Skip to main content

Self-Hosting Guide - Manual installation

Manual installation is not recommended

We recommend following the quick-install document. The current document describes the steps that are needed to install a working deployment, but steps are easy to mess up, and the debian packages are more up-to-date, where this document is sometimes not updated to reflect latest changes.

This describes configuring a server jitsi.example.com on a Debian-based distribution.
For other distributions you can adapt the steps (especially changing the dependencies package installations (e.g. for nginx) and paths accordingly) so that it matches your host's distribution.
You will also need to generate some passwords for YOURSECRET1, YOURSECRET2 and YOURSECRET3.

There are also some complete example config files available, mentioned in each section.

There are additional configurations to be done for a scalable installation.

Network description

This is how the network looks:

                   +                           +
| |
| |
v |
443 |
+-------+ |
| | |
| Nginx | |
| | |
+--+-+--+ |
| | |
+------------+ | | +--------------+ |
| | | | | | |
| Jitsi Meet +<---+ +--->+ prosody/xmpp | |
| |files 5280 | | |
+------------+ +--------------+ v
5222 ^ ^ 5222 10000
+--------+ | | +-------------+
| | | | | |
| jicofo +----^ ^----+ videobridge |
| | | |
+--------+ +-------------+

Install prosody

apt-get install prosody

Configure prosody

Add config file in /etc/prosody/conf.avail/jitsi.example.com.cfg.lua :

  • add your domain virtual host section:
VirtualHost "jitsi.example.com"
authentication = "anonymous"
ssl = {
key = "/var/lib/prosody/jitsi.example.com.key";
certificate = "/var/lib/prosody/jitsi.example.com.crt";
}
modules_enabled = {
"bosh";
"pubsub";
}
c2s_require_encryption = false
  • add domain with authentication for conference focus user:
VirtualHost "auth.jitsi.example.com"
ssl = {
key = "/var/lib/prosody/auth.jitsi.example.com.key";
certificate = "/var/lib/prosody/auth.jitsi.example.com.crt";
}
authentication = "internal_hashed"
  • add focus user to server admins:
admins = { "focus@auth.jitsi.example.com" }
  • and finally configure components:
Component "conference.jitsi.example.com" "muc"
Component "jitsi-videobridge.jitsi.example.com"
component_secret = "YOURSECRET1"
Component "focus.jitsi.example.com"
component_secret = "YOURSECRET2"

Add link for the added configuration

ln -s /etc/prosody/conf.avail/jitsi.example.com.cfg.lua /etc/prosody/conf.d/jitsi.example.com.cfg.lua

Generate certs for the domain:

prosodyctl cert generate jitsi.example.com
prosodyctl cert generate auth.jitsi.example.com

Add auth.jitsi.example.com to the trusted certificates on the local machine:

ln -sf /var/lib/prosody/auth.jitsi.example.com.crt /usr/local/share/ca-certificates/auth.jitsi.example.com.crt
update-ca-certificates -f

Note that the -f flag is necessary if there are symlinks left from a previous installation.

If you are using a JDK package not provided by Debian, as the ones from adoptjdk, you should also make your JDK aware of the new debian certificate keystore replacing or linking the JDK cacerts. Example, if you use JDK from adoptjdk:

cd /usr/lib/jvm/adoptopenjdk-8-hotspot-amd64/jre
ln -sf /etc/ssl/certs/java/cacerts lib/security/cacerts

Create conference focus user:

prosodyctl register focus auth.jitsi.example.com YOURSECRET3

Restart prosody XMPP server with the new config

prosodyctl restart

Install Nginx

apt-get install nginx

Add a new file jitsi.example.com in /etc/nginx/sites-available (see also the example config file):

server_names_hash_bucket_size 64;

server {
listen 0.0.0.0:443 ssl http2;
listen [::]:443 ssl http2;
# tls configuration that is not covered in this guide
# we recommend the use of https://certbot.eff.org/
server_name jitsi.example.com;
# set the root
root /srv/jitsi-meet;
index index.html;
location ~ ^/([a-zA-Z0-9=\?]+)$ {
rewrite ^/(.*)$ / break;
}
location / {
ssi on;
}
# BOSH, Bidirectional-streams Over Synchronous HTTP
# https://en.wikipedia.org/wiki/BOSH_(protocol)
location /http-bind {
proxy_pass http://localhost:5280/http-bind;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $http_host;
}
# external_api.js must be accessible from the root of the
# installation for the electron version of Jitsi Meet to work
# https://github.com/jitsi/jitsi-meet-electron
location /external_api.js {
alias /srv/jitsi-meet/libs/external_api.min.js;
}
}

Add link for the added configuration

cd /etc/nginx/sites-enabled
ln -s ../sites-available/jitsi.example.com jitsi.example.com

Install Jitsi Videobridge

warning

This method is no longer supported. You can either install the JVB from https://download.jitsi.org/stable/ and follow these Instructions or clone the repo and build it manually.

