Using Firefox Sync Server with Nginx
@ Tony Cheneau | Wednesday, May 23, 2012 | 4 minutes read | Update at Wednesday, May 23, 2012

Recently, I tried to install the Sync Server behind an Nginx server, but the big Internet could not help me much, so I decided to write this blog entry in an attempt to complement the official documentation.

For those who don’t know, the Sync Server synchronises passwords, bookmarks and sessions between multiple Firefox instances. In the past, I used alternatives such as SyncPlaces, but their lack of integration within Firefox finally pushed me away.

Setting up Firefox to use the Mozilla Foundation’s Sync Server (i.e. as a client) is pretty straightforward, and if you don’t mind depending on the Mozilla Foundation you might choose to upload your data to their server. Privacy should not be too much of a concern, as the Firefox client encrypts your personal data before transferring it, so the server only ever stores ciphertext. Still, if, like me, you decide to run your own Sync Server (say, for the sake of being independent), you can, as it is open source. A first version of the Sync Server was written in PHP, but thanks to Tarek Ziade a Python server now also exists. Today, only the Python version of the server will be of interest to us.

As I said in the intro, I found out that setting up the Sync Server behind Nginx (with Gunicorn in between) can be tricky, especially when you are new to these tools (as I am).

In a way, you can see this page as a complement to the excellent [Sync Server documentation](http://docs.services.mozilla.com/howtos/run-sync.html).

So, let’s get started!

First, you need to download the Sync Server:

hg clone https://hg.mozilla.org/services/server-full sync-server
cd sync-server
make build

To complete the installation with the tools we need, type the following commands:

./bin/pip install -U -i https://pypi.python.org/simple gunicorn
./bin/pip install -U -i https://pypi.python.org/simple pysqlite
./bin/pip install -U -i https://pypi.python.org/simple pastedeploy

These three commands respectively install gunicorn (the WSGI HTTP server we will put behind Nginx), pysqlite (the Python binding for SQLite, the lightweight database the server stores its data in) and PasteDeploy (which loads the .ini file and the WSGI application it describes). The index URL is https on purpose: pip does not verify package signatures, so over plain http anyone on the network path to PyPI could hand you a modified gunicorn.

Now, let’s take a look at the configuration file. In development.ini, modify the server:main block so it looks like this:

[server:main]
use = egg:gunicorn#main
host = unix:syncserver.sock
use_threadpool = True
threadpool_workers = 60

This configuration makes gunicorn listen on the Unix socket syncserver.sock (created relative to the directory you start it from, so Nginx will need the absolute path) rather than on a TCP port, so the Sync Server can only be reached through Nginx on the same host. The socket file is created by the user running gunicorn_paster. To connect to it, Nginx’s worker processes need write permission on the socket file (and execute permission on every directory leading to it), and nobody else should have any: rather than relaxing the permissions on the file, start gunicorn_paster from an account whose group is the one your Nginx workers run as, with a umask that keeps the “other” bits off (gunicorn’s `umask` setting controls the mode of the socket it creates, and its `group` setting sets the group the workers run under). Note also that use_threadpool and threadpool_workers are options of Paste’s own HTTP server, which gunicorn ignores: as the startup log below shows, it boots a single synchronous worker. If you need more, use gunicorn’s own `workers` setting.

That’s it for this part. You can check that everything is in order by starting the Sync Server. In the Sync Server source directory, type the following:

./bin/gunicorn_paster development.ini

It should output something similar to this:

2012-02-27 23:19:11 [16626] [INFO] Starting gunicorn 0.13.4
2012-02-27 23:19:11,623 INFO  [gunicorn.error] Starting gunicorn 0.13.4
2012-02-27 23:19:11 [16626] [INFO] Listening at: unix:syncserver.sock (16626)
2012-02-27 23:19:11,626 INFO  [gunicorn.error] Listening at: unix:syncserver.sock (16626)
2012-02-27 23:19:11 [16626] [INFO] Using worker: sync
2012-02-27 23:19:11,626 INFO  [gunicorn.error] Using worker: sync
2012-02-27 23:19:11 [16640] [INFO] Booting worker with pid: 16640
2012-02-27 23:19:11,629 INFO  [gunicorn.error] Booting worker with pid: 16640

On the NgInx side:

# ... omitted for the sake of brevity ...

http {

	# ... omitted for the sake of brevity ...

	server {

		# ... listen, server_name, TLS settings, etc. omitted for the sake of brevity ...

		location /sync/ {
			rewrite  ^/sync(.+)$ $1 break;
			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
			proxy_set_header Host $http_host;
			proxy_redirect off;
			proxy_pass http://unix:/fullpathtoyour/syncserver.sock;
		}

		# ... omitted for the sake of brevity ...

	}

}

Here you can witness some “rewrite” wizardry. I use it because I do not want the Sync Server to sit at the root of my website: the rewrite strips the /sync prefix before proxy_pass, so the Sync Server receives the request path exactly as if it were served at the root (the `location /sync/` prefix already guarantees that only requests under /sync/ get here, and the regex needs at least one character after /sync, so nothing else matches). If you want to serve the Sync Server directly at the root of your website, use `location /` and remove the rewrite line. Note that `location` is only valid inside a `server` block, not directly under `http`, which is why the snippet above shows one.

One thing the snippet does not show, because it belongs to the surrounding `server` block: the Sync client authenticates every request with HTTP Basic authentication, so that block must terminate TLS (listen on 443 with ssl) and you should not expose the same location over plain http, otherwise the account password crosses the network in the clear on every request. Between Nginx and gunicorn the traffic is plain HTTP, which is fine only because it never leaves the Unix socket on the host.
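Two of the steps above are easy to get subtly wrong: the socket permissions (Nginx needs write access to the socket file, nobody else should have any) and the hand-off from the location block to gunicorn. The following Python script is an added example, not code from the original post or from the Sync Server project: `socket_problems()` audits the socket’s mode and group the way the text recommends, and `probe()` sends a request to the backend over the Unix socket, the same transport `proxy_pass http://unix:...` uses, so you can tell a socket problem from a rewrite problem. The `_EchoHandler` backend, the temporary socket path and the use of the current process’s group in place of Nginx’s are constructed for the example; against a real deployment you would call the two functions with `/fullpathtoyour/syncserver.sock` and your Nginx workers’ group.

```python
# Added example, not code from the original post or the Sync Server project:
# checks for the gunicorn Unix socket that nginx proxies to. Paths, gids and
# the stand-in backend are constructed for the example.
import grp
import http.client
import os
import socket
import socketserver
import stat
import tempfile
import threading
from http.server import BaseHTTPRequestHandler


def socket_problems(sock_path, nginx_group):
    """Findings about who can use the socket; an empty list means it is as
    recommended. Connecting to a Unix socket needs write permission on the
    file, so nginx's group (a name or numeric gid) needs write and nobody
    else should have any access."""
    try:
        st = os.lstat(sock_path)
    except FileNotFoundError:
        return [f"{sock_path} does not exist (is gunicorn_paster running?)"]
    if not stat.S_ISSOCK(st.st_mode):
        return [f"{sock_path} is not a Unix socket"]
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IRWXO:
        findings.append(f"mode {oct(mode)} lets any local user talk to the sync server")
    if not mode & stat.S_IWGRP:
        findings.append(f"mode {oct(mode)} denies group write, so nginx cannot connect")
    try:
        gid = nginx_group if isinstance(nginx_group, int) else grp.getgrnam(nginx_group).gr_gid
    except KeyError:
        return findings + [f"group {nginx_group!r} does not exist on this host"]
    if st.st_gid != gid:
        findings.append(f"socket gid {st.st_gid} is not the nginx group {nginx_group}")
    return findings


class UnixHTTPConnection(http.client.HTTPConnection):
    """http.client over AF_UNIX, the transport nginx's proxy_pass uses."""

    def __init__(self, sock_path, timeout=5):
        super().__init__("localhost", timeout=timeout)
        self.sock_path = sock_path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.settimeout(self.timeout)
        self.sock.connect(self.sock_path)


def probe(sock_path, request_path="/", host="sync.example.org"):
    """GET straight from the backend, bypassing nginx; returns (status, body).
    If this works but the public URL fails, the location block is at fault."""
    conn = UnixHTTPConnection(sock_path)
    try:
        conn.request("GET", request_path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


class _EchoHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for gunicorn: 200 with the request path as body,
    so probe() shows exactly which URI reached the backend."""

    def do_GET(self):
        body = self.path.encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass  # default logger indexes client_address, which Unix sockets lack


def demo():
    """Stand-in backend on a temp socket set up as recommended (owner and the
    nginx group only, here the current group), then loosened to 0666."""
    tmpdir = tempfile.mkdtemp()
    sock_path = os.path.join(tmpdir, "syncserver.sock")
    server = socketserver.UnixStreamServer(sock_path, _EchoHandler)
    nginx_gid = os.getegid()            # stand-in for nginx's group
    os.chown(sock_path, -1, nginx_gid)  # as if gunicorn ran under that group
    os.chmod(sock_path, 0o660)          # owner and group only, nobody else
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        result = {"problems": socket_problems(sock_path, nginx_gid),
                  "backend_sees": probe(sock_path, "/some/path")}
        os.chmod(sock_path, 0o666)
        result["world_mode_problems"] = socket_problems(sock_path, nginx_gid)
        return result
    finally:
        server.shutdown()
        server.server_close()
        os.unlink(sock_path)
        os.rmdir(tmpdir)
```

`demo()` runs both checks against the stand-in backend, first with the socket restricted to owner and group and then after loosening it to 0666; the second run reports the world-accessible socket. On a live host, run `socket_problems(path, "www-data")` (or whatever group your Nginx workers use) after starting gunicorn_paster, and `probe(path, "/")` to see what the backend itself answers before debugging the Nginx side.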

If you want the server to start automatically, you could easily make a script out of these commands. I chose not to, so I won’t document that aspect. However, if you write one, I’d be interested in knowing which solution you chose.

That’s it for today.

Copyright by Tony Cheneau

Everything about $me

My name is Tony Cheneau and I’m currently a devops (catchy title) at ANSSI.

I was previously in a postdoc position at the National Institute of Standards and Technology (also known as NIST), in the Advanced Network Technologies Division. This was a really entertaining job, where my main research interests were wireless applications over the Smart Grid and the definition of new security solutions for these applications.

If you are interested in my education (or in hiring me), you can check out my very formal (and not so up to date) resume.pdf.


My previous projects

  • SimpleRPL: an implementation of the Routing Protocol for Low-Power and Lossy Networks (RFC 6550)
  • NDprotector: an implementation of the Cryptographically Generated Addresses (RFC 3972) and the Secure Neighbor Discovery Protocol (RFC 3971)
  • and more on my GitHub page

Former research interest

During my PhD, I studied several aspects of link-layer security through the extended use of the Secure Neighbor Discovery protocol (RFC 3971 and RFC 3972).

Other of my previous research interests included MANEMO. MANEMO is the combination of multiple research areas:

  • MANET (Mobile Ad-Hoc Network) specifies how new dynamic routing protocols enable mobile nodes to route packets over mobile ad-hoc networks.
  • NEMO (Network Mobility, or Network that Moves) defines a protocol similar to Mobile IP in which a whole network moves.
  • AUTOCONF defines an addressing scheme and corresponding solutions to allocate addresses inside a MANET.

Publications

Thesis

  • Tony Cheneau, « Amélioration des adresses CGA et du protocole SEND pour un meilleur support de la mobilité et de nouveaux services de sécurité (Enhancing CGA addresses and the SEND protocol for a better support of mobility application and new security services) », January 2011 manuscript slides

Journals

  • Tony Cheneau, Aymen Boudguiga, Maryline Laurent, « Significantly improved performances of the cryptographically generated addresses thanks to ECC and GPGPU », Computers & Security journal, Elsevier, Volume 29, pages 419-431, June 2010. pdf

Conferences

  • Tony Cheneau, Ranganathan Mudumbai, « Adaptive key management for wireless sensor networks », IEEE Global Communications Conference (GLOBECOM), Atlanta, USA, December 2013.
  • Tony Cheneau, Andrei V. Sambra, Maryline Laurent, « A Trustful Authentication and Key Exchange Scheme (TAKES) for Ad Hoc Networks », 5th International Conference on Network and System Security (NSS), Milan, Italy, September 2011. pdf
  • Tony Cheneau, Maryline Laurent, « Using SEND Signature Algorithm Agility and Multiple-Key CGA to Secure Proxy Neighbor Discovery and Anycast Addressing », 6th Conference on Network Architectures and Information Systems Security, La Rochelle, France, May 2011. pdf slides
  • Tony Cheneau, Maryline Laurent, « Étude des solutions de proxy Neighbor Discovery sécurisées et proposition basée sur la Signature Agility » (a study of secure proxy Neighbor Discovery solutions and proposition of a Signature Algorithm Agility based solution) , 5ème Conférence sur la Sécurité des Architectures Réseaux et des Systèmes d’Information, Menton , France, May 2010. pdf slides
  • Tony Cheneau, Aymen Boudguiga, Maryline Laurent-Maknavicius, « Amélioration des performances des adresses CGA et du protocole SEND: étude comparée de RSA et d’ECC/ECDSA » (Improving the CGA and SEND protocol performances: a comparative study of RSA and ECC/ECDSA), 4ème Conférence sur la Sécurité des Architectures Réseaux et des Systèmes d’Information, Luchon, France, (best student paper award), pages 139-156, in proceedings (SAR-SSI 2009) (ISBN: 978-2-7483-4833-0), June 2009. pdf proceedings slides
  • Tony Cheneau, Jean-Michel Combes, « Une attaque par rejeu sur le protocole SEND » (A replay attack on the SEND protocol), 3ème Conférence sur la Sécurité des Architectures Réseaux et des Systèmes d’Information, Loctudy, France, pages 289-300, in proceedings (SAR-SSI 2008) (ISBN: 978-2-7483-3289-2), October 2008. pdf proceedings slides

Research Report

  • Aymen Boudguiga, Tony Cheneau, Maryline Laurent-Maknavicius, « Usage and Performance of Cryptographically Generated Addresses » TELECOM and Management SudParis, 08-014 LOR, 2008. zip

Internet Drafts

Back in the day, I made some proposals within the CGA and SEND maIntenance (CSI) working group:

  • draft-cheneau-csi-send-sig-agility-02 proposes a Signature Agility solution for the SEND protocol (RFC 3971). link
  • draft-cheneau-csi-ecc-sig-agility-02 builds on the previous draft and proposes the use of Elliptic Curve Cryptography in CGA (RFC 3972) and SEND (RFC 3971). link

Teachings

During my PhD, I happened to give some lectures:

  • Data networks (first-year engineering students)
  • Virtual Private Networks (Master 2 CCN, Master spécialisé SSR and third-year engineering students)

Education

  • 2007-2011: PhD at Institut Télécom SudParis under the supervision of Maryline Laurent. This PhD was funded by an ANR grant for the MobiSEND project.
  • 2007: Master 2 SSI (sécurité des systèmes informatiques, i.e. information systems security), University of Paris XII, obtained with honours (mention bien)
  • 2006: Master 1 d’informatique (STIC - F3I), University of Poitiers, obtained with honours (mention bien)
  • 2005: Licence 3 d’informatique (TIS - parcours des réseaux), University of Poitiers, obtained with honours (mention bien)
  • 2004: DEUG MIAS (mathematics and computer science applied to the sciences), University of Poitiers
  • 2002: Baccalauréat S (Sciences de l’Ingénieur), lycée E. Branly, Châtellerault (Poitiers academy), obtained with merit (mention assez bien)