Table des matières

Installing the container
- Installing nginx
Installation of JitsiMeet
Settings behind a NAT and for using with a dynamic IP
Enabling the authentication

Hosting and installing a server JitsiMeet

Difficulté

Moyen

This server provides you your own system for video conferencing. It should be available at URL “https://jitsi.mydomain.tld” and use a valid SSL certificate.
The server is a LCX contaienr running on Proxmox. It is placed behind an OPNSense which works as a reverse proxy (HAProxy).
The conf of OPNSense (incl. DNS etc…) is out of the scope of this tuto.
The jitsi machine must be reachable at ports 80 TCP, 443 TCP and 10000 UDP.

Installing the container

Installation of a container “Ubuntu 22” on the Proxmox. I set 2 Cores and 4GB RAM.
The next step (not mandatory) is to activate SSH on the container (more comfortable than using the Console of the Proxmox). ⇒ you know what to do….

Installing nginx

# apt-get install nginx

No config needed.

Installation of JitsiMeet

Following this tuto: https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-quickstart

The hostname “jitsi” is given by the container name set in Proxmox. ⇒ check etc/hosts but don't modify!

# apt install software-properties-common
# apt-add-repository universe
# apt update

# curl -sL https://prosody.im/files/prosody-debian-packages.key -o /etc/apt/keyrings/prosody-debian-packages.key
# echo "deb [signed-by=/etc/apt/keyrings/prosody-debian-packages.key] http://packages.prosody.im/debian $(lsb_release -sc) main" | tee /etc/apt/sources.list.d/prosody-debian-packages.list
# apt install lua5.2

# curl -sL https://download.jitsi.org/jitsi-key.gpg.key | sh -c 'gpg --dearmor > /usr/share/keyrings/jitsi-keyring.gpg'
# echo "deb [signed-by=/usr/share/keyrings/jitsi-keyring.gpg] https://download.jitsi.org stable/" | tee /etc/apt/sources.list.d/jitsi-stable.list

# apt-get update
  
# apt install jitsi-meet

During the installation let Jitsi generate a self signed cert.
Reboot and “https://jitsi.mydomain.tld” should now display the welcome screen.

Settings behind a NAT and for using with a dynamic IP

NAT

The following extra lines need to be added to the file /etc/jitsi/videobridge/sip-communicator.properties with the internal and external IPs:

org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=<Local.IP.Address>   | at the beginning of the file
# org.ice4j.ice.harvest.STUN_MAPPING_HARVESTER_ADDRESSES     | add # to comment this line

org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=<Public.IP.Address>       | at the end of the file

dynamic IP

Target: the current external IP must be present into the conf file in order that Jitsi runs correctly.
Following steps are therefore necessary by using a dynamic IP:

a script in order to compare the current external IP with the IP present into the conf file and to replace it if it has changed since last IP-check
run the script at bootup
run the script regularly

Finding the current external IP and enter it into the conf file

(this script comes from an internet forum… and is modified!)

 # nano  /etc/init.d/script_IP.sh

#!/bin/sh
 
### BEGIN INIT INFO
# Provides:          Nom du script
# Required-Start:    $local_fs $network
# Required-Stop:     $local_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Description courte
# Description:       Description longue
### END INIT INFO


DNSNAME="jitsi.domain.tld"                           ##### adjust according your settings

# get the actual IP from the Internet
IPint=$(curl ifcfg.me)

# get the configured IP of Jitsi
IPjitsi=$(grep 'NAT_HARVESTER_PUBLIC_ADDRESS' /etc/jitsi/videobridge/sip-communicator.properties |  grep -oE "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+")

if [ "$IPjitsi" = "$IPint" ]
then
        echo "IP has not been changed!"
        exit 0
fi

#clear config
sed -i '/NAT_HARVESTER_PUBLIC_ADDRESS/d' /etc/jitsi/videobridge/sip-communicator.properties

#get IP and renew line
echo org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=$IPint >> /etc/jitsi/videobridge/sip-communicator.properties

#restart services
systemctl restart jicofo
systemctl restart prosody
systemctl restart jitsi-videobridge2

 # chmod +x /etc/init.d/script_IP.sh

run the script at bootup

Source: https://www.jbnet.fr/systeme/linux/debian-executer-un-script-au-demarrage-de-la-machine.html

# cd /etc/init.d 
# update-rc.d script_IP.sh defaults

run the script every hour

# nano /etc/cron.d/IP_jitsi

0 */1 * * * root /etc/init.d/script_IP.sh

When the script runs, it happens that Jitsi get interrupted (even if the IP is still current) ⇒ I run it only every hour to avoid frequent breakdowns of the communication. As the IP changes only 1x per day I think this is sufficient

Enabling the authentication

into /etc/prosody/conf.avail/jitsi.domain.tld.cfg.lua

VirtualHost "jitsi.domain.tld"
authentication = "internal_hashed"     | instad of jitsi-anonymous

... and add another virtualhost after it:

VirtualHost "guest.jitsi.domain.tld"
    authentication = "anonymous"
    c2s_require_encryption = false

into /etc/jitsi/jicofo/jicofo.conf add at the beginng:

jicofo {
  authentication: {
    enabled: true
    type: XMPP
    login-url: jitsi.domain.tld
  }

create the authenticated user

# prosodyctl register the_user jitsi.domain.tls the_password_of_the_user

or follow this tuto: https://crosstalksolutions.com/how-to-enable-jitsi-server-authentication/