Setting up Jitsi Meet

tested on ubuntu/bionic and debian buster

DNS

meet        IN CNAME france1
*.meet      IN CNAME france1
*.auth.meet IN CNAME france1

Sysprep

grep --color=auto -E 'aes|avx|avx2' /proc/cpuinfo
vi /etc/hostname

HOST

vi /etc/hosts

127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters

51.159.95.239   HOST
51.159.95.239   meet.nethence.com meet
62.210.0.1      gw

hostname
hostname --long

Setup

in case you need to start from scratch

apt purge jitsi*
apt autoremove --purge
rm -rf /var/www/html/
rm -rf /etc/jitsi/jicofo/
rm -rf /var/lib/prosody/
dpkg -l | grep ^rc

get ready

apt update
apt full-upgrade
apt install wget gnupg htop

go!

wget -qO - https://download.jitsi.org/jitsi-key.gpg.key | apt-key add -
echo -e '\ndeb https://download.jitsi.org stable/' >> /etc/apt/sources.list
apt update
apt install jitsi-meet

--> enter the FQDN when prompted, otherwise the letsencrypt script will complain later on

--> choose the self-signed certificate for now; you will switch to Let's Encrypt thereafter

apt install -y lsb-release
lsb_release -a
/usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh

EMAIL

dpkg -l | grep certbot

this cert does not seem to be updated by the LE/Jitsi script and remains self-signed

openssl x509 -in /var/lib/prosody/meet.nethence.com.crt -text -noout

the new one is over here

openssl x509 -in /etc/letsencrypt/live/meet.nethence.com/fullchain.pem -text -noout

SSL

no need to tune - that should be fine already (updated by the LE/Jitsi script)

vi /etc/nginx/sites-enabled/meet.nethence.com.conf

    # default location
    #ssl_certificate /etc/ssl/meet.nethence.com.crt;
    #ssl_certificate_key /etc/ssl/meet.nethence.com.key;

    # self-signed
    #ssl_certificate /var/lib/prosody/meet.nethence.com.crt;
    #ssl_certificate_key /var/lib/prosody/meet.nethence.com.key;

    # let's encrypt
    ssl_certificate /etc/letsencrypt/live/meet.nethence.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/meet.nethence.com/privkey.pem;

and it even got reloaded already

systemctl status nginx
systemctl reload nginx

Fixup

on Ubuntu, you need to comment out the first line

vi /etc/nginx/sites-available/DOMAIN.TLD.conf

#server_names_hash_bucket_size 64;

systemctl restart nginx

Ready to go

host meet.nethence.com
host auth.meet.nethence.com
host internal.auth.meet.nethence.com

prosodyctl check

service nginx status
service prosody status
service jicofo status
service jitsi-videobridge2 status

Operations

service nginx restart
service prosody restart
service jicofo restart
service jitsi-videobridge2 restart

Acceptance

How well does the box handle the CPU load while encrypting multiple streams?

htop

Maintenance

dpkg-reconfigure jitsi-meet-web-config
dpkg-reconfigure jitsi-videobridge2
dpkg-reconfigure jitsi-meet-prosody

Too many open ports

This is everything listening, as scanned from localhost

25/tcp   open  smtp
80/tcp   open  http
443/tcp  open  https
2222/tcp open  EtherNetIP-1
2812/tcp open  atmtcp
4444/tcp open  krb524
4445/tcp open  upnotifyp
5222/tcp open  xmpp-client
5269/tcp open  xmpp-server
5280/tcp open  xmpp-bosh
5347/tcp open  unknown
8888/tcp open  sun-answerbook

443/udp  open  https
5000/udp open  upnp

and this is what shows up remotely

80/tcp   open  http
443/tcp  open  https
2222/tcp open  EtherNetIP-1
4444/tcp open  krb524
4445/tcp open  upnotifyp
5222/tcp open  xmpp-client
5269/tcp open  xmpp-server
5280/tcp open  xmpp-bosh
8888/tcp open  sun-answerbook

443/udp   open          https
5000/udp  open          upnp
10000/udp open|filtered ndmp

another remote scan (top 1000 ports) reports

PORT     STATE         SERVICE      VERSION
80/tcp   open          http         nginx 1.14.2
443/tcp  open          ssl/http     nginx 1.14.2
5222/tcp open          xmpp-client?
5269/tcp open          xmpp-server?
5280/tcp open          xmpp-bosh?
8888/tcp open          http         Jetty 9.4.35.v20201120
9090/tcp open          http         Jetty 9.4.35.v20201120

Also worth a look

vi /etc/jitsi/videobridge/sip-communicator.properties

Firewalling

Let’s proceed with NFTABLES

apt purge iptables
apt install nftables

We only need 80, 443 and 4444/tcp plus 10000/udp

mv -i /etc/nftables.conf /etc/nftables.conf.dist
vi /etc/nftables.conf

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iifname lo accept
        iifname != lo ip daddr 127.0.0.0/8 reject
        iifname != lo ip6 daddr ::1 reject

        ip protocol icmp accept
        ip6 nexthdr ipv6-icmp accept

        # jitsi meet
        tcp dport 80 accept
        tcp dport 443 accept
        tcp dport 4444 accept
        udp dport 10000 accept

        ct state established,related accept
        #invalid
        reject
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        reject
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

systemctl start nftables
systemctl enable nftables
systemctl reload nftables
nft list ruleset
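As an added check that is not part of the original notes: a POSIX sh script that parses a ruleset in the `nft list ruleset` output format and confirms that only the ports listed above (80, 443, 4444/tcp and 10000/udp) are opened. SAMPLE_RULESET is constructed inline from the config above; for a live check, feed it `nft list ruleset` instead.

```shell
#!/bin/sh
# Added example (not from the original notes): verify that an nftables ruleset
# opens only the ports Jitsi Meet needs. Assumes rules are written one port per
# line ("tcp dport 80 accept"), as in the config above; anonymous sets like
# "tcp dport { 80, 443 } accept" are not parsed.

# Constructed sample, mirroring /etc/nftables.conf above. Replace with:
#   check_ports "$(nft list ruleset)"
SAMPLE_RULESET='table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname lo accept
        tcp dport 80 accept
        tcp dport 443 accept
        tcp dport 4444 accept
        udp dport 10000 accept
        ct state established,related accept
        reject
    }
}'

# The allowlist from the notes, one "port/proto" per line.
EXPECTED='80/tcp
443/tcp
4444/tcp
10000/udp'

# Print the "port/proto" pairs accepted by the ruleset, sorted and unique.
opened_ports() {
    printf '%s\n' "$1" | awk '/dport .* accept/ { print $3 "/" $1 }' | LC_ALL=C sort -u
}

# Print "ok" and return 0 when the opened ports match EXPECTED exactly;
# otherwise list every unexpected or missing entry and return 1.
check_ports() {
    got=$(opened_ports "$1")
    exp=$(printf '%s\n' "$EXPECTED" | LC_ALL=C sort -u)
    if [ "$got" = "$exp" ]; then
        echo ok
        return 0
    fi
    gotl=" $(printf '%s ' $got)"   # space-delimited copies for the case matches
    expl=" $(printf '%s ' $exp)"
    for p in $got; do
        case "$expl" in *" $p "*) ;; *) echo "unexpected: $p" ;; esac
    done
    for p in $exp; do
        case "$gotl" in *" $p "*) ;; *) echo "missing: $p" ;; esac
    done
    return 1
}
```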

Outgoing email

Don't forget to set up outgoing email.

Tuning

If you have slow IOPS, tune your filesystem and mount options a little

vi /etc/fstab

/dev/xvda1 / reiser4 defaults,noiversion,auto_da_alloc,noatime 0 1
proc /proc proc defaults 0 0
tmpfs /tmp tmpfs                rw,async,nodev,nosuid,noatime 0 0
#tmpfs /var/log/nginx tmpfs      rw,async,nodev,nosuid,noatime 0 0
tmpfs /var/log/jitsi tmpfs      rw,async,nodev,nosuid,noatime 0 0
#ubuntu -- noatime --> relatime

Resources

https://jitsi.org/downloads/

https://download.jitsi.org/jitsi/

manual install (TODO/Slackware)

https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-manual

firewalling

Server Installation for Jitsi Meet https://github.com/jitsi/jitsi-meet/blob/master/doc/manual-install.md

tuning

https://www.linuxliteos.com/forums/tutorials/fast-disk-io-with-ext4-howto/

https://blog.confirm.ch/mount-options-atime-vs-relatime/