In this guide we’ll set up and configure Jitsi with JWT authentication and moderated meetings, so that you can host video conferences for several hundred (or thousands, depending on your server) users, with the capability to host webinars.

The last couple of years have been very productive in the open source area. More and more companies have decided to go open source, and with that many great new open-sourced (and free) options are available for both your company and your private day-to-day life. One of those is Jitsi, one of the best (if not the best) video conferencing tools. A big bonus is that it’s free to use, and you can even run it on your own server! If you care about privacy and your integrity, Jitsi is something for you. Eager to begin? Well, let’s do it!

Install Jitsi

First of all, you need to install the Jitsi “base”. It’s straightforward, since the developers made the package configuration very easy. We won’t reinvent the wheel here, so take a look at their own quick-install guide.

We’ll install Jitsi on Ubuntu 22.04 (minimal); here’s a short summary of the steps.

Dependencies

sudo apt-get update && sudo apt-get install lshw net-tools apt-utils gnupg2 nginx-full apt-transport-https ufw -y

Prosody repository

curl -sL https://prosody.im/files/prosody-debian-packages.key | sudo tee /etc/apt/keyrings/prosody-debian-packages.key
echo "deb [signed-by=/etc/apt/keyrings/prosody-debian-packages.key] http://packages.prosody.im/debian $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/prosody-debian-packages.list

Jitsi repository

curl -sL https://download.jitsi.org/jitsi-key.gpg.key | gpg --dearmor | sudo tee /usr/share/keyrings/jitsi-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/jitsi-keyring.gpg] https://download.jitsi.org stable/" | sudo tee /etc/apt/sources.list.d/jitsi-stable.list

More dependencies

sudo apt-get update && sudo apt-get install lua5.2 -y

Add ufw allow rules

This step is optional if you filter traffic at your gateway instead, and ufw is inactive by default on Ubuntu, so nothing is blocked until you enable it. If you do enable it, add the allow rules first (in particular 22/tcp, so you don’t lock yourself out of SSH): 80 and 443 for the web UI and Let’s Encrypt, 10000/udp for videobridge media, and 3478/udp and 5349/tcp for the bundled coturn (STUN/TURN) server.

sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw allow 10000/udp
sudo ufw allow 22/tcp
sudo ufw allow 3478/udp
sudo ufw allow 5349/tcp
sudo ufw --force enable
sudo ufw status verbose

Systemd limits

These raise systemd’s default limits on open files, processes and tasks so that the videobridge can hold many concurrent connections. Run sudo systemctl daemon-reload (or reboot) afterwards so the new defaults apply to services you restart.

sudo sed -i "s|.*DefaultLimitNOFILE=.*|DefaultLimitNOFILE=65000|g" /etc/systemd/system.conf
sudo sed -i "s|.*DefaultLimitNPROC=.*|DefaultLimitNPROC=65000|g" /etc/systemd/system.conf
sudo sed -i "s|.*DefaultTasksMax=.*|DefaultTasksMax=65000|g" /etc/systemd/system.conf

Install Jitsi-meet

sudo apt-get install jitsi-meet -y

The recommended option here is Let’s Encrypt for TLS (the installer offers it). To obtain a certificate you need two things:

  1. A domain name, e.g. jitsi.yourdomain.com, with a DNS record pointing at this server
  2. Ports 80 and 443 reachable from the internet through your firewall/gateway

JWT authentication

Install and set up jitsi-meet-tokens

sudo apt install jitsi-meet-tokens

During the setup you will be asked for an application ID and an application SECRET. These can be any strings, e.g. a long random password such as 6TBGBuMaX8CpMtjqL53RgaqFCYSfhP2jR5RHDZLrQFzYBcPyG8. The SECRET is the HMAC key every token is signed with, so anyone who has it can mint a valid token for any room on your server. Remember, ID and SECRET should be different! Do not use our example value; generate your own and store them somewhere secure (not in version control).

Disable auto-owner

By default jicofo makes the first participant to enter a room its owner (moderator). Disable that, so that nobody gets moderator rights just by being first:

sudo hocon -f /etc/jitsi/jicofo/jicofo.conf \
    set jicofo.conference.enable-auto-owner false

You may test your tokens on jitok, or jwt.io. The claims a token needs for this setup:

{
  "aud": "jitsi",
  "iss": "your token ID goes here",
  "sub": "jitsi.yourdomain.com",
  "room": "*"
}

iss must be the application ID you chose during the package setup, sub is your Jitsi domain, and room is the room name the token is valid for ("*" matches every room, so prefer a specific room for tokens you hand out). Add an exp claim as well: Prosody honours the standard exp and nbf claims, and a token without an expiry stays valid for as long as the secret does.

Enable tokens

  1. Add allow_empty_token = true; to the VirtualHost in /etc/prosody/conf.d/jitsi.yourdomain.com.cfg.lua. This lets participants who present no token join as ordinary guests; without it, every participant must present a valid token.

    VirtualHost "jitsi.yourdomain.com"
        authentication = "token" -- do not delete me
        allow_empty_token = true;
        -- Properties below are modified by jitsi-meet-tokens package config
        -- and authentication above is switched to "token"
        app_id="BX2ozBz6M4fGdGQUZ2uE2hpf7WB53FKhUy3yuyHHkTtQQERxRA"
        app_secret="k3ca7YAcKdQjqf4igQAqQtk3X8v4sUz3YFAJfBAuv3AhTTPnGH"

    (the app_id and app_secret shown are the placeholders from the package setup; yours will differ)

  2. Restart your services

    sudo systemctl restart prosody.service
    sudo systemctl restart jicofo.service
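To see what such a token looks like on the wire, and which checks the verifying side has to make, here is an added example; it is not code from the original post or from the Jitsi project. It mints an HS256 token with the claims discussed above and verifies it the way Prosody does (signature, issuer, audience, exp, nbf). It assumes the placeholder application ID and secret from the Prosody config above and the domain jitsi.yourdomain.com; the room, user name and e-mail are made up, and only the Python standard library is used:

```python
"""Mint and verify a jitsi-meet-tokens style JWT (HS256).

Added example, not code from the original post or from the Jitsi project.
Assumptions: the application ID and secret are the placeholder values shown
in the prosody config above, the domain is jitsi.yourdomain.com, and the
room, user name and e-mail below are made up. Standard library only.
"""
import base64
import hashlib
import hmac
import json
import time

APP_ID = "BX2ozBz6M4fGdGQUZ2uE2hpf7WB53FKhUy3yuyHHkTtQQERxRA"      # goes into "iss"
APP_SECRET = "k3ca7YAcKdQjqf4igQAqQtk3X8v4sUz3YFAJfBAuv3AhTTPnGH"  # HMAC signing key
DOMAIN = "jitsi.yourdomain.com"                                   # goes into "sub"


def b64url(data: bytes) -> str:
    """base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_segment(obj: dict) -> str:
    """Compact JSON, then base64url: one JWT segment."""
    return b64url(json.dumps(obj, separators=(",", ":")).encode())


def mint_token(room, name, email, ttl=3600, now=None):
    """Build header.claims.signature for one room with a short lifetime."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "aud": "jitsi",
        "iss": APP_ID,
        "sub": DOMAIN,
        "room": room,            # "*" would make the token valid for every room
        "iat": now,
        "nbf": now - 10,         # small clock-skew allowance
        "exp": now + ttl,        # without exp a leaked token is valid forever
        "context": {"user": {"name": name, "email": email}},
    }
    signing_input = encode_segment(header) + "." + encode_segment(claims)
    sig = hmac.new(APP_SECRET.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_token(token, secret=APP_SECRET, now=None):
    """Check alg, signature, iss, aud, exp and nbf; raise ValueError on any failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, c64, s64 = parts
    header = json.loads(b64url_decode(h64))
    if header.get("alg") != "HS256":          # never let the token choose 'none'
        raise ValueError("unexpected alg")
    expected = hmac.new(secret.encode(), f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("bad signature")    # verified before any claim is trusted
    claims = json.loads(b64url_decode(c64))
    if claims.get("iss") != APP_ID:
        raise ValueError("unknown issuer")
    if claims.get("aud") != "jitsi":
        raise ValueError("wrong audience")
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("expired")
    if "nbf" in claims and now < claims["nbf"]:
        raise ValueError("not yet valid")
    return claims


def meeting_url(room, token):
    """Participants present the token as the jwt query parameter on the room URL."""
    return f"https://{DOMAIN}/{room}?jwt={token}"


if __name__ == "__main__":
    tok = mint_token("weekly-standup", "Alice", "alice@example.com")
    print(meeting_url("weekly-standup", tok))
    print(verify_token(tok))
```

Two details matter for security: the algorithm in the header is pinned rather than read from the token (otherwise an "alg": "none" token with an empty signature would pass), and the signature is checked before any claim is looked at, so a token whose room claim was edited to "*" is rejected outright.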

Moderated meetings

Configure the micro-service (.env)

The micro-service signs its tokens with an RSA private key, and Prosody verifies them with the matching public key fetched from a key server (next section). Generate the key pair with OpenSSL:

sudo openssl genrsa -out keypair.pem 2048
sudo openssl rsa -in keypair.pem -pubout -out publickey.pem
sudo openssl pkcs8 -topk8 -inform PEM -outform DER -nocrypt -in keypair.pem -out moderated.der

keypair.pem and moderated.der both contain the private key (the latter unencrypted, as -nocrypt says), so restrict them to the account the micro-service runs as and never place them in the directory the key server serves.

Get the PRIVATE_KEY_ID for the .env file with this command. Note that it hashes the literal string moderated.der (the file name), not the file’s contents; the resulting ID is a label that must be identical in the .env file and in the public key’s file name:

echo -n moderated.der | shasum -a 256

Rename publickey.pem to <PRIVATE_KEY_ID>.pem, keeping the .pem extension.

Then fill in the micro-service’s .env file:

DEPLOYMENT_URL=    URL of the Jitsi Meet instance, e.g. https://jitsi.yourdomain.com/ (must end with a /)
PORT=              Port the micro-service listens on
PRIVATE_KEY_FILE=  Path to the private key, e.g. path/to/key/moderated.der
PRIVATE_KEY_ID=    The hash from above; for this instance it would be
                   3c582c2fd86242e0a3655642607d548b5c271d4e1fe21ee7aa548438b3858640
TARGET_TENANT=     Tenant of your choice, e.g. moderated

Key Server

Next, Prosody needs to fetch the public key over HTTP(S) from the URL you will configure as asap_key_server. If you do not have a web server for static files, a simple Python HTTP server is enough to test with before you build a permanent solution.

Create a new, empty directory containing only the renamed public key and serve it from there. http.server exposes everything under its working directory, so never start it where the private key is stored.

python3 -m http.server [PORT]

Jitsi Meet Configuration

Add the following global settings in the top section of /etc/prosody/conf.d/jitsi.yourdomain.com.cfg.lua. Either set them to * or, preferably, list the issuer and audience the micro-service puts in its tokens; * accepts a token from any issuer for any audience as long as its signature verifies against a key fetched from your key server:

…
asap_accepted_issuers = {"*"};
asap_accepted_audiences = {"*"};
…

Then go to the Virtual-Host section and add/make sure the following is enabled:

VirtualHost "jitsi.yourdomain.com"
…
authentication = "token";
app_id=[SPECIFIED ON JITSI-MEET-TOKENS INSTALL];
asap_key_server=[URL_TO_KEY_SERVER];
allow_empty_token = true;

Don’t forget to comment out the app_secret line, since tokens are now verified with the public key from the key server instead of the shared secret:

-- app_secret="super-secret-string"

Modify the conference.jitsi.yourdomain.com component: add muc_allowners to modules_enabled and set allowners_moderated_subdomains to the tenant you chose as TARGET_TENANT during the micro-service setup.

Component "conference.jitsi.yourdomain.com" "muc"
…
modules_enabled = {
"muc_allowners";
…
}
allowners_moderated_subdomains = { "moderated" }
…

Then restart Prosody, jicofo and the videobridge:

sudo systemctl restart prosody && sudo systemctl restart jicofo && sudo systemctl restart jitsi-videobridge2

Download and run moderated meetings

  1. Clone the moderated meetings Git repository

    git clone https://github.com/jitsi/moderated-meetings.git

  2. From inside the cloned directory, build and run the service (this needs Node.js with npm, a JDK and Maven; source .env loads the variables you set above into the environment of the mvn process)

    npm run build && source .env && mvn spring-boot:run
    

Do you need help?

Now you should have Jitsi with JWT authentication and moderated meetings set up! If you need help, or are looking for someone who can host this for you, please contact Redpill Linpro, experts in Jitsi.

Daniel Hansson

at Redpill Linpro
