Set up a PHP environment using IIS on a Windows instance -

When you deploy a PHP application on a Windows Elastic Compute Service (ECS) instance, you can integrate a non-thread-safe (NTS) version of PHP with the Internet Information Services (IIS) FastCGI Module to ensure website performance and security. This guide explains how to configure directory permissions and a dedicated application pool for your site.

How it works

This solution integrates the IIS FastCGI Module with the PHP interpreter to parse and serve PHP web pages. External requests are first filtered by the instance's Security Group. Then, IIS uses a Handler Mapping to forward .php requests to the php-cgi.exe process in the FastCGI process pool. IIS then returns the result to the client.

Core components

A user's browser sends an HTTP request over the public network to port 80 of the ECS instance.
IIS receives the HTTP request. If the request is for a .php file, the handler mapping rules in IIS forward the request to PHP's CGI executable (php-cgi.exe) through the FastCGI protocol.
The FastCGI module manages a pool of php-cgi.exe processes that receives requests and execute the corresponding PHP scripts.
The PHP interpreter executes the business logic and returns the generated HTML content or other data to IIS.
IIS returns the final result to the client as an HTTP response.

Procedure

The following steps use Windows Server 2022 as an example.

Step 1: Install IIS and the CGI module

Log on to the ECS instance.
1. Go to ECS console - Instances. In the top navigation bar, select the target region and resource group.
2. Go to the details page of the target instance, click Connect, and select Workbench. Set the connection method to Terminal, enter the username and password, and then log on to the graphical terminal page.
In the taskbar search box, enter Server Manager and open it.
Select Add roles and features. In the wizard, click Next until you reach the Server Roles page, then select the Web Server (IIS) checkbox.
In the dialog box that appears, click Add Features and then click Next until you reach the Role Services page.
In the Role services list, expand Web Server > Application Development and select the CGI checkbox. Click Next and then click Install.
After the installation is complete, click Close.

Step 2: Install the PHP runtime environment

Download and install the required Microsoft Visual C++ Redistributable for PHP.
Go to the download page on the official PHP website. Select and download the VS17 x64 Non Thread Safe Zip package.
The IIS FastCGI Module uses a multi-process model where each process runs independently, eliminating the need for thread safety. The Non-Thread Safe (NTS) version of PHP omits these safety checks, offering better performance and greater stability in an IIS environment.
Extract the downloaded Zip package to a directory path that does not contain spaces, such as C:\php. This path will be your PHP installation directory.

Step 3: Configure PHP and IIS integration

Configure IIS to use the FastCGI protocol to call the PHP interpreter. This enables IIS to process .php files by forwarding requests to the PHP interpreter.

In the taskbar search box, enter Internet Information Services (IIS) Manager and open it.
In the left-side navigation pane, click the server hostname to open the server's feature view.
Double-click Handler Mappings. In the right-side Actions pane, click Add Module Mapping....
In the dialog box that appears, configure the following parameters:
- Request Path: *.php
- Module: FastCgiModule
- Executable (optional): C:\php\php-cgi.exe
  In the file selection dialog box, change the file type from .dll to .exe to find php-cgi.exe.
- Name: PHP via FastCGI
Click OK. In the confirmation dialog box that appears, click Yes to create the corresponding FastCGI application.

Step 4: Create and configure the website

Create a new website and configure a dedicated application pool and directory permissions for it.

Create a directory and configure permissions
Following the Principle of Least Privilege, IIS does not automatically grant permissions to new directories. You must manually grant read permissions to the IIS_IUSRS group. Failure to do so will result in a 403 or 500 error when you access the website.
1. In the taskbar search box, enter File Explorer and open it.
2. Create a root directory for your website, for example, C:\myphp.
3. Right-click the website's root directory, then select Properties > Security > Edit... > Add....
4. In the Enter the object names to select box, enter IIS_IUSRS, then click Check Names and OK.
5. Select the newly added IIS_IUSRS group and grant it the Read & execute, List folder contents, and Read permissions.
6. Click OK to save the permission settings.
Change the port of the default IIS website
The new website needs to use port 80, which the default IIS website (Default Web Site) already occupies.
1. In the taskbar search box, enter Internet Information Services (IIS) Manager and open it.
2. In the left-side navigation pane, expand the server hostname, then click Sites.
3. Select Default Web Site. In the right-side Actions pane, click Bindings....
4. Select the port binding, click Edit, change the port to another number (such as 8080), click OK, then click Close.
Add the website
1. In the left-side navigation pane, right-click the Sites node and select Add Website....
2. Configure the website information:
  - Site name: For example, MyPHP.
  - Physical path: The website's root directory, for example, C:\myphp.
  - Port: 80.
3. Click OK.

Step 5: Configure the security group and verify the setup

Create a test page to verify the environment configuration.

Configure a security group rule
To allow public network access to your website, open the web service port in the instance's Security Group.
1. Go to the ECS console - Instances and click the target instance ID to go to its details page.
2. On the instance details page, click the Security Groups tab, then click the ID of the target security group to open its details page.
3. In the list of inbound rules, click Add Rule, configure the following parameters, then save the rule.
  - Action: Allow
  - Protocol: Custom TCP
  - Source: 0.0.0.0/0
  - Destination (Current Instance): 80/80
Create a test page
In the website's root directory (for example, C:\myphp), create a file named index.php and add the following content:
```
<?php
    phpinfo();
?>
```
Access the test page
Open a web browser and go to http://<Public IP address of the instance>/index.php. If the page displays detailed PHP information, your environment is configured correctly.