In this guide we’ll set up and configure Jitsi with JWT authentication and moderated meetings, so that you can host video conferences for several hundred users (thousands, depending on your server), with the capability to host webinars.
The last couple of years have been very productive in the open source area. More and more companies have decided to go open source, and with that many great new open-source (and free) options are available for both your company and your day-to-day private life. One of those services is Jitsi - one of the best (if not the best) video conference software. A big bonus is that it’s free to use, and you can even run it on your own server! If you care about privacy and your integrity, Jitsi is something for you. Eager to begin? Well, let’s do it!
Install Jitsi
First of all, you need to install the Jitsi “base”. It’s super easy since the developers made configuring the packages very straightforward. We won’t reinvent the wheel here, so take a look at their own guide.
We’ll install Jitsi on Ubuntu 22.04 (minimal) and here’s a short summary of the steps.
Dependencies
sudo apt-get update && sudo apt-get install lshw net-tools apt-utils gnupg2 nginx-full apt-transport-https ufw -y
Prosody repository
curl -sL https://prosody.im/files/prosody-debian-packages.key | sudo tee /etc/apt/keyrings/prosody-debian-packages.key
echo "deb [signed-by=/etc/apt/keyrings/prosody-debian-packages.key] http://packages.prosody.im/debian $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/prosody-debian-packages.list
Jitsi repository
curl -sL https://download.jitsi.org/jitsi-key.gpg.key | gpg --dearmor | sudo tee /usr/share/keyrings/jitsi-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/jitsi-keyring.gpg] https://download.jitsi.org stable/" | sudo tee /etc/apt/sources.list.d/jitsi-stable.list
More dependencies
sudo apt-get update && sudo apt-get install lua5.2 -y
Add ufw allow rules
This step is optional since you can control this in your gateway, and all the services that need to be opened are automatically opened by Ubuntu. But, just to make sure, it could be a good idea to add these rules.
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw allow 10000/udp
sudo ufw allow 22/tcp
sudo ufw allow 3478/udp
sudo ufw allow 5349/tcp
sudo ufw --force enable
sudo ufw status verbose
Kernel tuning
sudo sed -i "s|.*DefaultLimitNOFILE=.*|DefaultLimitNOFILE=65000|g" /etc/systemd/system.conf
sudo sed -i "s|.*DefaultLimitNPROC=.*|DefaultLimitNPROC=65000|g" /etc/systemd/system.conf
sudo sed -i "s|.*DefaultTasksMax=.*|DefaultTasksMax=65000|g" /etc/systemd/system.conf
Install Jitsi-meet
sudo apt-get install jitsi-meet -y
The recommended option here is to use Let’s Encrypt for TLS, and to be able to obtain a certificate you need 2 things:
- A domain i.e.
- Port 80/443 to be opened in your firewall/gateway
JWT authentication
Install and setup jitsi-meet-tokens
sudo apt install jitsi-meet-tokens
During the setup you will be asked to add your ID and SECRET. These can be anything, for example a very long random string such as 6TBGBuMaX8CpMtjqL53RgaqFCYSfhP2jR5RHDZLrQFzYBcPyG8. Remember, ID and SECRET should be different! Do not use our example password; create your own and save them in a secure place.
Disable auto-owner
sudo hocon -f /etc/jitsi/jicofo/jicofo.conf \
set jicofo.conference.enable-auto-owner false
You may test your tokens on jitok, or jwt.io.
{
"aud": "jitsi",
"iss": "your token ID goes here",
"sub": "jitsi.yourdomain.com",
"room": "*"
}
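To build and check a token offline instead of pasting the secret into a website, the payload above can be signed and verified with the Python standard library. This is an added example, not code from Jitsi or the original guide: the APP_ID and APP_SECRET values are constructed, HS256 with the shared secret is assumed as the signing method, and the exp claim and the set of checks in check_token are choices of this example.

```python
import base64, hashlib, hmac, json, time

# Constructed sample values for this example, not real credentials.
APP_ID, APP_SECRET = "example-app-id", "example-app-secret"
DOMAIN = "jitsi.yourdomain.com"

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(secret, signing_input):
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()

def make_token(app_id, secret, domain, room="*", ttl=3600, now=None):
    """Build an HS256 token with the claims from the payload above."""
    now = int(time.time()) if now is None else now
    claims = {"aud": "jitsi", "iss": app_id, "sub": domain, "room": room,
              "exp": now + ttl}  # exp is an addition made by this example
    parts = ({"alg": "HS256", "typ": "JWT"}, claims)
    signing_input = ".".join(b64url(json.dumps(p).encode()) for p in parts)
    return signing_input + "." + b64url(sign(secret, signing_input))

def check_token(token, app_id, secret, domain, room, now=None):
    """Return the claims of an acceptable token, else raise ValueError."""
    now = int(time.time()) if now is None else now
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(b64url_decode(head)), json.loads(b64url_decode(body))
        given = b64url_decode(sig)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise TypeError("header and payload must be JSON objects")
    except Exception as exc:
        raise ValueError("malformed token") from exc
    if header.get("alg") != "HS256":  # pin the algorithm, which rejects "none"
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(sign(secret, head + "." + body), given):
        raise ValueError("bad signature")
    if (claims.get("iss"), claims.get("aud"), claims.get("sub")) != (app_id, "jitsi", domain):
        raise ValueError("wrong iss, aud or sub")
    if claims.get("room") not in ("*", room):
        raise ValueError("room not allowed")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired")
    return claims
```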
Enable tokens
- Add allow_empty_token = true; in /etc/prosody/conf.d/jitsi.yourdomain.com.cfg.lua so that clients that present no token are still allowed to connect:
VirtualHost "jitsi.yourdomain.com"
authentication = "token" -- do not delete me
allow_empty_token = true;
-- Properties below are modified by jitsi-meet-tokens package config
-- and authentication above is switched to "token"
app_id="BX2ozBz6M4fGdGQUZ2uE2hpf7WB53FKhUy3yuyHHkTtQQERxRA"
app_secret="k3ca7YAcKdQjqf4igQAqQtk3X8v4sUz3YFAJfBAuv3AhTTPnGH"
- Restart your services
sudo systemctl restart prosody.service
sudo systemctl restart jicofo.service
Moderated meetings
.env Config Micro-service
The key pair can be generated with OpenSSL:
sudo openssl genrsa -out keypair.pem 2048
sudo openssl rsa -in keypair.pem -pubout -out publickey.pem
sudo openssl pkcs8 -topk8 -inform PEM -outform DER -nocrypt -in keypair.pem -out moderated.der
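Get the private_key_id for the .env file with the command below. Note that it hashes the literal string moderated.der (the file name), not the contents of the file: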
echo -n moderated.der | shasum -a 256
Change the publickey.pem name to the fetched private_key_id.
DEPLOYMENT_URL= url to the jitsi meet instance ex. https://jitsi.yourdomain.com/ (ending with a /)
PORT= Port for the microservice
PRIVATE_KEY_FILE= ex. path/to/key/moderated.der
PRIVATE_KEY_ID= for this instance it would be '3c582c2fd86242e0a3655642607d548b5c271d4e1fe21ee7aa548438b3858640' as explained above
TARGET_TENANT= Tenant of your choice ex. moderated
Key Server
Next you’ll need to be able to serve the public key to the Jitsi instance. If you do not have a dedicated server for serving files, you could just set up a simple Python HTTP server to test it out before creating a permanent solution.
Create a new folder and add the public key to it.
python3 -m http.server [PORT]
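python3 -m http.server serves every file below the directory it is started in, which is why the public key belongs in a folder of its own. The check below is an added example (not part of the original guide) that lists everything in such a folder that is not a PEM public key; the sample folder contents are constructed and mirror the file names produced by the OpenSSL commands above.

```python
import re
import tempfile
from pathlib import Path

# Allowlist: a file is acceptable only if it is exactly one PEM public key.
PUBLIC_PEM = re.compile(
    rb"\A\s*-----BEGIN PUBLIC KEY-----\s+[A-Za-z0-9+/=\s]+-----END PUBLIC KEY-----\s*\Z")

def unexpected_files(folder):
    """Return sorted relative paths of entries that are not a PEM public key."""
    root = Path(folder)
    flagged = []
    for path in root.rglob("*"):
        rel = str(path.relative_to(root))
        if path.is_symlink():
            # The HTTP server follows symlinks, so a link could expose
            # a file that lives outside the served folder.
            flagged.append(rel)
        elif path.is_dir():
            continue
        elif not path.is_file() or not PUBLIC_PEM.match(path.read_bytes()):
            flagged.append(rel)
    return sorted(flagged)

def demo():
    """Run the check on a constructed folder holding all three key files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        body = b"QUJDRA==\n"  # placeholder base64, not real key material
        (root / "publickey.pem").write_bytes(
            b"-----BEGIN PUBLIC KEY-----\n" + body + b"-----END PUBLIC KEY-----\n")
        (root / "keypair.pem").write_bytes(
            b"-----BEGIN PRIVATE KEY-----\n" + body + b"-----END PRIVATE KEY-----\n")
        (root / "moderated.der").write_bytes(b"\x30\x82\x04\xbd\x02\x01\x00")
        return unexpected_files(root)

if __name__ == "__main__":
    print(demo())
```

An empty list from unexpected_files means the folder holds nothing but public keys.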
Jitsi Meet Configuration
Add the following global variables in the top section of /etc/prosody/conf.d/jitsi.yourdomain.com.cfg.lua. Either set them to * or specify the accepted issuers and audiences for the instance:
…
asap_accepted_issuers = {"*"};
asap_accepted_audiences = {"*"};
…
Then go to the Virtual-Host section and add/make sure the following is enabled:
VirtualHost "jitsi.yourdomain.com"
…
authentication = "token";
app_id=[SPECIFIED ON JITSI-MEET-TOKENS INSTALL];
asap_key_server=[URL_TO_KEY_SERVER];
allow_empty_token = true;
Don’t forget to comment out the app_secret line like this, since we are now using public keys:
-- app_secret="super-secret-string"
Modify the conference.jitsi.yourdomain.com component. Add muc_allowners to modules_enabled and set allowners_moderated_subdomains to the target tenant you specified during the micro-service setup.
Component "conference.jitsi.yourdomain.com" "muc"
…
modules_enabled = {
"muc_allowners";
…
}
allowners_moderated_subdomains = { "moderated" }
…
sudo systemctl restart prosody && sudo systemctl restart jicofo && sudo systemctl restart jitsi-videobridge2
Download moderated meetings
- Clone the moderated meetings Git repository
git clone https://github.com/jitsi/moderated-meetings.git
- Run the service
npm run build && source .env && mvn spring-boot:run
Do you need help?
Now you should have Jitsi with JWT authentication and moderated meetings set up! If you need help, or are looking for someone who can host this for you, please contact Redpill Linpro - experts in Jitsi.