Self Hosted Jitsi Meet Instance


After all communication with friends and business partners had been switched to the Element Matrix Messenger, with only a minimal share still going through e-mail, a separate Jitsi Meet instance had to be set up so that all communication components are self-hosted. Jitsi Meet offers a lot of cool features on its own:

  • Full voice and video communication
  • Desktop sharing, e.g. for presentations and support
  • Simply invite users to the conference via URL
  • Administrator and moderator approval for entering the room
  • Password to enter the room
  • Integrated chat
  • Blur background
  • Transport encryption (E2E in beta)
  • Does not collect user data

The Element Matrix Messenger integrates Jitsi Meet as a widget, which means that conferences can be held with all Element Matrix users on all Matrix servers. People who have not yet switched their communication to the Element Matrix Messenger can simply be invited via a link and then participate in the conference with the browser without any installation.

Anyone can try out Jitsi Meet immediately on the project server without logging in:

These instructions are aimed at people and companies who want to operate their own Jitsi Meet Instance for their communication partners.

Basic Debian setup

We start with a Debian 10 (Buster) minimal installation and enable the SSH daemon. The host name and the IP address should already be set correctly, and there should be a DNS entry for the server in the form

jitsi.mydomain.tld A 3600 IP-address-of-the-server

First we secure access to the server. Like any good IT administrator, you surely use a static IP address for your PC or device. It is best to set up ufw on the Debian server and then create the following rules as root:

ufw allow from your-static-IP/netmask to any port 22
ufw allow from another-static-IP/netmask to any port 22
ufw enable
ufw status numbered

This allows access to the SSH service only from the admin IP addresses. All other computers on the Internet cannot connect to port 22, which rules out password brute-force attacks and makes hacks of SSH access largely impossible. If dynamic IP addresses are used on the admin side, it is essential to secure access with a strongly secured VPN. A publicly accessible port 22 (SSH), like any other open admin port, is a massive security hole that will eventually be used by hackers!

As root we also allow access to the ports used by Jitsi Meet:

ufw allow 80/tcp
ufw allow 443/tcp
ufw allow 4443/tcp
ufw allow 10000/udp
ufw status numbered

The status command should then output all rules in numbered form.
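
To confirm that the rule set matches this intent, the following added example (not part of the original article) reads `ufw status numbered` output and flags any port other than the four Jitsi ports that is allowed from Anywhere, as well as Jitsi ports that are missing. The function name audit_ufw and the sample output are constructed for illustration; on a live host run `ufw status numbered | audit_ufw`.

```shell
#!/bin/sh
# Added example: audit `ufw status numbered` output against the rules above.
# Reads the status text on stdin, prints one finding per line and returns
# non-zero when the rule set deviates from the intended policy.
audit_ufw() {
    # Drop the "[ n]" index and "(v6)" markers; $1 is then the port and
    # the last field is the source ("Anywhere" or an address/netmask).
    sed -n 's/^\[ *[0-9]*\] *//p' | sed 's/ *(v6)//g' |
    awk '
        BEGIN {
            bad = 0
            n = split("80/tcp 443/tcp 4443/tcp 10000/udp", p, " ")
            for (i = 1; i <= n; i++) public[p[i]] = 1
        }
        $2 != "ALLOW" { next }
        $NF == "Anywhere" {
            if ($1 in public) seen[$1] = 1
            else { print "EXPOSED " $1 " is reachable from any address"; bad = 1 }
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(p[i] in seen)) { print "MISSING " p[i] " is not open for Jitsi"; bad = 1 }
            exit bad
        }'
}

# Constructed sample output (documentation address 203.0.113.10); rule 2
# shows the mistake the text warns about: SSH open to everyone.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    203.0.113.10
[ 2] 22/tcp                     ALLOW IN    Anywhere
[ 3] 80/tcp                     ALLOW IN    Anywhere
[ 4] 443/tcp                    ALLOW IN    Anywhere
[ 5] 4443/tcp                   ALLOW IN    Anywhere
[ 6] 10000/udp                  ALLOW IN    Anywhere
[ 7] 80/tcp (v6)                ALLOW IN    Anywhere (v6)'

printf '%s\n' "$SAMPLE_STATUS" | audit_ufw || echo "rule set needs fixing"
```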

If everything is OK so far, we can now install the required software as root:

apt-get update
apt-get install gnupg wget
wget https://download.jitsi.org/jitsi-key.gpg.key
apt-key add jitsi-key.gpg.key
rm jitsi-key.gpg.key

Then use vi to create the file /etc/apt/sources.list.d/jitsi-stable.list (or open it if it already exists) and add the following line:

vi /etc/apt/sources.list.d/jitsi-stable.list

deb https://download.jitsi.org stable/

Now the package lists have to be updated and Jitsi Meet installed:

apt-get update
apt-get install jitsi-meet

Simply answer the questions during setup; it is important to set the host name to match the DNS entry above. During setup, Jitsi Meet first asks about a self-signed certificate, which should be created. The Let's Encrypt certificate will be created later.

Jitsi Meet uses certificates to encrypt communication and traffic so that nobody can overhear the transmission.

Then, as root, we install Certbot for the free Let's Encrypt certificates and run the script that installs the certificate and sets up its renewal.

apt install certbot
/usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh

Securing room creation

Now we want to make sure that only your own users can create rooms:

vi /etc/prosody/conf.avail/your_domain.cfg.lua

we change

  • authentication = "anonymous"

to

  • authentication = "internal_plain"

At the end we add the following in the same file. Change jitsi.yourdomain.tld according to DNS:

VirtualHost "guest.jitsi.yourdomain.tld"
authentication = "anonymous"
c2s_require_encryption = false

This allows guests to enter rooms, but not to open any rooms themselves.

Now we still have to make changes in the file /etc/jitsi/meet/jitsi.yourdomain.tld-config.js:

// anonymousdomain: 'guest.example.com',

to

anonymousdomain: 'guest.jitsi.yourdomain.tld',

To the file /etc/jitsi/jicofo/sip-communicator.properties we add the following line:

org.jitsi.jicofo.auth.URL=XMPP:your_domain

Register user

With the command:

prosodyctl register username jitsi.yourdomain.tld password

you can create as many users as you want. They can then open rooms with their user name and password. It is important to know that if you do not set up any permissions, everyone can use the Jitsi instance!

Finally, the Jitsi services must be restarted:

systemctl restart prosody.service
systemctl restart jicofo.service
systemctl restart jitsi-videobridge2.service
systemctl restart nginx
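
The following added example (not from the original article) checks that all three edits of the room-creation procedure above are in place, since a single missed file leaves the setup incomplete. The function name check_secure_domain and the sample files are constructed; on a real server pass the domain and the three file paths named in the text.

```shell
#!/bin/sh
# Added example: verify that the three secure-domain edits above are in place.
# Usage: check_secure_domain DOMAIN PROSODY_CFG MEET_CONFIG_JS JICOFO_PROPERTIES
check_secure_domain() {
    domain=$1; rc=0
    # "host mode" pairs: authentication setting of each Prosody VirtualHost.
    modes=$(awk '
        /^[ \t]*--/ { next }                       # Lua comment
        /^[ \t]*(VirtualHost|Component)[ \t]/ { split($0, q, "\""); host = q[2]; next }
        /^[ \t]*authentication[ \t]*=/ { split($0, q, "\""); print host, q[2] }
    ' "$2")
    printf '%s\n' "$modes" | grep -qxF "$domain internal_plain" ||
        { echo "FAIL prosody: $domain does not use internal_plain"; rc=1; }
    printf '%s\n' "$modes" | grep -qxF "guest.$domain anonymous" ||
        { echo "FAIL prosody: guest.$domain is not an anonymous VirtualHost"; rc=1; }
    # Whitespace is stripped so spacing differences do not matter; -x makes
    # commented-out lines ("// ..." or "# ...") fail to match.
    sed 's/[[:space:]]//g' "$3" | grep -qxF "anonymousdomain:'guest.$domain'," ||
        { echo "FAIL config.js: anonymousdomain is not guest.$domain"; rc=1; }
    sed 's/[[:space:]]//g' "$4" | grep -qxF "org.jitsi.jicofo.auth.URL=XMPP:$domain" ||
        { echo "FAIL jicofo: auth.URL is not XMPP:$domain"; rc=1; }
    return $rc
}

# Constructed sample files in a scratch directory (not a real installation).
# The prosody file is correct; config.js still has the commented-out default.
demo=$(mktemp -d)
cat > "$demo/prosody.cfg.lua" <<'EOF'
VirtualHost "jitsi.yourdomain.tld"
    authentication = "internal_plain"
VirtualHost "guest.jitsi.yourdomain.tld"
    authentication = "anonymous"
    c2s_require_encryption = false
EOF
printf "    // anonymousdomain: 'guest.example.com',\n" > "$demo/config.js"
echo 'org.jitsi.jicofo.auth.URL = XMPP:jitsi.yourdomain.tld' > "$demo/sip-communicator.properties"

check_secure_domain jitsi.yourdomain.tld "$demo/prosody.cfg.lua" \
    "$demo/config.js" "$demo/sip-communicator.properties" || echo "secure domain incomplete"
```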

Professional extras

Authentication against Matrix Synapse

There are extensions for this, which must be installed on the Matrix Synapse side:

and on the Jitsi side the following must be running:

There will be a separate tutorial for this; the perfect solution is probably to authenticate both Matrix Synapse and Jitsi against an LDAP server. Further information will follow.

Nagios monitoring of the Jitsi instance

Cool Nagios check_jitsi module:

https://github.com/nbuchwitz/check_jitsi.git

This allows the current number of rooms and much more to be queried.

Assignment of the Jitsi instance

for all users of the Matrix Homeserver

Infolink: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-well-known.md

Apache needs CORS / ACAO headers for the well-known functionality:

Header set Access-Control-Allow-Origin "*"

/.well-known/matrix/client:

{
"im.vector.riot.jitsi": {
"preferredDomain": "jitsi.yourdomain.tld"
}
}

for individual clients

CONFIG.JSON for element-web, linux, windows, mac

Custom config.json in element user directory:

{
"brand": "Window Title",
"showLabsSettings": true,
"jitsi": {
"preferredDomain": "jitsi.example.org"
}
}

Place the logo in the folder /usr/share/jitsi-meet/images and change the following in the file interface_config.js:

DEFAULT_LOGO_URL: 'images/EURAFRIJ.png',
JITSI_WATERMARK_LINK: 'https://eurafri.com',



EURAFRI Matrix Group Chat

We look forward to active participation in the EURAFRI project and ask you to also visit the EURAFRI reception in the matrix.

https://matrix.to/#/#eurafri-reception:matrix.ctseuro.com

Your EURAFRI TEAM

Author: Karl M. Joch
(c) KMJ.at, Permission to publish the article on EURAFRI.com @20210519
