Ovid has asked for the wisdom of the Perl Monks concerning the following question:

Consumer alert: The following post deals with strong subject matter (IIS) and is not, strictly speaking, Perl related. Feel free to downvote at will. In the event of accidental ingestion, please seek professional help immediately.

After some discussion regarding dealing with taint checking while running IIS, our company has developed a different development model. I'm not completely satisfied with it, but it was the best compromise that we could all agree on.

All Perl/CGI development will occur on a Win2K box running Apache and using taint checking. Once unit testing is complete, the scripts will be moved to an identical staging server using IIS and ISAPI (losing the taint checking). System testing will occur there (as well as user beta testing). Once it's satisfactory, the programs will be published to the production server, which is configured identically to the staging server.

My Concern

In theory, the Web server should be irrelevant. They should all implement the protocols in the same fashion. In reality, Apache and IIS have subtle differences and we will need to be especially aware of them during development. For example: IIS 3.0, 4.0, and 5.0 all ignore the Set-Cookie: header on a redirect. If I try to redirect and need cookies, I'll need to switch to nph (non-parsed header) scripts. Apache does not have this issue. Are there other concerns that I should be aware of when switching from one Web server to another?

Cheers,
Ovid

Join the Perlmonks Setiathome Group or just click on the link and check out our stats.
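
The nph approach mentioned in the question, as an added example that is not part of the original post: the script writes the whole HTTP response itself, so the redirect and the cookie reach the browser together. The file name, URL and cookie are constructed, and how a server recognises an nph script (commonly an "nph-" file-name prefix) is an assumption about its configuration.

```perl
#!/usr/bin/perl -T
# Added example; save as nph-redirect.pl (hypothetical name).
use strict;
use warnings;

# Build a complete HTTP response for a redirect that also sets a cookie.
# $location, $name and $value are supplied by the caller.
sub nph_redirect {
    my ($location, $name, $value) = @_;

    # Refuse CR/LF anywhere: either would let a value inject extra headers.
    for my $field ($location, $name, $value) {
        die "illegal character in header field\n" if $field =~ /[\r\n]/;
    }
    # Keep the cookie to a conservative character set.
    die "bad cookie name\n"  unless $name  =~ /\A[A-Za-z0-9_]+\z/;
    die "bad cookie value\n" unless $value =~ /\A[A-Za-z0-9_.\-]*\z/;

    # An nph script must emit the status line the server would otherwise add.
    my $protocol = $ENV{SERVER_PROTOCOL} || 'HTTP/1.0';
    return join "\r\n",
        "$protocol 302 Found",
        "Location: $location",
        "Set-Cookie: $name=$value; path=/",
        "Content-Type: text/plain",
        "",
        "Redirecting to $location\n";
}

binmode STDOUT;   # stop Win32 text mode from turning "\r\n" into "\r\r\n"
$| = 1;           # nothing buffers or repairs nph output, so flush at once

# Constructed sample values.
print nph_redirect('http://www.example.com/cart', 'session', 'abc123');
```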

Replies are listed 'Best First'.
(Ovid) Re: Somewhat OT: IIS and Apache
by Ovid (Cardinal) on Jun 05, 2001 at 20:24 UTC

    This is primarily addressing the issues that MacLir and BigJoe brought up. If you read the post that I originally referred to, you would see that I'm aware of the issues that have been raised here. No, I don't like this development environment. I want all platforms identical. Also, I know that I can have taint checking under IIS. Unfortunately, that involves switching to straight CGI instead of ISAPI (as mentioned in the previous post), and we sacrifice performance. Rather than do that, we stick with ISAPI.

    Now, we *could* develop with CGI and IIS (instead of ISAPI and IIS), but then we have another problem: most of the idiots who used to be working here had no idea of how to develop Web sites. As a result, we have complete chaos that we are slowly reining in. I've worked with the IS Director on this and with the company's limited resources, we've agreed that we will have one and only one development environment. Since some of our sites will run under Apache and some under IIS, we decided to pick the better of the two. The decision is actually a lot more involved than that, but this is the only way we felt we could get tight control. Later, as the development team is more disciplined,* we'll hopefully be able to loosen the reins and have a development environment which is more sane.

    Do I like this compromise? No. Would I do it this way if I had a choice? No. Do I call all the shots? No. However, I don't know that it's a bad decision. By forcing a single development environment and rigorous standards on how we move things into staging and then into production (instead of "hey, I'll just make a quick hack on the production server"), we gain a measure of control that the previous management staff never had. Yes, it means that there are other things that we lose, but we're getting those things back and finally getting a handle on these issues.

    Cheers,
    Ovid

    *For example, one guy I sit next to has a Web site which calls two copies of his checkout.cgi script. These copies are identical, he just didn't bother to update all of his links. I was fixing some problems on his site last night and couldn't figure out why my bug fixes weren't showing up. It really is a nightmare around here, but it's getting better.

    Join the Perlmonks Setiathome Group or just click on the link and check out our stats.

Re: Somewhat OT: IIS and Apache
by sierrathedog04 (Hermit) on Jun 05, 2001 at 05:43 UTC
    Yes, I would be concerned that authentication will break. IIS 4 on NT used built-in custom authentication that was based upon the underlying NT box's logins, and I doubt that has changed.

    Apache, on the other hand, does not use custom authentication unless you compile it in with special modules. Big difference.

    Update: Rewritten to focus on the authentication problem, which I view as the most serious one.

Re: Somewhat OT: IIS and Apache
by Maclir (Curate) on Jun 05, 2001 at 15:37 UTC
    I have some serious difficulties with your company's development / testing / production staging environment. You state that:
    development will occur on a Win2K box running Apache and using taint checking. Once unit testing is complete, the scripts will be moved to an identical staging server using IIS and ISAPI
    Sorry, but having such significantly different environments between development / testing and production (including a different server api) negates much of your whole testing strategy. In all of the applications development I have managed, I have made sure the environments match - even to software versions.

    The bottom line - can you really have confidence that the difference in your environments can be covered?

Re: Somewhat OT: IIS and Apache *Possible Taint Mode fix*
by BigJoe (Curate) on Jun 05, 2001 at 16:25 UTC
    Actually there is a way that you can turn taint checking on, I believe. This will turn Taint check on all files with a certain extension. What you need to do is go into Internet Services Manager. Then click on the site you want to add this to. Next right click it and pick properties. Now pick "Home Directory". In here you will see a button for configuration. It is down towards the bottom. Find your .pl extension and edit it. The executable from ActiveState will look like:
    D:\Perl\bin\Perl.exe %s %s

    Change this line to look like this:
    D:\Perl\bin\Perl.exe -T %s %s

    This should allow you to do Taint mode. (*Warning* These steps are for a WinNT 4.0 Server. I don't have a 2k box to walk through on).

    --BigJoe

    Learn patience, you must.
    Young PerlMonk, craves Not these things.
    Use the source Luke.
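
A script can check for itself whether the interpreter was started in taint mode, whatever the server's script mapping passes to it. The following is an added example, not code from any poster in this thread; the file name guard.pl, the order-id format and the use of the whole query string as the id are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example. Compare "perl -T guard.pl" with "perl guard.pl".
use strict;
use warnings;

# ${^TAINT} (Perl 5.8 and later) is 1 under -T, -1 under -t and 0 when
# taint checking is off, so it shows how the interpreter really started.
sub taint_mode_on { return ${^TAINT} == 1 }

# Untaint by capture: only text matched by an anchored allow-list
# pattern is trusted. The order-id format is a constructed example.
sub untaint_order_id {
    my ($raw) = @_;
    return unless defined $raw;
    return $raw =~ /\A([0-9]{1,10})\z/ ? $1 : undef;
}

# Emit a minimal CGI response and stop.
sub respond {
    my ($status, $body) = @_;
    print "Status: $status\nContent-Type: text/plain\n\n$body\n";
    exit;
}

# Fail closed: do no work at all if the server started perl without -T.
respond('500 Internal Server Error', 'taint checking is not enabled')
    unless taint_mode_on();

# Hypothetical request: the whole query string is the order id.
my $order_id = untaint_order_id($ENV{QUERY_STRING});
respond('400 Bad Request', 'invalid order id') unless defined $order_id;

respond('200 OK', "order $order_id accepted");
```

Deployed on both the development and the staging server, a guard like this turns a silently missing -T into a visible 500 response during system testing.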