Jitsi-meet

From ArchWiki

Jitsi is a set of open-source projects that allows you to easily build and deploy secure videoconferencing solutions. At the heart of Jitsi are Jitsi Videobridge and Jitsi Meet, which let you have conferences on the internet, while other projects from the community enable other features such as audio, dial-in, recording, and simulcasting.

Installation

Jitsi-meet consists of 4 main components:

  • jitsi-meet: the files for the web interface, served by a web server
  • jitsi-videobridge: the video bridging service providing video streams to all participants
  • jicofo: the Jitsi conference focus determining who is speaking
  • Prosody: a free XMPP server serving as the base of the setup

A graphical overview of the interfaces to the user and towards each other is given here.

You can use either the git versions or the stable versions, but you should not mix and match between them. The sets are as listed here:

Note: Configuration paths and services in the jitsi-meet-bin (AUR), jitsi-videobridge-bin (AUR), and jicofo-bin (AUR) packages differ and are explained in a separate section.
Note: You can follow the manual install guide, which is mostly OS agnostic. The main change you have to make is in trusting the certificate, which you can do like so:
trust anchor /var/lib/prosody/auth.meet.example.com.crt

Configuration

Note: This configuration yields an open server that anyone can connect to. Refer to the Jitsi philosophy for the rationale. See the tips section for authentication.

If your server name is example.com, a common choice for your Jitsi domain is meet.example.com, but you can choose freely. From a security standpoint, however, it is strongly encouraged to host web apps on their own subdomain. You will need to add a DNS record for your chosen subdomain (meet in the example above). The remainder assumes that you have done this.

You should also have SSL/TLS certificates for your meet.example.com domain; see certbot for how to obtain free certificates.

The following placeholders are used below:

  • JITSIFQDN: your jitsi-meet domain, e.g. meet.example.com
  • SECRET1: password for the videobridge
  • SECRET2: password for the focus chooser
  • SECRET3: password for the authenticator

Passwords should be obtained in a safe way, e.g. via mktemp -u XXXXXXXX or via pwgen. Make sure to use different and safe passwords!
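
One way to draw the three secrets from /dev/urandom and fill the placeholders in a config snippet, as an added example that is not part of the wiki page or the Jitsi project. The function names and the template file names in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the wiki page or the Jitsi project.

# gen_secret: print 32 hex characters (128 bits) read from /dev/urandom.
gen_secret() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# render_template FQDN S1 S2 S3: read a config snippet on stdin, replace the
# placeholders JITSIFQDN and SECRET1..SECRET3, and print the result.
# Returns 2 on bad input (unsafe FQDN, empty or reused secret) and 3 if a
# placeholder is still present afterwards (e.g. SECRET4 from the Jigasi part).
render_template() {
    fqdn=$1 s1=$2 s2=$3 s3=$4
    case $fqdn in ''|*[!A-Za-z0-9.-]*) return 2 ;; esac
    for s in "$s1" "$s2" "$s3"; do
        case $s in ''|*[!A-Za-z0-9]*) return 2 ;; esac
    done
    [ "$s1" != "$s2" ] && [ "$s1" != "$s3" ] && [ "$s2" != "$s3" ] || return 2
    out=$(sed -e "s/JITSIFQDN/$fqdn/g" -e "s/SECRET1/$s1/g" \
              -e "s/SECRET2/$s2/g" -e "s/SECRET3/$s3/g") || return 1
    if printf '%s\n' "$out" | grep -Eq 'JITSIFQDN|SECRET[0-9]'; then
        return 3
    fi
    printf '%s\n' "$out"
}

# Usage (file names are hypothetical):
#   render_template meet.example.com "$(gen_secret)" "$(gen_secret)" "$(gen_secret)" \
#       < jitsi.cfg.lua.in > jitsi.cfg.lua
```

Keep the generated values out of shell history and world-readable files; the rendered configuration contains them in plain text.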

Configure prosody

prosody is a prerequisite and you will need to add a configuration to it for your Jitsi services. If you do not already have a prosody server set up, install prosody and lua52-sec now. The rest of the prosody configuration assumes you have a local install of prosody.

You can add the following config to the prosody config file directly or include it from an external file.

/etc/prosody/prosody.cfg.lua
VirtualHost "JITSIFQDN"
    authentication = "anonymous"
    ssl = {
        key = "/var/lib/prosody/JITSIFQDN.key";
        certificate = "/var/lib/prosody/JITSIFQDN.crt";
    }
    modules_enabled = {
        "bosh";
        "pubsub";
    }
    c2s_require_encryption = false

VirtualHost "auth.JITSIFQDN"
    ssl = {
        key = "/var/lib/prosody/auth.JITSIFQDN.key";
        certificate = "/var/lib/prosody/auth.JITSIFQDN.crt";
    }
    authentication = "internal_plain"
    admins = { "focus@auth.JITSIFQDN" }

Component "conference.JITSIFQDN" "muc"

Component "jitsi-videobridge.JITSIFQDN"
    component_secret = "SECRET1"

Component "focus.JITSIFQDN"
    component_secret = "SECRET2"

Generate the certificates that prosody needs. This is interactive:

prosodyctl cert generate JITSIFQDN
prosodyctl cert generate auth.JITSIFQDN

Register the focus user:

prosodyctl register focus auth.JITSIFQDN SECRET3

Trust the certificate:

trust anchor /var/lib/prosody/auth.JITSIFQDN.crt

Then restart the prosody service (or start/enable prosody if it was just installed).

Configure jitsi-videobridge

The configuration for jitsi-videobridge:

/etc/jitsi/videobridge/jitsi-videobridge.conf
flags="--host=localhost --domain=JITSIFQDN --port=5347 --secret=SECRET1"

If you want to have logging and sip communicator settings in the same folder, you can do the following:

/etc/jitsi/videobridge/jitsi-videobridge.conf
VIDEOBRIDGE_DEBUG_OPTIONS="-Djava.util.logging.config.file=/etc/jitsi/videobridge/logging.properties -Dnet.java.sip.communicator.SC_HOME_DIR_NAME=jitsi-videobridge -Dnet.java.sip.communicator.SC_HOME_DIR_LOCATION=/etc

/etc/jitsi/videobridge/sip-communicator.properties
org.jitsi.videobridge.AUTHORIZED_SOURCE_REGEXP=focus@auth.JITSIFQDN/.*
org.jitsi.impl.neomedia.transform.srtp.SRTPCryptoContext.checkReplay=false
org.jitsi.videobridge.TCP_HARVESTER_PORT=4443

and copy /opt/jitsi-videobridge/lib/logging.properties to /etc/jitsi/videobridge/logging.properties.

Then start/enable the jitsi-videobridge service.

Configure jicofo

/etc/jitsi/jicofo/jicofo.conf
flags="--host=localhost --domain=JITSIFQDN --secret=SECRET2 --user_domain=auth.JITSIFQDN --user_name=focus --user_password=SECRET3"

Then start/enable the jicofo service.

Configure jitsi-meet

/opt/jitsi-meet/config.js
var domainroot = "JITSIFQDN"
var config = {
        hosts: {
                domain: domainroot,
                muc: 'conference.'+domainroot,
                bridge: 'jitsi-videobridge.'+domainroot,
                focus: 'focus.'+domainroot
        },
        useNicks: false,
        bosh: '//'+domainroot+'/http-bind',
}

Configure nginx

Configure nginx with TLS as described in nginx#TLS and use the following configuration in the relevant server block for the Jitsi-meet components as shown in its documentation.

server {
    ...

    # set the root
    root /opt/jitsi-meet;
    index index.html;

    location ~ ^/([a-zA-Z0-9=?]+)$ {
        rewrite ^/(.*)$ / break;
    }

    location / {
        ssi on;
    }

    # BOSH
    location /http-bind {
        proxy_pass      http://localhost:5280/http-bind;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $http_host;
    }

    # xmpp websockets
    location /xmpp-websocket {
        proxy_pass http://localhost:5280/xmpp-websocket;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        tcp_nodelay on;
    }
}

Then restart the nginx service.

Configuration for bin packages

Their configuration layout differs from the above, as the -bin packages use "config" naming for the configuration files instead of specific names like "jicofo.conf".

The webserver webroot is /usr/share/jitsi-meet.

Make sure to use the following settings:

/etc/jitsi/videobridge/config
JVB_OPTS="--apis=xmpp"
JVB_HOST=localhost
JVB_HOSTNAME=JITSIFQDN
JVB_SECRET=SECRET1

/etc/jitsi/jicofo/config
JICOFO_AUTH_DOMAIN=auth.JITSIFQDN
JICOFO_HOST=localhost
JICOFO_HOSTNAME=JITSIFQDN
JICOFO_SECRET=SECRET2
JICOFO_AUTH_PASSWORD=SECRET3

Tips and tricks

Running the server behind a NAT

The following ports need to be forwarded to your server:

HTTPS:

  • TCP/443

Jitsi Videobridge:

  • TCP/4443
  • UDP/10000

Jitsi gateway to SIP (Jigasi)

To interface Jitsi-meet meetings with traditional SIP, install jigasi (AUR) or jigasi-git (AUR) and edit the prosody config:

/etc/prosody/prosody.cfg.lua
Component "callcontrol.JITSIFQDN"
    component_secret = "SECRET4"

Fill in the SIP access credentials (SIPUSER, SIPSERVER and SIPPASSWORD):

/opt/jigasi/jigasi-home/sip-communicator.properties
net.java.sip.communicator.impl.protocol.sip.acc1403273890647.ACCOUNT_UID=SIP\:"SIPUSER@SIPSERVER"
net.java.sip.communicator.impl.protocol.sip.acc1403273890647.PASSWORD=SIPPASSWORD
net.java.sip.communicator.impl.protocol.sip.acc1403273890647.SERVER_ADDRESS=SIPSERVER
net.java.sip.communicator.impl.protocol.sip.acc1403273890647.USER_ID=SIPUSER

To change the default room name SIP is connecting to, change org.jitsi.jigasi.DEFAULT_JVB_ROOM_NAME in the above config.

Then edit the jigasi configuration:

/etc/jitsi/jigasi/config
JIGASI_HOST=callcontrol.JITSIFQDN
JIGASI_HOSTNAME=jitsi-videobridge.JITSIFQDN
JIGASI_SECRET=SECRET4
JIGASI_OPTS=""
LOGFILE=/var/log/jitsi/jigasi.log

/opt/jitsi-meet/config.js
hosts.call_control = 'callcontrol.JITSIFQDN'

and then start/enable jigasi.service.

Access restrictions for room creation

Note: The paths in this section refer to the stable or -git packages and might differ for the -bin packages.

To restrict video conference room creation to authenticated users, follow the steps below. Note that participants in the meeting are still not authenticated!

Add authentication to the jitsi domain in prosody and add a new virtual host for guests:

/etc/prosody/prosody.cfg.lua
...
VirtualHost "JITSIFQDN"
    ...
    authentication = "internal_plain"

VirtualHost "guest.JITSIFQDN"
    authentication = "anonymous"
    c2s_require_encryption = false
...

Edit the config file for jitsi-meet:

/opt/jitsi-meet/config.js
var config = {
    hosts: {
        domain: 'JITSIFQDN',
        anonymousdomain: 'guest.JITSIFQDN',
        ...
    },
    ...
}

Add authentication to the jicofo argument string:

/etc/jitsi/jicofo/jicofo.conf
-Dorg.jitsi.jicofo.auth.URL=XMPP:JITSIFQDN

Then create the desired users via

   prosodyctl register <username> JITSIFQDN <password>

Only if you are using jigasi (if you do not know, you do not), edit the SIP interface to not allow anonymous authentication:

/etc/jitsi/jigasi/sip-communicator.properties
org.jitsi.jigasi.xmpp.acc.ANONYMOUS_AUTH=false

These steps are taken from this guide.

Log evaluation

For a publicly available IP address, the above config leads to a public video conference server. To monitor server use, you can use the systemd journal to get at least a rough idea of the usage:

   journalctl --unit jicofo.service | grep "Created new focus" | cut -d" " -f7,8,16

shows all events of new chat room creation and

   journalctl --unit jicofo.service | grep "Disposed conference for room" | cut -d" " -f7,8,16

shows all events of chat room destruction.

Grepping for 'member' also gives you (anonymous!) information on the participants.
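
The two pipelines above can be combined into a per-room summary that also shows rooms that were created but not yet disposed. This is an added example, not part of the wiki page or the Jitsi project; the function names are hypothetical, and the sample lines are constructed with a layout assumed from the field numbers in the cut commands.

```shell
#!/bin/sh
# Added example, not part of the wiki page or the Jitsi project.
# Usage: journalctl --unit jicofo.service | summarize_rooms

# summarize_rooms: read jicofo journal lines on stdin and print one line per
# room with how often it was created and disposed; open > 0 means still in use.
# The room is taken as the token after the log phrase, not a fixed field number.
summarize_rooms() {
    awk '
    # Local part (before the first "@") of the token following phrase p, or "".
    function room_after(line, p,    i, rest, tok) {
        i = index(line, p)
        if (i == 0) return ""
        rest = substr(line, i + length(p))
        sub(/^[ \t]+/, "", rest)
        split(rest, tok, /[ \t]+/)
        sub(/@.*/, "", tok[1])
        return tok[1]
    }
    {
        r = room_after($0, "Created new focus for")
        if (r != "") { created[r]++; seen[r] = 1; next }
        r = room_after($0, "Disposed conference for room:")
        if (r != "") { disposed[r]++; seen[r] = 1 }
    }
    END {
        for (r in seen)
            printf "%s created=%d disposed=%d open=%d\n", r, created[r], disposed[r], created[r] - disposed[r]
    }' | sort
}

# Constructed sample lines; the layout is an assumption chosen to match the
# field numbers used by the cut commands above.
sample_log() {
    cat <<'EOF'
Mar 01 10:00:01 host jicofo[411]: Jicofo 2021-03-01 10:00:01.120 INFO: [29] org.jitsi.jicofo.FocusManager.log() Created new focus for standup@conference.meet.example.com@auth.meet.example.com conferences count: 1 options:
Mar 01 10:30:12 host jicofo[411]: Jicofo 2021-03-01 10:30:12.004 INFO: [29] org.jitsi.jicofo.FocusManager.log() Disposed conference for room: standup@conference.meet.example.com conference count: 0
Mar 01 11:02:45 host jicofo[411]: Jicofo 2021-03-01 11:02:45.381 INFO: [31] org.jitsi.jicofo.FocusManager.log() Created new focus for demo@conference.meet.example.com@auth.meet.example.com conferences count: 1 options:
Mar 01 11:05:09 host jicofo[411]: Jicofo 2021-03-01 11:05:09.770 INFO: [31] org.jitsi.jicofo.FocusManager.log() Created new focus for standup@conference.meet.example.com@auth.meet.example.com conferences count: 2 options:
EOF
}
```

On an open server, room names you do not recognise or unusually high creation counts are the entries worth a closer look.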

Running own STUN server

By default, Jitsi Meet uses STUN servers from jitsi.org. You can easily run your own STUN server using coturn and setting it in jitsi-meet's config.

Troubleshooting

Crash on user join

Add xmpp as an argument to the --apis switch of videobridge, which is unset by default:

/etc/jitsi/videobridge/jitsi-videobridge.conf
JVB_OPTS="--apis=xmpp,"

Cannot disconnect from room / No other user present

This usually indicates issues between the focus component and the XMPP server:

  • If you enabled authentication other than anonymous in the VirtualHost section of your host, which requires c2s_require_encryption to be set to false locally, make sure the global option is set to false, too:
/etc/prosody/prosody.cfg.lua
...
c2s_require_encryption = false -- Global
...
VirtualHost "JITSIFQDN"
    authentication = "internal_plain"
    c2s_require_encryption = false -- Local
    ...
  • Make sure to have the same domain name in jicofo.conf and jitsi-videobridge.conf, and always connect your browser to that domain and not to the plain IP address.

See also