Please note, this is a STATIC archive of website developer.mozilla.org from November 2016, cach3.com does not collect or store any user information, there is no "phishing" involved.

Setting up an update server

Creating a simple Firefox/Thunderbird update server with Apache and PHP

The goal of this document is to provide basic instructions on setting up your own update server.

Firefox provides update services by using a REST web service - it goes to a URL and if an XML file is present at that URL, that XML file describes the update that is available.

First, let's talk about the format of the URL. Here is the URL used for upgrading from Firefox 3.5.2 to Firefox 3.5.3:

Windows
https://aus2.mozilla.org/update/3/Fi...ult/update.xml
Mac OS X
https://aus2.mozilla.org/update/3/Fi...ult/update.xml

The URL format looks like this:

https://aus2.mozilla.org/update/3/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml

This URL can be displayed in the browser via about:config as app.update.url, but to change it, you must create a new string preference called app.update.url.override that contains your new value.

For our example, we are actually going to place the update.xml on the server in the fully qualified path specified by the update URL. So in the root of your web server, create the path:

mkdir -p update.dir/3/Firefox/3.5.2/20090729225027/WINNT_x86-msvc/en-US/release/Windows_NT\ 6.0/default/default

Grab the update.xml file from aus2.mozilla.org and place it under the lowest default directory:

<?xml version="1.0"?>
<updates>
    <update type="minor" version="3.5.3" extensionVersion="3.5.3" buildID="20090824101458" detailsURL="https://www.mozilla.com/en-US/firefox/3.5.3/releasenotes/">
        <patch type="complete" URL="https://download.mozilla.org/?product=firefox-3.5.3-complete&os=win&lang=en-US" hashFunction="SHA512" hashValue="f8abbaea98bd453b651c24025dbb8cea5908e532ca64ad7150e88778ccb77c0325341c0fecbec37f31f31cdf7e13955c28140725282d2ce7c4a37c89a25319a1" size="10728423"/>
        <patch type="partial" URL="https://download.mozilla.org/?product=firefox-3.5.3-partial-3.5.2&os=win&lang=en-US" hashFunction="SHA512" hashValue="20b133f1bd2025360bda8ef0c53132a5806dbd0606e0fe7c6d1291d1392532cc960262f87b0c7d4fbe8f9bc9fba64ed28ecd89b664c17f51f98acdd76b26ea6a" size="2531877"/>
    </update>
</updates>

If you would like to serve these builds from your server instead of download.mozilla.org, copy them to your server and edit the update.xml file to change the URLs.

Next, we have to configure your Apache server so that we can create a PHP file to handle the web service.

First in httpd.conf, ensure that AllowOverride is set to FileInfo for the root directory. Next, add the following to your .htaccess file (you might have to create it) in your root directory:

<FILES update>
ForceType application/x-httpd-php
</FILES>

This tells the web server to treat update as a PHP file. Now create the PHP file called update in your root directory:

<?php
header("Content-type: text/xml");
$path = preg_replace('/^\/update/', 'update.dir', urldecode($_SERVER["REQUEST_URI"]));
echo (file_exists($path)) ? file_get_contents($path) : '<?xml version="1.0"?><updates></updates>';
?>

Now if you go to the following URL, you should see the XML content.

https://localhost/update/3/Firefox/3.5.2/20090729225027/WINNT_x86-msvc/en-US/release/Windows_NT%206.0/default/default/update.xml

Finally, set the app.update.url.override preference to the following URL via about:config (or MCD), then choose Check for Updates from Help menu. You should get an update if available.

https://localhost/update/3/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml

Security Considerations

You may notice that the default Firefox update URL above uses HTTPS and is served over SSL. SSL does put extra load on the server and you may be tempted to use normal HTTP — don't!

Every user will ping the update server regularly whether there's an update or not (once a day by default). Any user who connects from outside your protected network--particularly from a public WiFi hotspot — can potentially have their connection hijacked and be fed a malicious update. SSL protects against this attack. The update.xml files are small, don't sweat the SSL overhead.

The large updates themselves can be safely served from a non-secure server because the update files contain a hash that the client will verify. The hash can be trusted only if the update.xml is served securely.

See Also

Document Tags and Contributors

Tags: 
 Contributors to this page: Kohei, entie, The Hunter, Dveditz, MKaply
 Last updated by: Kohei,