Support #718

Updated by Daniel Curtis over 7 years ago

{{>toc}} 

 This is a guide on how I installed the Firefox Auth, Content, and Sync components to form the Firefox Accounts Server on FreeBSD 10. 

 h2. Prepare the Environment 

 * Make sure the system is up to date: 
 <pre> 
 pkg update && pkg upgrade -y 
 </pre> 

 * Install a few dependencies: 
 <pre> 
 pkg install portmaster sudo bash git gmp graphicsmagick redis gmake postfix python2 py27-virtualenv sqlite py27-sqlite3 gcc48 scrypt 
 </pre> 

 * Start and enable postfix and disable sendmail at boot: 
 <pre> 
 echo 'postfix_enable="YES"' >> /etc/rc.conf 
 echo 'sendmail_enable="NONE"' >> /etc/rc.conf 
 newaliases 
 service postfix start 
 </pre> 

 * Install node4 and npm2 from ports: 
 <pre> 
 portmaster www/node4 www/npm2 
 </pre> 

 * Install a couple node modules globally: 
 <pre> 
 npm install -g pm2 grunt 
 </pre> 

 * Add the Firefox Accounts user: 
 <pre> 
 mkdir -p /usr/local/www/fxa 
 pw groupadd fxa 
 pw adduser -n fxa -g fxa -d /usr/local/www/fxa -s /bin/sh -c "Firefox Accounts" 
 chown fxa:fxa /usr/local/www/fxa 
 </pre>  

 h2. Memcached Server 

 * Install memcached: 
 <pre> 
 pkg install memcached 
 </pre> 

 * Start and enable memcached at boot: 
 <pre> 
 echo 'memcached_enable="YES"' >> /etc/rc.conf 
 service memcached start 
 </pre> 

 h2. MySQL Database 

 * Install MariaDB: 
 <pre> 
 pkg install mariadb101-{client,server} 
 </pre> 

 * Start and enable MariaDB at boot: 
 <pre> 
 echo 'mysql_enable="YES"' >> /etc/rc.conf 
 service mysql-server start 
 </pre> 

 * Secure the mysql installation: 
 <pre> 
 mysql_secure_installation 
 </pre> 

 * Log into the MySQL console: 
 <pre> 
 mysql -u root -p 
 </pre> 
 #* Create the *fxauser* user with the SuperSecretPassword password and the *fxadb* database: 
 <pre> 
 CREATE USER 'fxauser'@'localhost' IDENTIFIED BY 'SuperSecretPassword';    
 CREATE DATABASE IF NOT EXISTS    `fxadb` CHARACTER SET utf8 COLLATE utf8_general_ci; 
 GRANT ALL PRIVILEGES ON `fxadb`.* TO 'fxauser'@'localhost'; 
 </pre> 
 #* Create the *fxasyncuser* user with the SuperDuperPassword password and the *fxasyncdb* database: 
 <pre> 
 CREATE USER 'fxasyncuser'@'localhost' IDENTIFIED BY 'SuperDuperPassword'; 
 CREATE DATABASE IF NOT EXISTS    `fxasyncdb` CHARACTER SET utf8 COLLATE utf8_general_ci; 
 GRANT ALL PRIVILEGES ON `fxasyncdb`.* TO 'fxasyncuser'@'localhost'; 
 </pre> 
 #* Create the *fxaoauthuser* user with the SuperOauthPassword password and the *fxaoauthdb* database: 
 <pre> 
 CREATE USER 'fxaoauthuser'@'localhost' IDENTIFIED BY 'SuperOauthPassword';    
 CREATE DATABASE IF NOT EXISTS    `fxaoauthdb` CHARACTER SET utf8 COLLATE utf8_general_ci; 
 GRANT ALL PRIVILEGES ON `fxaoauthdb`.* TO 'fxaoauthuser'@'localhost'; 
 </pre> 
 #* Create the *fxaprofileuser* user with the SuperSuperPassword password and the *fxaprofiledb* database: 
 <pre> 
 CREATE USER 'fxaprofileuser'@'localhost' IDENTIFIED BY 'SuperSuperPassword';    
 CREATE DATABASE IF NOT EXISTS    `fxaprofiledb` CHARACTER SET utf8 COLLATE utf8_general_ci; 
 GRANT ALL PRIVILEGES ON `fxaprofiledb`.* TO 'fxaprofileuser'@'localhost'; 
 </pre> 
 #* Exit the mysql console: 
 <pre> 
 flush privileges; 
 exit 
 </pre> 

 h2. Install Accounts Server 

 * Switch to the fxa directory: 
 <pre> 
 cd /usr/local/www/fxa 
 </pre> 

 * Download the firefox auth server from GitHub: 
 <pre> 
 sudo -u fxa git clone https://github.com/mozilla/fxa-auth-server.git 
 cd fxa-auth-server 
 </pre> 

 * Install the auth server: 
 <pre> 
 sudo -u fxa npm install 
 </pre> 
 #* And test the auth server: 
 <pre> 
 sudo -u fxa npm start 
 </pre> 
 *NOTE*: Press Ctrl+C to stop the test server. 

 * Edit the development environment config file: 
 <pre> 
 vi .env.dev 
 </pre> 
 #* And adjust the config file accordingly: 
 <pre> 
 MYSQL_USER=fxauser 
 MYSQL_PASSWORD=SuperSecretPassword 
 MYSQL_DATABASE=fxadb 
 MYSQL_HOST=localhost 
 MYSQL_PORT=3306 
 MYSQL_SLAVE_USER=fxauser 
 MYSQL_SLAVE_PASSWORD=SuperSecretPassword 
 MYSQL_SLAVE_DATABASE=fxadb 
 MYSQL_SLAVE_HOST=localhost 
 MYSQL_SLAVE_PORT=3306 
 PUBLIC_URL=https://api.accounts.example.com 
 CONTENT_SERVER_URL=https://accounts.example.com 
 CUSTOMS_SERVER_URL=none 
 OAUTH_URL=https://oauth.accounts.example.com 
 LOCKOUT_ENABLED=true 
 LOG_FORMAT=pretty 
 LOG_LEVEL=info 
 RESEND_BLACKOUT_PERIOD=0 
 SIGNIN_CONFIRMATION_ENABLED=false 
 SIGNIN_CONFIRMATION_RATE=1 
 SMTP_HOST=mail.example.com 
 SMTP_PORT=25 
 SMTP_SECURE=false 
 SMTP_USER=no-reply@example.com 
 SMTP_PASS=SuperSecretMailPassword 
 SMTP_SENDER='Firefox Accounts <no-reply@example.com>' 
 SNS_TOPIC_ARN=disabled 
 STATSD_SAMPLE_RATE=1 
 TRUSTED_JKUS=http://127.0.0.1:8080/.well-known/public-keys,http://127.0.0.1:10139/.well-known/public-keys 
 VERIFICATION_REMINDER_RATE=1 
 VERIFIER_VERSION=0 
 SIGNIN_CONFIRMATION_FORCE_EMAIL_REGEX=/.+@example\.com$/ 
 </pre> 
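An added lint for the hand-edited @.env.dev@ above (example code written for this page, not part of the fxa-auth-server project). It assumes only POSIX sh and awk, and the sample file it checks is constructed inline; it flags a required key missing or set twice, two @KEY=VALUE@ pairs pasted onto one line, a @*_URL@ that is not @https://@, and a MySQL password left at the guide's sample value.

```shell
# Added example, not part of the original guide: lint an fxa-auth-server
# .env file for the slips that are easy to make when editing it by hand.
# Prints one finding per line and exits 1 if anything was found.

lint_fxa_env() {
    awk '
    BEGIN {
        n = split("MYSQL_USER MYSQL_PASSWORD MYSQL_DATABASE MYSQL_HOST PUBLIC_URL CONTENT_SERVER_URL OAUTH_URL SMTP_HOST", req, " ")
        for (i = 1; i <= n; i++) required[req[i]] = 1
        bad = 0
    }
    { line = $0; sub(/^[ \t]+/, "", line) }
    line == "" || line ~ /^#/ { next }          # blank or comment line
    {
        # "KEY=value KEY2=value" on one line is a paste error, not a value
        if (line ~ /^[A-Z_]+=[^ \t]*[ \t]+[A-Z_]+=/) {
            printf "line %d: two assignments on one line: %s\n", NR, line; bad = 1
        }
        eq = index(line, "=")
        if (eq == 0) { printf "line %d: not KEY=VALUE: %s\n", NR, line; bad = 1; next }
        key = substr(line, 1, eq - 1); val = substr(line, eq + 1)
        seen[key]++
        # every service URL the auth server talks to must be TLS ("none" disables a service)
        if (key ~ /_URL$/ && val != "none" && val !~ /^https:\/\//) {
            printf "line %d: %s is not https: %s\n", NR, key, val; bad = 1
        }
        if (key == "MYSQL_PASSWORD" && val ~ /^(SuperSecretPassword|password|changeme)?$/) {
            printf "line %d: MYSQL_PASSWORD is empty or still the sample value\n", NR; bad = 1
        }
    }
    END {
        for (k in required) if (!(k in seen)) { printf "missing required key: %s\n", k; bad = 1 }
        for (k in seen) if (seen[k] > 1) { printf "key set %d times: %s\n", seen[k], k; bad = 1 }
        exit bad
    }' "$1"
}

# Constructed sample: the guide's values with a pasted-together OAUTH_URL
# line and a plain-http content server left in on purpose, SMTP_HOST omitted.
lint_demo() {
    dir=$(mktemp -d) || return 2
    cat > "$dir/env.dev" <<'EOF'
MYSQL_USER=fxauser
MYSQL_PASSWORD=SuperSecretPassword
MYSQL_DATABASE=fxadb
MYSQL_HOST=localhost
PUBLIC_URL=https://api.accounts.example.com
CONTENT_SERVER_URL=http://accounts.example.com
CUSTOMS_SERVER_URL=none
OAUTH_URL=https://oauth.accounts.example.com OAUTH_URL=oauth.accounts.example.com
SMTP_SENDER='Firefox Accounts <no-reply@example.com>'
EOF
    lint_fxa_env "$dir/env.dev"
    status=$?
    rm -rf "$dir"
    return $status
}

lint_demo || echo "lint reported problems (exit $?)"
```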

 * Start the server in dev MySQL store mode: 
 <pre> 
 sudo -u fxa npm run start-mysql 
 </pre> 
 *NOTE*: Press Ctrl+C to stop the test server. 
 #* A persistent deployment will require pm2: 
 <pre> 
 sudo -u fxa pm2 start npm --name fxa-auth -- run start-mysql 
 </pre> 

 h3. Auth Server Init Script 

 * Create a firefox auth server init script: 
 <pre> 
 vi /usr/local/etc/rc.d/fxa-auth 
 </pre> 
 #* And add the following: 
 <pre> 
 #!/bin/sh 

 # PROVIDE: fxa-auth 
 # REQUIRE: LOGIN mysql 
 # KEYWORD: shutdown 

 . /etc/rc.subr 

 name="fxa_auth" 
 rcvar="${name}_enable" 

 # Read fxa_auth_enable and fxa_auth_env from /etc/rc.conf, then apply defaults 
 load_rc_config $name 
 : ${fxa_auth_enable:="NO"} 
 : ${fxa_auth_path="/usr/local/www/fxa/fxa-auth-server"} 
 : ${fxa_auth_env="dev"} 

 start_cmd="${name}_start" 
 stop_cmd="${name}_stop" 

 fxa_auth_start() { 
    echo "Firefox auth server starting" 
    su - fxa -c "cd ${fxa_auth_path}; /usr/local/bin/pm2 start npm --name ${name} --env ${fxa_auth_env} -- run start-mysql; exit" 
 } 

 fxa_auth_stop() { 
    echo "Firefox auth server stopping" 
    su - fxa -c "/usr/local/bin/pm2 delete ${name}; exit" 
 } 

 run_rc_command "$1" 
 </pre> 

 * And make it executable: 
 <pre> 
 chmod +x /usr/local/etc/rc.d/fxa-auth 
 </pre> 

 * Start and enable the Firefox auth server at boot: 
 <pre> 
 echo 'fxa_auth_enable="YES"' >> /etc/rc.conf 
 service fxa-auth start 
 </pre> 
 #* *NOTE*: If switching the Firefox Account server to production, use the following to start pm2 in the @prod@ environment: 
 <pre> 
 echo 'fxa_auth_env="prod"' >> /etc/rc.conf 
 service fxa-auth restart 
 </pre> 

 h2. Firefox Content Server 

 * Switch to the fxa directory: 
 <pre> 
 cd /usr/local/www/fxa 
 </pre> 

 * Download the firefox content server from GitHub: 
 <pre> 
 sudo -u fxa git clone https://github.com/mozilla/fxa-content-server.git 
 cd fxa-content-server 
 </pre> 

 * Generate a strong secret and copy the output over to the *secret* parameter in the content server's @client_sessions@ config: 
 <pre> 
 head -c 20 /dev/urandom | shasum 
 db8a203aed5fe3e4594d4b75990acb76242efd35 - 
 </pre> 
 *NOTE*: Make sure to copy the output 

 * Create local content server config file: 
 <pre> 
 sudo -u fxa vi server/config/local.json 
 </pre> 
 #* And modify the following values: 
 <pre> 
 { 
   "public_url": "https://accounts.example.com", 
   "fxaccount_url": "https://api.accounts.example.com", 
   "oauth_client_id": "98e6508e88680e1a", 
   "oauth_url": "https://oauth.accounts.example.com", 
   "profile_url": "https://profile.accounts.example.com", 
   "profile_images_url": "https://image.accounts.example.com", 
   "sync_tokenserver_url": "https://sync.accounts.example.com/token", 
   "client_sessions": { 
     "cookie_name": "session", 
     "secret": "8fe72cba641d5c4afbf54127a0fc7bb2cc6618d0", 
     "duration": 86400000 
   }, 
   "env": "development", 
   "use_https": false, 
   "static_max_age" : 0, 
   "route_log_format": "dev_fxa", 
   "logging": { 
     "fmt": "pretty", 
     "level": "debug" 
   }, 
   "static_directory": "app", 
   "allowed_parent_origins": ["/"], 
   "csp": { 
     "enabled": true, 
     "reportUri": "/_/csp-violation" 
   } 
 } 
 </pre> 

 * Back up the content config, and copy the development config over to the content config: 
 <pre> 
 sudo -u fxa cp server/config/content.json server/config/content.json.bak 
 sudo -u fxa cp server/config/local.json server/config/content.json 
 </pre> 

 * Install the content server: 
 <pre> 
 sudo -u fxa npm install 
 </pre> 

 * Test the content server: 
 <pre> 
 sudo -u fxa npm run start-remote 
 </pre> 
 *NOTE*: Press Ctrl+C to stop the test server.  
 #* A persistent deployment will require pm2: 
 <pre> 
 sudo -u fxa pm2 start npm --name fxa-content -- run start-remote 
 </pre> 

 h3. Content Server Init Script 

 * Create a firefox content server init script: 
 <pre> 
 vi /usr/local/etc/rc.d/fxa-content 
 </pre> 
 #* And add the following: 
 <pre> 
 #!/bin/sh 

 # PROVIDE: fxa-content 
 # REQUIRE: LOGIN 
 # KEYWORD: shutdown 

 . /etc/rc.subr 

 name="fxa_content" 
 rcvar="${name}_enable" 

 # Read fxa_content_enable and fxa_content_env from /etc/rc.conf, then apply defaults 
 load_rc_config $name 
 : ${fxa_content_enable:="NO"} 
 : ${fxa_content_path="/usr/local/www/fxa/fxa-content-server"} 
 : ${fxa_content_env="dev"} 

 start_cmd="${name}_start" 
 stop_cmd="${name}_stop" 

 fxa_content_start() { 
    echo "Firefox content server starting" 
    su - fxa -c "cd ${fxa_content_path}; /usr/local/bin/pm2 start npm --name ${name} --env ${fxa_content_env} -- run start-remote; exit" 
 } 

 fxa_content_stop() { 
    echo "Firefox content server stopping" 
    su - fxa -c "/usr/local/bin/pm2 delete ${name}; exit" 
 } 

 run_rc_command "$1" 
 </pre> 

 * And make it executable: 
 <pre> 
 chmod +x /usr/local/etc/rc.d/fxa-content 
 </pre> 

 * Start and enable the Firefox content server at boot: 
 <pre> 
 echo 'fxa_content_enable="YES"' >> /etc/rc.conf 
 service fxa-content start 
 </pre> 

 h2. Install OAuth Server 

 * Switch to the fxa directory: 
 <pre> 
 cd /usr/local/www/fxa 
 </pre> 

 * Download the firefox oauth server from GitHub: 
 <pre> 
 sudo -u fxa git clone https://github.com/mozilla/fxa-oauth-server.git 
 cd fxa-oauth-server 
 </pre> 

 * Edit the development oauth server config: 
 <pre> 
 sudo -u fxa vi config/dev.json 
 </pre> 
 #* And modify the following parameters: 
 <pre> 
   "browserid": { 
     "issuer": "api.accounts.example.com", 
   ... 
   }, 
   "contentUrl": "http://accounts.example.com/oauth/", 
   "db": { 
     "driver": "mysql" 
   }, 
   "mysql": { 
     "user": "fxaoauthuser", 
     "password": "SuperOauthPassword", 
     "database": "fxaoauthdb", 
     "host": "localhost", 
     "port": "3306" 
   }, 
 </pre> 

 * Install the oauth server: 
 <pre> 
 sudo -u fxa npm install 
 </pre> 

 * Test the oauth server: 
 <pre> 
 sudo -u fxa npm start 
 </pre> 
 *NOTE*: Press Ctrl+C to stop the test server. 

 h3. OAuth Server Init Script 

 * Create a firefox oauth server init script: 
 <pre> 
 vi /usr/local/etc/rc.d/fxa-oauth 
 </pre> 
 #* And add the following: 
 <pre> 
 #!/bin/sh 

 # PROVIDE: fxa-oauth 
 # REQUIRE: LOGIN mysql 
 # KEYWORD: shutdown 

 . /etc/rc.subr 

 name="fxa_oauth" 
 rcvar="${name}_enable" 

 # Read fxa_oauth_enable from /etc/rc.conf, then apply the default 
 load_rc_config $name 
 : ${fxa_oauth_enable:="NO"} 

 start_cmd="${name}_start" 
 stop_cmd="${name}_stop" 

 fxa_oauth_start() { 
    echo "Firefox oauth server starting" 
    su - fxa -c "cd /usr/local/www/fxa/fxa-oauth-server; /usr/local/bin/pm2 start npm --name ${name} -- start; exit" 
 } 

 fxa_oauth_stop() { 
    echo "Firefox oauth server stopping" 
    su - fxa -c "/usr/local/bin/pm2 delete ${name}; exit" 
 } 

 run_rc_command "$1" 
 </pre> 

 * And make it executable: 
 <pre> 
 chmod +x /usr/local/etc/rc.d/fxa-oauth 
 </pre> 

 * Start and enable the Firefox oauth server at boot: 
 <pre> 
 echo 'fxa_oauth_enable="YES"' >> /etc/rc.conf 
 service fxa-oauth start 
 </pre> 

 h2. Install Profile Server 

 * Switch to the fxa directory: 
 <pre> 
 cd /usr/local/www/fxa 
 </pre> 

 * Download the firefox profile server from GitHub: 
 <pre> 
 sudo -u fxa git clone https://github.com/mozilla/fxa-profile-server.git 
 cd fxa-profile-server 
 </pre> 

 * Edit the development profile server config: 
 <pre> 
 sudo -u fxa vi config/dev.json 
 </pre> 
 #* And adjust the following values: 
 <pre> 
 { 
   "authServer": { 
     "url": "https://api.accounts.example.com" 
   }, 
   "db": { 
     "driver": "mysql" 
   }, 
   "logging": { 
     "fmt": "pretty", 
     "level": "all", 
     "debug": true 
   }, 
   "img": { 
     "driver": "local" 
   }, 
   "mysql": { 
     "user": "fxaprofileuser", 
     "password": "SuperSuperPassword", 
     "database": "fxaprofiledb", 
     "host": "localhost", 
     "port": "3306" 
   }, 
   "oauth": { 
     "url": "https://oauth.accounts.example.com/v1" 
   }, 
   "customsUrl": "none", 
   "publicUrl": "https://profile.accounts.example.com" 
 } 
 </pre> 

 * Install the profile server: 
 <pre> 
 sudo -u fxa npm install 
 </pre> 

 * Test the profile server: 
 <pre> 
 sudo -u fxa npm start 
 </pre> 
 *NOTE*: Press Ctrl+C to stop the test server. 

 h3. Profile Server Init Script 

 * Create a firefox profile server init script: 
 <pre> 
 vi /usr/local/etc/rc.d/fxa-profile 
 </pre> 
 #* And add the following: 
 <pre> 
 #!/bin/sh 

 # PROVIDE: fxa-profile 
 # REQUIRE: LOGIN mysql 
 # KEYWORD: shutdown 

 . /etc/rc.subr 

 name="fxa_profile" 
 rcvar="${name}_enable" 

 # Read fxa_profile_enable from /etc/rc.conf, then apply the default 
 load_rc_config $name 
 : ${fxa_profile_enable:="NO"} 

 start_cmd="${name}_start" 
 stop_cmd="${name}_stop" 

 fxa_profile_start() { 
    echo "Firefox profile server starting" 
    su - fxa -c "cd /usr/local/www/fxa/fxa-profile-server; /usr/local/bin/pm2 start npm --name ${name} -- start; exit" 
 } 

 fxa_profile_stop() { 
    echo "Firefox profile server stopping" 
    su - fxa -c "/usr/local/bin/pm2 delete ${name}; exit" 
 } 

 run_rc_command "$1" 
 </pre> 

 * And make it executable: 
 <pre> 
 chmod +x /usr/local/etc/rc.d/fxa-profile 
 </pre> 

 * Start and enable the Firefox profile server at boot: 
 <pre> 
 echo 'fxa_profile_enable="YES"' >> /etc/rc.conf 
 service fxa-profile start 
 </pre> 

 h2. Firefox Sync Server 

 * Switch to the fxa directory: 
 <pre> 
 cd /usr/local/www/fxa 
 </pre> 

 * Get the latest version of the syncserver: 
 <pre> 
 sudo -u fxa git clone https://github.com/mozilla-services/syncserver.git 
 cd syncserver 
 </pre> 

 * Build the Sync Server: 
 <pre> 
 sudo -u fxa gmake build 
 </pre> 

 * Generate a strong secret and copy the contents over to the secret parameter in the syncserver config: 
 <pre> 
 head -c 20 /dev/urandom | shasum 
 db8a203aed5fe3e4594d4b75990acb76242efd35 - 
 </pre> 
 *NOTE*: Make sure to copy the output 

 * Edit the syncserver config file: 
 <pre> 
 sudo -u fxa vi syncserver.ini 
 </pre> 
 #* And modify the following values: 
 <pre> 
 [syncserver] 
 public_url = https://sync.accounts.example.com/ 
 sqluri = pymysql://fxasyncuser:SuperDuperPassword@localhost/fxasyncdb 
 secret = e48ee2c1a880c31100b5e3217a438f6c2d115b04 
 </pre> 

 * Test run the syncserver: 
 <pre> 
 sudo -u fxa gmake serve 
 </pre> 
 *NOTE*: Press Ctrl+C to stop the test server. 

 h2. Nginx 

 * Install nginx: 
 <pre> 
 pkg install nginx openssl 
 </pre> 

 * Generate dhparam file: 
 <pre> 
 openssl dhparam -out /usr/local/etc/nginx/dhparam.pem 4096 
 </pre> 

 * Start and enable nginx at boot: 
 <pre> 
 echo 'nginx_enable="YES"' >> /etc/rc.conf 
 service nginx start 
 </pre> 

 * Create a configuration directory to make managing individual server blocks easier: 
 <pre> 
 mkdir /usr/local/etc/nginx/conf.d 
 </pre> 

 * Edit the main nginx config file: 
 <pre> 
 vi /usr/local/etc/nginx/nginx.conf 
 </pre> 
 #* And strip down the config file and add the include statement at the end to make it easier to handle various server blocks: 
 <pre> 
 load_module /usr/local/libexec/nginx/ngx_mail_module.so; 
 load_module /usr/local/libexec/nginx/ngx_stream_module.so; 

 worker_processes    1; 
 error_log    /var/log/nginx-error.log; 

 events { 
   worker_connections    1024; 
 } 

 http { 
   include         mime.types; 
   default_type    application/octet-stream; 
   sendfile          on; 
   keepalive_timeout    65; 

   include /usr/local/etc/nginx/conf.d/*.conf; 
 } 
 </pre> 

 h3. uWSGI 

 * Install uwsgi: 
 <pre> 
 pkg install uwsgi 
 </pre> 

 * Start and enable uwsgi at boot with additional arguments: 
 <pre> 
 echo 'uwsgi_enable="YES"' >> /etc/rc.conf 
 echo 'uwsgi_flags="-M -L --manage-script-name --mount /=/usr/local/www/fxa/syncserver/syncserver.wsgi"' >> /etc/rc.conf 
 service uwsgi start 
 </pre> 
 *NOTE*: Pay attention to the */=* preceding the actual path of the syncserver.wsgi file. 

 h3. Syncserver Nginx Config 

 * Add a *sync.accounts.example.com server block*: 
 <pre> 
 vi /usr/local/etc/nginx/conf.d/sync.accounts.example.com.conf 
 </pre> 
 #* Add the following: 
 <pre> 
 server { 
   listen 80; 
 #    listen 443 ssl;       
   server_name    sync.accounts.example.com; 
   access_log     /var/log/sync.accounts.example.com-access.log; 
   error_log      /var/log/sync.accounts.example.com-error.log; 

 #    ssl_certificate /usr/local/etc/letsencrypt/live/sync.accounts.example.com/fullchain.pem; 
 #    ssl_certificate_key /usr/local/etc/letsencrypt/live/sync.accounts.example.com/privkey.pem; 

   # Configure Strong SSL 
 #    ssl_ciphers 'AES128+EECDH:AES128+EDH:!aNULL'; 
 #    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
 #    ssl_session_cache    builtin:1000    shared:SSL:10m; 
 #    ssl_stapling on; 
 #    ssl_stapling_verify on; 
 #    ssl_prefer_server_ciphers on; 
 #    ssl_dhparam /usr/local/etc/nginx/dhparam.pem; 
 #    add_header Strict-Transport-Security max-age=63072000; 
 #    add_header X-Frame-Options SAMEORIGIN; 
 #    add_header X-Content-Type-Options nosniff; 

   location / { 
     include uwsgi_params; 
     uwsgi_pass unix:/tmp/uwsgi.sock; 
   } 

   ## Add the .well-known location and allow connections from the internet 
   location ~ /.well-known { 
     allow all; 
     root           /usr/local/www/nginx; 
   } 
 } 
 </pre> 

 h3. Content Server Nginx Config 

 * Add a *accounts.example.com server block*: 
 <pre> 
 vi /usr/local/etc/nginx/conf.d/accounts.example.com.conf 
 </pre> 
 #* Add the following: 
 <pre> 
 server { 
   listen 80; 
 #    listen 443 ssl; 
   server_name    accounts.example.com; 
   access_log     /var/log/accounts.example.com-access.log; 
   error_log      /var/log/accounts.example.com-error.log; 

 #    ssl_certificate /usr/local/etc/letsencrypt/live/accounts.example.com/fullchain.pem; 
 #    ssl_certificate_key /usr/local/etc/letsencrypt/live/accounts.example.com/privkey.pem; 

   # Configure Strong SSL 
 #    ssl_ciphers 'AES128+EECDH:AES128+EDH:!aNULL'; 
 #    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
 #    ssl_session_cache    builtin:1000    shared:SSL:10m; 
 #    ssl_stapling on; 
 #    ssl_stapling_verify on; 
 #    ssl_prefer_server_ciphers on; 
 #    ssl_dhparam /usr/local/etc/nginx/dhparam.pem; 
 #    add_header Strict-Transport-Security max-age=63072000; 
 #    add_header X-Frame-Options SAMEORIGIN; 
 #    add_header X-Content-Type-Options nosniff; 

   location / { 
     proxy_set_header Host $http_host; 
     proxy_set_header X-Forwarded-Proto $scheme; 
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
     proxy_set_header X-Real-IP $remote_addr; 
     proxy_redirect off; 
     proxy_read_timeout 120; 
     proxy_connect_timeout 10; 
     proxy_pass http://127.0.0.1:3030/; 
   } 

   ## Add the .well-known location and allow connections from the internet 
   location ~ /.well-known { 
     allow all; 
     root           /usr/local/www/nginx; 
   } 
 } 
 </pre> 

 h3. Auth Server Nginx Config 

 * Add a *api.accounts.example.com server block*: 
 <pre> 
 vi /usr/local/etc/nginx/conf.d/api.accounts.example.com.conf 
 </pre> 
 #* Add the following: 
 <pre> 
 server { 
   listen 80; 
 #    listen 443 ssl; 
   server_name    api.accounts.example.com; 
   access_log     /var/log/api.accounts.example.com-access.log; 
   error_log      /var/log/api.accounts.example.com-error.log; 

 #    ssl_certificate /usr/local/etc/letsencrypt/live/api.accounts.example.com/fullchain.pem; 
 #    ssl_certificate_key /usr/local/etc/letsencrypt/live/api.accounts.example.com/privkey.pem; 

   # Configure Strong SSL 
 #    ssl_ciphers 'AES128+EECDH:AES128+EDH:!aNULL'; 
 #    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
 #    ssl_session_cache    builtin:1000    shared:SSL:10m; 
 #    ssl_stapling on; 
 #    ssl_stapling_verify on; 
 #    ssl_prefer_server_ciphers on; 
 #    ssl_dhparam /usr/local/etc/nginx/dhparam.pem; 
 #    add_header Strict-Transport-Security max-age=63072000; 
 #    add_header X-Frame-Options SAMEORIGIN; 
 #    add_header X-Content-Type-Options nosniff; 

   location / { 
     proxy_set_header Host $http_host; 
     proxy_set_header X-Forwarded-Proto $scheme; 
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
     proxy_set_header X-Real-IP $remote_addr; 
     proxy_redirect off; 
     proxy_read_timeout 120; 
     proxy_connect_timeout 10; 
     proxy_pass http://127.0.0.1:9000/; 
   } 

   ## Add the .well-known location and allow connections from the internet 
   location ~ /.well-known { 
     allow all; 
     root           /usr/local/www/nginx; 
   } 
 } 
 </pre> 

 h3. OAuth Server Nginx Config 

 * Add a *oauth.accounts.example.com server block*: 
 <pre> 
 vi /usr/local/etc/nginx/conf.d/oauth.accounts.example.com.conf 
 </pre> 
 #* Add the following: 
 <pre> 
 server { 
   listen 80; 
 #    listen 443 ssl; 
   server_name    oauth.accounts.example.com; 
   access_log     /var/log/oauth.accounts.example.com-access.log; 
   error_log      /var/log/oauth.accounts.example.com-error.log; 

 #    ssl_certificate /usr/local/etc/letsencrypt/live/oauth.accounts.example.com/fullchain.pem; 
 #    ssl_certificate_key /usr/local/etc/letsencrypt/live/oauth.accounts.example.com/privkey.pem; 

   # Configure Strong SSL 
 #    ssl_ciphers 'AES128+EECDH:AES128+EDH:!aNULL'; 
 #    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
 #    ssl_session_cache    builtin:1000    shared:SSL:10m; 
 #    ssl_stapling on; 
 #    ssl_stapling_verify on; 
 #    ssl_prefer_server_ciphers on; 
 #    ssl_dhparam /usr/local/etc/nginx/dhparam.pem; 
 #    add_header Strict-Transport-Security max-age=63072000; 
 #    add_header X-Frame-Options SAMEORIGIN; 
 #    add_header X-Content-Type-Options nosniff; 

   location / { 
     proxy_set_header Host $http_host; 
     proxy_set_header X-Forwarded-Proto $scheme; 
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
     proxy_set_header X-Real-IP $remote_addr; 
     proxy_redirect off; 
     proxy_read_timeout 120; 
     proxy_connect_timeout 10; 
     proxy_pass http://127.0.0.1:9010/; 
   } 

   ## Add the .well-known location and allow connections from the internet 
   location ~ /.well-known { 
     allow all; 
     root           /usr/local/www/nginx; 
   } 
 } 
 </pre> 

 h3. Profile Server Nginx Config 

 * Add a *profile.accounts.example.com server block*: 
 <pre> 
 vi /usr/local/etc/nginx/conf.d/profile.accounts.example.com.conf 
 </pre> 
 #* Add the following: 
 <pre> 
 server { 
   listen 80; 
 #    listen 443 ssl; 
   server_name    profile.accounts.example.com; 
   access_log     /var/log/profile.accounts.example.com-access.log; 
   error_log      /var/log/profile.accounts.example.com-error.log; 

 #    ssl_certificate /usr/local/etc/letsencrypt/live/profile.accounts.example.com/fullchain.pem; 
 #    ssl_certificate_key /usr/local/etc/letsencrypt/live/profile.accounts.example.com/privkey.pem; 

   # Configure Strong SSL 
 #    ssl_ciphers 'AES128+EECDH:AES128+EDH:!aNULL'; 
 #    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
 #    ssl_session_cache    builtin:1000    shared:SSL:10m; 
 #    ssl_stapling on; 
 #    ssl_stapling_verify on; 
 #    ssl_prefer_server_ciphers on; 
 #    ssl_dhparam /usr/local/etc/nginx/dhparam.pem; 
 #    add_header Strict-Transport-Security max-age=63072000; 
 #    add_header X-Frame-Options SAMEORIGIN; 
 #    add_header X-Content-Type-Options nosniff; 

   location / { 
     proxy_set_header Host $http_host; 
     proxy_set_header X-Forwarded-Proto $scheme; 
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
     proxy_set_header X-Real-IP $remote_addr; 
     proxy_redirect off; 
     proxy_read_timeout 120; 
     proxy_connect_timeout 10; 
     proxy_pass http://127.0.0.1:1111/; 
   } 

   ## Add the .well-known location and allow connections from the internet 
   location ~ /.well-known { 
     allow all; 
     root           /usr/local/www/nginx; 
   } 
 } 
 </pre> 

 h3. Profile Image Server Nginx Config 

 * Add a *image.accounts.example.com server block*: 
 <pre> 
 vi /usr/local/etc/nginx/conf.d/image.accounts.example.com.conf 
 </pre> 
 #* Add the following: 
 <pre> 
 server { 
   listen 80; 
 #    listen 443 ssl; 
   server_name    image.accounts.example.com; 
   access_log     /var/log/image.accounts.example.com-access.log; 
   error_log      /var/log/image.accounts.example.com-error.log; 

 #    ssl_certificate /usr/local/etc/letsencrypt/live/image.accounts.example.com/fullchain.pem; 
 #    ssl_certificate_key /usr/local/etc/letsencrypt/live/image.accounts.example.com/privkey.pem; 

   # Configure Strong SSL 
 #    ssl_ciphers 'AES128+EECDH:AES128+EDH:!aNULL'; 
 #    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
 #    ssl_session_cache    builtin:1000    shared:SSL:10m; 
 #    ssl_stapling on; 
 #    ssl_stapling_verify on; 
 #    ssl_prefer_server_ciphers on; 
 #    ssl_dhparam /usr/local/etc/nginx/dhparam.pem; 
 #    add_header Strict-Transport-Security max-age=63072000; 
 #    add_header X-Frame-Options SAMEORIGIN; 
 #    add_header X-Content-Type-Options nosniff; 

   location / { 
     proxy_set_header Host $http_host; 
     proxy_set_header X-Forwarded-Proto $scheme; 
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
     proxy_set_header X-Real-IP $remote_addr; 
     proxy_redirect off; 
     proxy_read_timeout 120; 
     proxy_connect_timeout 10; 
     proxy_pass http://127.0.0.1:1112/; 
   } 

   ## Add the .well-known location and allow connections from the internet 
   location ~ /.well-known { 
     allow all; 
     root           /usr/local/www/nginx; 
   } 
 } 
 </pre> 

 * Restart nginx: 
 <pre> 
 service nginx restart 
 </pre> 

 h3. LetsEncrypt 

 * Install letsencrypt: 
 <pre> 
 pkg install py27-certbot 
 </pre> 

 * Create a directory for letsencrypt site configs: 
 <pre> 
 mkdir /usr/local/etc/letsencrypt/config 
 </pre> 

 * Create the *content* server letsencrypt config: 
 <pre> 
 vi /usr/local/etc/letsencrypt/config/accounts.example.com.conf 
 </pre> 
 #* And add the following: 
 <pre> 
 domains = accounts.example.com 
 rsa-key-size = 4096 
 server = https://acme-v01.api.letsencrypt.org/directory 
 email = bob@example.com 
 text = True 
 agree-tos 
 authenticator = webroot 
 webroot-path = /usr/local/www/nginx 
 </pre> 

 * Create the *content* server SSL key and certificate: 
 <pre> 
 certbot certonly -c /usr/local/etc/letsencrypt/config/accounts.example.com.conf 
 </pre> 

 * Create the *auth* server letsencrypt config: 
 <pre> 
 vi /usr/local/etc/letsencrypt/config/api.accounts.example.com.conf 
 </pre> 
 #* And add the following: 
 <pre> 
 domains = api.accounts.example.com 
 rsa-key-size = 4096 
 server = https://acme-v01.api.letsencrypt.org/directory 
 email = bob@example.com 
 text = True 
 agree-tos 
 authenticator = webroot 
 webroot-path = /usr/local/www/nginx 
 </pre> 

 * Create the *auth* server SSL key and certificate: 
 <pre> 
 certbot certonly -c /usr/local/etc/letsencrypt/config/api.accounts.example.com.conf 
 </pre> 

 * Create the *oauth* server letsencrypt config: 
 <pre> 
 vi /usr/local/etc/letsencrypt/config/oauth.accounts.example.com.conf 
 </pre> 
 #* And add the following: 
 <pre> 
 domains = oauth.accounts.example.com 
 rsa-key-size = 4096 
 server = https://acme-v01.api.letsencrypt.org/directory 
 email = bob@example.com 
 text = True 
 agree-tos 
 authenticator = webroot 
 webroot-path = /usr/local/www/nginx 
 </pre> 

 * Create the *oauth* server SSL key and certificate: 
 <pre> 
 certbot certonly -c /usr/local/etc/letsencrypt/config/oauth.accounts.example.com.conf 
 </pre> 

 * Create the *profile* server letsencrypt config: 
 <pre> 
 vi /usr/local/etc/letsencrypt/config/profile.accounts.example.com.conf 
 </pre> 
 #* And add the following: 
 <pre> 
 domains = profile.accounts.example.com 
 rsa-key-size = 4096 
 server = https://acme-v01.api.letsencrypt.org/directory 
 email = bob@example.com 
 text = True 
 agree-tos 
 authenticator = webroot 
 webroot-path = /usr/local/www/nginx 
 </pre> 

 * Create the *profile* server SSL key and certificate: 
 <pre> 
 certbot certonly -c /usr/local/etc/letsencrypt/config/profile.accounts.example.com.conf 
 </pre> 

 * Create the *profile image* server letsencrypt config: 
 <pre> 
 vi /usr/local/etc/letsencrypt/config/image.accounts.example.com.conf 
 </pre> 
 #* And add the following: 
 <pre> 
 domains = image.accounts.example.com 
 rsa-key-size = 4096 
 server = https://acme-v01.api.letsencrypt.org/directory 
 email = bob@example.com 
 text = True 
 agree-tos 
 authenticator = webroot 
 webroot-path = /usr/local/www/nginx 
 </pre> 

 * Create the *profile image* server SSL key and certificate: 
 <pre> 
 certbot certonly -c /usr/local/etc/letsencrypt/config/image.accounts.example.com.conf 
 </pre> 

 * Create the *sync* server letsencrypt config: 
 <pre> 
 vi /usr/local/etc/letsencrypt/config/sync.accounts.example.com.conf 
 </pre> 
 #* And add the following: 
 <pre> 
 domains = sync.accounts.example.com 
 rsa-key-size = 4096 
 server = https://acme-v01.api.letsencrypt.org/directory 
 email = bob@example.com 
 text = True 
 agree-tos 
 authenticator = webroot 
 webroot-path = /usr/local/www/nginx 
 </pre> 

 * Create the *sync* server SSL key and certificate: 
 <pre> 
 certbot certonly -c /usr/local/etc/letsencrypt/config/sync.accounts.example.com.conf 
 </pre> 

 * Now that the certificates exist, edit each of the nginx server block configs and *uncomment* the SSL parameters (the @listen 443 ssl@, @ssl_*@ and @add_header@ lines) by removing the leading @#@; run @nginx -t@ to check the result before restarting. 

 * Restart nginx: 
 <pre> 
 service nginx restart 
 </pre> 
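An added audit for the server blocks in @conf.d@ after the step above (example code written for this page, not part of nginx or the Firefox Accounts projects). It assumes POSIX sh and awk and uses constructed sample blocks, one of them in the inverted listen/server_name state the oauth block is easy to end up in; it reports a @listen 443 ssl@ without an active @ssl_certificate@, a TLS listener still commented out, a commented-out @server_name@, @ssl_protocols@ that still admit TLSv1/TLSv1.1, and a TLS listener with no HSTS header.

```shell
# Added example, not part of the original guide: audit each conf.d/*.conf
# server block for the TLS state this guide leaves it in. One finding per
# line; exit status 1 if any block needs attention.

audit_nginx_tls() {
    confdir="$1"; rc=0
    for f in "$confdir"/*.conf; do
        [ -f "$f" ] || continue
        awk -v f="$f" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line ~ /^#/ {                        # commented-out directives still tell a story
            if (line ~ /^#[ \t]*listen[ \t]+443/) c443 = 1
            if (line ~ /^#[ \t]*server_name[ \t]/) csn = 1
            next
        }
        line ~ /^listen[ \t]+443[ \t]+ssl/                          { l443 = 1 }
        line ~ /^server_name[ \t]/                                   { sn = 1 }
        line ~ /^ssl_certificate[ \t]/                               { cert = 1 }
        line ~ /^ssl_protocols[ \t]/ && line ~ /TLSv1([ \t;]|\.1)/   { legacy = 1 }
        line ~ /^add_header[ \t]+Strict-Transport-Security/          { hsts = 1 }
        END {
            bad = 0
            if (l443 && !cert)  { print f ": listen 443 ssl without an active ssl_certificate (nginx will refuse this config)"; bad = 1 }
            if (!l443 && c443)  { print f ": TLS listener still commented out; uncomment the ssl lines once the certificate exists"; bad = 1 }
            if (!sn && csn)     { print f ": server_name is commented out, so nginx cannot match this block by host"; bad = 1 }
            if (l443 && legacy) { print f ": ssl_protocols still allows TLSv1/TLSv1.1"; bad = 1 }
            if (l443 && !hsts)  { print f ": TLS listener without a Strict-Transport-Security header"; bad = 1 }
            exit bad
        }' "$f" || rc=1
    done
    return $rc
}

# Constructed sample directory: an inverted oauth-style block, a block still
# on plain http, and a fully enabled block. Paths are placeholders.
audit_demo() {
    dir=$(mktemp -d) || return 2
    cat > "$dir/oauth.conf" <<'EOF'
server {
  listen 80;
  listen 443 ssl;
#    server_name    oauth.accounts.example.com;
#    ssl_certificate /usr/local/etc/letsencrypt/live/oauth.accounts.example.com/fullchain.pem;
#    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
EOF
    cat > "$dir/sync.conf" <<'EOF'
server {
  listen 80;
#    listen 443 ssl;
  server_name    sync.accounts.example.com;
#    ssl_certificate /usr/local/etc/letsencrypt/live/sync.accounts.example.com/fullchain.pem;
}
EOF
    cat > "$dir/api.conf" <<'EOF'
server {
  listen 80;
  listen 443 ssl;
  server_name    api.accounts.example.com;
  ssl_certificate /usr/local/etc/letsencrypt/live/api.accounts.example.com/fullchain.pem;
  ssl_certificate_key /usr/local/etc/letsencrypt/live/api.accounts.example.com/privkey.pem;
  ssl_protocols TLSv1.2;
  add_header Strict-Transport-Security max-age=63072000;
}
EOF
    audit_nginx_tls "$dir"
    status=$?
    rm -rf "$dir"
    return $status
}

audit_demo || echo "audit reported problems (exit $?)"
```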

 h2. Connect Firefox 

 In desktop Firefox, enter “about:config” in the URL bar, search for items containing “fxaccounts”, and edit them to use your self-hosted URLs: 

 * Use your auth-server URL to replace “api.accounts.firefox.com” in the following settings: 
 *# identity.fxaccounts.auth.uri 
 * Use your content-server URL to replace “accounts.firefox.com” in the following settings: 
 *# identity.fxaccounts.remote.signin.uri 
 *# identity.fxaccounts.remote.signup.uri 
 *# identity.fxaccounts.remote.force_auth.uri 
 *# identity.fxaccounts.settings.uri 

 * Use your content-server URL to replace “accounts.firefox.com” in the following settings: 
 *# identity.fxaccounts.remote.webchannel.uri 
 *# webchannel.allowObject.urlWhitelist 
 * Optionally, use your oauth- and profile-server URLs to replace “oauth.accounts.firefox.com” and “profile.accounts.firefox.com” in the following settings: 
 *# identity.fxaccounts.remote.profile.uri 
 *# identity.fxaccounts.remote.oauth.uri 

 * To configure desktop Firefox to talk to your new Sync server, go to “about:config”, search for “identity.sync.tokenserver.uri” and change its value to the URL of your server with a path of “token/1.0/sync/1.5”: 
 *# identity.sync.tokenserver.uri: https://sync.accounts.example.com/token/1.0/sync/1.5 

 h2. Resources 

 * https://docs.services.mozilla.com/howtos/run-fxa.html 
 * https://docs.services.mozilla.com/howtos/run-sync-1.5.html 
 * https://github.com/mozilla/fxa-auth-server/ 
 * https://github.com/mozilla/fxa-content-server/ 
 * https://github.com/mozilla/fxa-oauth-server/ 
 * https://github.com/mozilla/fxa-profile-server/
