Table of Contents
1. Install all dependencies
2. Install the MySQL database
3. Securing the MySQL server deployment
4. Install the server
5. Testing time
6. Install Apache2
7. Configure Apache to use SSL
8. Configure the Firefox browser to talk to the sync server
9. Test the SSL configurations
For privacy and security reasons you may want to run your own sync service, so get a cup of coffee and sit tight: I will show you how to build a Firefox Sync Server on a VPS. For the VirtualBox file, please contact us.
1. Install all dependencies
First, let's install all the dependencies:
sudo apt-get update
sudo apt-get install python-dev git-core python-virtualenv libapache2-mod-wsgi
2. Install the MySQL database
After installing the dependencies we install the MySQL database:
sudo apt-get update
sudo apt-get install mysql-server -y
You’ll be prompted to create a root password during the installation.
Choose a secure one and make sure you remember it, because you’ll need it later. Next, we’ll finish configuring MySQL.
3. Securing the MySQL server deployment
Enter password for user root:
VALIDATE PASSWORD PLUGIN can be used to test passwords
and improve security. It checks the strength of password
and allows the users to set only those passwords which are
secure enough. Would you like to setup VALIDATE PASSWORD plugin?
Press y|Y for Yes, any other key for No: no
Using existing password for root.
Change the password for root ? ((Press y|Y for Yes, any other key for No) : no
By default, a MySQL installation has an anonymous user, allowing anyone to log into MySQL without having to have a user account created for them. This is intended only for testing, and to make the installation go a bit smoother. You should remove them before moving into a production environment.
Remove anonymous users? (Press y|Y for Yes, any other key for No) : yes
Success.
Normally, root should only be allowed to connect from 'localhost'. This ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? (Press y|Y for Yes, any other key for No) : yes
Success.
By default, MySQL comes with a database named 'test' that anyone can access. This is also intended only for testing, and should be removed before moving into a production environment.
Remove test database and access to it? (Press y|Y for Yes, any other key for No) : yes
 - Dropping test database... Success.
 - Removing privileges on test database... Success.
Reloading the privilege tables will ensure that all changes made so far will take effect immediately.
Reload privilege tables now? (Press y|Y for Yes, any other key for No) : yes
Success.
Testing MySQL:
Regardless of how you installed it, MySQL should have started running automatically. To test this, check its status.
systemctl status mysql.service
You’ll see output similar to the following:
● mysql.service - MySQL Community Server
   Loaded: loaded (/lib/systemd/system/mysql.service; enabled; vendor preset: en
   Active: active (running) since Wed 2016-11-23 21:21:25 UTC; 30min ago
 Main PID: 3754 (mysqld)
    Tasks: 28
   Memory: 142.3M
      CPU: 1.994s
   CGroup: /system.slice/mysql.service
           └─3754 /usr/sbin/mysqld
If MySQL isn’t running, you can start it with:
sudo systemctl start mysql
The mysql_secure_installation script, whose prompts are shown in Step 3, asks for the root password you created in Step 2. You can press Y and then ENTER to accept the defaults for all the subsequent questions, with the exception of the one that asks if you'd like to change the root password.
Now let's create the database:
mysql -u root -p
(this will prompt you for the root password you created in Step 2)
CREATE DATABASE syncserver;
GRANT ALL PRIVILEGES ON syncserver.* TO noobs IDENTIFIED BY "tech";
exit
4. Install the server
cd /opt
git clone https://github.com/mozilla-services/syncserver
cd syncserver
make build
If you get this error:
The program 'make' can be found in the following packages:
 * make
 * make-guile
Try: apt install <selected package>
then install make with apt-get install make and run make build again.
If you get another error complaining about virtualenv…
then you need to install pip and then install virtualenv. First set the locale:
export LC_ALL="en_US.UTF-8"
export LC_CTYPE="en_US.UTF-8"
sudo dpkg-reconfigure locales
and choose your language…
sudo apt-get install python3-pip
sudo pip3 install virtualenv
make build
Give the right permissions:
chown root:www-data -R /opt/syncserver
chmod 750 -R /opt/syncserver
sudo make test
5. Testing time
Configure the sync server
Change the following settings in /opt/syncserver/syncserver.ini in the section "[syncserver]":
# Replace the domain name and port
public_url = https://your.domain.net/
# DB_HOST is the address of the MySQL server installed in Step 2
sqluri = pymysql://noobs:tech@DB_HOST:3306/syncserver
# Generate a secret with "head -c 20 /dev/urandom | sha1sum"
# and place it here
secret = YOURSECRET
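The script below is an added example of mine, not part of the original post or of the syncserver project. It generates the secret exactly as the .ini comment suggests, writes the [syncserver] section with the values used in this post (DB_HOST is a placeholder for your MySQL host, since the file path and host are assumptions here), restricts the file to its owner and group, and then checks the result for the mistakes that bite in practice: a secret left at the YOURSECRET placeholder, a public_url that is not https, or a world-readable file that exposes the database password and the token-signing secret to every local account.

```shell
#!/bin/sh
# Added example (not from the post or the syncserver project): write and
# sanity-check the [syncserver] section of syncserver.ini.
# Assumption: DB_HOST is a placeholder for the address of the MySQL server.
set -eu

# Secret as the .ini comment suggests: 20 random bytes, SHA-1 hashed,
# giving 40 hex characters.
gen_secret() {
    head -c 20 /dev/urandom | sha1sum | cut -d' ' -f1
}

# Render the section. $1 = public_url, $2 = sqluri, $3 = secret.
render_syncserver_section() {
    printf '[syncserver]\npublic_url = %s\nsqluri = %s\nsecret = %s\n' "$1" "$2" "$3"
}

# Write the section to $1 and make it unreadable to "other": the file holds
# the database password and the secret that signs sync tokens.
# Prints the generated secret so the caller can record it.
write_ini() {
    file=$1
    secret=$(gen_secret)
    render_syncserver_section "https://firefoxsync.com/" \
        "pymysql://noobs:tech@DB_HOST:3306/syncserver" "$secret" > "$file"
    chmod 640 "$file"     # as root, also chown root:www-data "$file" as in the post
    printf '%s\n' "$secret"
}

# Read one key from a flat ini file (first match wins).
ini_get() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Return 0 when the file is fit for production, 1 otherwise (reasons on stderr).
check_syncserver_ini() {
    file=$1
    rc=0
    secret=$(ini_get "$file" secret)
    if [ -z "$secret" ] || [ "$secret" = "YOURSECRET" ]; then
        echo "secret is missing or still the placeholder" >&2; rc=1
    elif [ "${#secret}" -lt 20 ]; then
        echo "secret is too short to resist guessing" >&2; rc=1
    fi
    case $(ini_get "$file" public_url) in
        https://*) ;;
        *) echo "public_url must be an https URL, or tokens travel in the clear" >&2; rc=1 ;;
    esac
    # Column 8 of ls -l is the "other" read bit; "r" means world-readable.
    if [ "$(ls -l "$file" | cut -c8)" = "r" ]; then
        echo "$file is world-readable; chmod 640 it" >&2; rc=1
    fi
    return $rc
}

# Usage: sh this_script.sh /opt/syncserver/syncserver.ini
if [ -n "${1:-}" ]; then
    write_ini "$1" >/dev/null
    check_syncserver_ini "$1"
fi
```

Run check_syncserver_ini against the real file after every edit; it is cheap, and the three conditions it tests are exactly the ones that turn a working sync server into one that leaks credentials or lets anyone mint tokens.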
6. Install Apache2
We will install Apache2 and run the sync server behind it, for better security and for load balancing.
apt-get install apache2 -y
Configure Apache2: make sure the WSGI module (provided by the libapache2-mod-wsgi package installed in Step 1) is enabled, then restart:
service apache2 restart
Create a new config file, /etc/apache2/sites-available/firefoxsync.com.conf, and insert this:
<VirtualHost *:80>
    ServerName firefoxsync.com
    Redirect / https://firefoxsync.com
</VirtualHost>

<VirtualHost *:443>
    ServerName firefoxsync.com
    DocumentRoot /opt/syncserver
    WSGIProcessGroup sync
    WSGIDaemonProcess sync user=www-data group=www-data processes=2 threads=25 python-path=/opt/syncserver/local/lib/python2.7/site-packages/
    WSGIPassAuthorization On
    WSGIScriptAlias / /opt/syncserver/syncserver.wsgi
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
    CustomLog /var/log/apache2/access_sync.log combined
    ErrorLog /var/log/apache2/error_sync.log
    LogLevel warn
</VirtualHost>

<Directory /opt/syncserver>
    Require all granted
</Directory>
Enable the config file and restart Apache2:
ln -s /etc/apache2/sites-available/firefoxsync.com.conf /etc/apache2/sites-enabled/firefoxsync.com.conf
service apache2 restart
7. Configure Apache to use SSL
Let's enable the SSL module:
a2enmod ssl
Then we restart Apache and get an error:
SSLCertificateFile: file '/etc/apache2/ssl/server.crt' does not exist or is empty
We have to create a self-signed SSL certificate:
Step 1: Generate a private key
Go to /etc/apache2, create the ssl directory and generate the key:
cd /etc/apache2/
mkdir ssl
cd ssl/
openssl genrsa -des3 -out server.key 1024
Enter pass phrase for server.key:
Step 2: Generate a CSR (Certificate Signing Request)
openssl req -new -key server.key -out server.csr
Example responses you can give:
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:DE
Locality Name (eg, city) []:munic
Organization Name (eg, company) [Internet Widgits Pty Ltd]:golos
Organizational Unit Name (eg, section) []:oka
Common Name (e.g. server FQDN or YOUR name) []:ADAZA
Email Address []:(your e-mail address)

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Step 3: Remove the passphrase from the key
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key
Enter the passphrase again.
Step 4: Generate a self-signed certificate
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
/etc/init.d/apache2 restart
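As an added example (mine, not the post's or Mozilla's), the following script collapses Steps 1 to 4 into one openssl invocation and goes a little beyond the post: it uses a 2048-bit key instead of 1024, skips the passphrase that Step 3 strips off again, and puts the hostname in a subjectAltName, because Firefox matches the certificate against the SAN rather than the Common Name. It assumes OpenSSL 1.1.1 or newer (for -addext) and GNU date for the expiry arithmetic; the output directory and hostname are arguments, with the post's /etc/apache2/ssl and firefoxsync.com used in the usage line. The check functions are the ones worth running against any certificate you hand to Apache, self-signed or not.

```shell
#!/bin/sh
# Added example (not from the post): create a self-signed certificate for the
# Apache vhost in one step instead of the four passphrase-then-strip steps.
# Assumes OpenSSL >= 1.1.1 (-addext) and GNU date.
set -eu

# $1 = output directory (the post uses /etc/apache2/ssl), $2 = the hostname
# Firefox will connect to, $3 = validity in days (default 365).
make_self_signed_cert() {
    dir=$1; host=$2; days=${3:-365}
    mkdir -p "$dir"
    # umask 077 makes the key owner-only from the moment it is written;
    # -nodes skips the passphrase the post adds and then removes again.
    (
        umask 077
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
            -keyout "$dir/server.key" -out "$dir/server.crt" \
            -subj "/CN=$host" -addext "subjectAltName=DNS:$host" 2>/dev/null
    )
    chmod 644 "$dir/server.crt"   # the certificate itself is public
}

# Browsers match the hostname against subjectAltName, not the Common Name.
# $1 = certificate file, $2 = hostname.
cert_covers_host() {
    openssl x509 -in "$1" -noout -text | grep -Eq "DNS:$2(,|[[:space:]]|\$)"
}

# The private key must be readable by its owner only (no group/other bits).
key_is_private() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# $1 = key, $2 = certificate: both must carry the same public key, and the
# certificate must validate against itself (it is its own issuer).
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey)" ] &&
        openssl verify -CAfile "$2" "$2" >/dev/null 2>&1
}

# Whole days until the certificate expires, for a renewal reminder.
cert_days_left() {
    end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    end_s=$(date -d "$end" +%s)
    echo $(( (end_s - $(date +%s)) / 86400 ))
}

# Usage: sh this_script.sh /etc/apache2/ssl firefoxsync.com
if [ $# -ge 2 ]; then
    make_self_signed_cert "$1" "$2"
    cert_covers_host "$1/server.crt" "$2" && key_is_private "$1/server.key" \
        && key_matches_cert "$1/server.key" "$1/server.crt" \
        && echo "ok: $2, $(cert_days_left "$1/server.crt") days left"
fi
```

The certificate is still self-signed, so Firefox will show the warning described in Step 8 until you add an exception; the SAN only ensures the warning is about trust, not also about a name mismatch, which is what you get when the Common Name is something like ADAZA while the browser is asking for firefoxsync.com.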
8. Configure the Firefox browser to talk to the sync server
On your Mac or PC, edit the hosts file:
sudo nano /etc/hosts
and map firefoxsync.com to the VPS IP address, where 220.127.116.11 is the VPS IP address.
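Here is an added example (not from the post) of doing that hosts-file edit as a script you can run more than once without piling up duplicate lines: it removes any earlier mapping of the name, appends the new one, and leaves comments and other hosts alone. The IP 220.127.116.11 and the name firefoxsync.com are the ones the post uses; the file path is an argument so the functions can be exercised on a copy before touching /etc/hosts.

```shell
#!/bin/sh
# Added example (not from the post): manage the test-machine hosts entry that
# points firefoxsync.com at the VPS. Idempotent: running it twice, or with a
# new IP, leaves exactly one mapping for the name.
set -eu

# $1 = hosts file, $2 = IP address, $3 = hostname
add_hosts_entry() {
    hosts_file=$1; ip=$2; name=$3
    esc=$(printf '%s' "$name" | sed 's/\./\\./g')   # dots must be literal in the regex
    tmp=$(mktemp)
    # Keep comments and every other entry; drop existing mappings of this name.
    # A mapping is a non-comment line with the name as a whitespace-separated field.
    grep -Ev "^[^#]*[[:space:]]$esc([[:space:]]|\$)" "$hosts_file" > "$tmp" || true
    printf '%s\t%s\n' "$ip" "$name" >> "$tmp"
    cat "$tmp" > "$hosts_file"   # cat, not mv: keeps the file's owner and mode
    rm -f "$tmp"
}

# Print the address the hosts file ($1) maps $2 to; first match wins,
# which is how the resolver reads the file.
lookup_hosts() {
    awk -v n="$2" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }' "$1"
}

# Number of non-comment lines in $1 that map the name $2.
count_hosts_entries() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -Ec "^[^#]*[[:space:]]$esc([[:space:]]|\$)" "$1" || true
}

# Usage: sudo sh this_script.sh /etc/hosts 220.127.116.11 firefoxsync.com
if [ $# -eq 3 ]; then
    add_hosts_entry "$1" "$2" "$3"
    echo "$3 -> $(lookup_hosts "$1" "$3")"
fi
```

Because firefoxsync.com is not a name you resolve through DNS here, this entry is the only thing steering the browser to the VPS, and it does so for every application on the machine; remove the line when you are done testing.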
Now open /opt/syncserver/syncserver/__init__.py (nano /opt/syncserver/syncserver/__init__.py) and change it like this:
from this :
# If the environ does not match public_url, requests are almost certainly
# going to fail due to auth errors. We can either bail out early, or we
# can forcibly clobber the WSGI environ with the values from public_url.
# This is a security risk if you've e.g. mis-configured the server, so
# it's not enabled by default.
application_url = request.application_url
if public_url != application_url:
    if not request.registry.settings.get("syncserver.force_wsgi_environ"):
        msg = "\n".join((
            "The public_url setting doesn't match the application url.",
            "This will almost certainly cause authentication failures!",
            "    public_url setting is: %s" % (public_url,),
            "    application url is:    %s" % (application_url,),
            "You can disable this check by setting the force_wsgi_environ",
            "option in your config file, but do so at your own risk.",
        ))
        logger.error(msg)
        raise _JSONError([msg], status_code=500)
    request.scheme = p_public_url.scheme
    request.host = p_public_url.netloc
    request.script_name = p_public_url.path.rstrip("/")
To this :
# If the environ does not match public_url, requests are almost certainly
# going to fail due to auth errors. We can either bail out early, or we
# can forcibly clobber the WSGI environ with the values from public_url.
# This is a security risk if you've e.g. mis-configured the server, so
# it's not enabled by default.
# Only rewrite the request host when public_url carries a non-standard
# port and the request itself arrived on a default port (or none).
if p_public_url.port not in (None, 80, 443):
    port_str = str(p_public_url.port)
    if request.host_port != port_str:
        if request.host_port in (None, "80", "443"):
            request.host = p_public_url.netloc
application_url = request.application_url
Save and close.
Go to /opt/syncserver (cd /opt/syncserver) and run this command:
If it fails, check the error.
If it is OK, restart Apache and run:
tail -f /var/log/apache2/error_sync.log
to check for errors.
Now open Firefox and browse to firefoxsync.com. You will get a "Your connection is not secure" warning; click Advanced:
The certificate is not trusted because it is self-signed!
Click "Add Exception" and confirm.
You should get this message: "It works!"
Now everything is working 🙂
Let's change the sync server URL in Firefox so it contacts our own server on the VPS. Go to about:config,
search for identity.sync.tokenserver.uri and replace its value with https://firefoxsync.com/token/1.0/sync/1.5 (your public_url followed by token/1.0/sync/1.5; for a server at sync.example.com the value would be http://sync.example.com/token/1.0/sync/1.5).
Now sign in and sync!
9. Test the SSL configurations
See the video: