
Installing a Jitsi server

Overview

  • This is a simple walkthrough on how to host your own Jitsi server
  • Detailed configuration is not covered in this post; please check the official Jitsi documentation.
  • I’m using Ubuntu 18.04 hosted on AWS, with Let’s Encrypt certificate, and Nginx preinstalled.

Issues I’ve encountered

  1. Java won’t trust a self-signed certificate

    • Solution: You have to manually add your certificate (e.g. the one for auth.meet.example.org) to the Java keystore

      # Imports one certificate into the JVM-wide trust store (cacerts). Every Java
      # program running on this JRE will then trust it, not only Jitsi, so import
      # just the certificate you issued yourself.
      # -noprompt skips the confirmation that would display the certificate, so
      # check it beforehand, e.g. `keytool -printcert -file <path to your cert file>`.
      # "changeit" is the stock cacerts password. The keystore path below is the one
      # used on this Oracle Java 8 install and will differ for other JVMs.
      # Once you move to a CA-issued certificate, remove the entry again with
      # `keytool -delete -alias <alias> -keystore <same cacerts path>`.
      keytool -import -trustcacerts -keystore /usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts \
      -storepass changeit -noprompt -alias <something you can remember> \
      -file <path to your cert file>
  2. P2P works, but when a third person joins, video and audio are lost

    • Solution: Check docs provided by Jitsi
      1. You need to check your NAT settings, also make sure you’ve opened ports needed by Jitsi (443/TCP, 10000/UDP)
      2. If you’re using AWS to host Jitsi server, make sure your security group allows ports required by Jitsi.
      3. Check the Jitsi logs to see if there’s more information on that (e.g. certificate issues).

Steps

  1. Add Jitsi repo

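    # Keep the Jitsi signing key in its own keyring rather than using `apt-key add`,
    # which is deprecated and makes the key trusted for every repository on the host.
    # The key is fetched over HTTPS; compare its fingerprint with the one Jitsi
    # publishes before relying on it.
    wget -qO - https://download.jitsi.org/jitsi-key.gpg.key \
      | gpg --dearmor \
      | sudo tee /usr/share/keyrings/jitsi-keyring.gpg > /dev/null
    # signed-by ties that key to this one source, so it cannot vouch for packages
    # from any other repository.
    echo 'deb [signed-by=/usr/share/keyrings/jitsi-keyring.gpg] https://download.jitsi.org stable/' \
      | sudo tee /etc/apt/sources.list.d/jitsi-stable.list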
  2. Open ports in your firewall.

    • If you are using AWS, add TCP/80,443, and UDP/10000 to your security group configuration.

    • Or if you’re using ufw

      # Open only what this setup uses: 80/tcp (HTTPS redirect and ACME challenge),
      # 443/tcp (the web front end) and 10000/udp (media traffic).
      for rule in 80/tcp 443/tcp 10000/udp; do
        sudo ufw allow "$rule"
      done
  3. Use apt to install Jitsi

    # Refresh the package index so the Jitsi repository added in step 1 is picked up.
    sudo apt update
    # HTTPS transport for apt; the Jitsi repository is served over https.
    sudo apt install apt-transport-https
    # Packages are checked against the repository signing key added in step 1.
    # NOTE(review): the jitsi-meet installer is expected to ask for the hostname and a
    # certificate choice; use the same name as server_name in the Nginx config (confirm).
    sudo apt install jitsi-meet
  4. Add configuration to your Nginx/Apache

    • If you already have Nginx/Apache preinstalled before you install Jitsi, configs should be automatically added by Jitsi Installer.

    • Nginx Config Example:

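      server_names_hash_bucket_size 64;

      # Plain HTTP: serves only the ACME challenge files; everything else is
      # redirected to HTTPS.
      server {
          listen 80;
          listen [::]:80;
          server_name <REPLACE_WITH_YOUR_URL>;

          location ^~ /.well-known/acme-challenge/ {
              default_type "text/plain";
              root /usr/share/jitsi-meet;
          }
          # No directory listing for the challenge folder itself.
          location = /.well-known/acme-challenge/ {
              return 404;
          }
          location / {
              return 301 https://$host$request_uri;
          }
      }

      # HTTPS: static Jitsi Meet files plus the BOSH / websocket proxies.
      server {
          listen 443 ssl;
          listen [::]:443 ssl;
          server_name <REPLACE_WITH_YOUR_URL>;

          # TLS 1.0 and 1.1 are deprecated (RFC 8996), so only 1.2 and 1.3 are offered.
          # TLSv1.3 needs nginx 1.13+ with OpenSSL 1.1.1; drop it if `nginx -t` rejects it.
          ssl_protocols TLSv1.2 TLSv1.3;
          ssl_prefer_server_ciphers on;
          ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED";

          # HSTS: browsers that have seen this header refuse plain HTTP for one year.
          add_header Strict-Transport-Security "max-age=31536000";

          # Keep the private key readable by root only.
          ssl_certificate <REPLACE_WITH_YOUR_CERTIFICATE>;
          ssl_certificate_key <REPLACE_WITH_YOUR_CERTIFICATE_KEY>;

          root /usr/share/jitsi-meet;

          # ssi on with javascript for multidomain variables in config.js
          ssi on;
          ssi_types application/x-javascript application/javascript;

          index index.html index.htm;
          error_page 404 /static/404.html;

          location = /config.js {
              alias /etc/jitsi/meet/<REPLACE_WITH_YOUR_URL>-config.js;
          }

          location = /external_api.js {
              alias /usr/share/jitsi-meet/libs/external_api.min.js;
          }

          # ensure all static content can always be found first
          # (the dot in .well-known is escaped so it matches a literal dot only)
          location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|\.well-known)/(.*)$
          {
              add_header 'Access-Control-Allow-Origin' '*';
              # An add_header in a location replaces the server-level ones, so HSTS
              # is repeated here to keep it on static responses.
              add_header Strict-Transport-Security "max-age=31536000";
              alias /usr/share/jitsi-meet/$1/$2;
          }

          # BOSH
          # Port 5280 is reached over loopback only; it does not need a firewall rule.
          location = /http-bind {
              proxy_pass http://localhost:5280/http-bind;
              proxy_set_header X-Forwarded-For $remote_addr;
              proxy_set_header Host $http_host;
          }

          # xmpp websockets
          location = /xmpp-websocket {
              proxy_pass http://127.0.0.1:5280/xmpp-websocket?prefix=$prefix&$args;
              proxy_http_version 1.1;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Connection "upgrade";
              proxy_set_header Host $http_host;
              tcp_nodelay on;
          }

          # Single path segment: serve the file if it exists, otherwise fall back to /.
          location ~ ^/([^/?&:'"]+)$ {
              try_files $uri @root_path;
          }

          location @root_path {
              rewrite ^/(.*)$ / break;
          }

          location ~ ^/([^/?&:'"]+)/config.js$
          {
              set $subdomain "$1.";
              set $subdir "$1/";

              alias /etc/jitsi/meet/<REPLACE_WITH_YOUR_URL>-config.js;
          }

          # Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
          location ~ ^/([^/?&:'"]+)/(.*)$ {
              set $subdomain "$1.";
              set $subdir "$1/";
              rewrite ^/([^/?&:'"]+)/(.*)$ /$2;
          }

          # BOSH for subdomains
          location ~ ^/([^/?&:'"]+)/http-bind {
              set $subdomain "$1.";
              set $subdir "$1/";
              set $prefix "$1";

              rewrite ^/(.*)$ /http-bind;
          }

          # websockets for subdomains
          location ~ ^/([^/?&:'"]+)/xmpp-websocket {
              set $subdomain "$1.";
              set $subdir "$1/";
              set $prefix "$1";

              rewrite ^/(.*)$ /xmpp-websocket;
          }
      }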
  5. Profit

    • Restart your HTTP server, and you should be able to access Jitsi with your designated URL.
  6. Debugging

    • You can check the logs under these paths, as they may contain the information you need to debug your Jitsi installation.

      /var/log/jitsi/jvb.log
      /var/log/jitsi/jicofo.log
      /var/log/prosody/prosody.log

Stay safe everyone.