From ArchWiki
Jump to navigation Jump to search

Jitsi is a set of open-source projects that allows you to easily build and deploy secure videoconferencing solutions. At the heart of Jitsi are Jitsi Videobridge and Jitsi Meet, which let you have conferences on the internet, while other projects from the community enable other features such as audio, dial-in, recording, and simulcasting.


Jitsi-meet consists of severals components:

  • jitsi-meet: the files for the webinterface, accessed via files served by a webserver
  • jitsi-meet-prosody: the prosody plugins for jitsi
  • jitsi-meet-turnserver: the configs example to run a stun/turn server
  • jitsi-videobridge: the video bridging service providing video streams to all participants
  • jicofo: the Jitsi conference focus determining who is speaking
  • Prosody: a free XMPP server serving as the base of the setup

A graphical overview of the interfaces to the user and towards each other is given here.

You can either use the git versions, the nightly version or the stable versions.

It is possible to install them at the same time, but you will need to use separate port and several instances of prosody (the plugins cannot be scope by virtual host).

You need to choose between the normal or the bin version. The bin one conflicts with the normal version. (nightly and nightly-bin can be installed at the same time, but stable and nightly can be.)

Try to stick with only one of them:

Some packages install configs examples in /usr/share/doc, ensure to comment this line in /etc/pacman.conf:

#NoExtract = usr/share/gtk-doc/html/* usr/share/doc/*

You need those optionals packages to run a standalone server:


Note: This configuration yields an open server for everyone to connect. Refer to the Jitsi philosophy for rationale. See tips section for authentication.

If your server name is example.com then a common choice for your jitsi will be meet.example.com, but you can choose freely. It is however strongly encouraged from security standpoint to host webapps on their own subdomain. You will need to update DNS record for your server with an entry of your chosen subdomain, in the above example meet. The remainder assumes that you have done this.

Also you should have SSL/TLS certificates for your meet.example.com domain, on how to obtain free certificates see certbot.

In the following, the following placeholders are used:

  • JITSIFQDN: your jitsi-meet domain, e.g. meet.example.com
  • SECRET_JVB_USER: password for the videobridge
  • SECRET_FOCUS_USER: password for the authenticator

Passwords should be obtained in a safe way, e.g. via mktemp -u XXXXXXXX or via pwgen. Make sure to use different and safe passwords!

Config paths





Let us jitsi-meet components reach each other with local ip. It works even if your domain is behind a proxy like Cloudflare which does not return the real ip of the server.

In /etc/hosts: YOUR_DOMAIN auth.YOUR_DOMAIN

Configure prosody

prosody is a prerequisite and you will need to add a configuration to it for your Jitsi services. If you do not already have a prosody server set up, install prosody and lua52-sec now. The rest of the prosody configuration assumes you have a local install of prosody.

The package jitsi-meet-prosodyAUR provides a configuration you can easily customize:

cd /etc/prosody
mkdir conf.d
cp /usr/share/doc/jitsi-meet-prosody/prosody.cfg.lua-jvb.example conf.d/jitsi.cfg.lua

Then add this at the end of:

Include "conf.d/*.cfg.lua"

Customize your configuration:

# replace all occurences of jitmeet.example.com by JITSIFQDN
# replace all occurences of focusUser by focus
# then add or update those section

VirtualHost "JITSIFQDN"
    ssl = {
        key = "/etc/prosody/certs/JITSIFQDN.key";
        certificate = "/etc/prosody/certs/JITSIFQDN.crt";

VirtualHost "auth.JITSIFQDN"
    ssl = {
        key = "/etc/prosody/certs/auth.JITSIFQDN.key";
        certificate = "/etc/prosody/certs/auth.JITSIFQDN.crt";
    authentication = "internal_plain"
-- Proxy to jicofo's user JID, so that it does not have to register as a component.
Component "focus.JITSIFQDN" "client_proxy"
    target_address = "focus@auth.JITSIFQDN"

You need now to generate the certificate for JITSIFQDN and auth.JITSIFQDN.

If you use certbot, you can import the certificate with:

prosodyctl --root cert import /etc/letsencrypt/live

If you want to use self generated certs, you can use:

sudo -u prosody prosodyctl cert generate JITSIFQDN
sudo -u prosody prosodyctl cert generate auth.JITSIFQDN
mv /var/lib/prosody/*.{crt,cnf,key} /etc/prosody/certs/
trust anchor /etc/prosody/certs/JITSIFQDN.crt
trust anchor /etc/prosody/certs/auth.JITSIFQDN.crt
update-ca-trust # for java

Let us register the users jvb and focus:

prosodyctl register jvb auth.JITSIFQDN SECRET_JVB_USER
prosodyctl register focus auth.JITSIFQDN SECRET_FOCUS_USER
prosodyctl mod_roster_command subscribe focus.JITSIFQDN focus@auth.JITSIFQDN

Then restart prosody.service (or start/enable it if it was just installed).

Configure jitsi-videobridge

The configuration for jitsi-videobridge. Add -nightly or -git to /etc/jitsi-videobridge for nightly and git version.


