In this guide we’ll set up and configure Jitsi with JWT authentication and moderated meetings, so you can host video conferences for several hundred users (thousands, depending on your server), with the capability to host webinars.
The last couple of years have been very productive in the open source area. More and more companies have decided to go open source, and with that many great new open-source (and free) options are available for both your company and your day-to-day private life. One of those services is Jitsi, one of the best (if not the best) video conference software packages. A big bonus is that it’s free to use, and you can even run it on your own server! If you care about privacy and your integrity, Jitsi is something for you. Eager to begin? Well, let’s do it!
Install Jitsi
First of all, you need to install the Jitsi “base”. It’s super easy since the developers made configuring the packages very straightforward. We won’t reinvent the wheel here, so take a look at their own guide.
We’ll install Jitsi on Ubuntu 22.04 (minimal) and here’s a short summary of the steps. You can also use our install script which will do everything for you automatically. The script is still WIP as of 2023-03-08.
Dependencies
sudo apt-get update && sudo apt-get install lshw net-tools apt-utils gnupg2 nginx-full apt-transport-https ufw -y
Prosody repository
curl -sL https://prosody.im/files/prosody-debian-packages.key | sudo tee /etc/apt/keyrings/prosody-debian-packages.key
echo "deb [signed-by=/etc/apt/keyrings/prosody-debian-packages.key] http://packages.prosody.im/debian $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/prosody-debian-packages.list
Jitsi repository
curl -sL https://download.jitsi.org/jitsi-key.gpg.key | gpg --dearmor | sudo tee /usr/share/keyrings/jitsi-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/jitsi-keyring.gpg] https://download.jitsi.org stable/" | sudo tee /etc/apt/sources.list.d/jitsi-stable.list
More dependencies
sudo apt-get update && sudo apt-get install lua5.2 -y
Add UFW allow rules
This step is optional since you can control this in your gateway, and all the services that need to be opened are automatically opened by Ubuntu. But, just to make sure, it could be a good idea to add these rules.
ufw allow 80/tcp
ufw allow 443/tcp
ufw allow 10000/udp
ufw allow 22/tcp
ufw allow 3478/udp
ufw allow 5349/tcp
ufw --force enable
ufw status verbose
Kernel tuning
sed -i "s|.*DefaultLimitNOFILE=.*|DefaultLimitNOFILE=65000|g" /etc/systemd/system.conf
sed -i "s|.*DefaultLimitNPROC=.*|DefaultLimitNPROC=65000|g" /etc/systemd/system.conf
sed -i "s|.*DefaultTasksMax=.*|DefaultTasksMax=65000|g" /etc/systemd/system.conf
Install Jitsi-meet
apt-get install jitsi-meet
The recommended option here is to use Let’s Encrypt for TLS, and to be able to obtain a certificate you need 2 things:
1. A domain i.e. jitsi.yourdomain.com
2. Port 80/443 to be opened in your firewall/gateway
JWT authentication
Install and setup jitsi-meet-tokens
sudo apt install jitsi-meet-tokens
During the setup you will be asked for your ID and SECRET. These can be anything, like a super long password, e.g. 6TBGBuMaX8CpMtjqL53RgaqFCYSfhP2jR5RHDZLrQFzYBcPyG8. Remember, ID and SECRET should be different! Do not use our example password; create your own and save them in a secure place.
Disable auto-owner
hocon -f /etc/jitsi/jicofo/jicofo.conf \
  set jicofo.conference.enable-auto-owner false
You may test your tokens on jitok, or jwt.io.
{
  "aud": "jitsi",
  "iss": "your token ID goes here",
  "sub": "jitsi.yourdomain.com",
  "room": "*",
  "context": {
    "user": { }
  }
}
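The payload above can also be minted and checked locally, so the secret never has to be pasted into a web tool. This is an added example, not code from the original guide or from the Jitsi project: it signs the same claims with HS256 using only the Python standard library, then verifies algorithm, signature, issuer, audience and expiry. The `exp` claim, the function names and the sample ID and secret are assumptions made for the example.

```python
import base64, hashlib, hmac, json, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(secret: str, signing_input: str) -> bytes:
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()

def mint_token(app_id, app_secret, domain, room="*", ttl=3600, now=None):
    """Build an HS256 JWT with the claims from the payload above plus exp."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"aud": "jitsi", "iss": app_id, "sub": domain, "room": room,
               "exp": now + ttl,  # assumption: not in the page's payload
               "context": {"user": {}}}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload))
    return signing_input + "." + b64url(sign(app_secret, signing_input))

def verify_token(token, app_id, app_secret, now=None):
    """Return the payload if alg, signature, iss, aud and exp check out."""
    now = int(time.time()) if now is None else now
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        payload = json.loads(b64url_decode(body_b64))
        sig = b64url_decode(sig_b64)
        if not (isinstance(header, dict) and isinstance(payload, dict)):
            raise TypeError("header and payload must be JSON objects")
    except Exception as exc:
        raise ValueError("malformed token") from exc
    if header.get("alg") != "HS256":  # reject "none" and algorithm swaps
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(sig, sign(app_secret, f"{head_b64}.{body_b64}")):
        raise ValueError("bad signature")
    if payload.get("iss") != app_id or payload.get("aud") != "jitsi":
        raise ValueError("wrong iss or aud")
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        raise ValueError("expired or missing exp")
    return payload

if __name__ == "__main__":
    # Constructed sample values; use your own app ID and secret.
    tok = mint_token("example_app_id", "constructed-demo-secret", "jitsi.yourdomain.com")
    print(tok)
    print(verify_token(tok, "example_app_id", "constructed-demo-secret"))
```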
Enable tokens
Change
allow_empty_token = true;
in
/etc/prosody/conf.d/jitsi.yourdomain.com.cfg.lua
And restart your services
systemctl restart prosody.service
systemctl restart jicofo.service
Moderated meetings
.env Config Microservice
The keypair can be generated with openssl:
openssl genrsa -out keypair.pem 2048
openssl rsa -in keypair.pem -pubout -out publickey.pem
openssl pkcs8 -topk8 -inform PEM -outform DER -nocrypt -in keypair.pem -out moderated.der
Get the private_key_id for the .env file with this command:
echo -n [NAME_OF_PRIVATE_KEY.der] | shasum -a 256
Rename publickey.pem to the private_key_id you just obtained.
DEPLOYMENT_URL= url to the jitsi meet instance ex. https://jitsi.yourdomain.com/ (ending with a /)
PORT= Port for the microservice
PRIVATE_KEY_FILE= ex. path/to/key/moderated.der
PRIVATE_KEY_ID= for this instance it would be '3c582c2fd86242e0a3655642607d548b5c271d4e1fe21ee7aa548438b3858640' as explained above
TARGET_TENANT= Tenant of your choice ex. moderated
Key Server
Next you’ll need to be able to serve the public key to the Jitsi instance. If you do not have a dedicated server for serving files, you could just set up a simple python http.server to test it out before creating a permanent solution.
Create a new folder and add the public key to it.
python3 -m http.server [PORT]
Jitsi Meet Config
Add the following global variables in the top section of /etc/prosody/conf.d/jitsi.yourdomain.com.cfg.lua. Either set them to * or specify the accepted issuers and audiences for the instance:
…
asap_accepted_issuers = {"*"};
asap_accepted_audiences = {"*"};
…
Then go to the VirtualHost section and add/make sure the following is enabled:
VirtualHost "[jitsi.yourdomain.com]"
    …
    authentication = "token";
    app_id=[SPECIFIED ON JITSI-MEET-TOKENS INSTALL];
    asap_key_server=[URL_TO_KEY_SERVER];
    allow_empty_token = true;
Don’t forget to comment out the app_secret line like this, since we are now using public keys:
-- app_secret="super-secret-string"
Modify the conference.[jitsi.yourdomain.com] component. Add muc_allowners to modules_enabled and set the allowners_moderated_subdomains to the target tenant you specified during the microservice setup.
Component "conference.[jitsi.yourdomain.com]" "muc"
    …
    modules_enabled = {
        "muc_allowners";
        …
    }
    allowners_moderated_subdomains = {
        "moderated"
    }
    …
sudo systemctl restart prosody && sudo systemctl restart jicofo && sudo systemctl restart jitsi-videobridge2
Download moderated meetings
git clone https://github.com/jitsi/moderated-meetings.git
Run the service
npm run build && source .env && mvn spring-boot:run
Do you need help?
Now you should have Jitsi with JWT authentication and moderated meetings set up! If you need help, or are looking for someone that can host this for you, please contact Redpill Linpro, experts in Jitsi.