Setting up an update server

Creating a simple Firefox/Thunderbird update server with Apache and PHP

The goal of this document is to provide basic instructions on setting up your own update server.

Firefox provides update services by using a REST web service - it goes to a URL and if an XML file is present at that URL, that XML file describes the update that is available.

First, let's talk about the format of the URL. Here is the URL used for upgrading from Firefox 3.5.2 to Firefox 3.5.3:

Mac OS X

The URL format looks like this:

This URL can be displayed in the browser via about:config as app.update.url and to change it you must add a new default app.update.url default preference.

For our example, we are actually going to place the update.xml on the server in the fully qualified path specified by the update URL. So in the root of your web server, create the path:

mkdir -p update.dir/3/Firefox/3.5.2/20090729225027/WINNT_x86-msvc/en-US/release/Windows_NT\ 6.0/default/default

Grab the update.xml file from and place it under the lowest default directory:

<?xml version="1.0"?>
    <update type="minor" version="3.5.3" extensionVersion="3.5.3" buildID="20090824101458" detailsURL="">
        <patch type="complete" URL="" hashFunction="SHA512" hashValue="f8abbaea98bd453b651c24025dbb8cea5908e532ca64ad7150e88778ccb77c0325341c0fecbec37f31f31cdf7e13955c28140725282d2ce7c4a37c89a25319a1" size="10728423"/>
        <patch type="partial" URL="" hashFunction="SHA512" hashValue="20b133f1bd2025360bda8ef0c53132a5806dbd0606e0fe7c6d1291d1392532cc960262f87b0c7d4fbe8f9bc9fba64ed28ecd89b664c17f51f98acdd76b26ea6a" size="2531877"/>

If you would like to serve these builds from your server instead of, copy them to your server and edit the update.xml file to change the URLs.

Next, we have to configure your Apache server so that we can create a PHP file to handle the web service.

First in httpd.conf, ensure that AllowOverride is set to FileInfo for the root directory. Next, add the following to your .htaccess file (you might have to create it) in your root directory:

<FILES update>
ForceType application/x-httpd-php

This tells the web server to treat update as a PHP file. Now create the PHP file called update in your root directory:

header("Content-type: text/xml");
$path = preg_replace('/^\/update/', 'update.dir', urldecode($_SERVER["REQUEST_URI"]));
echo (file_exists($path)) ? file_get_contents($path) : '<?xml version="1.0"?><updates></updates>';

Now if you go to the following URL, you should see the XML content.


Finally, you must override the update server that Firefox uses by doing the following:

  • (optional) Create a new profile
  • Set "" to false (to prevent Firefox from checking the real update server before you can override it)
  • Set "app.update.log" to true
  • Open the Scratchpad, switch to Browser context, and run Services.prefs.getDefaultBranch(null).setCharPref("app.update.url", "http://localhost/update/3/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml").

    • This pref cannot be set through about:config, you must do it through the Scratchpad.

Once you've changed the update server, open the Browser Console and check for updates (Help -> About). You should see output in the Browser Console that shows it talking to localhost as the update server. If Firefox is still using your old update server, you may need to delete updates active-update.xml and updates.xml from your appdir and try again.

Security Considerations

You may notice that the default Firefox update URL above uses HTTPS and is served over SSL. SSL does put extra load on the server and you may be tempted to use normal HTTP — don't!

Every user will ping the update server regularly whether there's an update or not (once a day by default). Any user who connects from outside your protected network--particularly from a public WiFi hotspot — can potentially have their connection hijacked and be fed a malicious update. SSL protects against this attack. The update.xml files are small, don't sweat the SSL overhead.

The large updates themselves can be safely served from a non-secure server because the update files contain a hash that the client will verify. The hash can be trusted only if the update.xml is served securely.

See Also

Document Tags and Contributors

Last updated by: mdnwebdocs-bot,