DEV Community

Andrea Giacobino

Self-hosted Jitsi server with authentication

March 2021 update: the tutorial is still valid for the current Jitsi version, but the config file has some new settings that are not covered here.


As the Coronavirus spreads and more and more people are spending time at home, one of the most critical things for many is to be able to keep in touch with family, friends and colleagues.

We at Ape Unit are used to remote and distributed work but the current situation meant that it was necessary to go above and beyond....

We are involved in open source projects and already use Jitsi, so we opted to deploy an instance of Jitsi to use internally. Since there has been a lot of demand on the Jitsi community forum for help with installation and configuration, here is a step-by-step tutorial on how to run your own server.

Once you have completed the tutorial you will have your own Jitsi server with authentication enabled.

Before you start

This tutorial assumes that you have basic technical knowledge; in particular, it assumes that you are familiar with the Linux shell, SSH, and DNS.

The costs

The running cost of the setup varies depending on the server choice and the domain; in this case we'll be using a Hetzner cloud instance that starts from 2.49€/m.

That being said, let's start!

#1. Setup a new server (with Hetzner)

Log in to Hetzner (or create an account), then:

  • go to the Cloud home
  • choose the project you want (usually Default)
  • Click on ADD SERVER

In the Create a Server page make sure to:

  • select Ubuntu 20.04 as Image (point 2)
  • add your public ssh key (point 7)

Then click on CREATE & BUY NOW

If you add your ssh key, make sure that it is enabled in the ssh configuration of your machine (more on that here). If you do not add your ssh key, you'll receive an email with the root password to the server, which you will have to change on first login. As a side note, public key authentication is preferable to password authentication.

The server creation is going to take a minute or less. Once it is completed, take note of the IP address of the server.

#2. Point a domain to the newly created server

For this step, we'll assume that you already have a domain registered (you can grab one on namecheap). For this tutorial we will use apeunit.test as our domain.

In your domain DNS configuration add the records:

  • type: A
  • host: @
  • value: IP Address (from the Hetzner server)

NOTE: it might take a few minutes for the DNS to propagate.

#3. Jitsi installation

Now that the server is up and running, let's set it up!
If everything so far has been successful, you should be able to log in to your server using:

$ ssh root@apeunit.test
The authenticity of host 'apeunit.test (10.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:Q1rLmH7vuBalRJGv7sasTJy+ZtS3yOf4A34artGjUI.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'apeunit.test,10.0.0.1' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-91-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
root@server:~#

We can now proceed with Jitsi installation (documentation here)

First let's make sure that the system is up to date

apt update
apt upgrade -y

Then install nginx

apt install nginx -y

Now we can add the Jitsi repositories and install the Jitsi components. During the installation, you will be prompted for a domain to use; when that happens, enter the domain you chose/registered at #2. The second question you'll be asked is whether to generate a self-signed certificate or provide your own; choose the default (generate a self-signed certificate).

echo 'deb https://download.jitsi.org stable/' >> /etc/apt/sources.list.d/jitsi-stable.list
wget -qO -  https://download.jitsi.org/jitsi-key.gpg.key | apt-key add -
apt update && apt install jitsi-meet -y

And finally, let's ask Let's Encrypt for a certificate for our domain:

/usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh

To verify that the installation was successful, open your browser and enter your domain in the address bar. Jitsi should now be up and running.

Once we have verified that the installation is working properly, it is time to configure the firewall so as not to leave your server exposed. For the firewall we are going to use ufw:

ufw allow ssh
ufw allow http 
ufw allow https 
ufw allow 10000/udp
ufw enable

#4 Enable authentication for Jitsi

Enabling authentication only requires editing three files:

  • /etc/jitsi/meet/apeunit.test-config.js
  • /etc/prosody/conf.avail/apeunit.test.cfg.lua
  • /etc/jitsi/jicofo/sip-communicator.properties

NOTE: for the first two, replace the apeunit.test part of the filename with your domain.

The official documentation for secure domain explains the details of the changes. I've published the already configured files here:

They have to be adapted to your domain name; here is how. First set a variable with your domain name:

export JITSI_DOMAIN="your_domain.com"

then update the meet configuration file:

curl  https://gist.githubusercontent.com/noandrea/5ff6b212273af95103996c0e71f0cdf2/raw/d14979d5b31af324c5823b3d3c8683a6c762f518/apeunit.test-config.js -s | \
sed  "s/apeunit.test/$JITSI_DOMAIN/g" \
> /etc/jitsi/meet/$JITSI_DOMAIN-config.js

then the prosody configuration file:

curl https://gist.githubusercontent.com/noandrea/5ff6b212273af95103996c0e71f0cdf2/raw/d14979d5b31af324c5823b3d3c8683a6c762f518/apeunit.test.cfg.lua -s | \
sed  "s/apeunit.test/$JITSI_DOMAIN/g" | \
sed  "s/JICOFO_SECRET/$(grep -e '^JICOFO_SECRET=.*' /etc/jitsi/jicofo/config | cut -d '=' -f2)/g" | \
sed  "s/TURN_SECRET/$(< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c${1:-8})/g" \
> /etc/prosody/conf.avail/$JITSI_DOMAIN.cfg.lua

and finally the sip communicator properties file:

echo "org.jitsi.jicofo.auth.URL=XMPP:$JITSI_DOMAIN" \
>> /etc/jitsi/jicofo/sip-communicator.properties
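
A more defensive way to run the substitutions above, as an added example that is not part of the original tutorial or its gist: it validates the domain, matches the dot in apeunit.test literally, escapes sed-special characters in the secrets, uses a 32-character TURN secret instead of 8, and stages the result for a diff before anything under /etc is replaced. The function names and the sample template are constructed for illustration.

```bash
#!/bin/sh
# Added example, not the tutorial's own code. Function names are hypothetical.

# Accept only plain DNS names so the value is safe inside sed and file paths.
valid_domain() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*|.*|*.|-*|*..*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Escape backslash, '/' and '&', which are special in a sed replacement.
sed_escape() {
    printf '%s' "$1" | sed 's|[\\/&]|\\&|g'
}

# Random alphanumeric secret, 32 characters unless a length is given
# (the tutorial's one-liner defaults to 8).
gen_secret() {
    head -c 1024 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | head -c "${1:-32}"
}

# Usage: render_template DOMAIN JICOFO_SECRET TURN_SECRET < template
render_template() {
    valid_domain "$1" || { echo "refusing domain: $1" >&2; return 1; }
    # "apeunit\.test" matches the literal dot only.
    sed -e "s/apeunit\\.test/$1/g" \
        -e "s/JICOFO_SECRET/$(sed_escape "$2")/g" \
        -e "s/TURN_SECRET/$(sed_escape "$3")/g"
}

# Render to a private temp file and show the diff against TARGET on stderr.
# Nothing under /etc changes; the operator copies the file after reading it.
# Usage: stage_for_review TARGET DOMAIN JICOFO_SECRET TURN_SECRET < template
stage_for_review() {
    target=$1; shift
    staged=$(mktemp) || return 1
    render_template "$@" > "$staged" || { rm -f "$staged"; return 1; }
    if [ -f "$target" ]; then
        diff -u "$target" "$staged" >&2 || true
    else
        echo "no existing $target; review all of $staged" >&2
    fi
    printf '%s\n' "$staged"
}

# Constructed sample template (not the gist's real content).
SAMPLE='VirtualHost "apeunit.test"
-- an unescaped "." in the pattern would also rewrite: apeunitXtest
example_focus_secret = "JICOFO_SECRET"
example_turn_secret = "TURN_SECRET"'

# Demo: a secret containing sed-special characters survives intact.
printf '%s\n' "$SAMPLE" | render_template meet.example.org 'a/b&c' "$(gen_secret)"
```

To use it with the real files, save each gist file locally, read it, and pipe it into stage_for_review with the matching path under /etc as TARGET.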

Once this part is completed, it is time to create your users with the command prosodyctl register USER DOMAIN PASSWORD; in our example we can register the user jane with:

prosodyctl register jane $JITSI_DOMAIN janepwd

Currently there is no option to let users register themselves; you will have to create users from the command line. Also, not all users need to have a password, only the ones that open a room.

To apply the changes, the last thing we have to do is restart the Jitsi services:

systemctl restart jicofo
systemctl restart jitsi-videobridge2
systemctl restart prosody

That's it! Now you can enjoy your private chat server thanks to the wonderful Jitsi!

Oldest comments (98)

Jakob Smith

Thanks for the tutorial.

I managed to get a Jitsi Meet server up on Azure. I can connect to it from a browser and from the Android Jitsi Meet app, but no sound or video is transmitted from user to user.

Any ideas?

Andrea Giacobino

Hey Jakob, I haven't tried on Azure so I can't say what could be the issue, but it might be worth checking on the forum if somebody had the same problem.
On the server you can check for errors in the application logs (/var/log/jitsi); if all is fine there, the problem might lie in the Azure networking or on the client side.

Jakob Smith

Hello Andrea,

Thanks for your suggestions.

After some trial and error I found this, which worked for me:

github.com/jitsi/jitsi-meet/issues...

zaistev

Hello, I also managed to deploy this jitsi meet server and make it run on Azure. And I faced the same NAT network issue as you mentioned. I did the same hotfix updating sip-communicator.properties.
So far, so good. BUT I am running into an issue when more than 3 people are in the videoconf.
I am wondering if I am having this problem bc the VN's hostname is linked to "....cloudapp.azure.com".
how did you configure the DNS server? u had the same prob?
thanks in advance

Jakob Smith

I just made a subdomain on one of my domains and pointed it to the Azure server IP via 2 A-records in the DNS, one www-record and one non-www-record.

lollp

Thanks for the tutorial. I have the following troubles:

When I try to restart the video bridge the following message comes up:
"Failed to restart jitsi-videobridge.service: Unit jitsi-videobridge.service not found."

And on the server page I only see the nginx standard page. What should I do to configure nginx right?

NOOB :D

Timonek6

Good Day,
since yesterday they have changed jitsi-videobridge into jitsi videobridge2 so please check at first service jitsi-videobridge2 status. It should help.

lollp

Oh man, thanks, so now the restart works BUT I still only see nginx when I open my server IP (the domain is not assigned yet). Do I have to assign the URL to make this thing work, or should it also just work with the server IP?

Andrea Giacobino

The tutorial is specifically written to configure Jitsi with a domain name, but it should work if you use an IP address instead of a domain name (I haven't tried though).

Andrea Giacobino

thanks @timonek6 , I've updated the tutorial

Timonek6

No problem you are welcome, thanks for great job btw ;)

jcornuz

Many thanks for this tutorial :)

I experienced crashes when a second person joined a meeting and the solution was to keep the original line in jicofo sip-communicator.properties (or add the line you mention to the existing file). So the file looks something like:

org.jitsi.jicofo.BRIDGE_MUC=JvbBrewery@internal.auth.MYDOMAIN.COM
org.jitsi.jicofo.auth.URL=XMPP:MYDOMAIN.COM

By the way, this is on Debian 10 with apache, so your mileage may vary. Maybe this helps someone else.

Andrea Giacobino

Thanks for the hint! I've run again the tutorial after the update and I am experiencing the same issue, I'll try to fix it and update the tutorial.

Andrea Giacobino

The tutorial should be correct again :phew:

Tulasi Reddy

Need help,
where to add these below lines
org.jitsi.jicofo.BRIDGE_MUC=JvbBrewery@internal.auth.MYDOMAIN.COM
org.jitsi.jicofo.auth.URL=XMPP:MYDOMAIN.COM

in Android Studio Java.

Florian Emrich

Thanks for your work! It works fine.
Are there any experiences of how many clients and rooms this small cloud server from Hetzner allows at one time? We need a well-working solution for our school during the shutdown.

Andrea Giacobino • Edited

You are welcome!
I don't have hard numbers but I did check the server stats with 10/12 people connected, with one in screen-sharing: the server load was around 50%CPU / 0.5Mbps traffic and for the memory I don't remember but was not critical.
This was though with the previous version (till friday), I don't know how the new release performs yet, but I'll keep an eye on it and will report some numbers.

Normand Nadon

That is, by far, the best tutorial I have seen so far on running your own jitsi server!
Thanks a lot!

Would you happen to know if there is a way to also secure some chat rooms for logged-in audience only? (Not all rooms, only SOME rooms)

And, I am pushing here, but do you know of a method to use Azure 365 as an authentication provider with prosody?

Regards

-Normand

Andrea Giacobino

Hi Normand, I'm glad you like it!

Would you happen to know if there is a way to also secure some chat rooms for logged-in audience only? (Not all rooms, only SOME rooms)

AFAIK no, you can't. But among trusted peers a long enough random string would be impossible to guess for an external person, and with the option enableWelcomePage: false, in the ...-config.js file there will be no trace on jitsi front page.

And, I am pushing here, but do you know of a method to use Azure 365 as an authentication provider with prosody?

I've read that it is possible to configure prosody with an OAuth provider, but that's all I know. Sorry mate :)

Btw, check the community forum, there you will likely find what you are looking for: community.jitsi.org/

Normand Nadon • Edited

Sorry to bother you again, but so far, you have been the most reliable source of information on Jitsi for me!

Do you happen to use the statistics part of jitsi-meet (the colibri thing)
The documentation seems to be written in ancient greek to my eyes and all I see is fellow nerds temporarily destroying their instance of jitsi-meet by trying to enable this feature, and I can't risk that at the moment. Our server is working 24/7 and serving our newly deployed elearning platform for hundreds of customers!

Also, if you have some experience with the jibri recorder, your feedback and guidance would be most appreciated!

  • Regards
Andrea Giacobino

No worries, but what is your elearning platform ?

kei

Fantastic how-to Andrea. Super clear and worked on the first run. Thank you!

lhpitn

Your guide has at least one error, you have to allow udp port 10000-20000 in your firewall for it to work probably!

Also, I don't think that it is a good idea (!!), even or especially in a crisis where everyone is in a hurry, to suggest that someone download and use a configuration file from the internet without reviewing it. It may be easier at first, but the admin needs to know what is configured (and ideally why), so please describe the changes you have made in the config step by step so everyone can comprehend them!

thanks

Andrea Giacobino

If you read the tutorial, the instruction to open port 10000/udp is explicitly written.
For the changes, in the tutorial I have linked the sources where the changes are explained,
since they are taken from the official documentation and just put together in this tutorial.
Also, the configuration files are listed on GitHub, available for inspection by anyone.
And finally, you are very much free not to use the tutorial :)

chico11mbit

Hi, I get this error after login:
connection.GET_SESSION_ID_ERROR.

The login was accepted. And in the background I can see the video stream from my camera.

Andrea Giacobino

I can't reproduce the error and it is difficult to say what could be the reason,
but a good place to start is to search the community forum if someone has/d the same issue

you can also look into the logs to see if there are some obvious errors:

  • /var/log/prosody
  • /var/log/jitsi
Josef Havel

Hi, I just installed the server on Debian 10 exactly step by step and encountered the same issue. I've found the solution: go to /etc/prosody/conf.avail/.cfg.lua and change variables (twice in file):
storage = "none" to storage = "memory"
Restart the service: service prosody restart

And it should work.

Gaël

Had the exact same issue (clean install of VPS - Debian 10 - Jitsi quick install followed by Andrea's steps). Changing the storage corrected the error (but a new one appeared, described and solved here).

Lorenzo

Thank you for the excellent tutorial! 🙏🏻

JIBSIL

Hmm, I can't seem to get this working. Whenever I go to the page, it says "This site can’t be reached" (ERR_CONNECTION_REFUSED). Any suggestions?

Andrea Giacobino

That looks like a DNS error. If you have correctly set up the DNS to point to your server, it might take some time (a few hours) for the DNS record to propagate.

JIBSIL

Strange. I use Cloudflare for my DNS and the “A” record has been set for a few days. Also, when I go to the IP of my Jitsi server, it says the same thing.

Andrea Giacobino

I see. It is difficult to guess in the dark what could be the problem, the meaning of ERR_CONNECTION_REFUSED suggests that there is nothing responding on that server.
As for the why you will have to dig a bit deeper.
The tutorial is made to work on a ubuntu 18.04 image from a Hetzner server, and all the steps are required to get it done, if you are on a different platform or have skipped some steps it might not work.

JIBSIL

Hmm... I've installed non-secure-domain (On a different VM on the same dedicated host) Jitsi Meet and it worked on the same domain with the same DNS records. I'm selfhosting from my own server on ubuntu 18.04. I don't think I skipped any steps... I'll try it again just to be safe

JIBSIL • Edited

Update: I got Prosody working after I switched hypervisors... just don't know what's wrong with it.
Update 2: Jitsi is working, but without authentication. I can not enter a password to password-protect a room, which leads me to think that there is no permissions altogether (no moderator rights or admin-to-create-a-room things, I guess they are managed by Prosody?)

bauerchristian

Many thanks for that very easy and great tutorial!
I was surprised how well and easy that went and got my jitsi server running within 10 minutes and it works like a charm.

bauerchristian

Many thanks for this great tutorial, it worked like a charm.
I got my Jitsi Server running within 15 minutes, without having much experience in that field!

(It's good to be reminded that the Let's Encrypt Certificate needs to be renewed every 3 months or set up to auto renew.)

matveevds • Edited

THANK YOU VERY MUCH!!!
YOU'RE THE BEST IN THE WORLD!!!
I want only an authorized user to be able to create conferences and be an administrator in them (this is done), and not authorized users can enter and participate in the conference.
Now access to the created conference requires authorization.
How to do it?

Andrea Giacobino

Thank you!
I am not sure if I understand the question correctly but if you want to disable anonymous access you can probably do it by removing the block

VirtualHost "guest.meet.apeunit.com"
    authentication = "anonymous"
    c2s_require_encryption = false

from the prosody config file in /etc/prosody/conf.avail

cantumwheat

Hi Andrea,

Thank-you so much for this tutorial too, I've successfully setup Jitsi with Prosody auth, but I seem to be running into the same problem as matveevds above.

Opening a new Jitsi room requires authentication by a registered prosody user as expected, however when I try accessing the newly created room from another device, I get presented with the login prompt again.

For some reason the configuration allowing anonymous users to join an existing room isn't working for me and by the sounds of things matveevds too.

Any help you could provide would be awesome, I take it that the config you've highlighted above is the key, and I can confirm that my conf.avail file contains this section.

Cheers and thanks again!

Andrea Giacobino

I'll try to reproduce the problem and see if I can spot the problem.
Make sure though that you are using the same linux version mentioned in the tutorial (ubuntu 18.04) since there might be extra steps required on other platforms (like debian) as mentioned in the comments

Andrea Giacobino

I re-ran the tutorial on a fresh server and I cannot reproduce the issue.
I get prompted for authentication for the first user, but once the first is in, the others can join without pwd.
Maybe the logs will help you identify the problem?

Pedro Villarroel

Hello,
I think that if you remove that block all users will require a host account, thus would be able to create the conferences by themselves. Instead I would change this block's authentication to "internal_plain" and add those guest accounts to prosody with that VirtualHost:

prosodyctl register guestjane guest.$JITSI_DOMAIN janepwd
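
An audit for the setting this part of the thread discusses, as an added example that is not from any commenter: it lists every VirtualHost in a Prosody config with its authentication mode, so you can confirm which hosts accept anonymous logins and that the main domain is not one of them. The function names and the sample config are constructed; the caller passes the real file under /etc/prosody/conf.avail.

```bash
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print "host<TAB>mode" for every VirtualHost block in a Prosody config
# (files as arguments, or stdin). Mode is "(unset)" when the block has no
# authentication line of its own and so inherits the global setting.
# Lines commented out with "--" are skipped.
vhost_auth() {
    awk '
        /^[ \t]*--/ { next }
        /^[ \t]*(VirtualHost|Component)[ \t]+"/ {
            if (host != "") print host "\t" mode
            host = ""
            if ($1 == "VirtualHost") { split($0, q, "\""); host = q[2]; mode = "(unset)" }
            next
        }
        host != "" && /^[ \t]*authentication[ \t]*=/ { split($0, q, "\""); mode = q[2] }
        END { if (host != "") print host "\t" mode }
    ' "$@"
}

# Hosts that accept anonymous logins.
anonymous_vhosts() {
    vhost_auth "$@" | awk -F '\t' '$2 == "anonymous" { print $1 }'
}

# Exit 0 only if DOMAIN has a VirtualHost block that is not anonymous.
# Usage: main_vhost_authenticated DOMAIN [config-file...]
main_vhost_authenticated() {
    domain=$1; shift
    vhost_auth "$@" | awk -F '\t' -v d="$domain" '
        $1 == d { seen = 1; ok = ($2 != "anonymous") }
        END { exit !(seen && ok) }'
}

# Constructed sample config, modelled on the blocks quoted in this thread.
SAMPLE='VirtualHost "meet.example.org"
    authentication = "internal_plain"
--  authentication = "anonymous"
VirtualHost "guest.meet.example.org"
    authentication = "anonymous"
    c2s_require_encryption = false
Component "conference.meet.example.org" "muc"'

# Demo: list the hosts and their modes.
printf '%s\n' "$SAMPLE" | vhost_auth
```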

Edward Borland

Such a handy tutorial. I poked around in the config files and had a hard time understanding the docs for Jitsi authentication. So I'm really happy it is up and running. While it seems to be working, after I submit the login form the login form presents itself again. If I refresh the page I'm allowed into the conference. I've looked at the logs which were empty. Any thoughts? Thanks again!

Gaël

Thanks a lot for this.
And thanks to the community for the useful comments :)
