How To Install Firefox Sync Server 1.5 on Ubuntu

With Firefox 29, Mozilla introduced a new version of their sync protocol. While new things are (usually) nice, Firefox 29 and later versions of the browser is not compatible with the old versions of the sync protocol. The renders the Sync Server you installed following the guide I wrote useless. It’s time to install the new version of the Firefox Sync Server on your Ubuntu box.

This guide is based on Mozilla’s own installation and configuration instructions, with a few tweaks. My version of the guide will focus on installing the Sync Server behind Apache 2.2, simply because that’s my setup. If you need to know how to use Apache 2.4 or Nginx, please refer to Mozilla’s instructions.

A major change from the old version of the sync protocol is that the new one requires that you use Firefox Accounts for user authentication. With last year’s NSA and PRISM scandal in mind, this is a bad thing, because the authentication for your sync server now goes through a third party. The good news is that you can also run your own installation of a Firefox Accounts server, but this is not covered by this guide. I might eventually get around to write a guide for that as well, but if you’re in a hurry to run your own Firefox Accounts server and can’t wait for that to happen, you can follow Mozilla’s own installation and configuration instructions for the Firefox Accounts Server.

With all that in mind, let’s get started.

Building, configuring and running

The first thing you do is to install a few prerequisites. There’s a chance you might already have one or more of these installed, but the following command will make sure you have everything you need.

sudo apt-get install python-dev git-core python-virtualenv make gcc g++

Next, we pull the latest version of the sync server source code from Mozilla’s git repository on github and build it.

cd /opt
sudo git clone https://github.com/mozilla-services/syncserver
cd syncserver
sudo make build

The “make” command will download a few dependencies and build the server. This might all take a while, depending on the speed of your internet connection and how powerful your CPU is. When the build is complete, we can move on to configuring the sync server, which we’ll do by making changes to the syncserver.ini file. Open the file in your preferred text editor and make the following changes:

The public_url parameter is the client-visible URL for the service. So if your server is installed at a server using the IP address 192.168.1.222, you have to set the following value:

[syncserver]
public_url = http://192.168.1.222:5000/

By default the server will use an in-memory database for storage, meaning that any sync data will be lost on server restart. You will almost certainly want to configure a more permanent database, which can be done with the “sqluri” setting. The sync server can also use a MySQL database, but configuring setting up everything to get that to work is not covered by this guide.

[syncserver]
sqluri = sqlite:////opt/syncserver/syncserver.db

The server uses a “secret” to generate cryptographically-signed authentication tokens. Save the configuration file and exit your text editor and run the following command to generate a unique secret:

head -c 20 /dev/urandom | sha1sum

The result should be a long string of alphanumeric characters. Copy-paste the string into the secret parameter in the syncserver.ini file (your value will be different from the one in the example below):

[syncserver]
secret = db8a203aed5fe3e4594d4b75990acb76242efd35

We can now finally start the server. Exit the text editor and run the following command:

sudo local/bin/pserve syncserver.ini

The server is now running and will run until you tell it to stop by pressing CTRL+C.

Configuring Firefox

At the time of writing (Firefox 30), there’s no convenient way to configure Firefox to use a private sync server. You have to open a new window or tab in the browser and enter about:config in the address bar. Search for the “services.sync.tokenServerURI” in the available settings. If you can’t find that, search for “identity.sync.tokenserver.uri”. Change the value of whatever property you find to the address of your server with a path of “token/1.0/sync/1.5”.

For instance, with the settings we used above for the server, the complete value will be “http://192.168.1.222:5000/token/1.0/sync/1.5”.

Hopefully, Mozilla will change the way a custom sync server is configured in future versions of Firefox. Next, go to Settings -> “Sign in to Sync”. When signed in, Firefox should finally sync everything with your own sync server. As soon as Firefox starts syncing, you should see log messages appear in your console window. If nothing happens, you can enter about:sync-log in a browser or tab window’s address bar to check if there’s anything in Firefox’ client side sync logs.

If you want to sync Firefox on your Android phone with your personal sync server, you’re almost all out of luck. Right now, there’s no way to configure the Android version of Firefox to use another sync server than Mozilla’s own unless you compile the browser from source. Further details and updates may be found in Bug 1003877.

