├── Dockerfile
├── README.md
├── build.sh
├── fly.sh
├── nginx.conf
└── setup.sh


/Dockerfile:
--------------------------------------------------------------------------------
FROM nginx
COPY nginx.conf /etc/nginx/nginx.conf
EXPOSE 1111 5000 8000

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# fxa-self-hosting
Instructions for hosting Mozilla Services on your own domain name. Services included so far:

* General:
  * a simple nginx-based proxy
  * instructions for home-hosting using pagekite
  * instructions for configuring Firefox Desktop to use your self-hosted services
  * instructions for configuring Firefox OS to use your self-hosted services

* Firefox Accounts, including:
  * fxa-content-server
  * fxa-profile-server
  * fxa-auth-server
  * fxa-oauth-server
  * browserid-verifier
  * fxa-auth-db-mysql

* Firefox Sync, including:
  * syncserver (this includes tokenserver)
  * syncto (only required for Firefox OS)


## Not sec-reviewed, use at own risk!

These scripts are *not* security-reviewed Mozilla software, and meant only for people who
want to have some fun trying out self-hosting. Create an empty Firefox profile for trying it
out, don't sync your main profile's data to it, it's not secure enough for that.

If you use this in production for your own personal
data (including for instance all the passwords you saved in your browser), you will
have to do your own security review, server hardening, and intrusion detection, and
make sure to keep both your host server and the containers patched with security
updates.

This is especially true if you want to use these scripts to host Firefox Accounts
and linked services for other people besides yourself.

To give an example, the fxa-auth-db-mysql container connects to mysql [using the
root user and no
password](https://github.com/michielbdejong/fxa-auth-db-mysql/blob/docker/docs/self-host.docker#L13).

Also, the syncserver [stores data just in-memory](https://github.com/michielbdejong/fxa-self-hosting/issues/13),
so synced data is lost not only when you remove the syncserver container, but even
if you just restart it.

If you find a security issue with these scripts (or other improvements), please
[open a GitHub issue] about it. Pull requests welcome! :)

## Audience

This guide is intended for people with basic sysadmin experience, and not all the
steps you will need to take (e.g. using ssh, obtaining a TLS certificate, installing
server software) are spelled out in detail. If you're having
any trouble, you can ask for help by mentioning me (michielbdejong) in the #fxa channel
on irc.mozilla.org, or email me (michiel at mozilla dot com).

## Architecture

The scripts in this self-hosting guide will create 9 containers: one TLS-offloading
proxy, 6 services which run on various ports, and two supporting ones, which are not
publicly accessible:

````
                              INTERNET
                                  |
                                  v
        fxa-self-hosting/"proxy":1111,443,8000,9010,3030,5000
     _____________________________|______________________________
     |                  |      |      |            |            |
     v                  |      v      |            v            |
fxa-profile-server:1111 | syncto:8000 | fxa-content-server:3030 |
                        v             v                         v
               fxa-auth-server:443 fxa-oauth-server:9010  syncserver:5000
                        |                 |                         |
                        |                 \_________________________/
                        |                              |
                        v                              v
fxa-auth-db-mysql/"httpd":3306      browserid-verifier/"verifier.local":5050
````

The lines indicate container linking. You can see these as the `--link` parameters
in `setup.sh`. The various servers also communicate with each other
via the internet (e.g. the syncto container will do an https request that goes out to the internet,
comes back in to the proxy, and from there goes to the syncserver), and via the browser
(e.g. the fxa-content-server serves up webpages that make XHR requests to several other services).
You can see these relations as
the `-e SOME_URL = "https://$1:1234/"` parameters in [`setup.sh`](https://github.com/michielbdejong/fxa-self-hosting/blob/master/setup.sh):

````
 _________
/         \
|     fxa-content-server
|       /     |
^      |      v
|      |   fxa-profile-server       syncto
|      v      |           |           |
|      |\     v           |           v
^      | fxa-auth-server  |       syncserver
|      v        |         v
|       \       v        /
|        fxa-oauth-server
\________/
````

## Prerequisites

For self-hosting (i.e. hosting an instance of the Mozilla Services yourself, on a
server that's connected to the internet), you will need:

* A server with probably 1 or 2 Gigs of memory and [Docker](https://docs.docker.com/engine/installation) installed, and that's
  not doing anything yet that occupies port 443 (i.e. not hosting any websites).
* A domain name or subdomain you control and can point to this server
* A TLS certificate for this (sub-)domain. Once you have your server running and
  your (sub-)domainname pointed to it in DNS (wait for DNS propagation), you can
  get one for free from [LetsEncrypt](https://letsencrypt.org/).

If you prefer to host the services on a computer in your house ("home-hosting"),
then you need to make this computer addressable on the public internet. You can
do this using a reverse proxy tunnel like Pagekite (see instructions below), or
maybe with DynDNS.

The reverse proxy tunnel needs to run on an addressable server,
but it can be a much smaller (cheaper) one, and also, this reverse proxy tunnel
will not store any of your data (the data would be in your house), and if configured
correctly, it cannot eavesdrop on any of the traffic that goes through it (because
TLS is terminated in your house, not at the proxy).

Note that the same disclaimer
applies, that these scripts have not been reviewed for security issues, so
storing valuable data like your saved passwords is all at your own risk.

## Setup

In these instructions, I use fxa.michielbdejong.com as the example subdomain on which
all the services will be running (using various TCP ports). Replace this string with your
own (sub-)domain name wherever you see it. Note that one of the services (fxa-auth-server)
will be occupying port 443 (https://fxa.michielbdejong.com/), so if you already run your
website or blog on your server, you will want to use an extra server, on a subdomain
(I used fxa. in this case).

### Step 1: Getting the TLS certificate

If you get your TLS certificate using LetsEncrypt, it will be saved to /etc/letsencrypt.
Find your certificate there, and copy it to a convenient location on the server that will
be running the services. Note that it's necessary to append chain.pem to cert.pem, so that
the nginx proxy will present a convincing trust chain to https clients. In this case, I'm
saving the cert in a newly created folder, /root/fxa-cert. If you used the certonly method,
/etc/letsencrypt/live may not exist, but you can probably still find the .pem files in some
folder under /etc/letsencrypt if the registration was successful:

````bash
cd /root
cp -r /etc/letsencrypt/live/fxa.michielbdejong.com ./fxa-cert
chmod -R ugo+r ./fxa-cert
cat ./fxa-cert/cert.pem ./fxa-cert/chain.pem > ./fxa-cert/combined.pem
````

### Step 2 (home-hosting only): Set up your pagekite frontend

Replace 'secretsecretsecret' with the secret from your ~/.pagekite.rc file in the
following command, and run it on the pagekite frontend (the server to which DNS
for fxa.michielbdejong.com points):

````bash
pagekite.py --isfrontend --domain *:fxa.michielbdejong.com:secretsecretsecret --ports=80,1111,3030,5000,8000,443,9010
# TODO: not use a http connection (?) to the frontend
````

### Step 3: Run build.sh

The `build.sh` script from this repo will build the necessary Docker images. This
will probably take up to half an hour, so grab a coffee. You should run this script
regularly, for instance when a new patch version of node 0.10 becomes available.

### Step 4: Run setup.sh

Running `setup.sh fxa.michielbdejong.com` (script in the root of this repo) will
stop and destroy all running Docker containers, so don't run it on a server
where you're also running some other Docker-based things. Make sure to run it with
your own sub-domain instead of 'fxa.michielbdejong.com', of course. You may also
want to convert this bash script to a docker-compose.yml file if that's your
thing; the result will be the same.

The script assumes that `./fxa-cert/combined.pem` and `./fxa-cert/privkey.pem` exist.

Check if you see nine Docker containers running in `docker ps -a` and none of them
exited. It can take a further 10 or 20 seconds before the fxa-content-server will
start responding (you will see a 502 Bad Gateway page from the nginx proxy until then).

### Step 5 (home-hosting only): Set up your pagekite backend

On MacOS, Docker runs inside a virtual machine, probably on 192.168.99.100. In
any case, you can use your browser or an http tool like curl to test if https://192.168.99.100
is responding.

Run `fly.sh fxa.michielbdejong.com` from this repo, and maybe restart the pagekite
frontend and backend (killing all pagekite processes from `ps auxwww | grep pagekite`
in between) until there are no rejected duplicates and https://fxa.michielbdejong.com
looks the same as https://192.168.99.100 (or whatever your Docker VM IP), and same for
the https services on ports :1111, :3030, :5000, :8000, and :9010.

### Step 6: Configuring content server

Looking for a proper way to do this through env vars; until then:

````bash
docker exec -it -u root content /bin/bash
root@1e1dbee9b940:/home/fxa/fxa-content-server# apt-get update && apt-get install -yq vim
root@1e1dbee9b940:/home/fxa/fxa-content-server# vim ./server/config/local.json +9
-> change "YOU MUST CHANGE ME" to some random string (e.g. `pwgen 40 1`)
root@1e1dbee9b940:/home/fxa/fxa-content-server# exit
````

and restart the content and proxy containers (in that order, since the proxy container
links to the content container):

````bash
docker restart content ; docker restart proxy
````

### Step 7: Configuring syncserver

Looking for a proper way to do this through env vars; until then:

````bash
docker exec -it -u root sync /bin/bash
root@b5c1ba63de07:/home/app/syncserver# apt-get update && apt-get install -yq vim
root@b5c1ba63de07:/home/app/syncserver# vim ./local/lib/python2.7/site-packages/tokenserver/verifiers.py +85
-> edit verifier_url = "http://verifier.local:5050/v2"
root@b5c1ba63de07:/home/app/syncserver# exit
````

and restart the sync and proxy containers (in that order, since the proxy container
links to the sync container):

````bash
docker restart sync ; docker restart proxy
````

### Step 8: Creating your account

Sign up on https://fxa.michielbdejong.com:3030/, and instead of going to look
for the verification email, run:

````bash
docker exec -it httpdb mysql -e "USE fxa; UPDATE accounts SET emailVerified=1;"
````

to mark your email address as verified. Note that this statement has no `WHERE` clause,
so it marks every account in the database as verified.

NB: If you get https://fxa.michielbdejong.com:3030/unexpected_error, run
localStorage.clear() in the console and hard-refresh.

### Step 9: Configure Firefox Desktop

Edit the values in about:config like so:

![Image about:config](https://cloud.githubusercontent.com/assets/408412/12393881/d144dd5a-bdf8-11e5-8cb6-fb0d233b1d99.png)

### Step 10: (Firefox OS only) Configure and build Gaia

In build/config/common-settings.json, edit:

* "identity.fxaccounts.reset-password.url": "https://fxa.michielbdejong.com:3030/reset_password",
* "sync.fxa.audience": "https://fxa.michielbdejong.com:5000/",
* "sync.server.url": "https://fxa.michielbdejong.com:8000/v1/",

And in build/config/phone/custom-prefs.js (assuming you're building for the phone), add:

* user_pref("identity.fxaccounts.auth.uri", "https://fxa.michielbdejong.com/v1");


There are also two prefs you need to change at the B2G level, but if you're using B2G-Desktop,
you can change it in the /Applications/B2GDebug.app/Contents/Resources/defaults/pref/b2g.js
file without having to rebuild all of B2G. The prefs to change are:

* pref("identity.fxaccounts.remote.oauth.uri", "https://fxa.michielbdejong.com:9010/v1");
* pref("identity.fxaccounts.remote.profile.uri", "https://fxa.michielbdejong.com:1111/v1");

## Debugging

If DNS hasn't propagated yet, you may need to spike /etc/hosts in the profile and
verifier.local containers:

````bash
docker exec -u root -it verifier.local /bin/bash
docker exec -u root -it profile /bin/bash
-> echo 45.32.232.152 fxa.michielbdejong.com >> /etc/hosts
````

... or just wait for a bit. :)

To debug one of the containers, e.g. the one with container id ea298056cc in `docker ps`:

````bash
docker exec -u root -it ea298056cc /bin/bash
# add some console.log statements to the code
docker restart ea298056cc
docker restart proxy #and/or whichever containers link to the container you edited
docker logs -f ea298056cc
````

You can also run a container interactively, check setup.sh for the startup params for each one.

Again, you will have to restart containers that link to the restarted one, for instance
the main fxa-self-hosting proxy.

A nice tool for seeing the contents of your sync server is
[syncclient](https://github.com/mozilla-services/syncclient). Apart from following
syncclient's readme instructions, make sure to edit `syncclient/client.py` like this:

````diff
-TOKENSERVER_URL = "https://token.services.mozilla.com/"
-FXA_SERVER_URL = "https://api.accounts.firefox.com"
+TOKENSERVER_URL = "https://fxa.michielbdejong.com:5000/token/"
+FXA_SERVER_URL = "https://fxa.michielbdejong.com"
````

And then try running commands like
`get_collection_counts`, `get_records history`, or `get_record crypto keys` with it.

# Disclaimer

Don't try this at home. This is a work-in-progress, hasn't been security-reviewed yet, and it's
just not secure enough to host your valuable Firefox Sync data.
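
Step 1 builds `./fxa-cert/combined.pem` by appending chain.pem to cert.pem and runs `chmod -R ugo+r` over the directory, which also leaves `privkey.pem` readable by every local user. The following preflight check is an added example, not part of this repo; the function names `check_fxa_cert_dir` and `key_matches_leaf` are made up for illustration, and it assumes the private key only needs to be readable by the user that starts the containers.

```shell
#!/bin/bash
# Added example: preflight check for the cert directory used by setup.sh and nginx.conf.
# check_fxa_cert_dir and key_matches_leaf are illustrative names, not part of the repo.

# Prints one finding per line; returns 0 only when nothing was found.
check_fxa_cert_dir() {
    local dir="${1:-./fxa-cert}" rc=0 ncerts
    local chain="$dir/combined.pem" key="$dir/privkey.pem"

    if [ ! -f "$chain" ]; then
        echo "MISSING $chain"; rc=1
    else
        # cert.pem followed by chain.pem means at least two certificate blocks.
        ncerts=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$chain" || true)
        if [ "$ncerts" -lt 2 ]; then
            echo "CHAIN $chain holds $ncerts certificate(s), chain.pem not appended"; rc=1
        fi
        # The bundle served to clients must never carry key material.
        if grep -q -e 'PRIVATE KEY-----' "$chain"; then
            echo "LEAK $chain contains a private key block"; rc=1
        fi
    fi

    if [ ! -f "$key" ]; then
        echo "MISSING $key"; rc=1
    else
        if ! grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key"; then
            echo "KEY $key has no PEM private key block"; rc=1
        fi
        # Mode bits 040 / 004: readable by group / by every local user.
        if [ -n "$(find "$key" \( -perm -040 -o -perm -004 \) -print)" ]; then
            echo "PERMS $key is readable by group or others"; rc=1
        fi
    fi
    return $rc
}

# Compares the public key of the first certificate in combined.pem with the
# public key derived from privkey.pem. A mismatch also catches a bundle that was
# concatenated in the wrong order (chain.pem before cert.pem).
# Returns 0 on match, 1 on mismatch, 2 if openssl is missing or cannot parse a file.
key_matches_leaf() {
    local dir="${1:-./fxa-cert}" cert_pub key_pub
    command -v openssl >/dev/null 2>&1 || return 2
    cert_pub=$(openssl x509 -in "$dir/combined.pem" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$dir/privkey.pem" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}
```

Run `check_fxa_cert_dir /root/fxa-cert && key_matches_leaf /root/fxa-cert` before `setup.sh`; a `PERMS` finding goes away after `chmod 600 ./fxa-cert/privkey.pem`.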

--------------------------------------------------------------------------------
/build.sh:
--------------------------------------------------------------------------------
#!/bin/bash

echo Pulling Docker base images

# For fxa-auth-db-mysql,fxa-auth-server,fxa-content-server,fxa-oauth-server,fxa-profile-server:
docker pull node:0.10-slim
docker build -t vladikoff/fxa-slim-image https://github.com/vladikoff/fxa-slim-image.git

# For browserid-verifier:
docker pull node:4.2.4

# For syncserver:
docker pull debian:7.4

# For syncserver:
docker pull python:2.7

# For fxa-self-hosting:
docker pull nginx

echo Building images...

docker build -f ./docs/self-host.docker -t fxa-content-server https://github.com/mozilla/fxa-content-server.git
docker build -f ./docs/self-host.docker -t fxa-auth-server https://github.com/mozilla/fxa-auth-server.git
docker build -f ./docs/self-host.docker -t fxa-auth-db-mysql https://github.com/mozilla/fxa-auth-db-mysql.git
docker build -f ./docs/self-host.docker -t fxa-oauth-server https://github.com/mozilla/fxa-oauth-server.git
docker build -t browserid-verifier https://github.com/mozilla/browserid-verifier.git#docker-improvements
docker build -f ./docs/self-host.docker -t fxa-profile-server https://github.com/mozilla/fxa-profile-server.git
docker build -t syncserver https://github.com/mozilla-services/syncserver.git
docker build -t syncto https://github.com/mozilla-services/syncto.git
docker build -t fxa-self-hosting https://github.com/michielbdejong/fxa-self-hosting.git

--------------------------------------------------------------------------------
/fly.sh:
--------------------------------------------------------------------------------
#!/bin/bash
die () {
    echo >&2 "$@"
    exit 1
}

[ "$#" -eq 1 ] || die "1 argument required, $# provided"
# Same character set as setup.sh: hyphens are valid in domain names
echo $1 | grep -E -q '^[-a-z0-9.]+$' || die "Argument $1 does not look like a domain name"

echo Running pagekite backend for $1

pagekite.py --frontend=$1:80 \
    192.168.99.100:1111 https://$1:1111 AND \
    192.168.99.100:3030 https://$1:3030 AND \
    192.168.99.100:5000 https://$1:5000 AND \
    192.168.99.100:8000 https://$1:8000 AND \
    192.168.99.100:443 https://$1:443 AND \
    192.168.99.100:9010 https://$1:9010

--------------------------------------------------------------------------------
/nginx.conf:
--------------------------------------------------------------------------------

user nginx;
worker_processes 1;

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;


events {
    worker_connections 1024;
}


http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    sendfile on;
    #tcp_nopush on;

    keepalive_timeout 65;

    #gzip on;

    ## fxa-profile-server:
    server {
        listen 1111 ssl;

        ssl_certificate /fxa-cert/combined.pem;
        ssl_certificate_key /fxa-cert/privkey.pem;
        location / {
            proxy_pass http://profile:1111;
            proxy_pass_header Access-Control-Allow-Origin;
            proxy_pass_header Access-Control-Allow-Methods;
            proxy_pass_header Access-Control-Allow-Headers;
        }
    }

    ## fxa-content-server:
    server {
        listen 3030 ssl;

        ssl_certificate /fxa-cert/combined.pem;
        ssl_certificate_key /fxa-cert/privkey.pem;
        location / {
            proxy_pass http://content:3030;
            proxy_pass_header Access-Control-Allow-Origin;
            proxy_pass_header Access-Control-Allow-Methods;
            proxy_pass_header Access-Control-Allow-Headers;
        }
    }

    ## syncserver:
    server {
        listen 5000 ssl;

        ssl_certificate /fxa-cert/combined.pem;
        ssl_certificate_key /fxa-cert/privkey.pem;
        location / {
            proxy_pass http://sync:5000;
            proxy_pass_header Access-Control-Allow-Origin;
            proxy_pass_header Access-Control-Allow-Methods;
            proxy_pass_header Access-Control-Allow-Headers;
        }
    }

    ## syncto:
    server {
        listen 8000 ssl;

        ssl_certificate /fxa-cert/combined.pem;
        ssl_certificate_key /fxa-cert/privkey.pem;
        location / {
            proxy_pass http://syncto:8000;
            proxy_pass_header Access-Control-Allow-Origin;
            proxy_pass_header Access-Control-Allow-Methods;
            proxy_pass_header Access-Control-Allow-Headers;
        }
    }

    ## auth:
    server {
        listen 9000 ssl;

        ssl_certificate /fxa-cert/combined.pem;
        ssl_certificate_key /fxa-cert/privkey.pem;
        location / {
            proxy_pass http://auth:9000;
            proxy_pass_header Access-Control-Allow-Origin;
            proxy_pass_header Access-Control-Allow-Methods;
            proxy_pass_header Access-Control-Allow-Headers;
        }
    }

    ## oauth:
    server {
        listen 9010 ssl;

        ssl_certificate /fxa-cert/combined.pem;
        ssl_certificate_key /fxa-cert/privkey.pem;
        location / {
            proxy_pass http://oauth:9010;
            proxy_pass_header Access-Control-Allow-Origin;
            proxy_pass_header Access-Control-Allow-Methods;
            proxy_pass_header Access-Control-Allow-Headers;
        }
    }

    include /etc/nginx/conf.d/*.conf;
}

--------------------------------------------------------------------------------
/setup.sh:
--------------------------------------------------------------------------------
#!/bin/bash
die () {
    echo >&2 "$@"
    exit 1
}

[ "$#" -eq 1 ] || die "1 argument required, $# provided"
# $1 is interpolated into config files and container env vars below, so restrict
# it to hostname characters (no backslash inside the bracket expression)
echo $1 | grep -E -q '^[-a-z0-9.]+$' || die "Argument $1 does not look like a domain name"
[ -f "./fxa-cert/combined.pem" ] || die "./fxa-cert/combined.pem does not exist"
[ -f "./fxa-cert/privkey.pem" ] || die "./fxa-cert/privkey.pem does not exist"

echo Creating syncserver-config
mkdir -p syncserver-config
# Adapted from https://github.com/mozilla-services/syncserver/blob/master/syncserver.ini
# The heredoc delimiter is unquoted so that $1 expands to the domain name
cat <<EOF > syncserver-config/syncserver.ini
[server:main]
use = egg:gunicorn
host = 0.0.0.0
port = 5000
workers = 1
timeout = 30

[app:main]
use = egg:syncserver

[syncserver]
force_wsgi_environ = true
public_url = https://$1:5000/
audiences = https://$1:5000
EOF

echo Creating auth-config
mkdir -p auth-config
docker run -v `pwd`/auth-config:/config:rw \
    fxa-auth-server \
    bash -c "cd ./scripts/ && node ./gen_keys.js && cp ../config/*-key.json /config"

echo Stopping all running Docker containers
docker stop `docker ps -q`
docker rm `docker ps -aq`

echo Starting up services for $1

# Stay in the current directory: the `pwd`-based volume mounts below must point
# at the config and cert folders checked and created above

docker run -d \
    -e "HOST=0.0.0.0" \
    --name httpdb \
    fxa-auth-db-mysql

docker run -d \
    --name verifier.local \
    -e "IP_ADDRESS=0.0.0.0" \
    -e "PORT=5050" \
    browserid-verifier

docker run -d \
    --name profile \
    -e "PUBLIC_URL=https://$1:1111" \
    -e "AUTH_SERVER_URL=https://$1/v1" \
    -e "OAUTH_SERVER_URL=https://$1:9010/v1" \
    -e "IMG=local" \
    -e "HOST=0.0.0.0" \
    fxa-profile-server

docker run -d \
    --name syncto \
    -e "SYNCTO_TOKEN_SERVER_URL=https://$1:5000/token/" \
    syncto

docker run -d \
    --name content \
    -e "PUBLIC_URL=https://$1:3030" \
    -e "FXA_URL=https://$1" \
    -e "FXA_OAUTH_URL=https://$1:9010" \
    -e "FXA_PROFILE_URL=https://$1:1111" \
    -e "REDIRECT_PORT=3031" \
    fxa-content-server

echo Sleeping to let services come up before linking
sleep 5

docker run -d \
    --name sync \
    --link="verifier.local" \
    -v `pwd`/syncserver-config:/config:ro \
    --entrypoint ./local/bin/gunicorn \
    syncserver \
    --paste /config/syncserver.ini

docker run -d \
    --name auth \
    --link="httpdb" \
    -v `pwd`/auth-config:/config:ro \
    -e "IP_ADDRESS=0.0.0.0" \
    -e "PUBLIC_URL=https://$1" \
    -e "HTTPDB_URL=http://httpdb:8000" \
    -e "OAUTH_URL=https://$1:9010" \
    fxa-auth-server \
    bash -c "cp /config/*-key.json ./config && node ./bin/key_server.js | node ./bin/notifier.js"


docker run -d \
    --link="verifier.local" \
    --name oauth \
    -e "PUBLIC_URL=https://$1:9010" \
    -e "HOST=0.0.0.0" \
    -e "CONTENT_URL=https://$1:3030/oauth/" \
    -e "VERIFICATION_URL=http://verifier.local:5050/v2" \
    -e "ISSUER=$1" \
    fxa-oauth-server

echo Sleeping to let services come up before linking
sleep 5

echo Setting up proxy

docker run -d \
    --name proxy \
    --link="profile" \
    -p 1111:1111 \
    --link="content" \
    -p 3030:3030 \
    --link="sync" \
    -p 5000:5000 \
    --link="syncto" \
    -p 8000:8000 \
    --link="auth" \
    -p 443:9000 \
    --link="oauth" \
    -p 9010:9010 \
    -v `pwd`/fxa-cert:/fxa-cert \
    fxa-self-hosting

docker ps -a
echo You should see 9 servers
echo - fxa-self-hosting,
echo - fxa-oauth-server,
echo - fxa-auth-server,
echo - fxa-content-server,
echo - syncto,
echo - syncserver,
echo - fxa-profile-server,
echo - browserid-verifier,
echo - fxa-auth-db-mysql

--------------------------------------------------------------------------------
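
setup.sh removes every container on the host before starting its own nine, and ends by asking you to eyeball `docker ps -a`. The helpers below are an added example, not part of this repo: they turn both points into checks over the output of `docker ps -a --format '{{.Names}}\t{{.Status}}'`. The function names and the `FXA_CONTAINERS` variable are made up for illustration; the container names are the `--name` values from setup.sh.

```shell
#!/bin/bash
# Added example: illustrative helpers, not part of the repo.
# Both read "name<TAB>status" lines on stdin, as printed by:
#   docker ps -a --format '{{.Names}}\t{{.Status}}'

# The nine names passed to `docker run --name` in setup.sh.
FXA_CONTAINERS="httpdb verifier.local profile syncto content sync auth oauth proxy"

# Before running setup.sh: list containers that are not part of the stack.
# setup.sh stops and removes every container on the host, so each name printed
# here is a workload that would be destroyed.
fxa_foreign_containers() {
    awk -F '\t' -v known=" $FXA_CONTAINERS " \
        'NF && index(known, " " $1 " ") == 0 { print $1 }'
}

# After running setup.sh: one finding per stack container that is absent or
# whose status does not start with "Up" (Exited, Created, Restarting, ...).
# Returns 0 only when all nine are up.
fxa_stack_report() {
    local listing name status rc=0
    listing=$(cat)
    for name in $FXA_CONTAINERS; do
        status=$(printf '%s\n' "$listing" |
            awk -F '\t' -v n="$name" '$1 == n { print $2; exit }')
        case "$status" in
            "")  echo "MISSING $name"; rc=1 ;;
            Up*) ;;
            *)   echo "DOWN $name: $status"; rc=1 ;;
        esac
    done
    return $rc
}
```

Pipe the `docker ps` listing into `fxa_foreign_containers` before Step 4 and into `fxa_stack_report` after it; an empty result from the first means setup.sh will not remove anything unrelated.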