Setting up a custom Weave 0.5 server

Weave is a synchronization engine from Mozilla Labs for all your browser information (settings, history, bookmarks, etc, etc). It is a free add-on for Firefox and you can freely use Mozilla's servers to store your information. This guide, however, is for anyone interested in setting up their own secure Weave server.

There are instructions on the Mozilla Labs places, but they are a bit scattered and it took some digging before I could get things working. Hopefully this guide will give a simple single locations for anyone interested.


For this guide I will assume PHP 5.1+, a working Apache 2 server with SSL, and MySQL (SQLite can easily be substituted here, it should be obvious where). As Mozilla notes, whatever web server you use, WebDAV can't be enabled on that server.

Server Configuration

First things, grab the latest version of the Weave Server from Mozilla Labs at in whichever format you prefer. Extract the files into a folder accessible by your web server. The "server" folder will be the web root, so we can go ahead an setup a virtual server configuration similar to the following example (replace the paths accordingly):


  DocumentRoot /var/www/weaveserver/server/

  ErrorLog /var/log/apache2/weave-error.log
  CustomLog /var/log/apache2/weave-access.log combined

  SSLEngine on
  SSLCertificateFile /path/to/server.cert.crt
  SSLCertificateKeyFile /path/to/server.cert.key

  <Directory "/var/www/weaveserver/server/">

    Options Indexes FollowSymLinks
    AllowOverride none
    Order allow,deny
    Allow from all
    AuthType Basic
    AuthName "Weave Server"
    AuthUserFile /path/to/auth/file
    require valid-user


  Alias /0.5 /var/www/weaveserver/server/0.5/index.php
  Alias /user/1 /var/www/weaveserver/server/user/1/index.php


As you can see from this Apache config, there are some file that need to be generated. Specifically, an SSL Certificate and key, and a basic authentication file. I will run through these briefly below, if you are good with generating these, just skip down a bit.

Generating a Self-Signed SSL Certificate

First, generate a key:

openssl genrsa -des3 -out server.key 1024

Generate a certificate signing request (CSR):

openssl req -new -key server.key -out server.csr

Optional – At this point you can remove the password from the key if you wish… please be aware of the security risks before doing this:

cp server.key server.key.pass
openssl rsa -in server.key.pass -out server.key

Finally, generate the certificate:

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Make sure the Apache Virtual Host configuration paths match the locations of the key and certificate files.

Creating a Password File

Generate an htpasswd file using the following command:

htpasswd -c weaveserver.pwd

You will be prompted to enter a password for the user you created. Make sure to update the AuthUserFile path in the Apache Virtual Server config to point to this file.

Note: You need to have the same user name(s) and password(s) in the htpasswd file as you plan on having setup in the Weave user database table (covered later).

Database Setup

Create a new database and create the two tables as follows:

USE weave;

  `username` varbinary(32) NOT NULL default '',
  `collection` varbinary(64) NOT NULL default '',
  `id` varbinary(64) NOT NULL default '',
  `parentid` varbinary(64) default NULL,
  `predecessorid` varbinary(64) default NULL,
  `modified` decimal(12,2) default NULL,
  `sortindex` int(11) default NULL,
  `depth` tinyint(4) default NULL,
  `payload` longtext,
  `payload_size` int(11) default NULL,
  PRIMARY KEY  (`username`,`collection`,`id`),
  KEY `parentindex` (`username`,`collection`,`parentid`),
  KEY `modified` (`username`,`collection`,`modified`),
  KEY `weightindex` (`username`,`collection`,`sortindex`),
  KEY `predecessorindex` (`username`,`collection`,`predecessorid`),
  KEY `size_index` (`username`,`payload_size`)

  `username` varchar(32) PRIMARY KEY,
  `md5` varbinary(32),
  `email` varbinary(64),
  `status` tinyint,
  `location` text,
  `alert` text

That should be it for the database! Feel free to adjust the database name to your own liking, and be sure to grant select, select, insert, delete, and update permissions to whichever MySQL user you plan on accessing this with from weave. In case anyone forgot the grant syntax:

GRANT SELECT, INSERT, UPDATE, DELETE ON weave.* TO 'myuser'@'localhost';

If you are creating this user, be sure to set the password by adding " IDENTIFIED BY 'mypassword' " on the end of the above statement.

Weave Server Configuration

Navigate to the weaverserver/server/user/1 folder. Copy weave_user_constants.php.dist to weave_user_constants.php and set the following items:

define('WEAVE_STORAGE_ENGINE', 'mysql');
define('WEAVE_AUTH_ENGINE', 'mysql');
define('WEAVE_MYSQL_AUTH_HOST', '');
define('WEAVE_MYSQL_AUTH_DB', '');
define('WEAVE_MYSQL_AUTH_USER', '');
define('WEAVE_MYSQL_AUTH_PASS', '');

These settings are pretty obvious once you read over the comments. The first group of settings is for the database that stores the synchronized data, and just sets the type and connection information. The second is basically the same thing, but points to the database that has the table of users to authenticate against. The final setting above only needs to be set if you are using the same database to house both the storage and authentication data.

Now do essentially the exact same steps for weaveserver/server/0.5/default_constants.php.dist. That is, copy it over to default_constants.php and then edit the similar sections to set the connection strings for the authentication and storage database(s). The only difference is that instead of specifying the WEAVE_REGISTER_STORAGE_LOCATION, which will not exist, set the following line if both the authentication and store tables are in the same database:

define('WEAVE_SHARE_DBH', '1');

If you are using different databases, just leave this one alone. Also, you can easily use Sqlite as well by setting the various engine variables to sqlite and configuring the path to the stores (this is pretty self explanatory once you read through the constants files).


If you want to use CAPTCHA when creating an account, you will need to grab a public and private key from and make some changes to the Apache and Weaver Server configs. This is completely optional (just ignore the CAPTCHA field if you don't set this up when creating a new user).

Back in weaveserver/server/user/1/weave_user_constants.php set the following to 1:


Now copy weaveserver/server/misc/1/weave_misc_constants.php.dist to weave_misc_constants.php and add in your public and private keys. Finally, add an alias to your Apache config as follows:

Alias /misc/1/captcha_html /server/misc/1/captcha.php

Test It!

Now everything should be configured, so install the Weave add-on for Firefox if you haven't already ( At the time of writing this, the latest was 0.7.

Open a new tab in Firefox and type about:config and search for extensions.weave.clusterURL. Set this to your Weave Server URL (i.e. Make sure to include the trailing slash.

Now open weave and go to the user creation screen. At the bottom of the form box there is an option that says "Create my account with:," select "A custom Weave server" and input your server into the textbox below (i.e. – Again here, make sure you include a trailing slash as the underlying code doesn't check and append if needed.

If all goes well, you should be able to put in a username and have it tell you that it is available (if it says it is not available, and its not already in the database, check the log in the top right of the page under tools -> debug log to see what the problem is). If you didn't setup CAPTCHA, just leave it blank and create your user once you filled in an email and password. Now enter your pass phrase and you should be set! Select what you would like to sync and how, then either wait or manually kick off a sync by going to "Signed in as" -> "Sync now" in the upper right. If everything went correctly, your data should be sent over SSL and encrypted into your server's database.


blog comments powered by Disqus