random memes }

isapi_reward preview

Something I started working on some time back with the aim of meeting a particular goal.

Easy deployment of Java applications means bundling a pure-Java web server (like Jetty, Tomcat, or Geronimo) so the web application is immediately able to run, without an existing web server.

Easy deployment also means simple first-class integration with IIS on Windows. There are a number of distinct advantages to routing requests through IIS if you need Windows authentication, encryption, or compression - especially given that many organisations have standardized internally on Windows authentication as built into IIS. If you are deploying a web application on a company intranet - and the organization is almost certainly using primarily Windows desktops - you really want to use Windows authentication.

With Apache you get pretty much everything you need to rewrite and forward requests in mod_rewrite and stock Apache. With IIS, to get the same function, you need some help. Eventually isapi_reward is meant to meet that need, through a combination of URL rewrite and transparent request forwarding (rewrite and forward).

Fair warning: Request forwarding is not implemented in this version!

Routing all your requests through a single IIS server yields a number of benefits.

(None of which applies at present).

Less running on the IIS box means more requests can be handled by IIS. Microsoft has worked very hard to optimize IIS. It is not much of a stretch to expect a box running only IIS to be capable of handling requests from your entire organization. What is more, the configuration of the IIS-only box need change very little as new web applications are deployed - which translates into fewer compatibility problems and greater stability.

Imagine what it would be like if all your organization's web applications were available through a single (IIS) web server, and that web server never went down! By placing web applications on separate servers, you can upgrade individual applications without in any way disturbing other applications or the main IIS server.

There is some danger of improving the Netcraft scores for IIS :).

Again - request forwarding is not - YET - in this version of the code!

So why am I posting this when the original goal is as-yet unreached?

The reason for posting at this early stage is a not-quite-expected side effect. I find that installing isapi_reward makes it easier to keep IIS tightly secured.

Turns out even with just the basic URL-rewrite code working this is pretty useful. As a developer I would like to leave in place the default IIS installation with all the examples. At the same time I know that some of those examples - if left active - may be terribly insecure. By simply defining a request-routing map that blocks everything and allows only explicitly permitted URLs, I can easily block access to everything but the specific installed application I want to test. A simple edit to isapi_reward.ini absolutely controls which web applications are exposed, while leaving the IIS configuration completely intact! This is much easier and less error-prone than mucking around in the IIS configuration.
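The block-everything-then-allow idea above, sketched in C as an added example; it is not isapi_reward's code and does not reflect the isapi_reward.ini format. The prefixes, function names and sample paths are hypothetical, and the function assumes it is handed the URL path with the query string already removed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical allow list: the only URL prefixes left reachable. */
static const char *const ALLOWED_PREFIXES[] = { "/myapp", "/static/myapp" };

/* Case-insensitive prefix test, since IIS on Windows matches URL paths
   without regard to case. Returns the prefix length, or 0 on mismatch. */
static size_t match_prefix(const char *path, const char *prefix) {
    size_t i = 0;
    for (; prefix[i] != '\0'; i++) {
        if (tolower((unsigned char)path[i]) != tolower((unsigned char)prefix[i]))
            return 0;  /* also taken when path ends before prefix does */
    }
    return i;
}

/* Returns 1 if the request may proceed, 0 if it must be blocked. */
int url_allowed(const char *path) {
    if (path == NULL || path[0] != '/')
        return 0;
    /* Conservative choice: refuse anything that could resolve to a different
       path after matching (encoded bytes, backslashes, any ".." run). */
    if (strchr(path, '%') || strchr(path, '\\') || strstr(path, ".."))
        return 0;
    for (size_t i = 0; i < sizeof ALLOWED_PREFIXES / sizeof ALLOWED_PREFIXES[0]; i++) {
        size_t n = match_prefix(path, ALLOWED_PREFIXES[i]);
        /* The match must end on a segment boundary, so "/myapp" does not
           also admit "/myappadmin". */
        if (n > 0 && (path[n] == '\0' || path[n] == '/'))
            return 1;
    }
    return 0;  /* default deny: nothing matched */
}

int main(void) {
    /* Constructed sample request paths. */
    const char *samples[] = { "/myapp/index.jsp", "/MyApp", "/myappadmin",
                              "/samples/default.htm", "/myapp/../scripts/x" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s %s\n", samples[i], url_allowed(samples[i]) ? "allow" : "block");
    return 0;
}
```

Refusing every `%` is deliberately strict for a test box; a production map would decode and normalize the path once, then match on the result.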

The installation program for isapi_reward sets up isapi_reward as both an ISAPI filter and extension, and will stop/start IIS as needed. There is some basic documentation in the install. This should be entirely safe to try, and should uninstall cleanly.

Note this is early code. On the other hand with 25-odd years of experience in software - much of the work focused on performance and security - there is a better than average chance I got things right.