Running behind Apache 2.2

So now you have the Firefox Sync Server 1.5 up and running and Firefox is synchronizing with it successfully. But there are a few issues with the current configuration we need to address:

  • The communication channel is not encrypted, making it easy for a man in the middle to eavesdrop on you.
  • The server does not start automatically when you boot Ubuntu.
  • As it is started now, the server will stop when you log out.

All of these issue can be solved by running the sync server behind a web server and Mozilla has provided the necessary building block for us to do so. I’m assuming that you have Apache 2.2, mod_wsgi and mod_ssl installed and properly configured already. If you don’t and have no idea how to do that, there are plenty of other guides on the internet that can help you. Another assumption I make is that your sync server will be available on a valid domain, for instance example.com.

First, we need to create a file called syncserver in the directory /etc/apache2/sites-available. Then copy-paste the following into the file. Replace “example.com” with the hostname you will be using.

Order deny,allow
  Allow from all

  ServerName example.com
  DocumentRoot /opt/syncserver

  SSLEngine on
  SSLCertificateFile /etc/apache2/example.com.crt
  SSLCertificateKeyFile /etc/apache2/exampe.com.key

  WSGIProcessGroup sync
  WSGIDaemonProcess sync user=ffsync group=ffsync processes=2 threads=25 python-path=/opt/syncserver/local/lib/python2.7/site-packages/
  WSGIPassAuthorization On
  WSGIScriptAlias / /opt/syncserver/syncserver.wsgi
  CustomLog /var/log/apache2/example.com-access.log combined
  ErrorLog  /var/log/apache2/example.com-error.log

Next, we’ll create the necessary certificate files. Once again, replace “example.com” with whatever domain name you will be using. You can use the default values on all the prompts openssl gives you.

sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/apache2/example.com.key -out /etc/apache2/example.com.crt

Then we have to change the value of the public_url parameter in the syncserver.ini file so it matches the new sync server address and protocol, which is HTTPS now, not HTTP.

[syncserver]
public_url = https://example.com/

Next, we create a local user to run the sync server and make sure the user has the rights to access the correct files.

sudo useradd -d /opt/syncserver/ -l -r -U ffsync
sudo chown -R ffsync:ffsync /opt/syncserver/

The final step on the server is to activate the new Apache configuration and restart everything to make sure Apache is able to actually start the sync server.

sudo a2ensite syncserver
sudo service apache2 restart

Configuring Firefox (again)

On the client side we now need to configure Firefox to accept our self signed certificate. This should have been as easy as to add a security exception, but I can’t for the life of me get it to work. I did find a workaround, however.

In Firefox, go to Options -> Advanced -> Certificates -> View Certificates. In the new windows, select the Servers tab, then click Add Exceptions. Enter the URL of your sync server and click Get Certificate. Make sure that the “Permanently store exception” checkbox is checked and click Confirm Exception. Next, click the Authorities tab, select your certificate in the list and click Edit trust. In the window that opens, check “This certificate can identify websites”, click OK and you’re all done.

Next, we have to disconnect from the previous sync server URL. Go to Options -> select the Sync tab and click Disconnect and then Continue. Then, we have to update the value of the services.sync.tokenServerURI parameter in about:config that we set earlier so that the new address is being used. In this example, the complete value will be “https://example.com/token/1.0/sync/1.5”.

Now open a new browser tab and go to https://example.com/token/1.0/sync/1.5. If you get a sec_error_ca_cert_invalid error you have to edit yet another value in about:config. Find security.use_mozillapkix_verification and set the value to false. If you don’t get an error, there is no need to change this value. This is at least an issue in Firefox 31, where the certificate verification changed, but might change again in later versions of Firefox.

The last step on the client side is to reconnect to the sync server. Just do it in the same way as you did earlier.

So there you have it. Your own Firefox Sync Server 1.5 running behind Apache over an SSL connection. Setting everything up is a major pain in the ass, wasn’t it? Firefox doesn’t exactly make it easy. I hope Mozilla starts to take privacy even more seriously in the future and make the process more stream lined.

Sources


Feedback

Do you have any thoughts you want to share? A question, maybe? Or is something in this post just plainly wrong? Then please send an e-mail to vegard at vegard dot net with your input. You can also use any of the other points of contact listed on the About page.

Caution

It looks like you're using Google's Chrome browser, which records everything you do on the internet. Personally identifiable and sensitive information about you is then sold to the highest bidder, making you a part of surveillance capitalism.

The Contra Chrome comic explains why this is bad, and why you should use another browser.