March 2021 update: the tutorial is still valid for the current Jitsi version but there are some new settings in the config file that are not up to date
As the Coronavirus spreads and more and more people are spending time at home, one of the most critical things for many is to be able to keep in touch with family, friends and colleagues.
We at Ape Unit are used to remote and distributed work but the current situation meant that it was necessary to go above and beyond....
As we are involved in open source projects and already use Jitsi, we opted to deploy an instance of Jitsi to use internally. Since there has been a lot of demand on the Jitsi community forum for help with installation and configuration, here is a step-by-step tutorial on how to run your own server.
Once you have completed the tutorial you will have your own Jitsi server with authentication enabled.
Before you start
This tutorial assumes that you have basic technical knowledge; in particular, it assumes that you are familiar with the Linux shell, ssh, and DNS.
The costs
The running cost of the setup varies depending on the server choice and the domain; in this case we'll be using a Hetzner cloud instance that starts from 2.49€/m.
This being said, let's start!
#1. Setup a new server (with Hetzner)
Log in (or create an account) on Hetzner, then:
- go to the Cloud home
- choose the project you want (usually Default)
- click on ADD SERVER
In the Create a Server page make sure to
- select the Ubuntu 20.04 as Image (point 2)
- add your public ssh key (point 7)
Then click on CREATE & BUY NOW
If you add your ssh key, make sure that it is enabled in the ssh configuration of your machine (more on that here). If you do not add your ssh key, you'll receive an email with the root password to the server, which you will have to change on first login. As a side note, public key authentication is preferable to password authentication.
The server creation is going to take a minute or less, once completed take note of the IP address of the server.
#2. Point a domain to the newly created server
For this step, we'll assume that you already have a domain registered (you can grab one on namecheap). For this tutorial we will use the domain apeunit.test.
In your domain DNS configuration add the records:
- type: A
- host: @
- value: IP Address (from the Hetzner server)
NOTE: it might take a few minutes for the DNS to propagate
#3. Jitsi installation
Now that the server is up and running, let's set it up!
If everything before has been successful you should be able to login to your server using:
$ ssh root@apeunit.test
The authenticity of host 'apeunit.test (10.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:Q1rLmH7vuBalRJGv7sasTJy+ZtS3yOf4A34artGjUI.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'apeunit.test,10.0.0.1' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-91-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
root@server:~#
We can now proceed with Jitsi installation (documentation here)
First let's make sure that the system is up to date
apt update
apt upgrade -y
Then install nginx
apt install nginx -y
Now we can add the Jitsi repositories and install the Jitsi components. During the installation you will be prompted for a domain to use; when that happens, enter the domain you chose/registered at #2. The second question you'll be asked is whether to generate a self-signed certificate or provide your own; choose the default (generate a self-signed certificate).
echo 'deb https://download.jitsi.org stable/' >> /etc/apt/sources.list.d/jitsi-stable.list
wget -qO - https://download.jitsi.org/jitsi-key.gpg.key | apt-key add -
apt update && apt install jitsi-meet -y
And finally, let's ask Let's Encrypt for a certificate for our domain:
/usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh
To verify that the installation was successful, open your browser and enter your domain in the address bar; Jitsi should now be up and running.
Once we have verified that the installation is working properly, it is time to configure the firewall so as not to leave your server exposed. For the firewall we are going to use ufw:
ufw allow ssh
ufw allow http
ufw allow https
ufw allow 10000/udp
ufw enable
#4 Enable authentication for Jitsi
Enabling authentication only requires editing three files:
/etc/jitsi/meet/apeunit.test-config.js
/etc/prosody/conf.avail/apeunit.test.cfg.lua
/etc/jitsi/jicofo/sip-communicator.properties
NOTE: for the first two, replace the apeunit.test part of the filename with your domain
The official documentation for secure domain explains the details of the changes, but I've published the already-configured files here:
/etc/jitsi/meet/apeunit.test-config.js
/etc/prosody/conf.avail/apeunit.test.cfg.lua
/etc/jitsi/jicofo/sip-communicator.properties
These files have to be adapted to your domain name; here is how. First set a variable with your domain name:
export JITSI_DOMAIN="your_domain.com"
then update the meet configuration file:
# Fetch the sample config and replace the tutorial's domain with yours
curl https://gist.githubusercontent.com/noandrea/5ff6b212273af95103996c0e71f0cdf2/raw/d14979d5b31af324c5823b3d3c8683a6c762f518/apeunit.test-config.js -s | \
sed "s/apeunit\.test/$JITSI_DOMAIN/g" \
> "/etc/jitsi/meet/$JITSI_DOMAIN-config.js"
then the prosody configuration file:
# Same domain substitution, plus the jicofo secret and a random 8-character TURN secret
curl https://gist.githubusercontent.com/noandrea/5ff6b212273af95103996c0e71f0cdf2/raw/d14979d5b31af324c5823b3d3c8683a6c762f518/apeunit.test.cfg.lua -s | \
sed "s/apeunit\.test/$JITSI_DOMAIN/g" | \
sed "s/JICOFO_SECRET/$(grep -e '^JICOFO_SECRET=.*' /etc/jitsi/jicofo/config | cut -d '=' -f2)/g" | \
sed "s/TURN_SECRET/$(< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c 8)/g" \
> "/etc/prosody/conf.avail/$JITSI_DOMAIN.cfg.lua"
and finally the sip communicator properties file:
echo "org.jitsi.jicofo.auth.URL=XMPP:$JITSI_DOMAIN" \
>> /etc/jitsi/jicofo/sip-communicator.properties
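The prosody step above writes whatever curl returns straight into /etc/prosody/conf.avail, and silently inserts an empty value if JICOFO_SECRET is missing from /etc/jitsi/jicofo/config. The following is an added example, not part of the original tutorial: it performs the same three substitutions on a local copy of the template, but refuses a missing placeholder, an empty secret or a malformed domain, and escapes sed metacharacters in the secrets. The function names, the cut-down template and the sample secret are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: function names and all sample data are constructed.

# Hex-encode N random bytes (default 16, i.e. 32 characters).
gen_secret() {
  head -c "${1:-16}" /dev/urandom | od -An -v -tx1 | tr -d ' \n'
}

# Value of KEY in a KEY=value file, keeping any '=' inside the value
# (cut -d '=' -f2 would cut it short). Prints nothing if KEY is absent.
read_kv() {
  sed -n "s/^$2=//p" "$1" | head -n 1
}

# Escape \, / and & so a value stays literal in the replacement of s/../../.
sed_escape() {
  printf '%s' "$1" | sed 's#[\\/&]#\\&#g'
}

# render_prosody_cfg TEMPLATE DOMAIN JICOFO_SECRET TURN_SECRET
# Prints the rendered config. Returns 2 for a bad domain, 3 for an empty
# secret, 4 if the template lacks a placeholder (empty or error-page download).
render_prosody_cfg() {
  local tpl=$1 domain=$2 jicofo=$3 turn=$4 p
  case $domain in ''|*[!A-Za-z0-9.-]*) return 2 ;; esac
  [ -n "$jicofo" ] && [ -n "$turn" ] || return 3
  for p in 'apeunit\.test' JICOFO_SECRET TURN_SECRET; do
    grep -q "$p" "$tpl" || return 4
  done
  sed -e "s/apeunit\.test/$domain/g" \
      -e "s/JICOFO_SECRET/$(sed_escape "$jicofo")/g" \
      -e "s/TURN_SECRET/$(sed_escape "$turn")/g" "$tpl"
}

# Constructed sample inputs: a cut-down template and a jicofo config file.
demo_dir=$(mktemp -d)
cat > "$demo_dir/template.cfg.lua" <<'EOF'
turncredentials_secret = "TURN_SECRET"
VirtualHost "apeunit.test"
Component "focus.apeunit.test"
    component_secret = "JICOFO_SECRET"
EOF
printf 'JICOFO_HOST=localhost\nJICOFO_SECRET=aB3@x/9&=q\n' \
  > "$demo_dir/jicofo.config"

# Render to stdout for review before anything is written under /etc/prosody.
render_prosody_cfg "$demo_dir/template.cfg.lua" meet.example.org \
  "$(read_kv "$demo_dir/jicofo.config" JICOFO_SECRET)" "$(gen_secret)"
```

To use it on the real files, save the gist to a local file first, run the function on that file, review the output, and only then move it into place.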
Once this part is completed it is time to create your users with the command prosodyctl register USER DOMAIN PASSWORD; in our example we can register the user jane with:
prosodyctl register jane $JITSI_DOMAIN janepwd
Currently there is no option to let users register themselves; you will have to create users from the command line. Also, not all users need a password, only the ones that open a room.
To apply the changes, the last thing we have to do is restart the Jitsi services:
systemctl restart jicofo
systemctl restart jitsi-videobridge2
systemctl restart prosody
That's it! Now you can enjoy your private chat server thanks to the wonderful Jitsi!
Top comments (98)
Many thanks for this tutorial :)
I experienced crashes when a second person joined a meeting and the solution was to keep the original line in jicofo sip-communicator.properties (or add the line you mention to the existing file). So the file looks something like:
org.jitsi.jicofo.BRIDGE_MUC=JvbBrewery@internal.auth.MYDOMAIN.COM
org.jitsi.jicofo.auth.URL=XMPP:MYDOMAIN.COM
By the way, this is on Debian 10 with apache, so your mileage may vary. Maybe this helps someone else.
Thanks for the hint! I've run again the tutorial after the update and I am experiencing the same issue, I'll try to fix it and update the tutorial.
The tutorial should be correct again :phew:
Need help,
where to add these below lines
org.jitsi.jicofo.BRIDGE_MUC=JvbBrewery@internal.auth.MYDOMAIN.COM
org.jitsi.jicofo.auth.URL=XMPP:MYDOMAIN.COM
in Android Studio Java.
THANK YOU VERY MUCH!!!
YOU'RE THE BEST IN THE WORLD!!!
I want only an authorized user to be able to create conferences and be an administrator in them (this is done), and not authorized users can enter and participate in the conference.
Now access to the created conference requires authorization.
How to do it?
Thank you!
I am not sure if I understand the question correctly but if you want to disable anonymous access you can probably do it by removing the block
from the prosody config file in /etc/prosody/conf.avail
Hello,
I think that if you remove that block all users will require a host account, thus would be able to create the conferences by themselves. Instead I would change this block's authentication to "internal_plain" and add those guest accounts to prosody with that VirtualHost:
prosodyctl register guestjane guest.$JITSI_DOMAIN janepwd
Hi Andrea,
Thank-you so much for this tutorial too, I've successfully setup Jitsi with Prosody auth, but I seem to be running into the same problem as matveevds above.
Opening a new Jitsi room requires authentication by a registered prosody user as expected, however when I try accessing the newly created room from another device, I get presented with the login prompt again.
For some reason the configuration allowing anonymous users to join an existing room isn't working for me and by the sounds of things matveevds too.
Any help you could provide would be awesome, I take it that the config you've highlighted above is the key, and I can confirm that my conf.avail file contains this section.
Cheers and thanks again!
I'll try to reproduce the problem and see if I can spot the problem.
Make sure though that you are using the same linux version mentioned in the tutorial (ubuntu 18.04) since there might be extra steps required on other platforms (like debian) as mentioned in the comments
I re-run the tutorial on a fresh server and I cannot reproduce the issue,
I get prompted for authentication for the first user but once the first is in the others can join without pwd.
Maybe the logs will help you identify the problem?
Andrea, thank you very much for this fantastic howto!
This is outright the BEST tutorial to get started with a simple jitsi server.
Still, I do have two suggestions:
First, please add the modules that are enabled on the "main" VirtualHost to the "guest" VirtualHost as well. Otherwise, people could later unnecessarily run into the same problems as I did, when they try to enhance their server with TURN functionality - see this thread. And even if this functionality is not required, I don't see any downside to enabling the modules on the guest VServer (they're already enabled on the default VServer as well, anyway).
Second, since we are talking about authentication: By default, jitsi will automatically remember (or rather, accept client-side remembered) user credentials. To disable this behavior,
echo "org.jitsi.jicofo.auth.DISABLE_AUTOLOGIN=true" >> /etc/jitsi/jicofo/sip-communicator.properties
This may or may not be what people want, but I think it's worth mentioning somewhere in the instructions.
About the modules, good point! I will add them to the sample config.
For the autologin, I consider it more like tuning than a simple installation and I prefer not to get too much into details but to keep it simple and straightforward
Thanks :)
That is, by far, the best tutorial I have seen so far on running your own jitsi server!
Thanks a lot!
Would you happen to know if there is a way to also secure some chat rooms for logged-in audience only? (Not all rooms, only SOME rooms)
And, I am pushing here, but do you know of a method to use Azure 365 as an authentication provider with prosody?
Regards
-Normand
Hi Normand, I'm glad you like it!
AFAIK no, you can't. But among trusted peers a long enough random string would be impossible to guess for an external person, and with the option enableWelcomePage: false, in the...-config.js file there will be no trace on jitsi front page.
I've read that it is possible to configure prosody with an OAuth provider, but that's all I know. sorry mate :)
btw, check the community forum, there you will likely find what you are looking for: community.jitsi.org/
Sorry to bother you again, but so far, you have been the most reliable source of information on Jitsi for me!
Do you happen to use the statistics part of jitsi-meet (the colibri thing)
The documentation seems to be written in ancient greek to my eyes and all I see is fellow nerds temporarily destroying their instance of jitsi-meet by trying to enable this feature, and I can't risk that at the moment. Our server is working 24/7 and serving our newly deployed elearning platform for hundreds of customers!
Also, if you have some experience with the jibri recorder, your feedback and guidance would be most appreciated!
No worries, but what is your elearning platform ?
Thanks for the tutorial.
I managed to get a Jitsi Meet server up on Azure. I can connect to it from a browser and from the Android Jitsi Meet app, but no sound or video is transmitted from user to user.
Any ideas?
hey Jakob, I haven't tried on Azure so I can't say what could be the issue, but it might be worth to check on the forum if somebody had the same problem.
On the server you can check for errors in the application logs (/var/log/jitsi), if there is all fine the problem might lie in the Azure networking or on the client side.
Hello Andrea,
Thanks for your suggestions.
After some trial and error I found this, which worked for me:
github.com/jitsi/jitsi-meet/issues...
Hello, I also managed to deploy this jitsi meet server and make it run on Azure. And I faced the same NAT network issue as you mentioned. I did the same hotfix updating sip-communicator.properties properties.
so far, so good. BUT I am running an issue when more than 3 people are in the videoconf.
I am wondering if I am having this problem bc the VN's hostname is linked to "....cloudapp.azure.com".
how did you configure the DNS server? u had the same prob?
thanks in advance
I just made a subdomain on one of my domains and pointed it to the Azure server IP via 2 A-records in the DNS, one www-record and one non-www-record.
Thanks for the tutorial. I have the following troubles:
when I try to restart the video bridge the following message is coming up:
"Failed to restart jitsi-videobridge.service: Unit jitsi-videobridge.service not found."
And on the server page I only see the nginx standard page. What should I do to config nginx right?
NOOB :D
Good Day,
since yesterday they have changed jitsi-videobridge into jitsi videobridge2 so please check at first service jitsi-videobridge2 status. It should help.
thanks @timonek6 , I've updated the tutorial
No problem you are welcome, thanks for great job btw ;)
Oh man, thanks so now the restart works BUT I still only see nginx when I open my server ip (domain is not assigned yet), do I have to assign the url to make this thing work or should it also just work with the server ip
the tutorial is specifically written to configure jitsi with a domain name, but it should work if you use a IP address instead of a domain name (I haven't tried though).
Hi, but you do not have to change the file as below???
org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=xxxxxxxxxxxxxxx
org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=yyyyyyyyyyyyyy
org.ice4j.ice.harvest.DISABLE_AWS_HARVESTER=true
COMMENTED OUT org.ice4j.ice.harvest.STUN_MAPPING_HARVESTER_ADDRESSES=meet-jit-si-turnrelay.jitsi.net:443
I am not sure about what is that part you are referring to
its by the instructions from jitsi-meet developers
github.com/jitsi/jitsi-meet/blob/m...
BTW, you think your instructions should work with Ubuntu 20? I can try
Hello Klagio,
that's for servers behind NAT, the setup in the tutorial (hetzner) is not for NAT setup.
About ubuntu 20.04, last time I tried it did not work out of the box...
ahhh yes right.
Bummer, need to update to 20.4 because of another server, will have to figure out
I found this guide
linuxbabe.com/ubuntu/install-jitsi...
Very good tutorial, and I'm in Linux server world but I achieved to install my own Jitsi server on Debian
I have registered users with "prosodyctl register jane $JITSI_DOMAIN janepwd" but how to list all the registered users to check who I have registered and who I haven't registered at the moment ?
I've looked after this information on web but no success for the moment.
Regards,
Michaël
that's a good question, I've found this solution so far:
Thank you, you're the best !!
Thank you so much for this tutorial.
I have been running into problem and that is every time I start a new meeting, It asks for the host to log in if not wait for the meeting to start and then I go log in and nothing happens. It goes right back to the first message asking the host to authenticate himself
please help. I have my server running Ubuntu 18.04 on Azure. Been able to get it up and running without the authentication but now that I want to authenticate. It doesn't work and I followed this tutorial cause it was so easy to understand.
Thanks
Hi @griff1n , Azure networking is different from Hetzner,
please check this comment, I hope it will be helpful for you:
dev.to/perikorese/comment/mlgd
Yes. I have already seen this post and I have already fixed this issue. My problem is that every time I enter the user and password in the log in to host window. It says connecting and then reverts back to the "are you the hosts" message.
try looking into the prosody log in /var/log/prosody, prosody is the component that manages authentication, you should find clues there.
It works for me... in part.
I'm on Debian 10 Buster.
First, "service prosody status" complains about "portmanager: Error binding encrypted port for https: No certificate present in SSL/TLS configuration for https port 5281"
I found a possible solution for this at discourse.diasporafoundation.org/t... - apparently the .cfg.lua file needs further editing.
Going on, I can become a moderator for a room.
In the room, participants can chat with each other.
However, the participants can't get audio or video from each other.
"tail -f /var/log/jitsi/jvb.log" shows me a SEVERE: [18] RecurringRunnableExecutor.run#230: The invocation of the method org.jitsi.videobridge.health.Health.run() threw an exception.
java.lang.NoClassDefFoundError: Could not initialize class org.jitsi.videobridge.sctp.SctpManager
Does anybody else here get the same on Debian 10 Buster or has a suggestion for me?
and thanks a lot Andrea, especially for remarking that "the Coronavirus spreads" and "one of the most critical thing for many is to be able to keep in touch with family, friends and colleagues." This is the part of your article that helps me the most, it is so appropriate.
Hi @ernestotorresin other people mentioned issues with Debian ( look for the reply from @josefhavel8 that might be helpful).
I strongly suggest though to check on the official forum where is more likely to find other people with the same issues and hopefully with a solution!
Yes, it looks like it works eventually.
For me the files to change compared to the standard installation on Debian 10 Buster were the ones proposed, plus /etc/jitsi/videobridge/config with the JVB_OPTS="--apis=xmpp,rest".
No need to go for the nightly builds.
However, I had to REBOOT the system a couple of times to remove stale configurations still showing up in the logs: this is the only CAVEAT so far.
Thanks a lot!