  • Stars: 157
  • Rank 238,399 (Top 5 %)
  • Language: Shell
  • Created almost 9 years ago
  • Updated over 8 years ago


Instructions for hosting a Firefox Accounts instance on your own domain name

fxa-self-hosting

Instructions for hosting Mozilla Services on your own domain name. Services included so far:

  • General:

    • a simple nginx-based proxy
    • instructions for home-hosting using pagekite
    • instructions for configuring Firefox Desktop to use your self-hosted services
    • instructions for configuring Firefox OS to use your self-hosted services
  • Firefox Accounts, including:

    • fxa-content-server
    • fxa-profile-server
    • fxa-auth-server
    • fxa-oauth-server
    • browserid-verifier
    • fxa-auth-db-mysql
  • Firefox Sync, including:

    • syncserver (this includes tokenserver)
    • syncto (only required for Firefox OS)

Not sec-reviewed, use at own risk!

These scripts are not security-reviewed Mozilla software, and are meant only for people who want to have some fun trying out self-hosting. Create an empty Firefox profile for trying it out, and don't sync your main profile's data to it; it's not secure enough for that.

If you use this in production for your own personal data (including for instance all the passwords you saved in your browser), you will have to do your own security review, server hardening, and intrusion detection, and make sure to keep both your host server and the containers patched with security updates.

This is especially true if you want to use these scripts to host Firefox Accounts and linked services for other people besides yourself.

To give an example, the fxa-auth-db-mysql container connects to mysql using the root user and no password.

Also, the syncserver stores data just in-memory, so synced data is lost not only when you remove the syncserver container, but even if you just restart it.

If you find a security issue with these scripts (or other improvements), please [open a github issue] about it. Pull requests welcome! :)

Audience

This guide is intended for people with basic sysadmin experience, and not all the steps you will need to take (e.g. using ssh, obtaining a TLS certificate, installing server software) are spelled out in detail. If you're having any trouble, you can ask for help by mentioning me (michielbdejong) in the #fxa channel on irc.mozilla.org, or email me (michiel at mozilla dot com).

Architecture

The scripts in this self-hosting guide will create 9 containers: one TLS-offloading proxy, 6 services which run on various ports, and two supporting ones, which are not publicly accessible:

                                   INTERNET
                                       |
                                       v
                          fxa-self-hosting/"proxy":1111,443,8000,9010,3030,5000
          _____________________________|______________________________
          |              |       |       |           |               |
          v              |       v       |           v               |
fxa-profile-server:1111  |  syncto:8000  |  fxa-content-server:3030  |
                         v               v                           v
              fxa-auth-server:443  fxa-oauth-server:9010        syncserver:5000
                         |               |                           |
                         |                \_________________________/
                         |                            |
                         v                            v
          fxa-auth-db-mysql/"httpd":3306    browserid-verifier/"verifier.local":5050

The lines indicate container linking; they correspond to the --link parameters in setup.sh. The various servers also communicate with each other via the internet (e.g. the syncto container makes an https request that goes out to the internet, comes back in to the proxy, and from there goes to the syncserver), and via the browser (e.g. the fxa-content-server serves up webpages that make XHR requests to several other services). These relations correspond to the -e SOME_URL="https://$1:1234/" parameters in setup.sh:

 _________
/         \
|      fxa-content-server
|     /    |
^    |     v
|    | fxa-profile-server      syncto
|    v     |           |         |
|    |\    v           |         v
^    | fxa-auth-server |      syncserver
|    v     |           v
|     \    v           /
|      fxa-oauth-server
\________/

Prerequisites

For self-hosting (i.e. hosting an instance of the Mozilla Services yourself, on a server that's connected to the internet), you will need:

  • A server with Docker installed and probably 1 or 2 Gigs of memory, that isn't yet running anything which occupies port 443 (i.e. not hosting any websites).
  • A domain name or subdomain you control and can point to this server
  • A TLS certificate for this (sub-)domain. Once you have your server running and your (sub-)domainname pointed to it in DNS (wait for DNS propagation), you can get one for free from LetsEncrypt.

If you prefer to host the services on a computer in your house ("home-hosting"), then you need to make this computer addressable on the public internet. You can do this using a reverse proxy tunnel like Pagekite (see instructions below), or maybe with DynDNS.

The reverse proxy tunnel needs to run on an addressable server, but it can be a much smaller (cheaper) one, and also, this reverse proxy tunnel will not store any of your data (the data would be in your house), and if configured correctly, it cannot eavesdrop on any of the traffic that goes through it (because TLS is terminated in your house, not at the proxy).

Note that the same disclaimer applies: these scripts have not been reviewed for security issues, so storing valuable data like your saved passwords on them is entirely at your own risk.

Setup

In these instructions, I use fxa.michielbdejong.com as the example subdomain on which all the services will be running (using various TCP ports). Replace this string with your own (sub-)domain name wherever you see it. Note that one of the services (fxa-auth-server) will be occupying port 443 (https://fxa.michielbdejong.com/), so if you already run your website or blog on your server, you will want to use an extra server, on a subdomain (I used fxa. in this case).

Step 1: Getting the TLS certificate

If you get your TLS certificate using LetsEncrypt, it will be saved to /etc/letsencrypt. Find your certificate there, and copy it to a convenient location on the server that will be running the services. Note that it's necessary to append chain.pem to cert.pem, so that the nginx proxy will present a convincing trust chain to https clients. In this case, I'm saving the cert in a newly created folder, /root/fxa-cert. If you used the certonly method, /etc/letsencrypt/live may not exist, but you can probably still find the .pem files in some folder under /etc/letsencrypt if the registration was successful:

cd /root
cp -r /etc/letsencrypt/live/fxa.michielbdejong.com ./fxa-cert
chmod -R ugo+r ./fxa-cert
cat ./fxa-cert/cert.pem ./fxa-cert/chain.pem > ./fxa-cert/combined.pem
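
Before handing the folder to setup.sh it is worth checking that the bundle came out the way the proxy needs it. The following script is an added example, not part of the fxa-self-hosting repo; it assumes the Step 1 layout (cert.pem, chain.pem, combined.pem and privkey.pem in one folder) and uses only grep, head, ls and cut so it runs wherever sh does. It fails if combined.pem has fewer than two certificate blocks, does not start with the leaf certificate, or contains a private key, and it warns (without failing, because Step 1 deliberately runs chmod -R ugo+r on the folder) when privkey.pem is world-readable on the host.

```shell
#!/bin/sh
# Added example, not part of fxa-self-hosting: sanity checks on the
# certificate folder that Step 1 produces, run on the host before setup.sh.
# Assumes the Step 1 layout (cert.pem, chain.pem, combined.pem, privkey.pem).

# Number of PEM certificate blocks in a file. combined.pem must carry the
# leaf certificate plus at least one intermediate, i.e. 2 or more.
count_certs() {
  grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# nginx sends the certificates in file order and TLS clients expect the
# server (leaf) certificate first, so the bundle has to open with one.
leaf_first() {
  head -n 1 "$1" | grep -q '^-----BEGIN CERTIFICATE-----'
}

# The bundle is what the proxy presents to every client; it must never
# contain the private key.
no_key_in_bundle() {
  ! grep -q 'PRIVATE KEY' "$1"
}

# True when "other" has no read bit on the file (column 8 of ls -l output).
not_world_readable() {
  [ "$(ls -ld "$1" | cut -c8)" = "-" ]
}

# Run all checks on a certificate folder; prints each finding and returns 1
# on any hard failure. The permission check is only a warning because Step 1
# intentionally makes the whole folder readable for the proxy.
check_cert_dir() {
  dir=$1
  status=0
  for f in cert.pem chain.pem combined.pem privkey.pem; do
    [ -f "$dir/$f" ] || { echo "missing: $dir/$f"; status=1; }
  done
  [ "$status" -eq 0 ] || return 1
  n=$(count_certs "$dir/combined.pem")
  [ "$n" -ge 2 ] || { echo "combined.pem holds $n certificate(s), expected leaf + chain"; status=1; }
  leaf_first "$dir/combined.pem" || { echo "combined.pem does not start with a certificate block"; status=1; }
  no_key_in_bundle "$dir/combined.pem" || { echo "combined.pem contains a private key"; status=1; }
  not_world_readable "$dir/privkey.pem" || echo "warning: privkey.pem is world-readable on the host"
  return "$status"
}

# Usage: sh check-cert.sh /root/fxa-cert
if [ "$#" -gt 0 ]; then check_cert_dir "$1"; fi
```

The order check matters because a client that receives the intermediate before the leaf will fail the handshake just as if the chain were missing, and browsers report that as an untrusted certificate rather than as a bad file.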

Step 2 (home-hosting only): Set up your pagekite frontend

Replace 'secretsecretsecret' with the secret from your ~/.pagekite.rc file in the following command, and run it on the pagekite frontend (the server to which DNS for fxa.michielbdejong.com points):

pagekite.py --isfrontend --domain *:fxa.michielbdejong.com:secretsecretsecret --ports=80,1111,3030,5000,8000,443,9010
echo TODO: not use a http connection (?) to the frontend

Step 3: Run build.sh

The build.sh script from this repo will build the necessary Docker images. This will probably take up to half an hour, so grab a coffee. You should run this script regularly, for instance when a new patch version of node 0.10 becomes available.

Step 4: Run setup.sh

Running setup.sh fxa.michielbdejong.com (script in the root of this repo) will stop and destroy all running Docker containers, so don't run it on a server where you're also running some other Docker-based things. Make sure to run it with your own sub-domain instead of 'fxa.michielbdejong.com', of course. You may also want to convert this bash script to a docker-compose.yml file if that's your thing; the result will be the same.

The script assumes that ./fxa-cert/combined.pem and ./fxa-cert/privkey.pem exist.

Check if you see nine Docker containers running in docker ps -a and none of them exited. It can take a further 10 or 20 seconds before the fxa-content-server will start responding (you will see a 502 Bad Gateway page from the nginx proxy until then).
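
To make that check repeatable, here is an added example (not code from the fxa-self-hosting repo) that reads the output of `docker ps -a --format '{{.Names}} {{.Status}}'` from stdin, names any container that is not in the Up state, insists on exactly nine running ones, and then polls the content server through the proxy until the 502 goes away. The container names in the test listing (auth, oauth, syncto alongside the proxy, content, sync, httpdb, profile and verifier.local names that the guide uses) are constructed for the example; the real names come from setup.sh. The polling step needs curl and a reachable host, so only the parsing part is exercised stand-alone.

```shell
#!/bin/sh
# Added example, not part of fxa-self-hosting: after setup.sh, confirm that
# all nine containers are up and none has exited, then wait for the content
# server to stop answering 502 through the proxy. The container check parses
# `docker ps -a --format '{{.Names}} {{.Status}}'` from stdin, so it can also
# be run against a captured listing.

EXPECTED_CONTAINERS=9

# Names of containers whose status does not start with "Up" (Exited, Created, ...).
not_running() {
  awk 'NF && $2 != "Up" { print $1 }'
}

# Number of containers whose status starts with "Up".
running_count() {
  awk 'NF && $2 == "Up" { n++ } END { print n + 0 }'
}

# Exit 0 only when exactly EXPECTED_CONTAINERS are up and none is in any
# other state; otherwise name the offenders so `docker logs <name>` is the
# obvious next step.
check_containers() {
  listing=$(cat)
  down=$(printf '%s\n' "$listing" | not_running)
  up=$(printf '%s\n' "$listing" | running_count)
  if [ -n "$down" ]; then
    echo "not running:"
    printf '  %s\n' $down
    return 1
  fi
  if [ "$up" -ne "$EXPECTED_CONTAINERS" ]; then
    echo "expected $EXPECTED_CONTAINERS running containers, found $up"
    return 1
  fi
  echo "all $up containers are up"
}

# Poll https://<host>:3030/ until the proxy stops returning 502 (the content
# server needs a further 10-20 s). -k is used so the same check works against
# the Docker VM IP from Step 5, whose name will not match the certificate.
wait_for_content_server() {
  host=$1
  tries=0
  while [ "$tries" -lt 30 ]; do
    code=$(curl -sk -o /dev/null -w '%{http_code}' "https://$host:3030/") || code=000
    if [ "$code" != "502" ] && [ "$code" != "000" ]; then
      echo "content server answered HTTP $code"
      return 0
    fi
    tries=$((tries + 1))
    sleep 2
  done
  echo "content server still not answering after 60 s"
  return 1
}

# Usage: docker ps -a --format '{{.Names}} {{.Status}}' | sh check-containers.sh fxa.michielbdejong.com
if [ "$#" -gt 0 ]; then check_containers && wait_for_content_server "$1"; fi
```

An HTTP 000 from curl means no connection at all (proxy not up yet, or DNS not propagated), which the loop treats the same way as a 502 rather than as success.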

Step 5 (home-hosting only): Set up your pagekite backend

On MacOS, Docker runs inside a virtual machine, probably on 192.168.99.100. In any case, you can use your browser or an http tool like curl to test whether https://192.168.99.100 is responding.

Run fly.sh fxa.michielbdejong.com from this repo, and maybe restart the pagekite frontend and backend (killing all pagekite processes from ps auxwww | grep pagekite in between) until there are no rejected duplicates and https://fxa.michielbdejong.com looks the same as https://192.168.99.100 (or whatever your Docker VM IP), and the same for the https services on ports :1111, :3030, :5000, :8000, and :9010.

Step 6: Configuring content server

Looking for a proper way to do this through env vars; until then:

docker exec -it -u root content /bin/bash
root@1e1dbee9b940:/home/fxa/fxa-content-server# apt-get update && apt-get install -yq vim
root@1e1dbee9b940:/home/fxa/fxa-content-server# vim ./server/config/local.json +9
-> change "YOU MUST CHANGE ME" to some random string (e.g. `pwgen 40 1`)
root@1e1dbee9b940:/home/fxa/fxa-content-server# exit

and restart the content and proxy containers (in that order, since the proxy container links to the content container):

docker restart content ; docker restart proxy

Step 7: Configuring syncserver

Looking for a proper way to do this through env vars; until then:

docker exec -it -u root sync /bin/bash
root@b5c1ba63de07:/home/app/syncserver# apt-get update && apt-get install -yq vim
root@b5c1ba63de07:/home/app/syncserver# vim ./local/lib/python2.7/site-packages/tokenserver/verifiers.py +85
-> edit verifier_url = "http://verifier.local:5050/v2"
root@b5c1ba63de07:/home/app/syncserver# exit

and restart the sync and proxy containers (in that order, since the proxy container links to the sync container):

docker restart sync ; docker restart proxy

Step 8: Creating your account

Sign up on https://fxa.michielbdejong.com:3030/, and instead of going to look for the verification email, run:

docker exec -it httpdb mysql -e "USE fxa; UPDATE accounts SET emailVerified=1;"

to mark your email address as verified.
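
That UPDATE has no WHERE clause, so it marks every row in the accounts table as verified, which is fine while you are the only user but not once you host accounts for other people (see the warning at the top of this README). The following is an added example, not part of the fxa-self-hosting repo, that scopes the statement to one address. It assumes the accounts table has an `email` column next to the `emailVerified` column the page shows, and that the database container is named httpdb as in the command above. The address is checked against a conservative character set before it is interpolated into the SQL, so a stray quote in the input is refused rather than passed to MySQL.

```shell
#!/bin/sh
# Added example, not part of fxa-self-hosting: mark one account as verified
# instead of every row in the accounts table. Assumes an `email` column in
# `accounts` (the guide only shows `emailVerified`) and a container named httpdb.

# Accept only addresses made of letters, digits and @ . _ + - with an @ and a
# dot after it. This is deliberately stricter than the e-mail grammar; the goal
# is that the value can be interpolated into a statement without an escaping bug.
valid_email() {
  case "$1" in
    *@*.*) ;;
    *) return 1 ;;
  esac
  case "$1" in
    *[!A-Za-z0-9@._+-]*) return 1 ;;
  esac
}

# The scoped UPDATE; prints nothing and fails when the address is refused.
verify_sql() {
  valid_email "$1" || { echo "refusing address: $1" >&2; return 1; }
  printf "USE fxa; UPDATE accounts SET emailVerified=1 WHERE email='%s';" "$1"
}

# Companion SELECT to confirm exactly which row changed.
status_sql() {
  valid_email "$1" || return 1
  printf "USE fxa; SELECT email, emailVerified FROM accounts WHERE email='%s';" "$1"
}

# Run both against the database container (needs docker, so not exercised
# by the stand-alone test).
verify_account() {
  sql=$(verify_sql "$1") || return 1
  docker exec httpdb mysql -e "$sql" && docker exec httpdb mysql -e "$(status_sql "$1")"
}

# Usage: sh verify-account.sh you@fxa.michielbdejong.com
if [ "$#" -gt 0 ]; then verify_account "$1"; fi
```

Whichever form you use, the SELECT afterwards is the cheap way to confirm that one row, and only that row, now has emailVerified=1.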

NB: If you get https://fxa.michielbdejong.com:3030/unexpected_error, run localStorage.clear() in the console and hard-refresh.

Step 9: Configure Firefox Desktop

Edit the values in about:config like so:

Image about:config

Step 10: (Firefox OS only) Configure and build Gaia

In build/config/common-settings.json, edit:

And in build/config/phone/custom-prefs.js (assuming you're building for the phone), add:

There are also two prefs you need to change at the B2G level, but if you're using B2G-Desktop, you can change it in the /Applications/B2GDebug.app/Contents/Resources/defaults/pref/b2g.js file without having to rebuild all of B2G. The prefs to change are:

Debugging

If DNS hasn't propagated yet, you may need to spike /etc/hosts in the profile and verifier.local containers:

docker exec -u root -it verifier.local /bin/bash
docker exec -u root -it profile /bin/bash
-> echo 45.32.232.152 fxa.michielbdejong.com >> /etc/hosts

... or just wait for a bit. :)

To debug one of the containers, e.g. the one with container id ea298056cc in docker ps:

 docker exec -u root -it ea298056cc /bin/bash
 # add some console.log statements to the code
 docker restart ea298056cc
 docker restart proxy #and/or whichever containers link to the container you edited
 docker logs -f ea298056cc

You can also run a container interactively, check setup.sh for the startup params for each one.

Again, you will have to restart containers that link to the restarted one, for instance the main fxa-self-hosting proxy.

A nice tool for seeing the contents of your sync server is syncclient. Apart from following syncclient's readme instructions, make sure to edit syncclient/client.py like this:

-TOKENSERVER_URL = "https://token.services.mozilla.com/"
-FXA_SERVER_URL = "https://api.accounts.firefox.com"
+TOKENSERVER_URL = "https://fxa.michielbdejong.com:5000/token/"
+FXA_SERVER_URL = "https://fxa.michielbdejong.com"

And then try running commands like get_collection_counts, get_records history, or get_record crypto keys with it.

Disclaimer

Don't try this at home. This is a work-in-progress, hasn't been security-reviewed yet, and it's just not secure enough to host your valuable Firefox Sync data.
