Installation of Jitsi Meet
Once I took care of my Matrix-Synapse server I also wanted to upgrade the OS of my Jitsi Meet server - which of course would force me to re-install everything. Getting a basic Jitsi setup running is quite easy. However, each time I install it I’m struggling with the right sequence of steps and I’m trying to remember what I’m usually customizing. So I’m putting it down here now.
For this setup I assume you are running Ubuntu 20.04 LTS as operating system and there is a valid DNS record for your domain pointing to your server. You will find Jitsi’s documentation here.
Prerequisites
Repositories
Once the operating system is installed and you have done some basic hardening (sshd settings, users, fail2ban, firewall, etc.) we can start by adding two new software repositories: one for Prosody and, of course, one for Jitsi itself:
- Prosody:
$ apt install wget curl
$ wget https://prosody.im/files/prosody-debian-packages.key -O /usr/share/keyrings/prosody-keyring.gpg
$ echo "deb [signed-by=/usr/share/keyrings/prosody-keyring.gpg] https://packages.prosody.im/debian focal main" > /etc/apt/sources.list.d/prosody.list
- Jitsi:
$ curl https://download.jitsi.org/jitsi-key.gpg.key | gpg --dearmor > /usr/share/keyrings/jitsi-keyring.gpg
$ echo "deb [signed-by=/usr/share/keyrings/jitsi-keyring.gpg] https://download.jitsi.org stable/" > /etc/apt/sources.list.d/jitsi.list
$ apt update
Install software
UPDATE: as of April 2022 Jitsi does not seem to be compatible with Prosody 0.12, so replace prosody with prosody-0.11 below!
Let’s install some packages which will be required (snapd and fuse are optional, but required if you’d like to install certbot for generating SSL certificates):
$ apt install openjdk-11-jre apt-transport-https coturn nginx prosody snapd fuse
Install certbot:
$ snap install core; snap refresh core
$ snap install --classic certbot
Get SSL certificates
Open firewall ports 80 and 443 for nginx. If you’re using ufw:
$ ufw allow 80/tcp
$ ufw allow 443/tcp
…and get the certificates (certonly: this will not modify your nginx config):
$ certbot certonly --nginx
Additional firewall ports
We need to open some additional firewall ports for Coturn:
$ ufw allow 10000/udp
$ ufw allow 3478/udp
$ ufw allow 5349/tcp
systemd limits
Check some limits:
$ systemctl show --property DefaultLimitNPROC
$ systemctl show --property DefaultLimitNOFILE
$ systemctl show --property DefaultTasksMax
Each command should return at least 65000. If not, edit /etc/systemd/system.conf and reload systemd:
$ systemctl daemon-reload
Install Jitsi
Finally install Jitsi:
$ apt install jitsi-meet
You will have to enter your domain name at some point. Choose “I want to use my own certificate” when asked for SSL certificates. You will then have to enter the path to your key and certificate file manually. (Let’s Encrypt usually stores them here: /etc/letsencrypt/live/<YOUR_DOMAIN>/). Jitsi packages will then take care of configuring nginx, coturn and prosody.
Configuration
Though everything should work by now, it’s probably not a bad idea to do a little tweaking…
nginx
As it’s quite unlikely you need the “default” site, you can just remove it:
$ unlink /etc/nginx/sites-enabled/default
I tend to set server_tokens off; in /etc/nginx/nginx.conf and also remove TLSv1 TLSv1.1 from the ssl_protocols line.
Coturn
By default coturn will run with root privileges which I consider a bad idea. To change that, add
proc-user=turnserver
proc-group=turnserver
to /etc/turnserver.conf, then change ownership and mode:
$ chgrp turnserver /etc/turnserver.conf
$ chmod 640 /etc/turnserver.conf
Of course now coturn has no access to SSL certificates anymore. You could either work with acl or you could just copy certificate and key to another location and make them readable for the group “turnserver”. Of course you have to remember to copy certificates again as soon as you renew them. I would not alter permissions of the original Let’s Encrypt files though. Do not forget to set the new path in /etc/turnserver.conf as well (cert= and key=).
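One way to avoid forgetting the copy after a renewal is a certbot deploy hook. The script below is an added example, not part of the original setup: the function name copy_turn_certs and the target directory /etc/coturn/certs are assumptions, and cert= and key= in /etc/turnserver.conf would then point at the copied files.

```shell
#!/bin/sh
# Added example: certbot deploy hook that refreshes coturn's private copy of
# the certificate. Install as an executable file in
# /etc/letsencrypt/renewal-hooks/deploy/ ; certbot runs hooks there after a
# successful renewal and sets RENEWED_LINEAGE to the live/<domain> directory.
# Assumption: /etc/coturn/certs is the copy location; adjust to your setup.

# copy_turn_certs SRC_DIR DEST_DIR GROUP
# Copies fullchain.pem and privkey.pem so that only root and GROUP can read them.
copy_turn_certs() {
    src=$1 dest=$2 group=$3
    # Refuse an incomplete lineage so a bad copy never replaces a good one.
    for f in fullchain.pem privkey.pem; do
        [ -s "$src/$f" ] || { echo "missing or empty: $src/$f" >&2; return 1; }
    done
    umask 077   # temp files start out private, before chgrp/chmod widen them
    mkdir -p "$dest" || return 1
    chgrp "$group" "$dest" && chmod 750 "$dest" || return 1
    for f in fullchain.pem privkey.pem; do
        # Write under a temp name, then rename, so coturn never sees a
        # half-written file. cat follows the symlinks in live/.
        tmp="$dest/.$f.new"
        cat "$src/$f" > "$tmp" || return 1
        chgrp "$group" "$tmp" && chmod 640 "$tmp" || { rm -f "$tmp"; return 1; }
        mv -f "$tmp" "$dest/$f" || return 1
    done
}

# Only act when certbot invokes the script as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    copy_turn_certs "$RENEWED_LINEAGE" /etc/coturn/certs turnserver \
        && systemctl restart coturn
fi
```

The original files under /etc/letsencrypt keep their permissions; only the copies are group-readable.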
Jitsi
Customizing Jitsi is a little annoying as some stuff will be overwritten on each update. You can for example replace the “welcome” image, located at /usr/share/jitsi-meet/images/welcome-background.png, with something you like, but you will lose that as soon as Jitsi is updated. I think they will put more options into the configuration files in /etc/jitsi in the future. Alterations made there will not be overwritten then.
If you would like to restrict access to your Jitsi instance simply follow their secure domain guide. It used to be quite a mess but now it works fine.
Restart services
As a last step you’ll have to either restart each service…
$ for i in nginx coturn prosody jicofo jitsi-videobridge2; do systemctl restart $i; done
…or simply reboot your server (will be good to check whether everything’s coming up upon reboot anyway).
That’s it :-)