mozilla

Revision 129579 of Setting up an update server

  • Revision slug: Mozilla/Setting_up_an_update_server
  • Revision title: Setting up an update server
  • Revision id: 129579
  • Created:
  • Creator: entie
  • Is current revision? No
  • Comment 33 words added

Revision Content

Creating a simple Firefox/Thunderbird update server with Apache and PHP

The goal of this document is to provide basic instructions on setting up your own update server.

Firefox provides update services by using a REST web service - it goes to a URL and if an XML file is present at that URL, that XML file describes the update that is available.

First, let's talk about the format of the URL. Here is the URL used for upgrading from Firefox 1.5 to Firefox 1.5.0.1 on Windows

https://aus2.mozilla.org/update/1/Fi...ase/update.xml

The URL format looks like this:

https://aus2.mozilla.org/update/1/%P...EL%/update.xml

Version 3

https://aus2.mozilla.org/update/3/%P...ON%/update.xml

This URL can be displayed in the browser via about:config as app.update.url, but to change it, you must create a new pref called app.update.url.override that contains your new value.

https://aus2.mozilla.org/update/1/%P...EL%/update.xml

The update channel can be only be changed by modifying the file channels-pref.js in the defaults/pref directory where Firefox is installed. It defaults to "release" for official Firefox builds. This can be used for beta's or custom builds, etc.

For our example, we are actually going to place the update.xml on the server in the fully qualified path specified by the update URL. So in the root of your web server, create the path:

update.dir/1/Firefox/1.5/2005111116/WINNT_x86-msvc/en-US/release

Place the file update.xml there:

<?xml version="1.0"?>
<updates>
    <update type="minor" version="1.5.0.1" extensionVersion="1.5.0.1" buildID="2006011112"  detailsURL="http://www.mozilla.com/firefox/releases/1.5.0.1.html">
        <patch type="complete" URL="http://download.mozilla.org/?product=firefox-1.5.0.1-complete&os=win&lang=en-US" hashFunction="SHA1" hashValue="510abd3fa73edb227c088bcd1fedd10f49dc395f" size="6324282"/>
        <patch type="partial" URL="http://download.mozilla.org/?product=firefox-1.5.0.1-partial-1.5&os=win&lang=en-US" hashFunction="SHA1" hashValue="e2e4871f753c9afdbfd60f55f769c656098846f5" size="768563"/>
    </update>
</updates>

Next, we have to configure our Apache server so that we can create a PHP file to handle the web service.

First in httpd.conf, ensure that AllowOverride is set to FileInfo for the root directory. Next, add the following to your .htaccess file (you might have to create it)

<FILES update>
ForceType application/x-httpd-php
</FILES>

This tells the web server to treat "update" as a PHP file. Now create the PHP file called update:

<?php
header("Content-type: text/xml");

$url_array=explode("/",$_SERVER["REQUEST_URI"]);
$noidea=$url_array[2];
$product=$url_array[3];
$version=$url_array[4];
$build_id=$url_array[5];
$build_target=$url_array[6];
$locale=$url_array[7];
$channel=$url_array[8];
// filename is totally ignored
$filename=$url_array[9];

$updatefile = "update.dir/$noidea/$product/$version/$build_id/$build_target/$locale/$channel/$filename";

if (file_exists($updatefile)) {
  $handle = fopen($updatefile, "r");
  $contents = fread($handle, filesize($updatefile));
  echo "$contents";
  fclose($handle);
} else {
echo '<?xml version="1.0"?>';
?>
<updates></updates>
<?
}

?>

Now if you go to the URL

http://localhost/update/1/Firefox/1....ase/update.xml

you should see XML.

If for some reason, you do not want to use the PHP file (for instance heavy traffic), just rename update to update.php and rename update.dir to update.

 

Security Considerations

You may notice that the default Firefox update URL above uses https and is served over SSL. SSL does put extra load on the server and you may be tempted to use normal HTTP -- don't!

Every user will ping the update server regularly whether there's an update or not (once a day by default). Any user who connects from outside your protected network--particularly from a public WiFi hotspot--can potentially have their connection hijacked and be fed a malicious update. SSL protects against this attack. The update.xml files are small, don't sweat the SSL overhead.

The large updates themselves can be safely served from a non-secure server because the update files contain a hash that the client will verify. The hash can be trusted only if the update.xml is served securely.

