jitsi meet | standalone | virtual host | image preparation | image usage
tested on ubuntu/bionic, debian/buster and as a docker instance
a CNAME also works
meet IN A x.x.x.x
*.meet IN A x.x.x.x
*.auth.meet IN A x.x.x.x
and check
host meet.$domain
ping -c3 meet.$domain
ping -c3 auth.meet.$domain
short hostname is fine here
grep --color=auto -E 'aes|avx|avx2' /proc/cpuinfo
vi /etc/hostname
HOST
same goes for static name resolution
vi /etc/hosts
INTERNAL-IP meet.localdomain meet
–or–
PUBLIC-IP meet.DOMAIN.TLD meet
and check
hostname
hostname --long
dpkg-reconfigure tzdata
so far, everything should be clean (no service listens at all but SSH)
netstat -lntup
get ready
apt update
apt dist-upgrade -y
apt autoremove --purge
apt install wget gnupg1 htop lsb-release -y
dpkg -l | grep gnupg # v1 in da place
proceed and eventually pre-install certbot already
wget -qO - https://download.jitsi.org/jitsi-key.gpg.key | apt-key add -
echo deb https://download.jitsi.org stable/ >> /etc/apt/sources.list
apt update
time apt install jitsi-meet certbot -y
PROVIDE FQDN --- or meet-tmp in case you're preparing a docker image
GENERATE CERTS (LE COMES LATER)
# 2m8.697s on xc
# 3m2.256s on xc
# 4m24.133s on xc
push your certs over there e.g. into /etc/ssl/ and tweak NGINX
cp -pi /etc/nginx/sites-available/meet.angrycow.ru.conf /etc/nginx/sites-available/meet.angrycow.ru.conf.`date +%s`
vi /etc/nginx/sites-available/meet.angrycow.ru.conf
ssl_certificate /etc/ssl/meet.$domain.crt;
ssl_certificate_key /etc/ssl/meet.$domain.crt.key;
–or– when using dehydrated make it even simpler
ssl_certificate /etc/ssl/fullchain.pem;
ssl_certificate_key /etc/ssl/privkey.pem;
test that 80/tcp points there
echo ok > /usr/share/jitsi-meet/ok.txt
remotely
nmap -p 80,443 meet.$domain
nmap -p 80,443 meet.$domain -Pn
curl -i http://meet.$domain/ok.txt
curl -i https://meet.$domain/ok.txt # not yet
and proceed with the LE script
lsb_release -a
/usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh YOUR@EMAIL
on Ubuntu, you need to comment out the first line
vi /etc/nginx/sites-available/DOMAIN.TLD.conf
#server_names_hash_bucket_size 64;
systemctl restart nginx
host meet.nethence.com
host auth.meet.nethence.com
host internal.auth.meet.nethence.com
prosodyctl check
service nginx status
service prosody status
service jicofo status
service jitsi-videobridge2 status
How well does the box handle the CPU load while encrypting multiple streams?
htop
dpkg-reconfigure jitsi-meet-web-config
dpkg-reconfigure jitsi-videobridge2
dpkg-reconfigure jitsi-meet-prosody
service nginx restart
service prosody restart
service jicofo restart
service jitsi-videobridge2 restart
tail -n0 -F /var/log/* /var/log/*/*
we only need 80,443/tcp and 10000/udp — tune nftables accordingly.
same goes for Docker or NAT, you only need to port-forward 80,443/tcp and 10000/udp.
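A matching nftables ruleset for the host itself, as an added example that is not part of the original notes: it opens only the ports listed above (80,443/tcp, 10000/udp) plus SSH, drops everything else inbound, and includes a small helper to audit which ports a generated ruleset opens before applying it. The SSH port defaulting to 22, the table/chain names and the `apply` argument are assumptions; it assumes a bare-metal or VM install, not the Docker host (the forward chain drops).

```shell
#!/bin/sh
# Added example (not from the original page): emit an nftables ruleset that
# exposes only what a standalone Jitsi Meet host needs (80,443/tcp, 10000/udp)
# plus SSH, and drops everything else inbound. Assumes the box is not a router.
jitsi_nft_ruleset() {
    ssh_port="${1:-22}"   # assumption: SSH on 22 unless told otherwise
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        icmp type { echo-request, destination-unreachable, time-exceeded } accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, packet-too-big, time-exceeded, destination-unreachable } accept
        tcp dport ${ssh_port} accept          # admin access
        tcp dport { 80, 443 } accept          # nginx: web UI, BOSH/websocket, LE http-01
        udp dport 10000 accept                # jitsi-videobridge2 media
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Count the accept rules that open a given port (arg 1) in the generated
# ruleset (optional arg 2 = SSH port), so the ruleset can be audited before it
# is applied, e.g. to confirm prosody's 5222/5280 are not exposed.
jitsi_nft_opens() {
    n=$(jitsi_nft_ruleset "$2" | grep -c "dport.*[^0-9]$1[^0-9]") || true
    echo "$n"
}

# Apply only when explicitly asked:  sh thisscript.sh apply [ssh_port]
# nft -c checks the syntax first so a typo never leaves the box unfiltered.
if [ "$1" = "apply" ]; then
    jitsi_nft_ruleset "$2" > /tmp/jitsi.nft
    nft -c -f /tmp/jitsi.nft && nft -f /tmp/jitsi.nft
fi
```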
Don’t forget to setup outbound email.
going for async here, it’s not like we really need to write anything for streaming sound and video
vi /etc/fstab
/dev/xvda1 / reiser4 async,noatime,nodiratime,txmod=wa,onerror=remount-ro,discard 0 1
proc /proc proc defaults 0 0
tmpfs /tmp tmpfs rw,async,nodev,nosuid,noatime 0 0
#tmpfs /var/log/nginx tmpfs rw,async,nodev,nosuid,noatime 0 0
tmpfs /var/log/jitsi tmpfs rw,async,nodev,nosuid,noatime 0 0
#ubuntu -- noatime --> realtime
apt purge jitsi*
apt autoremove --purge
rm -rf /var/www/html/
rm -rf /etc/jitsi/jicofo/
rm -rf /var/lib/prosody/
dpkg -l | grep ^rc
no need to tune — those are fine already
vi /etc/nginx/sites-enabled/meet.nethence.com.conf
# default location
#ssl_certificate /etc/ssl/meet.nethence.com.crt;
#ssl_certificate_key /etc/ssl/meet.nethence.com.key;
# self-signed
#ssl_certificate /var/lib/prosody/meet.nethence.com.crt;
#ssl_certificate_key /var/lib/prosody/meet.nethence.com.key;
# let's encrypt
ssl_certificate /etc/letsencrypt/live/meet.nethence.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/meet.nethence.com/privkey.pem;
and it even got reloaded already
systemctl status nginx
systemctl reload nginx
this cert does not seem to be updated by the LE/Jitsi script and remains self-signed
openssl x509 -in /var/lib/prosody/meet.nethence.com.crt -text -noout
the new one is over here
openssl x509 -in /etc/letsencrypt/live/meet.nethence.com/fullchain.pem -text -noout