WordPress on IIS

These are my notes for getting WordPress on IIS 10 (1809) on Windows Server 2019 Core working.  I ran into a problem with MySQL 8.0 so I reverted back to MySQL 5.6 until I can spend a little more time troubleshooting and document my experience.

[This is a running draft currently]

  1. Install and Configure: IIS 10 (1809)
    1. IIS Role
      1. Features > CGI, Dynamic Compression
    2. Configure IIS FastCGI parameters – can be done with the Administration Pack, but I’m running Core and did it from the command line.
      1. %windir%\system32\inetsrv\appcmd set config -section:system.webServer/fastCgi /[fullPath='c:\{php_folder}\php-cgi.exe'].instanceMaxRequests:10000
      2. %windir%\system32\inetsrv\appcmd.exe set config -section:system.webServer/fastCgi /+"[fullPath='C:\{php_folder}\php-cgi.exe'].environmentVariables.[name='PHP_FCGI_MAX_REQUESTS',value='10000']"
    3. GZIP (static/dynamic compression)
  2. Install and Configure: PHP 7.3
    1. Non-thread safe PHP 7.3 x64 installed to C:\PHP
    2. Needs VC15 redistributable (x64)
    3. Configure date.timezone, upload_tmp_dir, etc.
      1. Set permissions for tmp file location using icacls
        1. icacls tmppath /grant "IIS_IUSRS":(OI)(CI)F
  3. Install and Configure: MySQL Community Server 5.6.42
    1. Needs VC13 redistributable
    2. Configure bind-address for 127.0.0.1 in C:\ProgramData\MySQL\my.cnf
  4. Install and Configure WordPress
    1. Folder permissions required (IIS_IUSRS) using icacls
      1. icacls websiteroot /grant "IIS_IUSRS":(OI)(CI)F
    2. Download latest ZIP
      1. Tip: PowerShell Expand-Archive latest.zip works great – seemed slow, but it worked.
    3. IIS Rewrites (2.1 is required – I used x64 download)
      1. Permissions
        1. Note: example.com is the name of a website I created in IIS, so permissions use the App Pool Identity.
        2. icacls "C:\inetpub\example.com" /grant:r "IIS APPPOOL\example.com:(OI)(CI)(RX,W)" /T
        3. Some notes I need to revise:
          1. iis permissions setup
            
            icacls PATH /remove "UserOrGroup" /t (removes recursively)
            
            I use:
            icacls httproot /inheritance:d
            icacls httproot /remove "BUILTIN\Users" /t
            icacls httproot /grant "IIS APPPOOL\domain.com" (this will propagate via inheritance to httproot\*)
            
            
            icacls httproot /grant "IIS APPPOOL\domain.com:(OI)(CI)F" /t
            
            PS C:\inetpub\domain.com> icacls httproot
            httproot IIS APPPOOL\domain.com:(F)
            NT SERVICE\TrustedInstaller:(F)
            NT SERVICE\TrustedInstaller:(OI)(CI)(IO)(F)
            NT AUTHORITY\SYSTEM:(F)
            NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
            BUILTIN\Administrators:(F)
            BUILTIN\Administrators:(OI)(CI)(IO)(F)
            CREATOR OWNER:(OI)(CI)(IO)(F)
            
            
            create site
            authentication > anonymous authentication > edit > change to Application Pool Identity > OK
            
            right click on site > manage > advanced > ensure application pool is selected for correct application pool (domain.com)
            
            application pools > right click domain.com pool > ensure Process Model section > Identity is set to ApplicationPoolIdentity
  5. LetsEncrypt SSL
  6. Benchmark
  7. PHP 5.7 on old IIS 7.5 (2008R2) vs new server (2019 Core) with PHP 7.3
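
The permission notes above go from a Full Control grant for IIS_IUSRS to a per-site App Pool Identity grant. As an added example (not from the original notes), this PowerShell script audits a site root for shared principals with write access and, with -Apply, replaces them with a narrower grant for the pool identity; $SiteRoot, $PoolName and the wp-content write scope are assumptions.

```powershell
# Added example, not from the original notes. $SiteRoot and $PoolName are
# assumptions that follow the example.com naming used above.
param(
    [string]$SiteRoot = 'C:\inetpub\example.com',
    [string]$PoolName = 'example.com',
    [switch]$Apply    # without -Apply the script only reports
)

$poolIdentity = "IIS APPPOOL\$PoolName"
$shared       = 'BUILTIN\IIS_IUSRS', 'BUILTIN\Users', 'Everyone'

# WriteData (0x2) plus the generic write/all bits that inherit-only ACEs can carry.
$writeMask = 0x2 -bor 0x40000000 -bor 0x10000000

# 1. Find allow ACEs that let a shared principal write to the site root.
$findings = @((Get-Acl -LiteralPath $SiteRoot).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $shared -contains $_.IdentityReference.Value -and
    ([int]$_.FileSystemRights -band $writeMask) -ne 0
})
$findings | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize

if ($Apply) {
    # 2. Stop inheriting from the parent, keeping copies of the current ACEs.
    icacls $SiteRoot /inheritance:d
    # 3. Remove the grants of the shared principals the audit flagged.
    $flagged = $findings | ForEach-Object { $_.IdentityReference.Value } | Select-Object -Unique
    foreach ($id in $flagged) {
        icacls $SiteRoot /remove:g $id /T
    }
    # 4. Pool identity: read/execute everywhere, modify only under wp-content.
    #    Assumption: WordPress needs to write only below wp-content.
    icacls $SiteRoot /grant:r "${poolIdentity}:(OI)(CI)(RX)" /T
    icacls (Join-Path $SiteRoot 'wp-content') /grant:r "${poolIdentity}:(OI)(CI)(M)" /T
}

# 5. Show the resulting ACL for review.
icacls $SiteRoot
```

Run it once without -Apply to see what the audit flags before changing any ACL.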

 

Error: This operation was blocked by role based access control settings or other network issue

I’m attempting to upload a file via Windows Admin Center and encountered the following error: Error: This operation was blocked by role based access control settings or other network issue.

Cursory search points to an issue with role-based access, so within Windows Admin Center dashboard, I hit the settings (bottom left) and choose Role Based Access Control.

In here, I attempt to apply Role Based Access Control (RBAC) and get the following error.

Couldn’t apply role-based access control to the computer. Error: The network path was not found.

Another cursory search leads me to think, via Windows Admin Center known issues, that it could be the Windows Defender Application Control (WDAC).  So for kludge purposes, I just decide to remove Windows Defender itself;  I’ll be utilizing a different security suite anyway whenever this makes it to production.

To remove Windows Defender completely from Server 2019 using PowerShell, I use the following command: Uninstall-WindowsFeature -Name Windows-Defender

Note:  This will require a reboot of your server.

After my server came back up, I again tried to apply Role Based Access Control and it failed with the same error.  Now I will dig in a little deeper and update this post soon with new information and hopefully a solution I’ve found.

Resolution

The firewall was the culprit — disabling it, Set-NetFirewallProfile -Profile domain,public,private -Enabled false, resolved the upload error.  I have not attempted to apply RBAC yet.

Tip: Ensure PSRemoting is enabled on the target server and that the firewall rules are added.  From an elevated PowerShell prompt:

Enable-PSRemoting

Set-NetFirewallRule -Name WINRM-HTTP-In-TCP-PUBLIC -RemoteAddress Any

I also needed to allow port 445 as those two didn’t solve my issue:

New-NetFirewallRule -DisplayName "WAC File Upload" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 445 -RemoteAddress 192.168.1.100 -Profile Public,Domain,Private
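
An added example, not part of the original post: with the firewall profiles switched back on, this allows WinRM (5985) and SMB (445) only from the Windows Admin Center gateway and then reports which enabled inbound rules on those ports still accept any remote address. The rule name 'WAC gateway only' and the use of 192.168.1.100 as the gateway address are assumptions.

```powershell
# Added example (not from the original post). $GatewayIp is an assumption:
# the machine running Windows Admin Center, taken from the rule above.
$GatewayIp = '192.168.1.100'
$Ports     = '5985', '445'        # WinRM over HTTP, SMB
$RuleName  = 'WAC gateway only'   # hypothetical display name

# 1. Turn the firewall profiles back on if they were disabled while troubleshooting.
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True

# 2. One inbound rule for both ports, limited to the gateway address.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $Ports -RemoteAddress $GatewayIp -Profile Any | Out-Null
}

# 3. List every enabled inbound allow rule on those ports and who may connect.
$report = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $rule = $_
        $port = $rule | Get-NetFirewallPortFilter
        $addr = $rule | Get-NetFirewallAddressFilter
        $hit  = @($port.LocalPort) | Where-Object { $Ports -contains $_ }
        if ($port.Protocol -eq 'TCP' -and $hit) {
            [pscustomobject]@{
                Rule          = $rule.DisplayName
                LocalPort     = @($port.LocalPort) -join ','
                RemoteAddress = @($addr.RemoteAddress) -join ','
                OpenToAny     = (@($addr.RemoteAddress) -contains 'Any')
            }
        }
    }

# Rules with OpenToAny = True are candidates for a narrower -RemoteAddress.
$report | Sort-Object OpenToAny -Descending | Format-Table -AutoSize

# 4. Confirm all three profiles are enabled again.
Get-NetFirewallProfile | Format-Table Name, Enabled -AutoSize
```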

The next error I get, and I’m not sure why yet, is the following AFTER uploading a file.  The file does upload and the file content is good, but I get the following notification error.

Failed to upload to C:\PHP\TEST. Error: QueryCache: Unable to refresh data; call createObservable() and fetch() first.

Cursory search shows not much info out there.  A couple of GitHub repos with the JSON file this string belongs in, and some stuff for Excel / SQL linking.

When in doubt, procmon reboot.

Well, that didn’t work.  But uploads work, and I guess that’s good enough for Government work.

Ah wait.  I had a look at that error message again and it seemed “webbrowserish” (like jQuery or something) so I restarted my browser and I no longer get that error.

Success.

Windows Server 2019 Licensing Notes

The Windows Server 2019 per-core licensing model requires a minimum of 8 cores per physical socket, with a minimum of 16 total cores licensed per server.

Windows Server 2019 user CALs are required for every user accessing the server, directly or indirectly.