extensions: Yes
- Handle entire request processing and return response to the client or hand over to an ISAPI Extension (according to the extension) for further processing.
ISAPI Filters: Yes
ISAPI Extensions: Yes
- Can get access to complete request entity body
ISAPI Filters: No
ISAPI Extensions: Yes
So from the above list you can see that Wildcard ISAPI Extension provides a way to get best of both worlds (ISAPI Filter & ISAPI Extension).
Most of my interactions in the past with customers, web developers and some of my prior colleagues, I have found that a larger percentage of them don't have a good understanding of how HTTP protocol works. This could be due to various reasons; some of them could be like
- Coming from windows application development background.
- Not getting enough time to go through the details due to project deadlines.
- Too difficult to get the meat out of HTTP RFC document because it’s too much to read.
This results in lot of confusions and also leads to low performance application development. So I thought I would help the readers of putting those confusions to rest and explain all these in simple and effective way. So, in essence this article is no rocket science, but HTTP basics which most of those HTTP/IIS experts left out thinking that it would not be necessary to be explained (Or maybe its there but I missed noticing it).
Is HTTP a popular protocol, Oh really?
The popularity of HTTP protocol is simply because it's a simple protocol when you try to understand it from grass root level. Because of the simplicity (huh, I think due to recent developments people have made it a little complex) HTTP is used extensively not just for serving HTML pages but in order to empower several applications to make it work on the web.
How does a simple HTTP response look like?
|
#include <iostream.h>
#include <windows.h>
int main (int argc, char** argv,char **envp)
{
cout << "Content-Type: text/html\r\n\r\n"; //Header
cout << "<h2>Hello World!</h2>" <<endl; //Body
return 1;
} |
How does HTTP works with authenticated request?
- Browser send GET request to IIS (remember 1st request is always anonymous)
- IIS returns 401 and provides WWW-Authenticate Header with the supported authentication methods
- According to authentication method Browser pop-up the dialog to enter credentials and then submits to IIS
- Credentials gets validated and if valid, your GET request is served with HTTP Status 200 (200 = success)
Why do we need sessions in HTTP?
Since HTTP is a connection-less protocol we need to provide a way to continue request-response process without having to create a ‘fresh’ newer connection for every request.
More Posts