Creating a simple Firefox/Thunderbird update server with Apache and PHP
The goal of this document is to provide basic instructions on setting up your own update server.
Firefox provides update services by using a REST web service - it goes to a URL and if an XML file is present at that URL, that XML file describes the update that is available.
First, let's talk about the format of the URL. Here is the URL used for upgrading from Firefox 3.5.2 to Firefox 3.5.3:
- Windows
https://aus2.mozilla.org/update/3/Fi...ult/update.xml
- Mac OS X
https://aus2.mozilla.org/update/3/Fi...ult/update.xml
The URL format looks like this:
https://aus2.mozilla.org/update/3/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml
This URL can be displayed in the browser via about:config
as app.update.url
, but to change it, you must create a new string preference called app.update.url.override
that contains your new value.
For our example, we are actually going to place the update.xml
on the server in the fully qualified path specified by the update URL. So in the root of your web server, create the path:
mkdir -p update.dir/3/Firefox/3.5.2/20090729225027/WINNT_x86-msvc/en-US/release/Windows_NT\ 6.0/default/default
Grab the update.xml
file from aus2.mozilla.org and place it under the lowest default
directory:
<?xml version="1.0"?> <updates> <update type="minor" version="3.5.3" extensionVersion="3.5.3" buildID="20090824101458" detailsURL="https://www.mozilla.com/en-US/firefox/3.5.3/releasenotes/"> <patch type="complete" URL="https://download.mozilla.org/?product=firefox-3.5.3-complete&os=win&lang=en-US" hashFunction="SHA512" hashValue="f8abbaea98bd453b651c24025dbb8cea5908e532ca64ad7150e88778ccb77c0325341c0fecbec37f31f31cdf7e13955c28140725282d2ce7c4a37c89a25319a1" size="10728423"/> <patch type="partial" URL="https://download.mozilla.org/?product=firefox-3.5.3-partial-3.5.2&os=win&lang=en-US" hashFunction="SHA512" hashValue="20b133f1bd2025360bda8ef0c53132a5806dbd0606e0fe7c6d1291d1392532cc960262f87b0c7d4fbe8f9bc9fba64ed28ecd89b664c17f51f98acdd76b26ea6a" size="2531877"/> </update> </updates>
If you would like to serve these builds from your server instead of download.mozilla.org, copy them to your server and edit the update.xml
file to change the URLs.
Next, we have to configure your Apache server so that we can create a PHP file to handle the web service.
First in httpd.conf
, ensure that AllowOverride
is set to FileInfo
for the root directory. Next, add the following to your .htaccess
file (you might have to create it) in your root directory:
<FILES update> ForceType application/x-httpd-php </FILES>
This tells the web server to treat update
as a PHP file. Now create the PHP file called update
in your root directory:
<?php header("Content-type: text/xml"); $path = preg_replace('/^\/update/', 'update.dir', urldecode($_SERVER["REQUEST_URI"])); echo (file_exists($path)) ? file_get_contents($path) : '<?xml version="1.0"?><updates></updates>'; ?>
Now if you go to the following URL, you should see the XML content.
https://localhost/update/3/Firefox/3.5.2/20090729225027/WINNT_x86-msvc/en-US/release/Windows_NT%206.0/default/default/update.xml
Finally, set the app.update.url.override
preference to the following URL via about:config
(or MCD), then choose Check for Updates from Help menu. You should get an update if available.
https://localhost/update/3/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml
Security Considerations
You may notice that the default Firefox update URL above uses HTTPS and is served over SSL. SSL does put extra load on the server and you may be tempted to use normal HTTP — don't!
Every user will ping the update server regularly whether there's an update or not (once a day by default). Any user who connects from outside your protected network--particularly from a public WiFi hotspot — can potentially have their connection hijacked and be fed a malicious update. SSL protects against this attack. The update.xml
files are small, don't sweat the SSL overhead.
The large updates themselves can be safely served from a non-secure server because the update files contain a hash that the client will verify. The hash can be trusted only if the update.xml
is served securely.