Setting up Jitsi Meet


tested on ubuntu/bionic, debian/buster and as a docker instance

DNS

a CNAME also works

    meet        IN A        x.x.x.x
    *.meet      IN A        x.x.x.x
    *.auth.meet IN A        x.x.x.x

and check

    host meet.$domain
    ping -c3 meet.$domain
    ping -c3 auth.meet.$domain

Sysprep

short hostname is fine here

    grep --color=auto -E 'aes|avx|avx2' /proc/cpuinfo
    vi /etc/hostname

HOST

same goes for static name resolution

    vi /etc/hosts

    INTERNAL-IP meet.localdomain meet

–or–

    PUBLIC-IP   meet.DOMAIN.TLD meet

and check

    hostname
    hostname --long
    dpkg-reconfigure tzdata

so far, everything should be clean (nothing listens at all except SSH)

    netstat -lntup

Setup

get ready

    apt update
    apt dist-upgrade -y
    apt autoremove --purge
    apt install wget gnupg1 htop lsb-release -y

    dpkg -l | grep gnupg # v1 in da place

proceed, and optionally pre-install certbot while you're at it

    wget -qO - https://download.jitsi.org/jitsi-key.gpg.key | apt-key add -
    echo deb https://download.jitsi.org stable/ >> /etc/apt/sources.list
    apt update
    time apt install jitsi-meet certbot -y

    at the hostname prompt, PROVIDE the FQDN --- or meet-tmp in case you're preparing a docker image

    at the certificate prompt, GENERATE self-signed CERTS (LE COMES LATER)

    # 2m8.697s on xc
    # 3m2.256s on xc
    # 4m24.133s on xc

DIY certs

push your certs over there e.g. into /etc/ssl/ and tweak NGINX

    cp -pi /etc/nginx/sites-available/meet.angrycow.ru.conf /etc/nginx/sites-available/meet.angrycow.ru.conf.`date +%s`
    vi /etc/nginx/sites-available/meet.angrycow.ru.conf

    ssl_certificate /etc/ssl/meet.$domain.crt;
    ssl_certificate_key /etc/ssl/meet.$domain.crt.key;

–or– when using dehydrated make it even simpler

    ssl_certificate /etc/ssl/fullchain.pem;
    ssl_certificate_key /etc/ssl/privkey.pem;

built-in LE script

test that 80/tcp points there

    echo ok > /usr/share/jitsi-meet/ok.txt

remotely

    nmap -p 80,443 meet.$domain
    nmap -p 80,443 meet.$domain -Pn
    curl -i http://meet.$domain/ok.txt
    curl -i https://meet.$domain/ok.txt # not yet

and proceed with the LE script

    lsb_release -a
    /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh YOUR@EMAIL

Fixup

on Ubuntu, you need to comment out the first line

    vi /etc/nginx/sites-available/DOMAIN.TLD.conf

    #server_names_hash_bucket_size 64;

    systemctl restart nginx

Ready to go

    host meet.nethence.com
    host auth.meet.nethence.com
    host internal.auth.meet.nethence.com

    prosodyctl check

    service nginx status
    service prosody status
    service jicofo status
    service jitsi-videobridge2 status

Acceptance

How well does the box handle the CPU load while encrypting multiple streams?

    htop

Maintenance

    dpkg-reconfigure jitsi-meet-web-config
    dpkg-reconfigure jitsi-videobridge2
    dpkg-reconfigure jitsi-meet-prosody

    service nginx restart
    service prosody restart
    service jicofo restart
    service jitsi-videobridge2 restart

    tail -n0 -F /var/log/* /var/log/*/*

Firewalling

we only need 80,443/tcp and 10000/udp — tune nftables accordingly.
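As an added check (not part of the original guide), this script reads `ss -lntu` output and flags any listener on a non-loopback address outside the 80,443/tcp and 10000/udp set named above (22/tcp tolerated for SSH), so that a forgotten internal service bound to 0.0.0.0 shows up before the firewall hides it. The `ss` column layout is assumed, and the sample lines are constructed.

```shell
#!/bin/sh
# Added check, not part of the original guide: list what is exposed on
# non-loopback addresses and flag anything beyond 80,443/tcp and 10000/udp
# (22/tcp tolerated for SSH). prosody/jicofo/jvb internal ports are fine
# as long as they stay bound to 127.0.0.1 or [::1].

ALLOWED="tcp/22 tcp/80 tcp/443 udp/10000"

# stdin: `ss -lntu` output (Netid State Recv-Q Send-Q Local:Port Peer:Port);
# stdout: one "proto/port" per non-loopback listener, sorted, unique
exposed_ports() {
    awk 'NR > 1 && ($1 == "tcp" || $1 == "udp") {
            addr = $5
            if (addr ~ /^127\./ || addr ~ /^\[::1\]/) next
            n = split(addr, a, ":")   # port sits after the last colon
            print $1 "/" a[n]
        }' | sort -u
}

# stdout: exposed ports missing from ALLOWED; exit status 1 if there are any
unexpected_ports() {
    rc=0
    for p in $(exposed_ports); do
        case " $ALLOWED " in
            *" $p "*) ;;
            *) echo "$p"; rc=1 ;;
        esac
    done
    return $rc
}

# constructed sample in `ss -lntu` layout: a healthy box plus one stray
# listener (prosody's 5222/tcp bound to all interfaces instead of loopback)
SAMPLE='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0            0.0.0.0:10000      0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      50         127.0.0.1:8888       0.0.0.0:*
tcp   LISTEN 0      128            [::1]:5280          [::]:*
tcp   LISTEN 0      128          0.0.0.0:5222       0.0.0.0:*'

# run against the live box with: sh check-ports.sh --live
if [ "${1:-}" = "--live" ]; then
    ss -lntu | unexpected_ports && echo "only the expected ports are exposed"
fi
```

On the constructed sample the script reports `tcp/5222` and exits non-zero; on a clean box it prints nothing but the confirmation line.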

Behind Docker-or-NAT

same goes for Docker or NAT: you only need to port-forward 80,443/tcp and 10000/udp.

Outgoing email

Don’t forget to set up outbound email.

Tuning

going for async here, it’s not like we really need to write anything for streaming sound and video

    vi /etc/fstab

    /dev/xvda1 / reiser4 async,noatime,nodiratime,txmod=wa,onerror=remount-ro,discard 0 1
    proc /proc proc defaults 0 0
    tmpfs /tmp tmpfs                rw,async,nodev,nosuid,noatime 0 0
    #tmpfs /var/log/nginx tmpfs      rw,async,nodev,nosuid,noatime 0 0
    tmpfs /var/log/jitsi tmpfs      rw,async,nodev,nosuid,noatime 0 0
    #ubuntu -- noatime --> realtime

Additional notes

from scratch

    apt purge jitsi*
    apt autoremove --purge
    rm -rf /var/www/html/
    rm -rf /etc/jitsi/jicofo/
    rm -rf /var/lib/prosody/
    dpkg -l | grep ^rc

ssl

no need to tune — those are fine already

    vi /etc/nginx/sites-enabled/meet.nethence.com.conf

    # default location
    #ssl_certificate /etc/ssl/meet.nethence.com.crt;
    #ssl_certificate_key /etc/ssl/meet.nethence.com.key;

    # self-signed
    #ssl_certificate /var/lib/prosody/meet.nethence.com.crt;
    #ssl_certificate_key /var/lib/prosody/meet.nethence.com.key;

    # let's encrypt
    ssl_certificate /etc/letsencrypt/live/meet.nethence.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/meet.nethence.com/privkey.pem;

and it even got reloaded already

    systemctl status nginx
    systemctl reload nginx

internal certs?

this cert does not seem to be updated by the LE/Jitsi script and remains self-signed

    openssl x509 -in /var/lib/prosody/meet.nethence.com.crt -text -noout

the new one is over here

    openssl x509 -in /etc/letsencrypt/live/meet.nethence.com/fullchain.pem -text -noout

Resources

Jitsi Downloads https://jitsi.org/downloads/

Index of /jitsi/ https://download.jitsi.org/jitsi/

FAQ https://jitsi.github.io/handbook/docs/faq

nat

Jitsi-meet + jibri behind NAT https://community.jitsi.org/t/jitsi-meet-jibri-behind-nat/19479/22 –> this works

Jitsi Custom Server/PortForwarding https://community.jitsi.org/t/jitsi-custom-server-portforwarding/19927

[jitsi-users] Jitsi meet behind a NAT https://community.jitsi.org/t/jitsi-users-jitsi-meet-behind-a-nat/11921

What concrete ports must be forwarded for Jitsi Meet server https://community.jitsi.org/t/what-concrete-ports-must-be-forwarded-for-jitsi-meet-server/25048

Firewall rules for allowing access to meet.jit.si https://community.jitsi.org/t/firewall-rules-for-allowing-access-to-meet-jit-si/73443/11

What Ports You Should Open to Run Jitsi Meet https://meetrix.io/blog/webrtc/jitsi/meet/what-port-your-should-open.html

Jitsi Meet and Firewalls https://meetrix.io/blog/webrtc/jitsi/jitsi-meet-and-firewalls.html

[jitsi-users] Corporate firewall settings to use Jitsi client and webapp meet.jit.si https://community.jitsi.org/t/jitsi-users-corporate-firewall-settings-to-use-jitsi-client-and-webapp-meet-jit-si/10220

Open ports NAT https://community.jitsi.org/t/open-ports-nat/17589

NAT port trouble https://community.jitsi.org/t/nat-port-trouble/31578/4

Jitsi Meet behind NAT https://community.jitsi.org/t/jitsi-meet-behind-nat/26260

Jitsi Meet Behind NAT & Advance Settings https://nimblecoders.in/jitsi-meet-behind-nat-advance-settings/


[SOLVED] Jitsi-Meet behind NAT, no video https://community.jitsi.org/t/solved-jitsi-meet-behind-nat-no-video/24020

Jitsi behind NAT works without “Advanced Configuration”. Is it due to some changes on last revisions? https://community.jitsi.org/t/jitsi-behind-nat-works-without-advanced-configuration-is-it-due-to-some-changes-on-last-revisions/52839

Jitsi-Meet (Docker) behind NAT. External users worked, internal users after 30seconds get reconecting =( How fix it? https://www.gitmemory.com/issue/jitsi/docker-jitsi-meet/651/647046157

ports

Nginx, coturn & port 443 https://community.jitsi.org/t/nginx-coturn-port-443/27820

Previously working nginx config broke. Port 4444/443 https://community.jitsi.org/t/previously-working-nginx-config-broke-port-4444-443/37399

[jitsi-dev] Inventory of server-sided TCP/IP ports used by the stack https://community.jitsi.org/t/jitsi-dev-inventory-of-server-sided-tcp-ip-ports-used-by-the-stack/13834

Ports 5222, 5269, 5280, 5347 https://community.jitsi.org/t/ports-5222-5269-5280-5347/36862

Port Forwarding Troubles/ sip-communicator.properties necessary? #2708 https://github.com/jitsi/jitsi-meet/issues/2708

Which ports needs to be exposed to the internet? https://community.jitsi.org/t/which-ports-needs-to-be-exposed-to-the-internet/33112

Videobridge TCP harvester behind NAT: Chrome uses wrong candidate #6327 https://github.com/jitsi/jitsi-meet/issues/6327

multiplex

jitsi-meet/doc/debian/jitsi-meet/jitsi-meet.conf https://github.com/jitsi/jitsi-meet/blob/master/doc/debian/jitsi-meet/jitsi-meet.conf#L6

How to migrate away from multiplexing and enable bridge websockets https://jitsi.org/multiplexing-to-bridge-ws-howto

fix: Don’t break those still using ALPN multiplex (Fixes #7794) #7796 https://github.com/jitsi/jitsi-meet/pull/7796

confidentiality

Jitsi Meet Security & Privacy https://jitsi.org/security/

WebRTC Sec. Arch. https://datatracker.ietf.org/doc/html/draft-ietf-rtcweb-security-arch-20

DTLS-SRTP Framework https://datatracker.ietf.org/doc/html/rfc5763

This is what end-to-end encryption should look like! https://jitsi.org/blog/e2ee/

What Is Jitsi and Is it More Secure Than Zoom? https://www.makeuseof.com/tag/jitsi-secure-zoom/

jitsi / jitsi-meet-electron https://github.com/jitsi/jitsi-meet-electron


Copyright © 2024 Pierre-Philipp Braun