See Also

XULRunner:Application Update

Revision Source

<h3 name="Creating_a_simple_Firefox.2FThunderbird_update_server_with_Apache_and_PHP">Creating a simple Firefox/Thunderbird update server with Apache and PHP</h3>
<p>The goal of this document is to provide basic instructions on setting up your own update server.</p>
<p>Firefox provides update services by using a REST web service - it goes to a URL and if an XML file is present at that URL, that XML file describes the update that is available.</p>
<p>First, let's talk about the format of the URL. Here is the URL used for upgrading from Firefox 1.5 to Firefox 1.5.0.1 on Windows</p>
<p><a class=" link-https" href="https://aus2.mozilla.org/update/1/Firefox/1.5/2005111116/WINNT_x86-msvc/en-US/release/update.xml" rel="freelink">https://aus2.mozilla.org/update/1/Fi...ase/update.xml</a></p>
<p>The URL format looks like this:</p>
<p><a class=" link-https" href="https://aus2.mozilla.org/update/1/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/update.xml" rel="freelink">https://aus2.mozilla.org/update/1/%P...EL%/update.xml</a></p>
<p>Version 3</p>
<p><a class=" link-https" href="https://aus2.mozilla.org/update/3/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml" rel="freelink">https://aus2.mozilla.org/update/3/%P...ON%/update.xml</a></p>
<p>This URL can be displayed in the browser via about:config as app.update.url, but to change it, you must create a new pref called app.update.url.override that contains your new value.</p>
<p><a class=" link-https" href="https://aus2.mozilla.org/update/1/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/update.xml" rel="freelink">https://aus2.mozilla.org/update/1/%P...EL%/update.xml</a></p>
<p>The update channel can be only be changed by modifying the file channels-pref.js in the defaults/pref directory where Firefox is installed. It defaults to "release" for official Firefox builds. This can be used for beta's or custom builds, etc.</p>
<p>For our example, we are actually going to place the update.xml on the server in the fully qualified path specified by the update URL. So in the root of your web server, create the path:</p>
<pre>update.dir/1/Firefox/1.5/2005111116/WINNT_x86-msvc/en-US/release
</pre>
<p>Place the file update.xml there:</p>
<pre>&lt;?xml version="1.0"?&gt;
&lt;updates&gt;
    &lt;update type="minor" version="1.5.0.1" extensionVersion="1.5.0.1" buildID="2006011112"  detailsURL="http://www.mozilla.com/firefox/releases/1.5.0.1.html"&gt;
        &lt;patch type="complete" URL="http://download.mozilla.org/?product=firefox-1.5.0.1-complete&amp;os=win&amp;lang=en-US" hashFunction="SHA1" hashValue="510abd3fa73edb227c088bcd1fedd10f49dc395f" size="6324282"/&gt;
        &lt;patch type="partial" URL="http://download.mozilla.org/?product=firefox-1.5.0.1-partial-1.5&amp;os=win&amp;lang=en-US" hashFunction="SHA1" hashValue="e2e4871f753c9afdbfd60f55f769c656098846f5" size="768563"/&gt;
    &lt;/update&gt;
&lt;/updates&gt;
</pre>
<p>Next, we have to configure our Apache server so that we can create a PHP file to handle the web service.</p>
<p>First in httpd.conf, ensure that AllowOverride is set to FileInfo for the root directory. Next, add the following to your .htaccess file (you might have to create it)</p>
<pre>&lt;FILES update&gt;
ForceType application/x-httpd-php
&lt;/FILES&gt;
</pre>
<p>This tells the web server to treat "update" as a PHP file. Now create the PHP file called update:</p>
<pre>&lt;?php
header("Content-type: text/xml");

$url_array=explode("/",$_SERVER["REQUEST_URI"]);
$noidea=$url_array[2];
$product=$url_array[3];
$version=$url_array[4];
$build_id=$url_array[5];
$build_target=$url_array[6];
$locale=$url_array[7];
$channel=$url_array[8];
// filename is totally ignored
$filename=$url_array[9];

$updatefile = "update.dir/$noidea/$product/$version/$build_id/$build_target/$locale/$channel/$filename";

if (file_exists($updatefile)) {
  $handle = fopen($updatefile, "r");
  $contents = fread($handle, filesize($updatefile));
  echo "$contents";
  fclose($handle);
} else {
echo '&lt;?xml version="1.0"?&gt;';
?&gt;
&lt;updates&gt;&lt;/updates&gt;
&lt;?
}

?&gt;
</pre>
<p>Now if you go to the URL</p>
<p><a class=" external" href="http://localhost/update/1/Firefox/1.5/2005111116/WINNT_x86-msvc/en-US/release/update.xml" rel="freelink">http://localhost/update/1/Firefox/1....ase/update.xml</a></p>
<p>you should see XML.</p>
<p>If for some reason, you do not want to use the PHP file (for instance heavy traffic), just rename update to update.php and rename update.dir to update.</p>
<p> </p>
<h3 name="Security_Considerations">Security Considerations</h3>
<p>You may notice that the default Firefox update URL above uses https and is served over SSL. SSL does put extra load on the server and you may be tempted to use normal HTTP -- don't!</p>
<p>Every user will ping the update server regularly whether there's an update or not (once a day by default). Any user who connects from outside your protected network--particularly from a public WiFi hotspot--can potentially have their connection hijacked and be fed a malicious update. SSL protects against this attack. The update.xml files are small, don't sweat the SSL overhead.</p>
<p>The large updates themselves can be safely served from a non-secure server because the update files contain a hash that the client will verify. The hash can be trusted only if the update.xml is served securely.</p>
<h3 name="See_Also">See Also</h3>
<p><a href="/en/XULRunner/Application_Update" title="en/XULRunner/Application_Update">XULRunner:Application Update</a></p>
Revert to this revision