
Andrea Giacobino


Self-hosted Jitsi server with authentication

March 2021 update: the tutorial is still valid for the current Jitsi version, but the config file has gained some new settings that are not reflected here.


As the Coronavirus spreads and more and more people are spending time at home, one of the most critical things for many is to be able to keep in touch with family, friends and colleagues.

We at Ape Unit are used to remote and distributed work, but the current situation meant that it was necessary to go above and beyond.

As we are involved in open source projects and already use Jitsi, we opted to deploy an instance of Jitsi to use internally. Since there has been a lot of demand on the Jitsi community forum about installation and configuration, here is a step-by-step tutorial about how to run your own server.

Once you have completed the tutorial you will have your own Jitsi server with authentication enabled.

Before you start

This tutorial assumes that you have basic technical knowledge; in particular, it assumes that you are familiar with the Linux shell, SSH, and DNS.

The costs

The running cost of the setup varies depending on the server choice and the domain. In this case we'll be using a Hetzner cloud instance, which starts from 2.49€/month.

That being said, let's start!

#1. Setup a new server (with Hetzner)

Log in to Hetzner (or create an account), then:

  • go to the Cloud home
  • choose the project you want (usually Default)
  • Click on ADD SERVER

In the Create a Server page make sure to

  • select Ubuntu 20.04 as Image (point 2)
  • add your public ssh key (point 7)

Then click on CREATE & BUY NOW

If you add your SSH key, make sure that it is enabled in the SSH configuration of your machine (more on that here). If you do not add your SSH key, you'll receive an email with the root password to the server, which you will have to change on first login. As a side note, public key authentication is preferable to password authentication.

The server creation takes a minute or less; once it has completed, take note of the IP address of the server.

#2. Point a domain to the newly created server

For this step, we'll assume that you already have a domain registered (you can grab one on namecheap). For this tutorial we will use the domain apeunit.test.

In your domain DNS configuration add the records:

  • type: A
  • host: @
  • value: IP Address (from the Hetzner server)

NOTE: it might take a few minutes for the DNS to propagate

#3. Jitsi installation

Now that the server is up and running, let's set it up!
If everything so far has been successful, you should be able to log in to your server using:

$ ssh root@apeunit.test
The authenticity of host 'apeunit.test (10.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:Q1rLmH7vuBalRJGv7sasTJy+ZtS3yOf4A34artGjUI.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'apeunit.test,10.0.0.1' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-91-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
root@server:~#

We can now proceed with Jitsi installation (documentation here)

First let's make sure that the system is up to date

apt update
apt upgrade -y

Then install nginx

apt install nginx -y

Now we can add the Jitsi repositories and install the Jitsi components. During the installation you will be prompted for a domain to use; when that happens, enter the domain you chose/registered in #2. The second question you'll be asked is whether to generate a self-signed certificate or provide your own; choose the default (generate a self-signed certificate).

echo 'deb https://download.jitsi.org stable/' >> /etc/apt/sources.list.d/jitsi-stable.list
wget -qO -  https://download.jitsi.org/jitsi-key.gpg.key | apt-key add -
apt update && apt install jitsi-meet -y

And finally, let's ask Let's Encrypt for a certificate for our domain:

/usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh

To verify that the installation was successful, open your browser and enter your domain in the address bar. Jitsi should now be up and running.

Once we have verified that the installation is working properly, it is time to configure the firewall so as not to leave your server exposed. For the firewall we are going to use ufw:

ufw allow ssh
ufw allow http 
ufw allow https 
ufw allow 10000/udp
ufw enable

#4. Enable authentication for Jitsi

Enabling authentication only requires editing three files:

  • /etc/jitsi/meet/apeunit.test-config.js
  • /etc/prosody/conf.avail/apeunit.test.cfg.lua
  • /etc/jitsi/jicofo/sip-communicator.properties

NOTE: for the first two, replace the apeunit.test part of the filename with your domain

The official documentation for secure domain explains the details of the changes, but I've published the already configured files here:

They have to be adapted to your domain name; here is how. First set a variable with your domain name:

export JITSI_DOMAIN="your_domain.com"

then update the meet configuration file:

curl  https://gist.githubusercontent.com/noandrea/5ff6b212273af95103996c0e71f0cdf2/raw/d14979d5b31af324c5823b3d3c8683a6c762f518/apeunit.test-config.js -s | \
sed  "s/apeunit.test/$JITSI_DOMAIN/g" \
> /etc/jitsi/meet/$JITSI_DOMAIN-config.js

then the prosody configuration file:

curl https://gist.githubusercontent.com/noandrea/5ff6b212273af95103996c0e71f0cdf2/raw/d14979d5b31af324c5823b3d3c8683a6c762f518/apeunit.test.cfg.lua -s | \
sed  "s/apeunit.test/$JITSI_DOMAIN/g" | \
sed  "s/JICOFO_SECRET/$(grep -e '^JICOFO_SECRET=.*' /etc/jitsi/jicofo/config | cut -d '=' -f2)/g" | \
sed  "s/TURN_SECRET/$(< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c${1:-8})/g" \
> /etc/prosody/conf.avail/$JITSI_DOMAIN.cfg.lua

and finally the sip communicator properties file:

echo "org.jitsi.jicofo.auth.URL=XMPP:$JITSI_DOMAIN" \
>> /etc/jitsi/jicofo/sip-communicator.properties

Once this part is completed, it is time to create your users with the command prosodyctl register USER DOMAIN PASSWORD; in our example we can register the user jane with:

prosodyctl register jane $JITSI_DOMAIN janepwd

Currently there is no option to let users register themselves; you will have to create users from the command line. Also, not all the users need to have a password, only the ones that open a room.

To apply the changes, the last thing we have to do is restart the Jitsi services:

systemctl restart jicofo
systemctl restart jitsi-videobridge2
systemctl restart prosody

That's it! Now you can enjoy your private chat server thanks to the wonderful Jitsi!
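To check the result of step #4, the following added example (not part of the original tutorial or of the Jitsi project) audits the three edited files: the main VirtualHost must not be anonymous, the guest VirtualHost must be, config.js must name the guest domain, and the jicofo auth URL must appear exactly once. The key names `authentication` and `anonymousdomain` are assumed from Jitsi's secure-domain documentation; the function names and sample files are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the tutorial or the Jitsi project). The key names
# `authentication` and `anonymousdomain` are assumed from Jitsi's
# secure-domain documentation; the gist's contents are not shown on the page.

# Print the authentication mode of one prosody VirtualHost block.
vhost_auth() {  # usage: vhost_auth <prosody.cfg.lua> <vhost>
  awk -v want="$2" '
    /^[ \t]*(VirtualHost|Component)[ \t]+"/ {
      split($0, q, "\""); in_host = ($1 == "VirtualHost" && q[2] == want); next
    }
    in_host && /^[ \t]*authentication[ \t]*=/ { split($0, q, "\""); print q[2]; exit }
  ' "$1"
}

# usage: audit_secure_domain <domain> <prosody.cfg.lua> <config.js> <sip-communicator.properties>
audit_secure_domain() {
  local domain="$1" prosody="$2" meet="$3" jicofo="$4" fails=0 auth n
  auth=$(vhost_auth "$prosody" "$domain")
  case $auth in
    ''|anonymous) echo "FAIL main host authentication='${auth:-unset}'"; fails=$((fails + 1)) ;;
    *)            echo "ok   main host authentication=$auth" ;;
  esac
  auth=$(vhost_auth "$prosody" "guest.$domain")
  if [ "$auth" = anonymous ]; then echo "ok   guest host is anonymous"
  else echo "FAIL guest host authentication='${auth:-unset}'"; fails=$((fails + 1)); fi
  # An active (uncommented) anonymousdomain entry must name the guest host.
  if grep -E '^[[:space:]]*anonymousdomain:' "$meet" | grep -Fq "guest.$domain"
  then echo "ok   config.js anonymousdomain set"
  else echo "FAIL config.js has no anonymousdomain for guest.$domain"; fails=$((fails + 1)); fi
  # The tutorial appends with >>, so a second run leaves a duplicate line.
  n=$(grep -Fxc "org.jitsi.jicofo.auth.URL=XMPP:$domain" "$jicofo" || true)
  if [ "$n" -eq 1 ]; then echo "ok   jicofo auth URL present once"
  else echo "FAIL jicofo auth URL appears $n times"; fails=$((fails + 1)); fi
  [ "$fails" -eq 0 ]
}

# Write constructed sample files (not real server output) into <dir>.
write_sample() {  # usage: write_sample <dir> <domain> <main-host-auth>
  mkdir -p "$1"
  cat > "$1/prosody.cfg.lua" <<EOF
VirtualHost "$2"
    -- authentication = "anonymous"
    authentication = "$3"
VirtualHost "guest.$2"
    authentication = "anonymous"
    c2s_require_encryption = false
Component "conference.$2" "muc"
EOF
  printf "var config = {\n  hosts: {\n    domain: '%s',\n    anonymousdomain: 'guest.%s',\n  },\n};\n" "$2" "$2" > "$1/config.js"
  printf 'org.jitsi.jicofo.BRIDGE_MUC=JvbBrewery@internal.auth.%s\norg.jitsi.jicofo.auth.URL=XMPP:%s\n' "$2" "$2" > "$1/jicofo.properties"
}

# Demo on constructed input; on a server pass the three paths from step #4.
demo_dir=$(mktemp -d)
write_sample "$demo_dir" apeunit.test internal_plain
audit_secure_domain apeunit.test "$demo_dir/prosody.cfg.lua" \
  "$demo_dir/config.js" "$demo_dir/jicofo.properties" || echo "audit failed"
rm -rf "$demo_dir"
```

The function returns non-zero when any check fails, so it can gate the service restart in a provisioning script.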

Top comments (98)

jcornuz

Many thanks for this tutorial :)

I experienced crashes when a second person joined a meeting and the solution was to keep the original line in jicofo sip-communicator.properties (or add the line you mention to the existing file). So the file looks something like:

org.jitsi.jicofo.BRIDGE_MUC=JvbBrewery@internal.auth.MYDOMAIN.COM
org.jitsi.jicofo.auth.URL=XMPP:MYDOMAIN.COM

By the way, this is on Debian 10 with apache, so your mileage may vary. Maybe this helps someone else.

Andrea Giacobino

Thanks for the hint! I've run the tutorial again after the update and I am experiencing the same issue; I'll try to fix it and update the tutorial.

Andrea Giacobino

The tutorial should be correct again :phew:

Tulasi Reddy

Need help,
where to add these below lines
org.jitsi.jicofo.BRIDGE_MUC=JvbBrewery@internal.auth.MYDOMAIN.COM
org.jitsi.jicofo.auth.URL=XMPP:MYDOMAIN.COM

in Android Studio Java.

matveevds • Edited

THANK YOU VERY MUCH!!!
YOU'RE THE BEST IN THE WORLD!!!
I want only an authorized user to be able to create conferences and be an administrator in them (this is done), and not authorized users can enter and participate in the conference.
Now access to the created conference requires authorization.
How to do it?

Andrea Giacobino

Thank you!
I am not sure if I understand the question correctly but if you want to disable anonymous access you can probably do it by removing the block

VirtualHost "guest.meet.apeunit.com"
    authentication = "anonymous"
    c2s_require_encryption = false

from the prosody config file in /etc/prosody/conf.avail

Pedro Villarroel

Hello,
I think that if you remove that block all users will require a host account, thus would be able to create the conferences by themselves. Instead I would change this block's authentication to "internal_plain" and add those guest accounts to prosody with that VirtualHost:

prosodyctl register guestjane guest.$JITSI_DOMAIN janepwd

cantumwheat

Hi Andrea,

Thank you so much for this tutorial too. I've successfully set up Jitsi with Prosody auth, but I seem to be running into the same problem as matveevds above.

Opening a new Jitsi room requires authentication by a registered prosody user as expected, however when I try accessing the newly created room from another device, I get presented with the login prompt again.

For some reason the configuration allowing anonymous users to join an existing room isn't working for me and by the sounds of things matveevds too.

Any help you could provide would be awesome, I take it that the config you've highlighted above is the key, and I can confirm that my conf.avail file contains this section.

Cheers and thanks again!

Andrea Giacobino

I'll try to reproduce the problem and see if I can spot the problem.
Make sure though that you are using the same linux version mentioned in the tutorial (ubuntu 18.04) since there might be extra steps required on other platforms (like debian) as mentioned in the comments

Andrea Giacobino

I re-ran the tutorial on a fresh server and I cannot reproduce the issue;
I get prompted for authentication for the first user, but once the first is in, the others can join without pwd.
Maybe the logs will help you identify the problem?

Christoph Langguth

Andrea, thank you very much for this fantastic howto!

This is outright the BEST tutorial to get started with a simple jitsi server.

Still, I do have two suggestions:

First, please add the modules that are enabled on the "main" VirtualHost to the "guest" VirtualHost as well. Otherwise, people could later unnecessarily run into the same problems as I did, when they try to enhance their server with TURN functionality - see this thread. And even if this functionality is not required, I don't see any downside to enabling the modules on the guest VServer (they're already enabled on the default VServer as well, anyway).

Second, since we are talking about authentication: By default, jitsi will automatically remember (or rather, accept client-side remembered) user credentials. To disable this behavior,

echo "org.jitsi.jicofo.auth.DISABLE_AUTOLOGIN=true" >> /etc/jitsi/jicofo/sip-communicator.properties

This may or may not be what people want, but I think it's worth mentioning somewhere in the instructions.

Andrea Giacobino

About the modules, good point! I will add them to the sample config.

For the autologin, I consider it more like tuning than a simple installation, and I prefer not to get too much into details but to keep it simple and straightforward.

Thanks :)

Normand Nadon

That is, by far, the best tutorial I have seen so far on running your own jitsi server!
Thanks a lot!

Would you happen to know if there is a way to also secure some chat rooms for logged-in audience only? (Not all rooms, only SOME rooms)

And, I am pushing here, but do you know of a method to use Azure 365 as an authentication provider with prosody?

Regards

-Normand

Andrea Giacobino

Hi Normand, I'm glad you like it!

Would you happen to know if there is a way to also secure some chat rooms for logged-in audience only? (Not all rooms, only SOME rooms)

AFAIK no, you can't. But among trusted peers a long enough random string would be impossible to guess for an external person, and with the option enableWelcomePage: false, in the ...-config.js file there will be no trace on jitsi front page.

And, I am pushing here, but do you know of a method to use Azure 365 as an authentication provider with prosody?

I've read that it is possible to configure prosody with an OAuth provider, but that's all I know. Sorry mate :)

btw, check the community forum, there you will likely find what you are looking for: community.jitsi.org/

Normand Nadon • Edited

Sorry to bother you again, but so far, you have been the most reliable source of information on Jitsi for me!

Do you happen to use the statistics part of jitsi-meet (the colibri thing)
The documentation seems to be written in ancient greek to my eyes and all I see is fellow nerds temporarily destroying their instance of jitsi-meet by trying to enable this feature, and I can't risk that at the moment. Our server is working 24/7 and serving our newly deployed elearning platform for hundreds of customers!

Also, if you have some experience with the jibri recorder, your feedback and guidance would be most appreciated!

  • Regards

Andrea Giacobino

No worries, but what is your elearning platform ?

Jakob Smith

Thanks for the tutorial.

I managed to get a Jitsi Meet server up on Azure. I can connect to it from a browser and from the Android Jitsi Meet app, but no sound or video is transmitted from user to user.

Any ideas?

Andrea Giacobino

Hey Jakob, I haven't tried on Azure so I can't say what could be the issue, but it might be worth checking on the forum if somebody had the same problem.
On the server you can check for errors in the application logs (/var/log/jitsi); if all is fine there, the problem might lie in the Azure networking or on the client side.

Jakob Smith

Hello Andrea,

Thanks for your suggestions.

After some trial and error I found this, which worked for me:

github.com/jitsi/jitsi-meet/issues...

zaistev

Hello, I also managed to deploy this jitsi meet server and make it run on Azure. And I faced the same NAT network issue as you mentioned. I did the same hotfix updating sip-communicator.properties.
So far, so good. BUT I am running into an issue when more than 3 people are in the videoconf.
I am wondering if I am having this problem bc the VN's hostname is linked to "....cloudapp.azure.com".
how did you configure the DNS server? u had the same prob?
thanks in advance

Jakob Smith

I just made a subdomain on one of my domains and pointed it to the Azure server IP via 2 A-records in the DNS, one www-record and one non-www-record.

lollp

Thanks for the tutorial. I have the following troubles:

When I try to restart the video bridge the following message is coming up:
"Failed to restart jitsi-videobridge.service: Unit jitsi-videobridge.service not found."

And on the server page I only see the nginx standard page. What should I do to config nginx right?

NOOB :D

Timonek6

Good Day,
since yesterday they have changed jitsi-videobridge into jitsi-videobridge2, so please first check the status of the jitsi-videobridge2 service. It should help.

Andrea Giacobino

thanks @timonek6 , I've updated the tutorial

Timonek6

No problem you are welcome, thanks for great job btw ;)

lollp

Oh man, thanks, so now the restart works BUT I still only see nginx when I open my server IP (domain is not assigned yet). Do I have to assign the URL to make this thing work or should it also just work with the server IP?

Andrea Giacobino

The tutorial is specifically written to configure jitsi with a domain name, but it should work if you use an IP address instead of a domain name (I haven't tried though).

Klagio • Edited

Hi, but you do not have to change the file as below???

org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=xxxxxxxxxxxxxxx
org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=yyyyyyyyyyyyyy
org.ice4j.ice.harvest.DISABLE_AWS_HARVESTER=true
COMMENTED OUT org.ice4j.ice.harvest.STUN_MAPPING_HARVESTER_ADDRESSES=meet-jit-si-turnrelay.jitsi.net:443

Andrea Giacobino

I am not sure what part you are referring to.

Klagio • Edited

It's by the instructions from jitsi-meet developers

github.com/jitsi/jitsi-meet/blob/m...

BTW, you think your instructions should work with Ubuntu 20? I can try

Andrea Giacobino

Hello Klagio,
that's for servers behind NAT, the setup in the tutorial (hetzner) is not for NAT setup.
About ubuntu 20.04, last time I tried it did not work out of the box...

Klagio

ahhh yes right.

Bummer, need to update to 20.4 because of another server, will have to figure out

Michael Fournier

Very good tutorial, and I'm in Linux server world but I achieved to install my own Jitsi server on Debian

I have registered users with "prosodyctl register jane $JITSI_DOMAIN janepwd" but how to list all the registered users to check who I have registered and who I haven't registered at the moment ?

I've looked after this information on web but no success for the moment.

Regards,
Michaël

Andrea Giacobino

that's a good question, I've found this solution so far:

ls -l /var/lib/prosody/*/accounts/*

Michael Fournier

Thank you, you're the best !!

Griff1n

Thank you so much for this tutorial.

I have been running into a problem, and that is every time I start a new meeting, it asks for the host to log in, if not wait for the meeting to start, and then I go log in and nothing happens. It goes right back to the first message asking the host to authenticate himself.

Please help. I have my server running Ubuntu 18.04 on Azure. Been able to get it up and running without the authentication, but now that I want to authenticate, it doesn't work, and I followed this tutorial cause it was so easy to understand.

Thanks

Andrea Giacobino

Hi @griff1n , Azure networking is different from Hetzner,
please check this comment, I hope it will be helpful for you:

dev.to/perikorese/comment/mlgd

Griff1n

Yes. I have already seen this post and I have already fixed this issue. My problem is that every time I enter the user and password in the log in to host window. It says connecting and then reverts back to the "are you the hosts" message.

Andrea Giacobino

Try looking into the prosody log in /var/log/prosody. Prosody is the component that manages authentication; you should find clues there.

ErnestoTorresin

It works for me... in part.

I'm on Debian 10 Buster.

First, "service prosody status" complains about "portmanager: Error binding encrypted port for https: No certificate present in SSL/TLS configuration for https port 5281"
I found a possible solution for this at discourse.diasporafoundation.org/t... - apparently the .cfg.lua file needs further editing.

Going on, I can become a moderator for a room.

In the room, participants can chat with each other.

However, the participants can't get audio or video from each other.

"tail -f /var/log/jitsi/jvb.log" shows me a SEVERE: [18] RecurringRunnableExecutor.run#230: The invocation of the method org.jitsi.videobridge.health.Health.run() threw an exception.
java.lang.NoClassDefFoundError: Could not initialize class org.jitsi.videobridge.sctp.SctpManager

Does anybody else here get the same on Debian 10 Buster or has a suggestion for me?

and thanks a lot Andrea, especially for remarking that "the Coronavirus spreads" and "one of the most critical thing for many is to be able to keep in touch with family, friends and colleagues." This is the part of your article that helps me the most, it is so appropriate.

Andrea Giacobino

Hi @ernestotorresin other people mentioned issues with Debian ( look for the reply from @josefhavel8 that might be helpful).
I strongly suggest though to check on the official forum where is more likely to find other people with the same issues and hopefully with a solution!

ErnestoTorresin • Edited

Yes, it looks like it works eventually.
For me the files to change compared to the standard installation on Debian 10 Buster were the ones proposed, plus /etc/jitsi/videobridge/config with the JVB_OPTS="--apis=xmpp,rest".
No need to go for the nightly builds.
However, I had to REBOOT the system a couple of times to remove stale configurations still showing up in the logs: this is the only CAVEAT so far.

Thanks a lot!
