Re: [SOGo] sogo-connector update service
Hi Adi !
Thanks for sharing !
Sebastien
Le Mercredi, Mars 20, 2024 14:37 CET, "Adi Kriegisch" (a...@cg.tuwien.ac.at)
a écrit:
Thank you very much for reviving the possibility of an update service
for the Thunderbird plugin!
As a side note, running the service as a php script isn't necessary;
this can also be done with some mappings in nginx:
* create a map with the updates:
| # update service
| map $request_uri $update {
| default 0;
| '~*^/updates/available/?\?v=114.0.0' '{ "version": "115.0.0", "xpi":
"https://my-sogo-server/updates/sogo-connector-115.0.0.xpi; }';
| }
* use the map in a location:
| ## update service
| location /updates/available {
| access_log /var/log/nginx/sogo-update-access.log;
| error_log /var/log/nginx/sogo-update-error.log;
| default_type "";
| if ($update) {
| add_header Content-Type "application/json; charset=utf-8";
| return 200 $update;
| }
| if ($update = 0) {
| return 204 "No update";
| }
| }
* and serve the plugin's xpi file as well (I created an empty index.html
in that directory as well in order to disable file enumeration):
| location /updates {
| access_log /var/log/nginx/sogo-update-access.log;
| error_log /var/log/nginx/sogo-update-error.log;
| alias /var/www/sogo-connector;
| }
(you could also make sure to log $request_uri so that you are able to
see the original request in the log file, just in case you're
monitoring the extension versions out there in the wild)
* then, of course, you need the corresponding settings in your
custom-preferences.js:
| // update service
| bool_pref("app.update.auto", true);
| bool_pref("app.update.enabled", true);
| char_pref("sogo-connector.update.url", "https://my-sogo-server/updates/
available");
* in case you do run your internal services with your own certificate
authority and experience issues with the certificate issuer not being
built-in like this:
| addons.xpi WARN Download of
https://my-sogo-server/updates/sogo-connector-115.0.0.xpi failed:
| [Exception... "Certificate issuer is not built-in." nsresult: "0x80004004
(NS_ERROR_ABORT)"
You may get rid of that by force-pushing the following settings with
the plugin:
| force_bool_pref("security.enterprise_roots.enabled", true);
| // do not enforce certificates to be built-in for updates
| force_bool_pref("extensions.install.requireBuiltInCerts", false);
| force_bool_pref("extensions.update.requireBuiltInCerts", false);
As you can see from the code above, I built a plugin with version 114.0.0
in manifest.json in order to be able to test the upgrade procedure.
For a new version of the connector, adding a line to the map should be
sufficient. As there aren't too many releases of connector you'll only
collect a few more lines per year.
I hope this helps some of you that want to try to avoid running php
stuff on their sogo server.
all the best,
Adi
PS: Feedback on this very much welcome.
[SOGo] sogo-connector update service
Thank you very much for reviving the possibility of an update service
for the Thunderbird plugin!
As a side note, running the service as a php script isn't necessary;
this can also be done with some mappings in nginx:
* create a map with the updates:
| # update service
| map $request_uri $update {
| default 0;
| '~*^/updates/available/?\?v=114.0.0' '{ "version": "115.0.0", "xpi":
"https://my-sogo-server/updates/sogo-connector-115.0.0.xpi; }';
| }
* use the map in a location:
| ## update service
| location /updates/available {
| access_log /var/log/nginx/sogo-update-access.log;
| error_log /var/log/nginx/sogo-update-error.log;
| default_type "";
| if ($update) {
| add_header Content-Type "application/json; charset=utf-8";
| return 200 $update;
| }
| if ($update = 0) {
| return 204 "No update";
| }
| }
* and serve the plugin's xpi file as well (I created an empty index.html
in that directory as well in order to disable file enumeration):
| location /updates {
| access_log /var/log/nginx/sogo-update-access.log;
| error_log /var/log/nginx/sogo-update-error.log;
| alias /var/www/sogo-connector;
| }
(you could also make sure to log $request_uri so that you are able to
see the original request in the log file, just in case you're
monitoring the extension versions out there in the wild)
* then, of course, you need the corresponding settings in your
custom-preferences.js:
| // update service
| bool_pref("app.update.auto", true);
| bool_pref("app.update.enabled", true);
| char_pref("sogo-connector.update.url", "https://my-sogo-server/updates/
available");
* in case you do run your internal services with your own certificate
authority and experience issues with the certificate issuer not being
built-in like this:
| addons.xpi WARN Download of
https://my-sogo-server/updates/sogo-connector-115.0.0.xpi failed:
| [Exception... "Certificate issuer is not built-in." nsresult: "0x80004004
(NS_ERROR_ABORT)"
You may get rid of that by force-pushing the following settings with
the plugin:
| force_bool_pref("security.enterprise_roots.enabled", true);
| // do not enforce certificates to be built-in for updates
| force_bool_pref("extensions.install.requireBuiltInCerts", false);
| force_bool_pref("extensions.update.requireBuiltInCerts", false);
As you can see from the code above, I built a plugin with version 114.0.0
in manifest.json in order to be able to test the upgrade procedure.
For a new version of the connector, adding a line to the map should be
sufficient. As there aren't too many releases of connector you'll only
collect a few more lines per year.
I hope this helps some of you that want to try to avoid running php
stuff on their sogo server.
all the best,
Adi
PS: Feedback on this very much welcome.
