Jitsi-meet
Jitsi is a set of open-source projects that allows you to easily build and deploy secure videoconferencing solutions. At the heart of Jitsi are Jitsi Videobridge and Jitsi Meet, which let you have conferences on the internet, while other projects from the community enable other features such as audio, dial-in, recording, and simulcasting.
Installation
Jitsi-meet consists of 4 main components:
- jitsi-meet: the files for the web interface, served by a webserver
- jitsi-videobridge: the video bridging service providing video streams to all participants
- jicofo: the Jitsi conference focus determining who is speaking
- Prosody: a free XMPP server serving as the base of the setup
A graphical overview of the interfaces to the user and towards each other is given here.
You can use either the git versions or the stable versions, but you should not mix and match between them. The sets are as listed here:
- stable packages: jitsi-meet (AUR), jitsi-videobridge (AUR), and jicofo (AUR),
- stable packages built from deb binaries: jitsi-meet-bin (AUR), jitsi-videobridge-bin (AUR), and jicofo-bin (AUR),
- git packages: jitsi-meet-git (AUR), jitsi-videobridge-git (AUR), and jicofo-git (AUR).
trust anchor /var/lib/prosody/auth.meet.example.com.crt
Configuration
If your server name is example.com, then a common choice for your Jitsi host will be meet.example.com, but you can choose freely. From a security standpoint it is, however, strongly encouraged to host web apps on their own subdomain. You will need to update the DNS records for your server with an entry for your chosen subdomain, in the above example meet. The remainder assumes that you have done this.
You should also have SSL/TLS certificates for your meet.example.com domain; see certbot for how to obtain free certificates.
The following placeholders are used below:
- JITSIFQDN: your jitsi-meet domain, e.g. meet.example.com
- SECRET1: password for the videobridge
- SECRET2: password for the focus chooser
- SECRET3: password for the authenticator
Passwords should be obtained in a safe way, e.g. via mktemp -u XXXXXXXX or via pwgen.
Make sure to use different and safe passwords!
Configure prosody
prosody is a prerequisite and you will need to add a configuration to it for your Jitsi services. If you do not already have a prosody server set up, install prosody and lua52-sec now. The rest of the prosody configuration assumes you have a local install of prosody.
You can add the following config to the prosody config file directly or include it from an external file.
/etc/prosody/prosody.cfg.lua
-- Main domain: meeting participants connect here without credentials
VirtualHost "JITSIFQDN"
    authentication = "anonymous"
    ssl = {
        key = "/var/lib/prosody/JITSIFQDN.key";
        certificate = "/var/lib/prosody/JITSIFQDN.crt";
    }
    modules_enabled = {
        "bosh";
        "pubsub";
    }
    -- allows unencrypted client-to-server connections on this host
    c2s_require_encryption = false
-- Authenticated domain used by the focus user
VirtualHost "auth.JITSIFQDN"
    ssl = {
        key = "/var/lib/prosody/auth.JITSIFQDN.key";
        certificate = "/var/lib/prosody/auth.JITSIFQDN.crt";
    }
    authentication = "internal_plain"
    admins = { "focus@auth.JITSIFQDN" }
-- Components; the secrets must match the videobridge and jicofo configuration
Component "conference.JITSIFQDN" "muc"
Component "jitsi-videobridge.JITSIFQDN"
    component_secret = "SECRET1"
Component "focus.JITSIFQDN"
    component_secret = "SECRET2"
Generate the certificates that prosody needs. This is interactive:
prosodyctl cert generate JITSIFQDN
prosodyctl cert generate auth.JITSIFQDN
Register the focus user:
prosodyctl register focus auth.JITSIFQDN SECRET3
Trust the certificate:
trust anchor /var/lib/prosody/auth.JITSIFQDN.crt
Then restart the prosody service (or start/enable prosody if it was just installed).
Configure jitsi-videobridge
The configuration for jitsi-videobridge:
/etc/jitsi/videobridge/jitsi-videobridge.conf
flags="--host=localhost --domain=JITSIFQDN --port=5347 --secret=SECRET1"
If you want to have logging and sip communicator settings in the same folder, you can do the following:
/etc/jitsi/videobridge/jitsi-videobridge.conf
VIDEOBRIDGE_DEBUG_OPTIONS="-Djava.util.logging.config.file=/etc/jitsi/videobridge/logging.properties -Dnet.java.sip.communicator.SC_HOME_DIR_NAME=jitsi-videobridge -Dnet.java.sip.communicator.SC_HOME_DIR_LOCATION=/etc
/etc/jitsi/videobridge/sip-communicator.properties
org.jitsi.videobridge.AUTHORIZED_SOURCE_REGEXP=focus@auth.JITSIFQDN/.*
org.jitsi.impl.neomedia.transform.srtp.SRTPCryptoContext.checkReplay=false
org.jitsi.videobridge.TCP_HARVESTER_PORT=4443
and copy /opt/jitsi-videobridge/lib/logging.properties to /etc/jitsi/videobridge/logging.properties.
Then start/enable the jitsi-videobridge service.
Configure jicofo
/etc/jitsi/jicofo/jicofo.conf
flags="--host=localhost --domain=JITSIFQDN --secret=SECRET2 --user_domain=auth.JITSIFQDN --user_name=focus --user_password=SECRET3"
Then start/enable the jicofo service.
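A mismatch between the secrets in the prosody, videobridge and jicofo files is an easy mistake to make at this point. The following check is an added example, not part of the Jitsi packages; it assumes the prosody file keeps one setting per line and that the other two files use the flags="..." form shown above, and the sample values in it are constructed:

```bash
#!/usr/bin/env bash
# Added example, not part of any Jitsi package: cross-check the shared secrets.
# Assumes one setting per line in the prosody file and flags="..." lines elsewhere.

# Print the component_secret of a prosody Component; $1 = config, $2 = name prefix.
prosody_component_secret() {
    awk -v comp="$2" '
        $1 == "Component" || $1 == "VirtualHost" {
            active = ($1 == "Component" && index($2, "\"" comp ".") == 1)
        }
        active && $1 == "component_secret" { gsub(/[";]/, "", $3); print $3; exit }
    ' "$1"
}

# Print the value of --NAME=value from a flags line; $1 = file, $2 = NAME.
flag_value() {
    grep -o -e "--$2=[^ \"]*" "$1" | head -n 1 | cut -d= -f2-
}

# $1 = prosody config, $2 = videobridge conf, $3 = jicofo conf; returns 1 on a finding.
audit_jitsi_secrets() {
    local rc=0 p1 p2 s1 s2 s3
    p1=$(prosody_component_secret "$1" jitsi-videobridge)
    p2=$(prosody_component_secret "$1" focus)
    s1=$(flag_value "$2" secret)
    s2=$(flag_value "$3" secret)
    s3=$(flag_value "$3" user_password)
    if [ -z "$s1" ] || [ "$s1" != "$p1" ]; then echo "FAIL: videobridge --secret differs from prosody"; rc=1; fi
    if [ -z "$s2" ] || [ "$s2" != "$p2" ]; then echo "FAIL: jicofo --secret differs from prosody"; rc=1; fi
    if [ "$s1" = "$s2" ] || [ "$s1" = "$s3" ] || [ "$s2" = "$s3" ]; then echo "FAIL: a secret is reused"; rc=1; fi
    case " $s1 $s2 $s3 " in *" SECRET"[0-9]" "*) echo "FAIL: placeholder left in place"; rc=1 ;; esac
    return "$rc"
}

# Constructed sample files in the layout used above; $1 = directory, $2 = jicofo --secret.
write_sample_configs() {
    printf '%s\n' 'Component "conference.meet.example.com" "muc"' \
        'Component "jitsi-videobridge.meet.example.com"' '    component_secret = "Xa91kQpz"' \
        'Component "focus.meet.example.com"' '    component_secret = "m4Trw08L"' > "$1/prosody.cfg.lua"
    echo 'flags="--host=localhost --domain=meet.example.com --port=5347 --secret=Xa91kQpz"' > "$1/jitsi-videobridge.conf"
    echo "flags=\"--host=localhost --domain=meet.example.com --secret=$2 --user_domain=auth.meet.example.com --user_name=focus --user_password=Zq7Lh2Vd\"" > "$1/jicofo.conf"
}

demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir" m4Trw08L
audit_jitsi_secrets "$demo_dir/prosody.cfg.lua" "$demo_dir/jitsi-videobridge.conf" "$demo_dir/jicofo.conf" \
    && echo "OK: secrets are consistent and distinct"
rm -rf "$demo_dir"
```

On a real host, pass /etc/prosody/prosody.cfg.lua, /etc/jitsi/videobridge/jitsi-videobridge.conf and /etc/jitsi/jicofo/jicofo.conf to audit_jitsi_secrets.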
Configure jitsi-meet
/opt/jitsi-meet/config.js
var domainroot = "JITSIFQDN";
var config = {
    hosts: {
        domain: domainroot,
        muc: 'conference.'+domainroot,
        bridge: 'jitsi-videobridge.'+domainroot,
        focus: 'focus.'+domainroot
    },
    useNicks: false,
    bosh: '//'+domainroot+'/http-bind',
};
Configure nginx
Configure nginx with TLS as described in nginx#TLS and use the following configuration in the relevant server block for the Jitsi-meet components as shown in its documentation.
server {
    ...
    # set the root
    root /opt/jitsi-meet;
    index index.html;
    location ~ ^/([a-zA-Z0-9=?]+)$ {
        rewrite ^/(.*)$ / break;
    }
    location / {
        ssi on;
    }
    # BOSH
    location /http-bind {
        proxy_pass http://localhost:5280/http-bind;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $http_host;
    }
    # xmpp websockets
    location /xmpp-websocket {
        proxy_pass http://localhost:5280/xmpp-websocket;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        tcp_nodelay on;
    }
}
Then restart the nginx service.
Configuration for bin packages
Their configuration layout differs from the above, as the -bin packages use "config" naming for the configuration files instead of specific names like "jicofo.conf".
The webserver webroot is /usr/share/jitsi-meet.
Make sure to use the following settings:
/etc/jitsi/videobridge/config
JVB_OPTS="--apis=xmpp"
JVB_HOST=localhost
JVB_HOSTNAME=JITSIFQDN
JVB_SECRET=SECRET1
/etc/jitsi/jicofo/config
JICOFO_AUTH_DOMAIN=auth.JITSIFQDN
JICOFO_HOST=localhost
JICOFO_HOSTNAME=JITSIFQDN
JICOFO_SECRET=SECRET2
JICOFO_AUTH_PASSWORD=SECRET3
Tips and tricks
Running the server behind a NAT
The following ports need to be forwarded to your server:
HTTPS:
- TCP/443
Jitsi Videobridge:
- TCP/4443
- UDP/10000
Jitsi gateway to SIP (Jigasi)
To interface the Jitsi-meet meetings with traditional SIP, install jigasi (AUR) or jigasi-git (AUR) and edit the prosody config:
/etc/prosody/prosody.cfg.lua
Component "callcontrol.JITSIFQDN"
    component_secret = "SECRET4"
Fill in the SIP access credentials (SIPUSER, SIPSERVER and SIPPASSWORD):
/opt/jigasi/jigasi-home/sip-communicator.properties
net.java.sip.communicator.impl.protocol.sip.acc1403273890647.ACCOUNT_UID=SIP\:"SIPUSER@SIPSERVER"
net.java.sip.communicator.impl.protocol.sip.acc1403273890647.PASSWORD=SIPPASSWORD
net.java.sip.communicator.impl.protocol.sip.acc1403273890647.SERVER_ADDRESS=SIPSERVER
net.java.sip.communicator.impl.protocol.sip.acc1403273890647.USER_ID=SIPUSER
To change the default room name SIP is connecting to, change org.jitsi.jigasi.DEFAULT_JVB_ROOM_NAME in the above config.
Then edit the jigasi configuration:
/etc/jitsi/jigasi/config
JIGASI_HOST=callcontrol.JITSIFQDN
JIGASI_HOSTNAME=jitsi-videobridge.JITSIFQDN
JIGASI_SECRET=SECRET4
JIGASI_OPTS=""
LOGFILE=/var/log/jitsi/jigasi.log
/opt/jitsi-meet/config.js
hosts.call_control = 'callcontrol.meet.jit.si'
and then start/enable jigasi.service.
Access restrictions for room creation
To restrict video conference room creation to authenticated users, follow the steps below. Note that participants in the meeting are still not authenticated!
Add authentication to the jitsi domain in prosody and add a new virtual host for guests:
/etc/prosody/prosody.cfg.lua
...
VirtualHost "JITSIFQDN"
    ...
    authentication = "internal_plain"
VirtualHost "guest.JITSIFQDN"
    authentication = "anonymous"
    c2s_require_encryption = false
...
Edit the config file for jitsi-meet:
/opt/config.js
var config = {
    hosts: {
        domain: 'JITSIFQDN',
        anonymousdomain: 'guest.JITSIFQDN',
        ...
    },
    ...
}
Add authentication to the jicofo argument string:
/etc/jitsi/jicofo/jicofo.conf
-Dorg.jitsi.jicofo.auth.URL=XMPP:jitsi-meet.example.com
Then create the desired users via:
prosodyctl register <username> JITSIFQDN <password>
Only if you are using jigasi (if you do not know, you do not), edit the SIP interface to not allow anonymous authentication:
/etc/jitsi/jigasi/sip-communicator.properties
org.jitsi.jigasi.xmpp.acc.ANONYMOUS_AUTH=false
These steps are taken from this guide.
Log evaluation
For a publicly available IP address the above config leads to a public video conference server. To monitor server use, one can use systemd logging to get at least a vague idea of the usage:
journalctl --unit jicofo.service | grep "Created new focus" | cut -d" " -f7,8,16
shows all events of new chat room creation and
journalctl --unit jicofo.service | grep "Disposed conference for room" | cut -d" " -f7,8,16
shows all events of chat room destruction.
Grepping for 'member' also gives you (anonymous!) information on the participants.
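The two commands above list creations and disposals separately. The following added example (not from the original page or from Jitsi) pairs them per room, so rooms that are still open and disposals whose creation lies outside the journal window stand out; its sample lines are constructed so that fields 7, 8 and 16 match the cut columns above:

```bash
#!/usr/bin/env bash
# Added example: pair the creation and disposal events of each room.
# Usage on a live host: journalctl --unit jicofo.service | room_sessions

# Reads journal lines on stdin. Fields 7, 8 and 16 are date, time and room,
# the same columns the cut commands above select.
room_sessions() {
    awk '
        /Created new focus/ { opened[$16] = $7 " " $8; next }
        /Disposed conference for room/ {
            if ($16 in opened) {
                print "CLOSED", $16, opened[$16], "->", $7, $8
                delete opened[$16]
            } else {
                print "ORPHAN", $16, $7, $8   # creation is outside the journal window
            }
        }
        END { for (room in opened) print "OPEN", room, opened[room] }
    ' | LC_ALL=C sort
}

# Constructed sample lines (host name, PID and logger name are placeholders).
sample_journal() {
    cat <<'EOF'
Mar 01 10:00:01 host jicofo[812]: Jicofo 2020-03-01 10:00:01.120 INFO: [30] constructed.Logger.log() Created new focus for standup@conference.meet.example.com
Mar 01 10:05:00 host jicofo[812]: Jicofo 2020-03-01 10:05:00.500 INFO: [31] constructed.Logger.log() Created new focus for retro@conference.meet.example.com
Mar 01 10:30:00 host jicofo[812]: Jicofo 2020-03-01 10:30:00.004 INFO: [30] constructed.Logger.log() Disposed conference for room: standup@conference.meet.example.com
Mar 01 10:40:00 host jicofo[812]: Jicofo 2020-03-01 10:40:00.000 INFO: [32] constructed.Logger.log() Disposed conference for room: legacy@conference.meet.example.com
EOF
}

sample_journal | room_sessions
```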
Running own STUN server
By default, Jitsi Meet uses STUN servers from jitsi.org. You can easily run your own STUN server using coturn and setting it in jitsi-meet's config.
Troubleshooting
Crash on user join
Add xmpp as an argument to the --apis switch of videobridge, which is unset by default:
/etc/jitsi/videobridge/jitsi-videobridge.conf
JVB_OPTS="--apis=xmpp,"
Cannot disconnect from room / No other user present
This usually indicates issues between focus component and xmpp server:
- If you enabled authentication other than anonymous on your host in the VirtualHost section, requiring c2s_require_encryption set to false locally, make sure the global option is set to false, too:
/etc/prosody/prosody.cfg.lua
...
c2s_require_encryption = false -- Global
...
VirtualHost "JITSIFQDN"
    authentication = "internal_plain"
    c2s_require_encryption = false -- Local
...
- Make sure to have the same domain name in jicofo.conf and jitsi-videobridge.conf, and always connect your browser to that domain and not to the plain IP address.