kaipee
Basic instructions here, will tidy up/format later
1. Install Firefox Sync v1.5
2. Configure FFsync
   a. Generate secure hash
   b. Edit syncserver.ini
3. Start FFsync
4. Install NGINX
5. Configure NGINX
   a. Edit nginx.conf
6. Start NGINX
7. Browse to https://YOUR_DOMAIN:YOUR_SSL_PORT/token/1.0/sync/1.5 and check it returns an output
Install Firefox Sync v1.5
Code:
# Update the jail's packages and install the build/runtime dependencies
pkg update
pkg upgrade
pkg install nano gmake python py27-pip py27-virtualenv py27-sqlite3 git
# Directories for the sync server checkout and its logs
mkdir -p /usr/local/www/ffsync/logs
cd /usr/local/www/ffsync
git clone https://github.com/mozilla-services/syncserver
cd ./syncserver
# Builds the virtualenv under ./local and then starts a foreground test server;
# stop it with Ctrl-C once it comes up (gunicorn is started as a daemon further down)
gmake serve
Configure FFsync
Generate secure hash
head -c 20 /dev/urandom | shasum
Save this hash; it becomes the secret value in your ffsync config.
Edit syncserver.ini
/usr/local/www/ffsync/syncserver/syncserver.ini
Code:
[server:main]
use = egg:gunicorn
# Bind to loopback only; nginx is the only client that should reach gunicorn
host = 127.0.0.1
port = FFSYNC_PORT
workers = 2
timeout = 60
# Whose X-Forwarded-* headers gunicorn trusts. With host = 127.0.0.1 only local
# processes can reach it, so "*" is tolerable; "127.0.0.1" is the tighter choice.
forwarded_allow_ips = *

[app:main]
use = egg:syncserver

[syncserver]
# This must be edited to point to the public URL of your server,
# i.e. the URL as seen by Firefox.
public_url = https://YOUR_DOMAIN:YOUR_SSL_PORT

# This defines the database in which to store all server data.
# Point it wherever you want to keep your DB; /tmp is not a durable location
# for the only copy of your sync data.
sqluri = sqlite:////tmp/syncserver.db

# This is a secret key used for signing authentication tokens.
# It should be long and randomly-generated.
# The following command will give a suitable value on *nix systems
# (use shasum instead of sha1sum on FreeBSD):
#
#    head -c 20 /dev/urandom | sha1sum
#
# If not specified then the server will generate a temporary one at startup.
secret = YOUR_SECRET_HASH

# Set this to "false" to disable new-user signups on the server.
# Only requests by existing accounts will be honoured.
# Note: your own Firefox account counts as a new user until it has connected
# once, so leave this "true" for the first sync and then switch it to "false".
allow_new_users = false

# Set this to "true" to work around a mismatch between public_url and
# the application URL as seen by python, which can happen in certain reverse-
# proxy hosting setups. It will overwrite the WSGI environ dict with the
# details from public_url. This could have security implications if e.g.
# you tell the app that it's on HTTPS but it's really on HTTP, so it should
# only be used as a last resort and after careful checking of server config.
force_wsgi_environ = true

# Uncomment and edit the following to use a local BrowserID verifier
# rather than posting assertions to the mozilla-hosted verifier.
# Audiences should be set to your public_url without a trailing slash.
#[browserid]
#backend = tokenserver.verifiers.LocalVerifier
#audiences = https://localhost:5000
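Before starting gunicorn it is worth checking the edited ini for the mistakes that quietly weaken the setup (placeholder secret left in, signups open, DB in /tmp, public_url not https). The script below is an added example, not part of the original post or of the syncserver project; it uses only the option names that appear in syncserver.ini above, reproduces the "head -c 20 /dev/urandom | shasum" secret generation in Python, and runs against a constructed sample ini.

```python
"""Sanity-check a syncserver.ini before starting gunicorn.

Added example, not part of the original post or of mozilla-services/syncserver.
It parses the ini with configparser and reports settings that make the sync
server weaker than intended. SAMPLE_INI below is constructed for illustration.
"""
import configparser
import hashlib
import os


def generate_secret() -> str:
    """Same recipe as `head -c 20 /dev/urandom | shasum`: 20 random bytes, SHA-1 hex."""
    return hashlib.sha1(os.urandom(20)).hexdigest()


def check_syncserver_ini(text: str) -> list:
    """Return a list of problems found in the ini text (empty list = looks fine)."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    problems = []

    server = cfg["server:main"] if cfg.has_section("server:main") else {}
    sync = cfg["syncserver"] if cfg.has_section("syncserver") else {}

    # gunicorn must only be reachable through nginx, so it should bind to loopback
    if server.get("host", "") not in ("127.0.0.1", "localhost"):
        problems.append("server:main host should be 127.0.0.1 (nginx proxies to it)")

    # Firefox talks to public_url; without https the auth tokens travel in the clear
    if not sync.get("public_url", "").startswith("https://"):
        problems.append("public_url must be an https:// URL")

    # A missing, placeholder or short secret means a weak token-signing key
    secret = sync.get("secret", "")
    if secret in ("", "YOUR_SECRET_HASH") or len(secret) < 40:
        problems.append("secret is missing, still the placeholder, or shorter than a SHA-1 hex digest")

    # Open signups let anyone who finds the URL store data on your server
    if sync.get("allow_new_users", "true").lower() != "false":
        problems.append("allow_new_users should be false once your own account has connected")

    # /tmp is not a durable place for the only copy of the sync database
    if "/tmp/" in sync.get("sqluri", ""):
        problems.append("sqluri points into /tmp; use a persistent path")

    return problems


# Constructed sample: the post's template with the secret and DB path left as-is
SAMPLE_INI = """\
[server:main]
use = egg:gunicorn
host = 127.0.0.1
port = 5000
workers = 2

[app:main]
use = egg:syncserver

[syncserver]
public_url = https://sync.example.org:8443
sqluri = sqlite:////tmp/syncserver.db
secret = YOUR_SECRET_HASH
allow_new_users = false
force_wsgi_environ = true
"""

if __name__ == "__main__":
    for problem in check_syncserver_ini(SAMPLE_INI):
        print("WARN:", problem)
    print("a fresh secret:", generate_secret())
```

Run it against the real file with `check_syncserver_ini(open("/usr/local/www/ffsync/syncserver/syncserver.ini").read())`; an empty list means none of the checks above fired.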
Start FFsync
/usr/local/www/ffsync/syncserver/local/bin/gunicorn --daemon --log-file=/usr/local/www/ffsync/logs/ffsync.log --paste /usr/local/www/ffsync/syncserver/syncserver.ini
Install NGINX
Code:
pkg install nginx
mkdir -p /usr/local/etc/nginx/logs    # put your logs here
mkdir -p /usr/local/etc/nginx/certs   # put your SSL certs here
# Enable nginx at boot (same as adding nginx_enable="YES" to /etc/rc.conf with nano)
sysrc nginx_enable="YES"
Configure NGINX
Edit
/usr/local/etc/nginx/nginx.conf
Code:
worker_processes 4;

events {
    worker_connections 1024;
    multi_accept on;
}

http {
    include mime.types;
    default_type application/octet-stream;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    client_body_timeout 30;
    client_header_timeout 30;
    send_timeout 30;
    client_max_body_size 64m;

    error_log /usr/local/etc/nginx/logs/error.log warn;
    access_log /usr/local/etc/nginx/logs/access.log;

    gzip on;
    # Hide the nginx version in the Server header and error pages
    server_tokens off;

    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Xss-Protection "1; mode=block" always;

    server {
        listen YOUR_SSL_PORT ssl;
        server_name YOUR_SUB.DOMAIN.TLD localhost YOUR_SERVER_IP;

        # Same directory as created in the "Install NGINX" step
        ssl_certificate /usr/local/etc/nginx/certs/YOUR_CERT.crt;
        ssl_certificate_key /usr/local/etc/nginx/certs/YOUR_KEY.key;
        ssl_trusted_certificate /usr/local/etc/nginx/certs/YOUR_BUNDLE.crt;

        ssl_session_cache shared:SSL:50m;
        ssl_session_timeout 5m;
        # TLSv1 and TLSv1.1 are only there for very old clients; current Firefox
        # negotiates TLSv1.2, so drop them if nothing else needs them
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
        ssl_prefer_server_ciphers on;
        # OCSP stapling needs a resolver to reach the CA's OCSP responder
        ssl_stapling on;
        resolver 8.8.8.8;

        # nginx does NOT inherit add_header from the http block once a server block
        # defines any add_header of its own, so the three headers above must be
        # repeated here or they silently disappear from every response
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Xss-Protection "1; mode=block" always;
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

        location / {
            proxy_set_header Host $http_host;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_redirect off;
            proxy_read_timeout 120;
            proxy_connect_timeout 10;
            # The gunicorn port from syncserver.ini, reachable on loopback only
            proxy_pass http://127.0.0.1:FFSYNC_PORT/;
        }
    }
}
Start NGINX
service nginx start
Browse to https://YOUR_DOMAIN:YOUR_SSL_PORT/token/1.0/sync/1.5 and check it returns an output
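"Check it returns an output" is easier to judge with a script than by eye: the interesting questions are whether the token endpoint answers at all (an unauthenticated request gets a 401 JSON error from the token server; a 404 means nginx is not proxying the path, a 5xx that gunicorn is not up) and whether the security headers from nginx.conf actually arrive. The script below is an added example, not part of the original post; evaluate_response() is a pure function so it can be tested offline on the constructed SAMPLE_HEADERS, and fetch_and_check() wraps it with urllib for a live run against your own https://YOUR_DOMAIN:YOUR_SSL_PORT.

```python
"""Verify what the published sync endpoint really returns.

Added example, not part of the original post. evaluate_response() judges a
(status, headers) pair; fetch_and_check() performs the live request. The
sample status and headers below are constructed for illustration.
"""
import urllib.error
import urllib.request

SYNC_PATH = "/token/1.0/sync/1.5"

# Headers the nginx.conf in the post is meant to put on every response,
# and the substring each one must contain.
EXPECTED_HEADERS = {
    "strict-transport-security": "max-age=",
    "x-frame-options": "SAMEORIGIN",
    "x-content-type-options": "nosniff",
}


def evaluate_response(status: int, headers: dict) -> list:
    """Return problems found in a response from the token endpoint (empty = OK).

    Without credentials the token server answers 401; 200 is accepted too.
    Anything else points at nginx (404) or gunicorn (5xx) rather than at sync.
    """
    problems = []
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if status not in (200, 401):
        problems.append(f"unexpected status {status}")
    for name, needle in EXPECTED_HEADERS.items():
        if needle.lower() not in lowered.get(name, "").lower():
            problems.append(f"missing or wrong header {name}")
    # server_tokens off should leave a bare "nginx" with no version number
    if any(ch.isdigit() for ch in lowered.get("server", "")):
        problems.append("Server header leaks a version (server_tokens off not in effect)")
    return problems


def fetch_and_check(base_url: str, timeout: float = 10) -> list:
    """Live check: GET base_url + SYNC_PATH and evaluate status and headers."""
    req = urllib.request.Request(base_url.rstrip("/") + SYNC_PATH)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return evaluate_response(resp.status, dict(resp.headers))
    except urllib.error.HTTPError as err:  # a 401 still carries the headers we want
        return evaluate_response(err.code, dict(err.headers))


# Constructed sample: what comes back when only the server-level add_header
# (Strict-Transport-Security) is in effect and the http-level headers were lost.
SAMPLE_STATUS = 401
SAMPLE_HEADERS = {
    "Server": "nginx",
    "Content-Type": "application/json",
    "Strict-Transport-Security": "max-age=31536000; includeSubdomains;",
}

if __name__ == "__main__":
    for problem in evaluate_response(SAMPLE_STATUS, SAMPLE_HEADERS):
        print("WARN:", problem)
    # Live run, with your own values substituted:
    # print(fetch_and_check("https://YOUR_DOMAIN:YOUR_SSL_PORT"))
```

An empty list from fetch_and_check() means the endpoint answered, nginx added every header you configured, and the version is hidden; a "missing or wrong header" entry for the X- headers while Strict-Transport-Security is present is the signature of nginx dropping http-level add_header directives in the server block.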