Jitsi-Meet Videoconferencing on Ubuntu and nginx

Prerequisites:

Standalone-Server
AMD 64Bit
Ubuntu 18.04.x LTS or Debian 10 Buster
Domain (e.g. konferenz.dedyn.io)
tested and recommended browser: Chromium Browser (alternative Firefox 74+), Desktop Client

Sources: Jitsi

Content:

1. Preparation and installation (nginx)
2. Installation of Jitsi
3. Configuration of Jitsi


1. Preparation and installation (nginx)

Change into sudo mode first:

sudo -s

and prepare your server with the necessary sources and binaries:

apt install gnupg2 git lsb-release ssl-cert ca-certificates apt-transport-https tree locate software-properties-common dirmngr screen htop nano net-tools zip unzip curl ffmpeg ghostscript libfile-fcntllock-perl curl socat -y

Modify the hosts file by adding your domain name:

nano /etc/hosts
127.0.0.1 localhost konferenz.dedyn.io

Attention!
The string konferenz.dedyn.io is a placeholder and has to be replaced by your real domain name!

Add the following repositories to your server's software repository:

Only on an Ubuntu server:

apt-add-repository universe
echo "deb [arch=amd64] http://nginx.org/packages/mainline/ubuntu $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list

Only on a Debian-server:

echo "deb [arch=amd64] http://nginx.org/packages/mainline/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list

For both Ubuntu and Debian:

echo "deb https://download.jitsi.org stable/" | tee /etc/apt/sources.list.d/jitsi.list

We add the corresponding keys for jitsi and nginx, then update and upgrade the system.

curl -fsSL https://nginx.org/keys/nginx_signing.key | sudo apt-key add -
wget -qO -  https://download.jitsi.org/jitsi-key.gpg.key | sudo apt-key add -
apt update && apt upgrade -y

To ensure that neither nginx nor apache is already installed, we purge them:

apt remove --purge nginx nginx-extras nginx-common nginx-full apache2 apache2-* -y --allow-change-held-packages

Now, we start installing the webserver nginx:

apt install nginx -y
systemctl enable nginx.service

Move the original configuration aside and create a new one:

mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak && touch /etc/nginx/nginx.conf
nano /etc/nginx/nginx.conf

Copy all the following rows into the new and empty nginx.conf file:

user www-data;
worker_processes auto;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
multi_accept on; use epoll;
}
http {
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log warn;
set_real_ip_from 127.0.0.1;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
include /etc/nginx/mime.types;
default_type application/octet-stream;
sendfile on;
send_timeout 3600;
tcp_nopush on;
tcp_nodelay on;
open_file_cache max=500 inactive=10m;
open_file_cache_errors on;
keepalive_timeout 65;
reset_timedout_connection on;
server_tokens off;
resolver 46.182.19.48 80.241.218.68 1.1.1.1 valid=15s;
resolver_timeout 5s;
include /etc/nginx/conf.d/*.conf;
}

Save the file and create a new vHost file to request your SSL certificates from Let’s Encrypt.

nano /etc/nginx/conf.d/http.conf
server {
        server_name konferenz.dedyn.io;
        listen 80 default_server;
        listen [::]:80 default_server;
        charset utf-8;
        root /var/www;
        location ^~ /.well-known/acme-challenge {
          default_type text/plain;
          root /var/www/letsencrypt;
        }
        location / {
                return 301 https://$host$request_uri;
        }
 }

Save the file and restart the webserver:

service nginx restart

Create the nginx folders

mkdir -p /etc/nginx/sites-available
mkdir -p /etc/nginx/sites-enabled
mkdir -p /etc/nginx/modules-enabled

and install the ufw firewall. Enable the firewall and open the ports for Jitsi-Meet as described here in detail: https://github.com/jitsi/jitsi-meet/blob/master/doc/quick-install.md#advanced-configuration

apt install ufw -y
ufw allow 22/tcp
ufw allow 80/tcp
ufw allow 443/tcp
ufw allow 4443/tcp
ufw allow 10000/udp
ufw logging medium && ufw default deny incoming && ufw enable && service ufw restart

Create the acmeuser to request your ssl certificates:

adduser acmeuser
usermod -a -G www-data acmeuser

Switch into the shell of the new acmeuser and install the acme-software:

su - acmeuser
curl https://get.acme.sh | sh
exit

Create the folders to store the certificates in:

mkdir -p /var/www/letsencrypt/.well-known/acme-challenge /etc/letsencrypt/rsa-certs /etc/letsencrypt/ecc-certs
chmod -R 775 /var/www/letsencrypt /etc/letsencrypt && chown -R www-data:www-data /var/www/ /etc/letsencrypt

Switch back into the shell of the acmeuser again:

su - acmeuser

Request the SSL certificates, for example:

acme.sh --issue -d konferenz.dedyn.io --keylength 4096 -w /var/www/letsencrypt --key-file /etc/letsencrypt/rsa-certs/privkey.pem --ca-file /etc/letsencrypt/rsa-certs/chain.pem --cert-file /etc/letsencrypt/rsa-certs/cert.pem --fullchain-file /etc/letsencrypt/rsa-certs/fullchain.pem

Leave the acmeuser shell:

exit

You will find the new certificates here:

ssl key file:
/etc/letsencrypt/rsa-certs/privkey.pem

ssl certificate file:
/etc/letsencrypt/rsa-certs/fullchain.pem
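
A way to see which permissions the certificate files actually ended up with, given that the chmod above applies mode 775 recursively to /etc/letsencrypt. This is an added example, not part of the original guide; the function names and the temporary sample files are constructed for illustration.

```python
import os
import stat
import tempfile

def is_private_key(path):
    """True if the file starts with a PEM private-key header."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(64)
    except OSError:
        return False
    return head.startswith(b"-----BEGIN") and b"PRIVATE KEY-----" in head

def audit_cert_tree(root):
    """Return (path, octal mode, [issues]) for risky files below root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, ...
            mode = stat.S_IMODE(st.st_mode)
            issues = []
            if is_private_key(path):
                if mode & stat.S_IRGRP:
                    issues.append("private key readable by group")
                if mode & stat.S_IROTH:
                    issues.append("private key readable by others")
            if mode & stat.S_IWOTH:
                issues.append("writable by others")
            if issues:
                findings.append((path, oct(mode), issues))
    return findings

def demo(key_mode):
    """Build a constructed sample tree (placeholder PEM bodies) and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "rsa-certs"))
        samples = {"privkey.pem": b"-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n",
                   "fullchain.pem": b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n"}
        for name, body in samples.items():
            path = os.path.join(root, "rsa-certs", name)
            with open(path, "wb") as fh:
                fh.write(body)
            os.chmod(path, key_mode if name == "privkey.pem" else 0o775)
        return [(os.path.basename(p), m, i) for p, m, i in audit_cert_tree(root)]

if __name__ == "__main__":
    print("mode 775:", demo(0o775))
    print("mode 600:", demo(0o600))
    print("live tree:", audit_cert_tree("/etc/letsencrypt"))
```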

We remove the default configuration of nginx and restart the webserver once again:

cd /etc/nginx/conf.d
mv default.conf default.conf.disabled && touch default.conf
service nginx restart
cd /

2. Installation of Jitsi-Meet:

If you start from scratch (no coturn/stun-server already in place) just issue the following statement to install jitsi-meet:

apt install jitsi-meet -y

If you have a coturn/stun-server already installed on this server just issue this statement instead:

apt install --no-install-recommends jitsi-meet -y

This option (--no-install-recommends) prevents the jitsi-meet installation routine from modifying your coturn/stun server!

In the upcoming dialogues follow my examples:

Replace konferenz.dedyn.io with your domain

First choose “I want to use my own certificate”:

Then paste the location of the private key file first and then the path of the certificate itself:

/etc/letsencrypt/rsa-certs/privkey.pem
privkey.pem – SSL Key

and

/etc/letsencrypt/rsa-certs/fullchain.pem
fullchain.pem – certificate

Confirm with <OK>.

Wait a few minutes; the installation will finish without further interaction.

3. Jitsi-Meet configuration:

Delete the default configuration

rm -f /etc/nginx/sites-enabled/<konferenz.dedyn.io>.conf

and move the file to the nginx conf.d folder:

mv /etc/nginx/sites-available/<konferenz.dedyn.io>.conf /etc/nginx/conf.d/
cd /etc/nginx/conf.d/
mv http.conf http.conf.disabled

Change the port in the vHost file /etc/nginx/conf.d/<konferenz.dedyn.io>.conf from 4444 to 443 and set the TLS version to 1.2:

nano /etc/nginx/conf.d/<konferenz.dedyn.io>.conf
[...]
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name konferenz.dedyn.io;

    ssl_protocols TLSv1.2;
[...]

Modify the stun server configuration:

nano /etc/jitsi/meet/<konferenz.dedyn.io>-config.js

Replace the block containing the Google stun-server with e.g. the following ones:

stunServers: [
    { urls: 'stun:stun.1und1.de:3478' },
    { urls: 'stun:stun.t-online.de:3478' },
    { urls: 'stun:stun.nextcloud.com:443' },
    { urls: 'stun:stun.sipgate.net:3478' }
],

If you run your own coturn/stun-server on this server (as described e.g. here), substitute it accordingly, for example:

stunServers: [
    { urls: 'stun:konferenz.dedyn.io:5349' }
],

Only if you operate your own coturn/stun-server on this server do you also have to make further amendments to the following file:

nano /etc/prosody/conf.d/<konferenz.dedyn.io>.cfg.lua

Substitute this block:

turncredentials_secret = "Your-coturn/stun-secret";

turncredentials = {
{ type = "stun", host = "konferenz.dedyn.io", port = "5349" },
{ type = "turn", host = "konferenz.dedyn.io", port = "5349", transport = "udp" },
{ type = "turns", host = "konferenz.dedyn.io", port = "5349", transport = "tcp" }
};

Ensure the ports of your coturn/stun-server are forwarded/opened and that the secret is the same on both sides: in the coturn/stun-server configuration and in the jitsi-meet configuration files. Further public, non-Google stun-servers can be found here.
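
Why the secret has to be identical on both sides, as an added example that is not from the original guide and is not Prosody or coturn code: with a shared secret, TURN credentials are short-lived values derived by HMAC, so a server holding a different secret derives a different password and authentication fails. The function names, secrets and clock values are constructed, and the sketch assumes the common time-limited TURN credential scheme (username = expiry time, password = base64 of HMAC-SHA1).

```python
import base64
import hashlib
import hmac
import time

def derive_password(secret, username):
    """password = base64(HMAC-SHA1(shared secret, username))."""
    mac = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def issue_credentials(secret, ttl=86400, now=None):
    """Signalling side (role of turncredentials_secret): hand out a
    username that is the expiry time, plus the derived password."""
    now = int(time.time()) if now is None else now
    username = str(now + ttl)
    return username, derive_password(secret, username)

def turn_side_accepts(secret, username, password, now=None):
    """TURN side: re-derive the password from its own copy of the secret.
    A real server never receives the password; it uses the derived value as
    the credential key, so a mismatch shows up as failed authentication."""
    now = int(time.time()) if now is None else now
    try:
        expiry = int(username.split(":", 1)[0])
    except ValueError:
        return False  # username is not a timestamp
    if expiry < now:
        return False  # credential has expired
    return hmac.compare_digest(derive_password(secret, username), password)

def demo():
    """Constructed secrets and clock values, for illustration only."""
    t0 = 1_700_000_000
    good, bad = "same-secret-on-both-sides", "typo-in-coturn-secret"
    user, pw = issue_credentials(good, ttl=3600, now=t0)
    return {
        "username": user,
        "matching_secret": turn_side_accepts(good, user, pw, now=t0 + 60),
        "different_secret": turn_side_accepts(bad, user, pw, now=t0 + 60),
        "after_expiry": turn_side_accepts(good, user, pw, now=t0 + 3601),
    }

if __name__ == "__main__":
    print(demo())
```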

Restart jitsi-meet to enjoy your self-hosted videoconferencing system:

service prosody restart && service jicofo restart && service jitsi-videobridge2 restart

To harden Jitsi please follow this link:
https://github.com/jitsi/jicofo/blob/master/README.md#secure-domain

If you operate behind a NAT follow this link:
https://github.com/jitsi/jitsi-meet/blob/master/doc/quick-install.md#advanced-configuration

Call your videoconference at https://konferenz.dedyn.io and install the mobile app for your preferred cell phone or tablet.


That’s it – enjoy your self hosted videoconferencing system!

If you are fine with this guide, I would really appreciate your donation – thank you very much in advance!

My twins, my wife and me do really appreciate any donation!

Carsten Rieger

Carsten Rieger is a full-time senior system engineer who also works as an IT freelancer. He has been working with Linux environments for more than 15 years, is an Open Source enthusiast and is highly motivated on Linux installation and troubleshooting. He mostly works with Debian/Ubuntu Linux, Nginx and Apache web server, MariaDB/MySQL/PostgreSQL, PHP, Cloud infrastructure (e.g. Nextcloud) and other open source projects (e.g. Roundcube), and has been doing voluntary work for the Dr. Michael & Angela Jacobi Stiftung for more than 7 years.