# Also uncomment this, if you install java15 (check with java -v). If possible use java8.

For MUC_NICKNAME, use uuidgen command:


Then start/enable jitsi-videobridge.service.

Configure jicofo

The configuration for jicofo. Add -nightly or -git to /etc/jitsi-videobridge for nightly and git version.

  // Look for xmpp > client
  xmpp {
    client {
      // Replace those 2 variables
      // remove the // if present to uncomment
      conference-muc-jid = conference.JITSIFQDN
      client-proxy = focus.JITSIFQDN

Then start/enable jicofo.service.

Configure jitsi-meet

The configuration for jitsi-meet webapps. Add -nightly or -git to /etc/jitsi-videobridge for nightly and git version.

var config = {
  hosts: {
    domain: 'JITSIFQDN',
    // ...
    muc: 'conference.JITSIFQDN'
  bosh: '//JITSIFQDN/http-bind',
  // ...

Configure nginx

Configure nginx with TLS as described in nginx#TLS.

Let us copy the provided example.

cd /etc/nginx
mkdir sites
cp /usr/share/doc/jitsi-meet/jitsi-meet.example sites/jitsi.conf

Then include it in your main config:

http {
    // ...
    // this should be placed near to the close bracket of the http block
    include sites/*.conf;

Then changes the jitsi config with your configuration:

server {
  # ...
  server_name YOUR_DOMAIN;

  # ...
  # use prosody path directly
  ssl_certificate /etc/prosody/certs/JITSIFQDN.crt;
  ssl_certificate_key /etc/prosody/certs/JITSIFQDN.key;
  # or use letencrypt path
  ssl_certificate /etc/letsencrypt/live/JITSIFQDN/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/JITSIFQDN/privkey.pem;

  # set the config path
  # replace alias /etc/jitsi/meet/jitmeet.example.com-config.js by
  location = /config.js {
    alias /etc/webapps/jitsi-meet/config.js;
  # ...
  location ~ ^/([^/?&:'"]+)/config.js$
    set $subdomain "$1.";
    set $subdir "$1/";
    alias /etc/webapps/jitsi-meet/config.js;

Then restart nginx.service.

Tips and tricks

Running the server behind a NAT

The following ports need to be forwarded to your server:


  • TCP/443

Jitsi Videobridge:

  • UDP/10000

Jitsi gateway to SIP (Jigasi)

To interface the Jitsi-meet meetings with traditional SIP install jigasiAUR or jigasi-gitAUR and edit the prosody config:

Component "callcontrol.JITSIFQDN"
    component_secret = "SECRET_JIGASI_USER"

fill the SIP access credentials (SIPUSER SIPSERVER and SIPPASSWORD)


To change the default room name SIP is connecting to, change org.jitsi.jigasi.DEFAULT_JVB_ROOM_NAME in the above config.

Then edit the jigasi configuration

hosts.call_control = 'callcontrol.meet.jit.si'

and then start/enable jigasi.service.

Access restrictions for room creation

To restrict video conference room creation to authenticated users, you can do the following steps. Note that participants to the meeting are still not authenticated!

Add authentication to the jitsi domain in prosody and add a new virtual host for guests:

-- change authentification of your domain
VirtualHost "JITSIFQDN"
    authentification = "internal_plain"

-- add guest virtual host to allow anonymous user to join your room
VirtualHost "guest.JITSIFQDN"
    authentication = "anonymous"
    c2s_require_encryption = false
    modules_enabled = {
        -- copy the content of the modules_enabled
        -- of the VirtualHost "JITSIFQDN"
        -- remove only the module "muc_lobby_rooms" of the list
        -- example:
        "ping"; -- Enable mod_ping

Edit the config file for jitsi-meet:

var config = {
  host: {
    // anonymous users need to use a dedicated muc without authentication
    anonymousdomain: 'guest.JITSIFQDN',

Add authentication for jicofo:


Then create the desired users via

prosodyctl register <username> JITSIFQDN <password>

Only if you are using jigasi (if you do not know, you do not) edit the SIP interface to not allow anonymous authentication:


These steps are taken from this guide.

Log evaluation

For a publicly available IP address the above config leads to a public video conference server. To monitor server use one can use systemd logging to get an at least vague idea of the usage:

# journalctl --unit=jicofo.service --grep="created new focus" | cut -d" " -f7,8,16

shows all events of new chat room creation and

# journalctl --unit=jicofo.service --grep="disposed conference for room" | cut -d" " -f7,8,16

shows all events of chat room destruction.

Grepping for 'member' also gives you (anonymous!) information on the participants.

Running own STUN server

By default, Jitsi Meet uses STUN servers from jitsi.org. You can easily run your own STUN server using coturn and setting it in jitsi-meet's config.


Check your logs

You can stop all service units (i.e., prosody.service, jitsi-videobridge.service, and jicofo.service), start them one at a time, and follow new messages in the journal for each service unit to see if something is wrong. Most problems are due to password or configuration issues.

If you have an upgrade from a very different version, or you mess up with your config, start other. It will be faster than trying to findout which part is wrong.

Ask help on Matrix rooms

You can join matrix rooms and ask help there:

See also