Hey, did I say passwords? Wait, where are those stored? Do I really want some unknown server storing my passwords? Granted, the data is encrypted, but I have always felt better knowing I can touch the data physically- meaning storing it on my own server that I know about.
The Weave Server is the back end to this technology, and can be found at https://wiki.mozilla.org/Services/Sync and is relatively complicated to setup and requires Python. However, there is a project out there called Weave Minimal Server, which makes this all very easy for a few user's load, and really only requires a standard LAMP setup. The project page is here: http://tobyelliott.wordpress.com/2009/09/11/weave-minimal-server/ .
I initially ran into some frustrations getting it to work, so I decided to write up this post. Part of this is to also explain how to make it work on your home server where you only have one public IP address, and may already be using port 443, and are also using self-signed certificates. I believe that I came up with a good way for this to work while keeping the information transfer encrypted, and protecting your home server as well from outside attacks.
What you need:
- A Linux machine (or VM). It is probably possible to make this work with the Windows version of the Apache/PHP stack, but I am not even going there.
- PHP version 5.1 or higher, and Apache 2.0 or higher. This is important- I got stuck with lots of errors because I was running PHP 4.6. I was working on a CentOS 4.8 box, and that release does not have PHP 5 or Apache 2.0. I was able to upgrade the web stack from the CentOS Plus repository instead of rebuilding my server. Here is a reference to that: http://wiki.centos.org/AdditionalResources/Repositories/CentOSPlus/CentOSWebStack?highlight=%28webstack%29
- SQL Lite installed and the appropriate php library to support it
- JSON support and mbstring
- An Internet connection and router capable of port forwarding.
- Dynamic DNS set up (so that we can refer to your internal server via your always changing public dynamic IP address.
- Download and unpack the tarball where you want to run weave. This can be at the root of your webserver if you wish. Make sure the user Apache runs under has permissions to all the directory and containing files.
- Follow the README that is included. I will add some comments to it though:
- The /weave alias in the Apache config is fine, but I'd suggest putting that under your conf.d in it's own file instead (and this setup may vary based on your specific distribution of Linux). The reason for this is that I lock down the rest of my Apache server with the "Allow From" to my local LAN, but I want this one alias to be accessible from any IP. Example of etc/httpd/conf.d/weave.conf:
### Firefox Sync Stuff. Allow it from anywhere.
Alias /weave /usr/local/weave-firefox-sync/weave_minimal/index.php
Allow from all
</Location>I also should remind you to take a look at any directories/sites you have on your server already- if you don't want them available to the world, make sure you lock them down!
- Pointing FF at the URL in the README- it appears you don't need to be localhost, so from a remote machine is OK. Also, do not use https right now- we'll get to that soon. This step of going to the URL and entering the bogus user name and password is required to set up the initial database, and is never used again. And yes, you MUST use Firefox! You know you are successful if the file weave_db appears.
- To create users, run the create_user script, but, he means, run php create_user from the command line. This can not be done from a GUI.
- Don't do a client set up just yet.
- At this point we need to work on getting the server to serve out https (secure) sessions with a certificate. Though this all will work with plain http, it is just not good practice to send information with passwords over the Internet. If you have a fresh install of Linux and Apache, it is possible that it already has SSL configured and a self-signed certificate active. Here are the steps. We assume you have not purchased a certificate from a CA and all the default configurations of Apache are in place. The following was run on a CentOS 4.8 system.
- openssl req -new -key server.key -x509 -days 1825 -out /etc/httpd/conf/ssl.crt/server.crt
- service httpd restart
- There may be other steps to take, depending on your specific distribution.
- Browse to https://yourserver.yourdomain.com in Firefox. If you get a warning message like the following, you are successful.
|Note that the error is that it is a self-signed certificate. Go ahead and add the exception and permanently store it. This part of adding the exception is critical for the sync to work. Firefox has to know that the SSL certificate is legitimate.|
4. The client setup is pretty easy. You can use the GUI in the preferences (new account, other server), or type in about:config in the URL bar and go to services.sync.serverURL and type in the URL https://<your servername>/weave/ . Even if you type in the server URL here, you still have to go to the preferences and enter the user e-mail and password you set up above. After all that is saved, everything should start synchronizing now from within your LAN.
So, what if you want to sync computers or mobile phones (Droid) when off your home network? We need to make the URL accessible to the world. This simply is a matter of doing port forwarding on your router. It is impossible for me to list how to do every router, but most all of them have a way to do it, they just call it a different name sometimes. I use a Linux router and iptables, so it is a simple configuration file for the firewall for me. If you are not already using port 443, then just pass that on to your internal host IP. But, in my case I was already pointing 443 to another host on my LAN. In this case, pick a random port, and forward that to 443 on your host. Just be sure to configure the clients for the special port ( https://<your servername:12345>/weave/).
I hope this post helps, please leave comments, and I will update/clarify if necessary.