Visit https://download.jitsi.org/jitsi-videobridge/linux to determine the current build number, download and unzip it:

wget https://download.jitsi.org/jitsi-videobridge/linux/jitsi-videobridge-linux-{arch-buildnum}.zip
unzip jitsi-videobridge-linux-{arch-buildnum}.zip

Install JRE if missing:

apt-get install openjdk-8-jre

NOTE: When installing on older Debian releases keep in mind that you need JRE >= 1.7.

Create ~/.sip-communicator/sip-communicator.properties in the home folder of the user that will be starting Jitsi Videobridge:

mkdir -p ~/.sip-communicator
cat > ~/.sip-communicator/sip-communicator.properties << EOF
org.jitsi.impl.neomedia.transform.srtp.SRTPCryptoContext.checkReplay=false
# The videobridge uses 443 by default with 4443 as a fallback, but since we're already
# running nginx on 443 in this example doc, we specify 4443 manually to avoid a race condition
org.jitsi.videobridge.TCP_HARVESTER_PORT=4443
EOF

Start the videobridge with:

./jvb.sh --host=localhost --domain=jitsi.example.com --secret=YOURSECRET1 &

Or autostart it by adding the line in /etc/rc.local:

/bin/bash /root/jitsi-videobridge-linux-{arch-buildnum}/jvb.sh --host=localhost --domain=jitsi.example.com --secret=YOURSECRET1 </dev/null >> /var/log/jvb.log 2>&1

Install Jitsi Conference Focus (jicofo)

Install JDK and Maven if missing:

apt-get install openjdk-8-jdk maven

NOTE: When installing on older Debian releases keep in mind that you need JDK >= 1.7.

Clone source from Github repo:

git clone https://github.com/jitsi/jicofo.git

Build the package.

cd jicofo
mvn package -DskipTests -Dassembly.skipAssembly=false

Run jicofo:

=======
unzip target/jicofo-1.1-SNAPSHOT-archive.zip
cd jicofo-1.1-SNAPSHOT-archive'
./jicofo.sh --host=localhost --domain=jitsi.example.com --secret=YOURSECRET2 --user_domain=auth.jitsi.example.com --user_name=focus --user_password=YOURSECRET3

Deploy Jitsi Meet

Checkout and configure Jitsi Meet:

cd /srv
git clone https://github.com/jitsi/jitsi-meet.git
cd jitsi-meet
npm install
make

NOTE: When installing on older distributions keep in mind that you need Node.js >= 12 and npm >= 6.

Edit host names in /srv/jitsi-meet/config.js (see also the example config file):

var config = {
hosts: {
domain: 'jitsi.example.com',
muc: 'conference.jitsi.example.com',
bridge: 'jitsi-videobridge.jitsi.example.com',
focus: 'focus.jitsi.example.com'
},
useNicks: false,
bosh: '//jitsi.example.com/http-bind', // FIXME: use xep-0156 for that
//chromeExtensionId: 'diibjkoicjeejcmhdnailmkgecihlobk', // Id of desktop streamer Chrome extension
//minChromeExtVersion: '0.1' // Required version of Chrome extension
};

Verify that nginx config is valid and reload nginx:

nginx -t && nginx -s reload

Running behind NAT

Jitsi Videobridge can run behind a NAT, provided that both required ports are routed (forwarded) to the machine that it runs on. By default these ports are TCP/4443 and UDP/10000.

If you do not route these two ports, Jitsi Meet will only work with video for two people, breaking upon 3 or more people trying to show video.

TCP/443 is required for the webserver which can be running on another machine than the Jitsi Videobrige is running on.

The following extra lines need to be added to the file ~/.sip-communicator/sip-communicator.properties (in the home directory of the user running the videobridge):

org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=<Local.IP.Address>
org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=<Public.IP.Address>

Hold your first conference

You are now all set and ready to have your first meet by going to http://jitsi.example.com

Enabling recording

Jibri is a set of tools for recording and/or streaming a Jitsi Meet conference.