Jitsi Meet Handbook

Jitsi Meet Handbook

  • Docs
  • Help

›Configuration

Getting Started

  • Introduction
  • Architecture
  • Security
  • FAQ
  • Community-run Jitsi Meet instances

User Guide

  • Overview
  • Join a Jitsi Meeting
  • Start a Jitsi Meeting
  • Share a Jitsi Meeting
  • Use Jitsi Meet on Mobile
  • Jitsi Meet for Google Calendar
  • Basic options
  • Advanced options

Developer Guide

  • Overview
  • Contributing Guidelines
  • Web

    • Start
    • Integrations
    • IFrame API

    Mobile

    • Start
    • Android SDK
    • iOS SDK

Self-Hosting Guide

  • Overview
  • Deployment

    • Debian/Ubuntu server
    • Docker
    • Manual installation

    Configuration

    • Authentication (Secure Domain)
    • Scalable setup
    • TURN setup
    • Speaker Stats
    • Video SIP gateway
    • Cloud API
  • Video Tutorials
  • FAQ
Edit

Secure Domain setup

It is possible to allow only authenticated users to create new conference rooms. Whenever a new room is about to be created, Jitsi Meet will prompt for a user name and password. After the room is created, others will be able to join from anonymous domain. Here's what has to be configured:

Prosody configuration

If you have installed Jitsi Meet from the Debian package, these changes should be made in /etc/prosody/conf.avail/[your-hostname].cfg.lua

Enable authentication

Inside the VirtualHost "[your-hostname]" block, replace anonymous authentication with hashed password authentication:

VirtualHost "jitsi-meet.example.com"
    authentication = "internal_hashed"

Replace jitsi-meet.example.com with your hostname.

Enable anonymous login for guests

Add this block after the previous VirtualHost to enable the anonymous login method for guests:

VirtualHost "guest.jitsi-meet.example.com"
    authentication = "anonymous"
    c2s_require_encryption = false

Note that guest.jitsi-meet.example.com is internal to Jitsi, and you do not need to (and should not) create a DNS record for it, or generate an SSL/TLS certificate, or do any web server configuration. While it is internal, you should still replace jitsi-meet.example.com with your hostname.

Jitsi Meet configuration

In config.js, the anonymousdomain options has to be set.

If you have installed jitsi-meet from the Debian package, these changes should be made in /etc/jitsi/meet/[your-hostname]-config.js.

var config = {
    hosts: {
            domain: 'jitsi-meet.example.com',
            anonymousdomain: 'guest.jitsi-meet.example.com',
            ...
        },
        ...
}

Jicofo configuration

When running Jicofo, specify your main domain in an additional configuration property. Jicofo will accept conference allocation requests only from the authenticated domain.

org.jitsi.jicofo.auth.URL=XMPP:jitsi-meet.example.com

If you have installed Jicofo from the Debian package, this should go directly on a new line in the /etc/jitsi/jicofo/sip-communicator.properties:

org.jitsi.jicofo.auth.URL=XMPP:jitsi-meet.example.com

When using token based authentication, the URL must use EXT_JWT as the scheme instead:

org.jitsi.jicofo.auth.URL=EXT_JWT:jitsi-meet.example.com

Create users in Prosody (internal auth)

Finally, run prosodyctl to create a user in Prosody:

sudo prosodyctl register <username> jitsi-meet.example.com <password>

and then restart prosody, jicofo and jitsi-videobridge2

systemctl restart prosody
systemctl restart jicofo
systemctl restart jitsi-videobridge2

Optional: Jigasi configuration

Enable Authentication

If you are using Jigasi, set it to authenticate by editing the following lines in /etc/jitsi/jigasi/sip-communicator.properties:

org.jitsi.jigasi.xmpp.acc.USER_ID=SOME_USER@SOME_DOMAIN
org.jitsi.jigasi.xmpp.acc.PASS=SOME_PASS
org.jitsi.jigasi.xmpp.acc.ANONYMOUS_AUTH=false

Note that the password is the actual plaintext password, not a base64 encoding.

Debugging

If you experience problems with a certificate chain, you may need to uncomment the following line, also in sip-communicator.properties:

net.java.sip.communicator.service.gui.ALWAYS_TRUST_MODE_ENABLED=true
note

This should only be used for testing/debugging purposes, or in controlled environments. If you confirm that this is the problem, you should then solve it in another way (e.g. get a signed certificate for Prosody, or add the particular certificate to Jigasi’s trust store).

Last updated on 1/21/2021
← Manual installationScalable setup →
  • Prosody configuration
    • Enable authentication
    • Enable anonymous login for guests
  • Jitsi Meet configuration
  • Jicofo configuration
  • Create users in Prosody (internal auth)
  • Optional: Jigasi configuration
    • Enable Authentication
    • Debugging
Jitsi Meet Handbook
Docs
IntroductionUser GuideDeveloper GuideSelf-Hosting Guide
Community
Project Forum
More
Jitsi Meet on GitHubStarHandbook on GitHub
Follow @jitsinews
Copyright © 2021