first of all: thanks to all who help or helped to develop the Pale Moon browser.
so! next you will find what I did to run my own sync server for Pale Moon 27.0.3 (German language).
the system I run the sync server on is a Debian 8 with a minimal xfce4 desktop. for this I used a Debian 8 net install image and then installed a minimal desktop. I also set up sudo and disabled su.
a) minimal desktop:
Code:
apt-get install xorg lightdm lightdm-gtk-greeter xfwm4 xfdesktop xfconf xfce4-settings xfce4-session xfce4-panel xfce4-terminal libxfce4ui-utils gtk2-engines-xfce thunar thunar-volman thunar-archive-plugin gksu sudo build-essential firefox-esr geany geany-plugins synaptic xdg-user-dirs gtk-engines-murrine murrine-themes
Code:
usermod -a -G sudo username
visudo (adapt the sudo line so that I don't have to enter a password)
Code:
reboot
Code:
sudo -s
Code:
apt-get install mariadb-server mariadb-client (tip: write down the password, so one can forget it)
apt-get install apache2
apt-get install php5 libapache2-mod-php5
apt-get install php5-mysqlnd php5-curl php5-gd php5-intl php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl
apt-get install php5-apcu
apt-get install phpmyadmin
further I changed the settings of apache, php5 and mysql to use utf-8 (search the internet for how to do that).
c) next I installed the packages needed for the sync server:
Code:
apt-get install libssl-dev python-mysqldb python-mysql.connector python-dev mercurial python-virtualenv libapache2-mod-wsgi libmysqlclient-dev python make
Code:
useradd -d /usr/local/fsync -m -r -U -s /bin/false fsync
Code:
usermod -a -G fsync www-data
Code:
cd /usr/local/fsync
hg clone https://hg.mozilla.org/services/server-full (creates the folder server-full, which contains the sync server software)
cd server-full
make build
Code:
cd /usr/local/fsync
mkdir -p tmp
mkdir -p logs
Code:
cd /usr/local
chown -R fsync:fsync fsync
find /usr/local/fsync -type d -exec chmod 2770 "{}" \; -exec setfacl -m u::rwX,g::rwX,o::--- "{}" \;
find /usr/local/fsync -type f -executable -exec chmod 770 "{}" \; -exec setfacl -m u::rwx,g::rwx,o::--- "{}" \;
find /usr/local/fsync -type f ! -executable -exec chmod 660 "{}" \; -exec setfacl -m u::rw-,g::rw-,o::--- "{}" \;
Code:
create database fsync;
GRANT ALL PRIVILEGES ON fsync.* TO fsync@localhost IDENTIFIED BY 'PASSWORD';
flush privileges;
quit
Code:
cd /usr/local/fsync/server-full
cp -p etc/sync.conf etc/sync.conf-orig
rm etc/sync.conf
cp -p etc/mysql.conf etc/sync.conf
cp -p development.ini development.ini-orig
cp -p sync.wsgi sync.wsgi-orig
Code:
[captcha]
...
use_ssl = true
...
[storage]
...
# PASSWORD is the one used when the database user was created
sqluri = mysql://fsync:PASSWORD@localhost:3306/fsync
...
quota_size = 10240
...
[auth]
...
sqluri = mysql://fsync:PASSWORD@localhost:3306/fsync
[nodes]
# the domain one had set up with the DNS provider
fallback_node = https://fsync.example.com
...
[reset_codes]
backend = services.resetcodes.rc_sql.ResetCodeSQL
sqluri = mysql://fsync:PASSWORD@localhost:3306/fsync
create_tables = True
[keyexchange]
use_memory = true
Code:
[DEFAULT]
debug = False
...
[handler_syncserver_errors]
...
args = ('/usr/local/fsync/logs/sync-error.log',)
...
Code:
...
# setting up the egg cache to a place where apache can write
os.environ['PYTHON_EGG_CACHE'] = '/usr/local/fsync/tmp/python-eggs'
...
k) create the virtual apache2 host. in order to use https one needs a trusted certificate (for example from comodo); I managed to use self-signed certificates; in this case you first have to accept the self-signed certificate in Pale Moon. start Pale Moon, open the URL https://fsync.example.com, accept the self-signed certificate, then go to the sync settings of Pale Moon.
create a self-signed certificate:
Code:
cd /etc/apache2
mkdir -p ssl/fsync
cd /etc/apache2/ssl/fsync
make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/fsync/fsync.example.com.cert (enter your domain when asked for it)
touch fsync.example.com.key
touch fsync.example.com.crt
cat fsync.example.com.cert (copy the key)
nano fsync.example.com.key (paste in the key)
cat fsync.example.com.cert (copy the certificate)
nano fsync.example.com.crt (paste in the certificate)
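An added helper, not part of the original post: it does the cat/nano copy-and-paste split of the steps above in one go, keeps the key file unreadable for other users, and prints the certificate fingerprint so that the self-signed certificate Pale Moon asks you to accept can be compared with the one you actually generated. It assumes the combined file written by make-ssl-cert holds one PRIVATE KEY block and one CERTIFICATE block, and that openssl is installed for the fingerprint.

```shell
#!/bin/sh
# Added example, not from the original post. Splits the combined PEM file that
# make-ssl-cert writes (key + certificate) into the .key and .crt files the
# apache vhost expects, keeps the key private, and prints the SHA-256
# fingerprint to compare with the one Pale Moon shows before you accept it.

# split_pem COMBINED KEYFILE CRTFILE
# returns non-zero if either the key or the certificate block is missing
split_pem() {
    combined=$1
    key=$2
    crt=$3
    # create the key file without group/other permissions from the start
    ( umask 077
      sed -n '/^-----BEGIN .*PRIVATE KEY-----$/,/^-----END .*PRIVATE KEY-----$/p' \
          "$combined" > "$key" )
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' \
        "$combined" > "$crt"
    chmod 600 "$key"
    chmod 644 "$crt"
    [ -s "$key" ] && [ -s "$crt" ]
}

# cert_fingerprint CRTFILE -> SHA-256 fingerprint of the certificate (needs openssl)
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# usage: sh split-cert.sh fsync.example.com.cert fsync.example.com.key fsync.example.com.crt
if [ $# -eq 3 ]; then
    split_pem "$1" "$2" "$3" || { echo "key or certificate block not found in $1" >&2; exit 1; }
    cert_fingerprint "$3"
fi
```

The fingerprint printed here is the value to check against the certificate viewer in Pale Moon's "add exception" dialog; swap -sha256 for -sha1 if the dialog only shows the SHA1 value.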
Code:
cd /etc/apache2/sites-available
Code:
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName http://www.example.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
# the rewrite settings are added to the default debian virtual host 000-default.conf
# redirect www to non-www
RewriteEngine On
RewriteCond %{HTTP_HOST} !^$
RewriteCond %{HTTP_HOST} ^www\.(.+) [NC]
RewriteRule ^/(.*) http://%1/$1 [L,R=301]
# redirect http requests to https
RewriteEngine On
RewriteCond %{HTTP_HOST} !^localhost
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}:443%{REQUEST_URI} [R=301,L]
</VirtualHost>
Code:
cp default-ssl.conf fsync.example.com-ssl.conf
Code:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName fsync.example.com
ServerAdmin webmaster@localhost
DocumentRoot /usr/local/fsync/server-full
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog /usr/local/fsync/logs/error.log
CustomLog /usr/local/fsync/logs/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# A self-signed (snakeoil) certificate can be created by installing
# the ssl-cert package. See
# /usr/share/doc/apache2/README.Debian.gz for more info.
# If both key and certificate are stored in the same file, only the
# SSLCertificateFile directive is needed.
SSLCertificateFile /etc/apache2/ssl/fsync/fsync.example.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/fsync/fsync.example.com.key
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convenience.
#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
# Note: Inside SSLCACertificatePath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCACertificatePath /etc/ssl/certs/
#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
# Certificate Revocation Lists (CRL):
# Set the CA revocation path where to find CA CRLs for client
# authentication or alternatively one huge file containing all
# of them (file must be PEM encoded)
# Note: Inside SSLCARevocationPath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCARevocationPath /etc/apache2/ssl.crl/
#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10
# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is sent or allowed to be received. This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is sent and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
# added for the sync server
WSGIDaemonProcess fsync user=fsync group=fsync processes=2 threads=25 python-path=/usr/local/fsync/server-full/local/lib/python2.7/site-packages
WSGIProcessGroup fsync
WSGIPassAuthorization On
WSGIScriptAlias / /usr/local/fsync/server-full/sync.wsgi
# added for the sync server: apache must be allowed to read the directory that holds sync.wsgi
# (the Mozilla example uses /opt/weave; here the checkout lives in /usr/local/fsync/server-full)
<Directory /usr/local/fsync/server-full>
Require all granted
</Directory>
</VirtualHost>
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
Code:
cd /etc/apache2/sites-available
a2enmod ssl
a2enmod rewrite
a2enmod wsgi
a2ensite fsync.example.com-ssl.conf
service apache2 restart
m) start the sync server as user fsync
Code:
cd /usr/local/fsync/server-full
sudo -u fsync bin/paster serve development.ini &
nano /etc/hosts
Code:
...
192.168.56.120 fsync.example.com
URL:
Code:
https://fsync.example.com
remember: accept the self-signed certificate!!!
URL:
Code:
https://fsync.example.com/__heartbeat__
URL:
Code:
https://fsync.example.com/weave-password-reset
URL:
Code:
https://fsync.example.com/weave-delete-account
p) final: if you don't want foreign users to be able to use your sync server, set in sync.conf:
Code:
cd /usr/local/fsync/server-full
Code:
...
allow_new_users = false
...
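An added check, not from the original post or from the server-full project, covering both the sync.conf settings edited above and step p): it reads the file before the server is started and reports use_ssl not being true, a fallback_node that is not https, any sqluri where the PASSWORD placeholder was never replaced, and allow_new_users not being false. It assumes allow_new_users lives in the [auth] section (the post does not say which section) and that the file uses the plain key = value layout shown above.

```shell
#!/bin/sh
# Added example, not from the original post. Audits the security-relevant keys
# of a server-full sync.conf before the server is started. allow_new_users is
# assumed to live in the [auth] section (the post does not say which section).

# ini_get FILE SECTION KEY -> prints the value, or nothing if the key is absent
ini_get() {
    awk -v want="$2" -v key="$3" '
        /^[ \t]*\[/ { sec = $0; gsub(/^[ \t]*\[|\].*$/, "", sec); next }
        sec == want && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# audit_sync_conf FILE -> prints one finding per line; the return value is the
# number of findings, so 0 means the file passed every check
audit_sync_conf() {
    conf=$1
    n=0
    [ "$(ini_get "$conf" captcha use_ssl)" = "true" ] \
        || { echo "captcha: use_ssl is not true"; n=$((n + 1)); }
    case "$(ini_get "$conf" nodes fallback_node)" in
        https://*) ;;
        *) echo "nodes: fallback_node is not an https:// URL"; n=$((n + 1)) ;;
    esac
    [ "$(ini_get "$conf" auth allow_new_users)" = "false" ] \
        || { echo "auth: allow_new_users is not false, anyone can register"; n=$((n + 1)); }
    # every backend that talks to MariaDB must carry the real password
    for sec in storage auth reset_codes; do
        case "$(ini_get "$conf" "$sec" sqluri)" in
            "")           echo "$sec: sqluri is missing"; n=$((n + 1)) ;;
            *:PASSWORD@*) echo "$sec: sqluri still contains the PASSWORD placeholder"; n=$((n + 1)) ;;
        esac
    done
    return "$n"
}

# usage: sh audit-sync-conf.sh /usr/local/fsync/server-full/etc/sync.conf
[ $# -eq 0 ] || audit_sync_conf "$1"
```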
Kind Regards, go4pale