Creating a simple Firefox/Thunderbird update server with Apache and PHP
The goal of this document is to provide basic instructions on setting up your own update server.
Firefox provides update services by using a REST web service - it goes to a URL and if an XML file is present at that URL, that XML file describes the update that is available.
First, let's talk about the format of the URL. Here is the URL used for upgrading from Firefox 3.5.2 to Firefox 3.5.3:
- Mac OS X
The URL format looks like this:
This URL can be displayed in the browser via
app.update.url and to change it you must add a new default app.update.url default preference.
For our example, we are actually going to place the
update.xml on the server in the fully qualified path specified by the update URL. So in the root of your web server, create the path:
mkdir -p update.dir/3/Firefox/3.5.2/20090729225027/WINNT_x86-msvc/en-US/release/Windows_NT\ 6.0/default/default
update.xml file from aus2.mozilla.org and place it under the lowest
<?xml version="1.0"?> <updates> <update type="minor" version="3.5.3" extensionVersion="3.5.3" buildID="20090824101458" detailsURL="http://www.mozilla.com/en-US/firefox/3.5.3/releasenotes/"> <patch type="complete" URL="http://download.mozilla.org/?product=firefox-3.5.3-complete&os=win&lang=en-US" hashFunction="SHA512" hashValue="f8abbaea98bd453b651c24025dbb8cea5908e532ca64ad7150e88778ccb77c0325341c0fecbec37f31f31cdf7e13955c28140725282d2ce7c4a37c89a25319a1" size="10728423"/> <patch type="partial" URL="http://download.mozilla.org/?product=firefox-3.5.3-partial-3.5.2&os=win&lang=en-US" hashFunction="SHA512" hashValue="20b133f1bd2025360bda8ef0c53132a5806dbd0606e0fe7c6d1291d1392532cc960262f87b0c7d4fbe8f9bc9fba64ed28ecd89b664c17f51f98acdd76b26ea6a" size="2531877"/> </update> </updates>
If you would like to serve these builds from your server instead of download.mozilla.org, copy them to your server and edit the
update.xml file to change the URLs.
Next, we have to configure your Apache server so that we can create a PHP file to handle the web service.
httpd.conf, ensure that
AllowOverride is set to
FileInfo for the root directory. Next, add the following to your
.htaccess file (you might have to create it) in your root directory:
<FILES update> ForceType application/x-httpd-php </FILES>
This tells the web server to treat
update as a PHP file. Now create the PHP file called
update in your root directory:
<?php header("Content-type: text/xml"); $path = preg_replace('/^\/update/', 'update.dir', urldecode($_SERVER["REQUEST_URI"])); echo (file_exists($path)) ? file_get_contents($path) : '<?xml version="1.0"?><updates></updates>'; ?>
Now if you go to the following URL, you should see the XML content.
Finally, you must override the update server that Firefox uses by doing the following:
- (optional) Create a new profile
- Set "app.update.auto" to false (to prevent Firefox from checking the real update server before you can override it)
- Set "app.update.log" to true
Open the Scratchpad, switch to Browser context, and run
This pref cannot be set through about:config, you must do it through the Scratchpad.
Once you've changed the update server, open the Browser Console and check for updates (Help -> About). You should see output in the Browser Console that shows it talking to localhost as the update server. If Firefox is still using your old update server, you may need to delete
updates active-update.xml and updates.xml from your appdir and try again.
You may notice that the default Firefox update URL above uses HTTPS and is served over SSL. SSL does put extra load on the server and you may be tempted to use normal HTTP — don't!
Every user will ping the update server regularly whether there's an update or not (once a day by default). Any user who connects from outside your protected network--particularly from a public WiFi hotspot — can potentially have their connection hijacked and be fed a malicious update. SSL protects against this attack. The
update.xml files are small, don't sweat the SSL overhead.
The large updates themselves can be safely served from a non-secure server because the update files contain a hash that the client will verify. The hash can be trusted only if the
update.xml is served securely.