
      How To Install Jitsi Meet on Ubuntu 20.04


      The author selected the Open Internet/Free Speech Fund to receive a donation as part of the Write for DOnations program.

      Introduction

      Jitsi Meet is an open source video-conferencing application based on WebRTC. A Jitsi Meet server provides multi-person video conference rooms that you can access using nothing more than your browser and provides comparable functionality to a Zoom or Skype conference call. The benefit of a Jitsi conference is that all your data only passes through your server and the end-to-end TLS encryption ensures that no one can snoop on the call. With Jitsi you can be sure that your private information stays that way.

      In this tutorial, you will install and configure a Jitsi Meet server on Ubuntu 20.04. The default configuration allows anyone to create a new conference room. This is not ideal for a server that is publicly available on the internet so you will also configure Jitsi Meet so that only registered users can create new conference rooms. After you have created the conference room any users can join as long as they have the unique address and the optional password.

      Prerequisites

      Before you begin this guide you’ll need the following:

      • One Ubuntu 20.04 server set up by following the Initial Server Setup with Ubuntu 20.04 tutorial, including a non-root sudo-enabled user. The size of the server you will need mostly depends on the available bandwidth and the number of participants you expect to be using the server. The following table will give you some idea of what is needed.
      • A domain name configured to point to your server. You can learn how to point domains to DigitalOcean Droplets by following the How To Set Up a Host Name with DigitalOcean tutorial. Throughout this guide, the example domain name jitsi.your_domain is used.

      When you are choosing a server to run your Jitsi Meet instance you will need to consider the system resources needed to host conference rooms. The following benchmark information was collected from a single-core virtual machine using high-quality video settings:

                            CPU    Server Bandwidth
      Two Participants      3%     30Kbps Up, 100Kbps Down
      Three Participants    15%    7Mbps Up, 6.5Mbps Down

      The jump in resource use between two and three participants is because Jitsi will route the call data directly between the clients when there are two of them. When more than two clients are present then call data is routed through the Jitsi Meet server.

      Log in to your server as the non-root, sudo-enabled user before starting Step 1.

      Step 1 — Setting the System Hostname

      In this step, you will change the system’s hostname to match the domain name that you intend to use for your Jitsi Meet instance and resolve that hostname to the localhost IP, 127.0.0.1. Jitsi Meet uses both of these settings when it installs and generates its configuration files.

      First, set the system’s hostname to the domain name that you will use for your Jitsi instance. The following command will set the current hostname and modify the /etc/hostname file, which holds the system’s hostname between reboots:

      • sudo hostnamectl set-hostname jitsi.your_domain

      The command that you ran breaks down as follows:

      • hostnamectl: A utility from the systemd tool suite to manage the system hostname.
      • set-hostname: Sets the system hostname.

      Check that this was successful by running the following:

      This will return the hostname you set with the hostnamectl command:

      Output

      jitsi.your_domain

      Next, you will set a local mapping of the server’s hostname to the loopback IP address, 127.0.0.1. Do this by opening the /etc/hosts file with a text editor:

      Then, add the following line:

      /etc/hosts

      127.0.0.1 jitsi.your_domain
      

      This local mapping of your Jitsi Meet server’s domain name to 127.0.0.1 is important because your Jitsi Meet server uses several networked processes on your server that accept local connections on the 127.0.0.1 IP address from each other. These connections are authenticated and encrypted with a TLS certificate, which is registered to your domain name. Locally mapping the domain name to 127.0.0.1 makes it possible to use the TLS certificate for these local network connections.

      Your server now has the hostname that Jitsi requires when installed. In the next step, you will open the firewall ports that are needed by Jitsi and the TLS certificate installer.

      Step 2 — Configuring the Firewall

      When you followed the Initial Server Setup with Ubuntu 20.04 guide you enabled the UFW firewall and opened the SSH port. The Jitsi server needs some ports opened so that it can communicate with the call clients. Also, the TLS installation process needs to have a port open so that it can authenticate the certificate request.

      The ports that you will open are the following:

      • 80/tcp: Port used in the TLS certificate request.
      • 443/tcp: Port used for the conference room creation web page.
      • 4443/tcp, 10000/udp: Ports that will transmit and receive the encrypted call traffic.

      Run the following ufw commands to open these ports:

      • sudo ufw allow 80/tcp
      • sudo ufw allow 443/tcp
      • sudo ufw allow 4443/tcp
      • sudo ufw allow 10000/udp

      Check that they were all added with the ufw status command:

      You will receive the following output if these ports are open:

      Output

      Status: active

      To                         Action      From
      --                         ------      ----
      OpenSSH                    ALLOW       Anywhere
      80/tcp                     ALLOW       Anywhere
      443/tcp                    ALLOW       Anywhere
      4443/tcp                   ALLOW       Anywhere
      10000/udp                  ALLOW       Anywhere
      OpenSSH (v6)               ALLOW       Anywhere (v6)
      80/tcp (v6)                ALLOW       Anywhere (v6)
      443/tcp (v6)               ALLOW       Anywhere (v6)
      4443/tcp (v6)              ALLOW       Anywhere (v6)
      10000/udp (v6)             ALLOW       Anywhere (v6)

      The server is now ready for the Jitsi installation, which you will complete in the next step.

      Step 3 — Installing Jitsi Meet

      In this step, you will add the Jitsi stable repository to your server and then install the Jitsi Meet package from that repository. This will ensure that you are always running the latest stable Jitsi Meet package.

      First, download the Jitsi GPG key with the wget downloading utility:

      • wget https://download.jitsi.org/jitsi-key.gpg.key

      The apt package manager will use this GPG key to validate the packages that you will download from the Jitsi repository.

      Next, add the GPG key you downloaded to apt’s keyring using the apt-key utility:

      • sudo apt-key add jitsi-key.gpg.key

      You can now delete the GPG key file as it is no longer needed with this command:

      Now, you will add the Jitsi repository to your server by creating a new sources file that contains the Jitsi repository. Open and create the new file:

      • sudo nano /etc/apt/sources.list.d/jitsi-stable.list

      Add this line to the file for the Jitsi repository:

      /etc/apt/sources.list.d/jitsi-stable.list

      deb https://download.jitsi.org stable/
      

      Save and exit the editor.

      Finally, perform a system update to collect the package list from the Jitsi repository and then install the jitsi-meet package:

      • sudo apt update
      • sudo apt install jitsi-meet

      During the installation of jitsi-meet you will be prompted to enter the domain name (for example, jitsi.your_domain) that you want to use for your Jitsi Meet instance.

      Image showing the jitsi-meet installation hostname dialog

      Note: Move the cursor from the hostname field to highlight the <OK> button with the TAB key. Press ENTER when <OK> is highlighted to submit the hostname.

      You will then be shown a new dialog box that asks if you want Jitsi to create and use a self-signed TLS certificate or use an existing one if you have one:

      Image showing the jitsi-meet installation certificate dialog

      If you do not have a TLS certificate for your Jitsi domain select the first, Generate a new self-signed certificate, option.

      Your Jitsi Meet instance is now installed using a self-signed TLS certificate. This will cause browser warnings so you will get a signed TLS certificate in the next step.

      Step 4 — Obtaining a Signed TLS Certificate

      Jitsi Meet uses TLS certificates to encrypt the call traffic so that no one can listen to your call as it travels over the internet. TLS certificates are the same certificates that are used by websites to enable HTTPS URLs.

      Jitsi Meet supplies a script to automatically download a TLS certificate for your domain. Run this certificate installation script provided by Jitsi Meet at /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh with the following command:

      • sudo /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh

      The script prints the following information when you run it and asks you to supply an email address:

      Output

      -------------------------------------------------------------------------
      This script will:
      - Need a working DNS record pointing to this machine(for domain jitsi.your_domain)
      - Download certbot-auto from https://dl.eff.org to /usr/local/sbin
      - Install additional dependencies in order to request Let’s Encrypt certificate
      - If running with jetty serving web content, will stop Jitsi Videobridge
      - Configure and reload nginx or apache2, whichever is used
      - Configure the coturn server to use Let's Encrypt certificate and add required deploy hooks
      - Add command in weekly cron job to renew certificates regularly

      You need to agree to the ACME server's Subscriber Agreement (https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf)
      by providing an email address for important account notifications
      Enter your email and press [ENTER]:

      This email address will be submitted to the certificate issuer https://letsencrypt.org and will be used to notify you about security and other matters related to the certificate. You must enter an email address here to proceed with the installation.

      The script will complete the installation and configuration of an SSL certificate for your Jitsi server without needing any more user input.

      The default configuration for Jitsi Meet is that anyone visiting your Jitsi Meet server homepage can create a new conference room. This will use your server’s system resources to run the conference room and is not desirable for unauthorized users. In the next step, you will configure your Jitsi Meet instance to only allow registered users to create conference rooms.

      Step 5 — Locking Conference Creation

      In this step, you will configure your Jitsi Meet server to only allow registered users to create conference rooms. The files that you will edit were generated by the installer and are configured with your domain name.

      The variable jitsi.your_domain will be used in place of a domain name in the following examples.

      First, open /etc/prosody/conf.avail/jitsi.your_domain.cfg.lua with a text editor:

      • sudo nano /etc/prosody/conf.avail/jitsi.your_domain.cfg.lua

      Edit this line:

      /etc/prosody/conf.avail/jitsi.your_domain.cfg.lua

              authentication = "anonymous"
      

      To:

      /etc/prosody/conf.avail/jitsi.your_domain.cfg.lua

              authentication = "internal_plain"
      

      This configuration tells Jitsi Meet to force username and password authentication before allowing conference room creation by a new visitor.

      Then, in the same file, add the following section to the end of the file:

      /etc/prosody/conf.avail/jitsi.your_domain.cfg.lua

      VirtualHost "guest.jitsi.your_domain"
          authentication = "anonymous"
          c2s_require_encryption = false
      

      This configuration allows anonymous users to join conference rooms that were created by an authenticated user. However, the guest must have a unique address and an optional password for the room to enter it.

      Here, you added guest. to the front of your domain name. For example, the correct name to put here for jitsi.your_domain is guest.jitsi.your_domain. The guest. hostname is only used internally by Jitsi Meet. You will never enter it into a browser or need to create a DNS record for it.

      Open another configuration file at /etc/jitsi/meet/jitsi.your_domain-config.js with a text editor:

      • sudo nano /etc/jitsi/meet/jitsi.your_domain-config.js

      Edit this line:

      /etc/jitsi/meet/jitsi.your_domain-config.js

              // anonymousdomain: 'guest.jitsi.your_domain',
      

      To:

      /etc/jitsi/meet/jitsi.your_domain-config.js

              anonymousdomain: 'guest.jitsi.your_domain',
      

      Again, use the guest.jitsi.your_domain hostname that you used previously. This configuration tells Jitsi Meet what internal hostname to use for the unauthenticated guests.

      Next, open /etc/jitsi/jicofo/sip-communicator.properties:

      • sudo nano /etc/jitsi/jicofo/sip-communicator.properties

      And add the following line to complete the configuration changes:

      /etc/jitsi/jicofo/sip-communicator.properties

      org.jitsi.jicofo.auth.URL=XMPP:jitsi.your_domain
      

      This configuration points one of the Jitsi Meet processes to the local server that performs the user authentication that is now required.

      Your Jitsi Meet instance is now configured so that only registered users can create conference rooms. After a conference room is created, anyone can join it without needing to be a registered user. All they will need is the unique conference room address and an optional password set by the room’s creator.

      Now that Jitsi Meet is configured to require authenticated users for room creation you need to register these users and their passwords. You will use the prosodyctl utility to do this.

      Run the following command to add a user to your server:

      • sudo prosodyctl register user jitsi.your_domain password

      The user that you add here is not a system user. They will only be able to create a conference room and are not able to log in to your server via SSH.

      Finally, restart the Jitsi Meet processes to load the new configuration:

      • sudo systemctl restart prosody.service
      • sudo systemctl restart jicofo.service
      • sudo systemctl restart jitsi-videobridge2.service

      The Jitsi Meet instance will now request a username and password with a dialog box when a conference room is created.

      Image showing the Jitsi username and password box

      Your Jitsi Meet server is now set up and securely configured.

      Conclusion

      In this article, you deployed a Jitsi Meet server that you can use to host secure and private video conference rooms. You can extend your Jitsi Meet instance with instructions from the Jitsi Meet Wiki.




      How To Install Jitsi Meet on Ubuntu 18.04


      The author selected the Open Internet/Free Speech Fund to receive a donation as part of the Write for DOnations program.

      Introduction

      Jitsi Meet is an open source video-conferencing application based on WebRTC. A Jitsi Meet server provides multi-person video conference rooms that you can access using nothing more than your browser and provides comparable functionality to a Zoom or Skype conference call. The benefit of a Jitsi conference is that all your data only passes through your server, and the end-to-end TLS encryption ensures that no one can snoop on your calls. With Jitsi, you can be sure that your private information stays that way.

      In this tutorial, you will install and configure a Jitsi Meet server on Ubuntu 18.04. The default configuration allows anyone to create a new conference room, which is not advisable for servers that are available on the internet, so you will also configure Jitsi Meet so that only registered users can create new conference rooms. After a conference room has been created, any user who has the unique address, and the optional password, can join.

      Prerequisites

      To complete this guide, you will need the following:

      • One Ubuntu 18.04 server set up by following the Initial Server Setup with Ubuntu 18.04 tutorial, including a non-root sudo user. The size of the server you will need mostly depends on the available bandwidth and the number of participants you expect to be using the server. The following table will give you some idea of what is needed.
      • A domain name configured to point to your server. You can learn how to point domains to DigitalOcean Droplets by following the How To Set Up a Host Name with DigitalOcean tutorial. Throughout this guide, the example domain name jitsi.your-domain is used.

      When you are choosing a server to run your Jitsi Meet instance, you will need to consider the system resources needed to host conference rooms. The following benchmark information was collected from a single-core virtual machine using high-quality video settings:

                            CPU    Server Bandwidth
      Two Participants      3%     30 Kbps Up, 100 Kbps Down
      Three Participants    15%    7 Mbps Up, 6.5 Mbps Down

      The jump in resource use between two and three participants is because Jitsi routes the call data directly between the clients when there are two of them. When more than two clients are present, call data is routed through the Jitsi Meet server.

      Step 1: Setting the System Hostname

      In this step, you will change the system’s hostname to match the domain name that you intend to use for your Jitsi Meet instance and resolve that hostname to the localhost IP, 127.0.0.1. Jitsi Meet uses both of these settings when it installs and generates its configuration files.

      First, set the system’s hostname to the domain name that you will use for your Jitsi instance. The following command will set the current hostname and modify /etc/hostname, which holds the hostname between reboots:

      • sudo hostnamectl set-hostname jitsi.your-domain

      The command that you ran breaks down as follows:

      • hostnamectl: A utility from the systemd tool suite used to manage the system hostname.
      • set-hostname: Sets the system hostname.

      Check that this was successful by running the following:

      This returns the hostname you set with the hostnamectl command:

      Output

      jitsi.your-domain

      Next, you will set a local mapping of the hostname to the loopback IP address, 127.0.0.1. Do this by opening the /etc/hosts file with a text editor:

      Then, add the following line:

      /etc/hosts

      127.0.0.1 jitsi.your-domain
      

      Mapping your Jitsi server’s domain name to 127.0.0.1 allows you to use several networked processes that accept local connections from each other on the 127.0.0.1 IP address. These connections are authenticated and encrypted with a TLS certificate, which is registered to your domain name. Locally mapping the domain name to 127.0.0.1 makes it possible to use the TLS certificate for these local network connections.

      Save and close your file.

      Your server now has the hostname that Jitsi requires for installation. In the next step, you will open the firewall ports that are needed by Jitsi and the TLS certificate installer.

      Step 2: Configuring the Firewall

      When you followed the Initial Server Setup with Ubuntu 18.04 guide, you enabled the UFW firewall and opened the SSH port. The Jitsi server needs some ports opened so that it can communicate with the call clients. Also, the TLS installation process needs to have a port open so that it can authenticate the certificate request.

      The ports that you will open are the following:

      • 80/tcp: Used in the TLS certificate request.
      • 443/tcp: Used for the conference room creation web page.
      • 4443/tcp and 10000/udp: Used to transmit and receive the encrypted call traffic.

      Run the following ufw commands to open these ports:

      • sudo ufw allow 80/tcp
      • sudo ufw allow 443/tcp
      • sudo ufw allow 4443/tcp
      • sudo ufw allow 10000/udp

      Check that they were all added with the ufw status command:

      You will see the following output if these ports are open:

      Output

      Status: active

      To                         Action      From
      --                         ------      ----
      OpenSSH                    ALLOW       Anywhere
      80/tcp                     ALLOW       Anywhere
      443/tcp                    ALLOW       Anywhere
      4443/tcp                   ALLOW       Anywhere
      10000/udp                  ALLOW       Anywhere
      OpenSSH (v6)               ALLOW       Anywhere (v6)
      80/tcp (v6)                ALLOW       Anywhere (v6)
      443/tcp (v6)               ALLOW       Anywhere (v6)
      4443/tcp (v6)              ALLOW       Anywhere (v6)
      10000/udp (v6)             ALLOW       Anywhere (v6)

      The server is now ready for the Jitsi installation, which you will complete in the next step.

      Step 3: Installing Jitsi Meet

      In this step, you will add the Jitsi stable repository to your server and then install the Jitsi Meet package from that repository. This ensures that you are always running the latest stable Jitsi Meet package.

      First, download the Jitsi GPG key with the wget downloading utility:

      • wget https://download.jitsi.org/jitsi-key.gpg.key

      The apt package manager will use this GPG key to validate the packages that you download from the Jitsi repository.

      Next, add the GPG key you downloaded to apt’s keyring using the apt-key utility:

      • sudo apt-key add jitsi-key.gpg.key

      You can now delete the GPG key file, as you no longer need it:

      Now, you will add the Jitsi repository to your server by creating a new sources file that contains the Jitsi repository. Open and create the new file with your editor:

      • sudo nano /etc/apt/sources.list.d/jitsi-stable.list

      Add this line to the file for the Jitsi repository:

      /etc/apt/sources.list.d/jitsi-stable.list

      deb https://download.jitsi.org stable/
      

      Save and exit the text editor.

      Finally, perform a system update to collect the package list from the Jitsi repository and then install the jitsi-meet package:

      • sudo apt update
      • sudo apt install jitsi-meet

      During the installation of jitsi-meet, you will be prompted to enter the domain name that you want to use for your Jitsi Meet instance (for example, jitsi.your-domain).

      Image showing the jitsi-meet installation hostname dialog

      Note: Move the cursor from the hostname field to highlight the <OK> button with the TAB key. Press ENTER when <OK> is highlighted to submit the hostname.

      You will then be shown a new dialog box that asks if you want Jitsi to create and use a self-signed TLS certificate or use one that you already have:

      Image showing the jitsi-meet installation certificate dialog

      If you do not have a TLS certificate for your Jitsi domain, select the first option: Generate a new self-signed certificate.

      Your Jitsi Meet instance is now installed with a self-signed TLS certificate. This will cause browser warnings, so you will get a signed TLS certificate in the next step.

      Step 4: Obtaining a Signed TLS Certificate

      Jitsi Meet uses TLS certificates to encrypt the call traffic so that no one can listen to your calls as they travel over the internet. TLS certificates are the same certificates that websites use to enable HTTPS URLs.

      Jitsi Meet supplies a program that automatically downloads a TLS certificate for your domain name using the Certbot utility. You will need to install this utility before you can run the certificate installation script.

      First, add the Certbot repository to your system to make sure you have the latest version of Certbot. Run the following command to add the new repository and update your system:

      • sudo add-apt-repository ppa:certbot/certbot

      Next, install the certbot package:

      Your server is now ready to run the TLS certificate installation program provided by Jitsi Meet:

      • sudo /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh

      When you run the script, you will be shown the following prompt, which asks for an email address:

      Output

      -------------------------------------------------------------------------
      This script will:
      - Need a working DNS record pointing to this machine(for domain jitsi.example.com)
      - Download certbot-auto from https://dl.eff.org to /usr/local/sbin
      - Install additional dependencies in order to request Let’s Encrypt certificate
      - If running with jetty serving web content, will stop Jitsi Videobridge
      - Configure and reload nginx or apache2, whichever is used
      - Configure the coturn server to use Let's Encrypt certificate and add required deploy hooks
      - Add command in weekly cron job to renew certificates regularly

      You need to agree to the ACME server's Subscriber Agreement (https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf)
      by providing an email address for important account notifications
      Enter your email and press [ENTER]:

      This email address will be submitted to the certificate issuer https://letsencrypt.org and will be used to notify you about security and other matters related to the TLS certificate. You must enter an email address here to proceed with the installation. The installation will then complete without any further prompts.

      When it finishes, your Jitsi Meet instance will be configured to use a signed TLS certificate for your domain name. Certificate renewals will also happen automatically because the installer placed a renewal script at /etc/cron.weekly/letsencrypt-renew that will run each week.

      The TLS certificate installer used port 80 to verify that you control your domain name. Now that you have obtained the certificate, your server no longer needs to have port 80 open, because port 80 is used for regular, unencrypted HTTP traffic. Jitsi Meet only serves its website via HTTPS on port 443.

      Close this port in your firewall with the following ufw command:

      • sudo ufw delete allow 80/tcp
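
      Step 2 of both tutorials compares the ufw status listing by eye, and this tutorial has just removed the 80/tcp rule. The script below is an added example, not part of the original tutorial: it parses ufw status output and reports rules that are missing or left over relative to an expected list. The function names and the two rule lists are assumptions, and the sample output is constructed from the listing shown in Step 2.

```shell
#!/bin/sh
# Added example, not from the tutorial. Function names are hypothetical.

# ufw_allowed: read `ufw status` output on stdin and print the "To" column of
# every IPv4 ALLOW rule. Prints nothing when the firewall is not active.
ufw_allowed() {
    awk '
        /^Status:/ { active = ($2 == "active"); next }
        # IPv6 rows read "80/tcp (v6) ALLOW ...", so their second field is "(v6)".
        active && $2 == "ALLOW" { print $1 }'
}

# audit_ufw "EXPECTED RULES" < ufw-status-output
# Reports rules that are missing or not on the expected list.
# The return status is the number of problems found.
audit_ufw() {
    expected=$1
    actual=" $(ufw_allowed | tr '\n' ' ')"
    problems=0
    for rule in $expected; do
        case "$actual" in
            *" $rule "*) ;;
            *) echo "missing: $rule"; problems=$((problems + 1)) ;;
        esac
    done
    for rule in $actual; do
        case " $expected " in
            *" $rule "*) ;;
            *) echo "unexpected: $rule"; problems=$((problems + 1)) ;;
        esac
    done
    return "$problems"
}

# Constructed sample: the status listing from Step 2, before port 80 is closed.
sample_status() {
    cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
4443/tcp                   ALLOW       Anywhere
10000/udp                  ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
4443/tcp (v6)              ALLOW       Anywhere (v6)
10000/udp (v6)             ALLOW       Anywhere (v6)
EOF
}

# Assumed rule lists: the ports opened in Step 2, and the same list once
# 80/tcp has been removed after the certificate was issued.
DURING_INSTALL="OpenSSH 80/tcp 443/tcp 4443/tcp 10000/udp"
AFTER_CERT="OpenSSH 443/tcp 4443/tcp 10000/udp"

sample_status | audit_ufw "$DURING_INSTALL" && echo "install-time rules: ok"
sample_status | audit_ufw "$AFTER_CERT" ||
    echo "$? problem(s) against the post-certificate rule list"
```

      On the server itself, replace sample_status with sudo ufw status, for example: sudo ufw status | audit_ufw "$AFTER_CERT".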

      Your Jitsi Meet server is now up and available for testing. Open a browser and go to your domain name. You can create a new conference room and invite others to join.

      With the default Jitsi Meet configuration, anyone visiting your Jitsi Meet server homepage can create a new conference room. Your server’s system resources will be used to run the conference rooms, so it is not desirable for unauthorized users to be able to create them. In the next step, you will configure your Jitsi Meet instance so that only registered users can create conference rooms.

      Step 5: Locking Conference Creation

      In this step, you will configure your Jitsi Meet instance so that only registered users can create conference rooms. The files that you will edit were generated by the installer and are configured with your domain name.

      The variable your_domain will be used in place of a domain name in the following examples.

      First, open /etc/prosody/conf.avail/your_domain.cfg.lua with a text editor:

      • sudo nano /etc/prosody/conf.avail/your_domain.cfg.lua

      Edit this line:

      /etc/prosody/conf.avail/your_domain.cfg.lua

      ...
              authentication = "anonymous"
      ...
      

      To:

      /etc/prosody/conf.avail/your_domain.cfg.lua

      ...
              authentication = "internal_plain"
      ...
      

      This configuration tells Jitsi Meet to require username and password authentication before allowing new visitors to create conference rooms.

      Then, in the same file, add the following section to the end:

      /etc/prosody/conf.avail/your_domain.cfg.lua

      ...
      VirtualHost "guest.your_domain"
          authentication = "anonymous"
          c2s_require_encryption = false
      

      This configuration allows anonymous users to join conference rooms that were created by authenticated users. However, to enter a room, guests must have the unique address and the optional password.

      Here, you added guest. to the front of your domain name. For example, for jitsi.your-domain you would enter guest.jitsi.your-domain. The guest. hostname is only used internally by Jitsi Meet. You will never enter it into a browser or need to create a DNS record for it.

      Open another configuration file at /etc/jitsi/meet/your_domain-config.js with a text editor:

      • sudo nano /etc/jitsi/meet/your_domain-config.js

      Edit this line:

      /etc/jitsi/meet/your_domain-config.js

      ...
              // anonymousdomain: 'guest.example.com',
      ...
      

      To:

      /etc/jitsi/meet/your_domain-config.js

      ...
              anonymousdomain: 'guest.your_domain',
      ...
      

      Again, by using the guest.your_domain hostname that you used earlier, this configuration tells Jitsi Meet which internal hostname to use for the unauthenticated guests.

      Next, open /etc/jitsi/jicofo/sip-communicator.properties:

      • sudo nano /etc/jitsi/jicofo/sip-communicator.properties

      Add the following line to complete the configuration changes:

      /etc/jitsi/jicofo/sip-communicator.properties

      org.jitsi.jicofo.auth.URL=XMPP:your_domain
      

      This configuration points one of the Jitsi Meet processes to the local server that performs the user authentication that is now required.

      Your Jitsi Meet instance is now configured so that only registered users can create conference rooms. After a conference room is created, anyone can join it without needing to be a registered user. All they will need is the unique conference room address and the optional password set by the room’s creator.

      Now that Jitsi Meet is configured so that only authenticated users can create rooms, you need to register these users and their passwords. You will use the prosodyctl utility to do this.

      Run the following command to add a user to your server:

      • sudo prosodyctl register user your_domain password

      The users that you add here are not system users. They can only create conference rooms and cannot log in to your server via SSH.

      Finally, restart the Jitsi Meet processes to load the new configuration:

      • sudo systemctl restart prosody.service
      • sudo systemctl restart jicofo.service
      • sudo systemctl restart jitsi-videobridge2.service

      The Jitsi Meet instance will now request a username and password with a dialog box when a conference room is created.

      Image showing the Jitsi username and password box

      You now have a Jitsi Meet server that is installed and securely configured.

      Conclusión

      En este artículo, implementó un servidor de Jitsi Meet que puede utilizar para alojar salas de videoconferencias seguras y privadas. Puede ampliar su instancia de Jitsi Meet con instrucciones de la wiki de Jitsi Meet.




      How To Install Jitsi Meet on Debian 10


      The author selected the Open Internet/Free Speech Fund to receive a donation as part of the Write for DOnations program.

      Introduction

      Jitsi Meet is an open-source video-conferencing application based on WebRTC. A Jitsi Meet server provides multi-person video conference rooms that you can access using nothing more than your browser and provides comparable functionality to a Zoom or Skype conference call. The benefit of a Jitsi conference is that all your data only passes through your server, and the end-to-end TLS encryption ensures that no one can snoop on the call. With Jitsi you can be sure that your private information stays that way.

      In this tutorial, you will install and configure a Jitsi Meet server on Debian 10. The default configuration allows anyone to create a new conference room. This is not ideal for a server that is publicly available on the internet so you will also configure Jitsi Meet so that only registered users can create new conference rooms. After you have created the conference room, any users can join, as long as they have the unique address and the optional password.

      Prerequisites

      Before you begin this guide you’ll need the following:

      • One Debian 10 server set up by following the Initial Server Setup with Debian 10 tutorial, including a non-root sudo-enabled user. The size of the server you will need mostly depends on the available bandwidth and the number of participants you expect to be using the server. The following table will give you some idea of what is needed.
      • A domain name configured to point to your server. You can learn how to point domains to DigitalOcean Droplets by following the How To Set Up a Host Name with DigitalOcean tutorial. Throughout this guide, the example domain name jitsi.your-domain is used.

      When you are choosing a server to run your Jitsi Meet instance you will need to consider the system resources needed to host conference rooms. The following benchmark information was collected from a single-core virtual machine using high-quality video settings:

                              CPU    Server Bandwidth
      Two Participants        3%     30Kbps Up, 100Kbps Down
      Three Participants      15%    7Mbps Up, 6.5Mbps Down

      The jump in resource use between two and three participants is because Jitsi will route the call data directly between the clients when there are two of them. When more than two clients are present then call data is routed through the Jitsi Meet server.

      Step 1 — Setting the System Hostname

      In this step, you will change the system’s hostname to match the domain name that you intend to use for your Jitsi Meet instance and resolve that hostname to the localhost IP, 127.0.0.1. Jitsi Meet uses both of these settings when it installs and generates its configuration files.

      First, set the system’s hostname to the domain name that you will use for your Jitsi instance. The following command will set the current hostname and modify the /etc/hostname file, which holds the system’s hostname between reboots:

      • sudo hostnamectl set-hostname jitsi.your-domain

      The command that you ran breaks down as follows:

      • hostnamectl is a utility from the systemd tool suite to manage the system hostname.
      • set-hostname sets the system hostname.

      Check that this was successful by running the following:

      This will return the hostname you set with the hostnamectl command:

      Output

      jitsi.your-domain

      Next, you will set a local mapping of the server’s hostname to the loopback IP address, 127.0.0.1. Do this by opening the /etc/hosts file with a text editor:

      Then, add the following line:

      /etc/hosts

      127.0.0.1 jitsi.your-domain
      

      Mapping your Jitsi Meet server’s domain name to 127.0.0.1 allows your Jitsi Meet server to use several networked processes that accept local connections from each other on the 127.0.0.1 IP address. These connections are authenticated and encrypted with a TLS certificate, which is registered to your domain name. Locally mapping the domain name to 127.0.0.1 makes it possible to use the TLS certificate for these local network connections.

      Save and exit your file.

      Your server now has the hostname that Jitsi requires for installation. In the next step, you will open the firewall ports that are needed by Jitsi and the TLS certificate installer.

      Step 2 — Configuring the Firewall

      When you followed the Initial Server Setup with Debian 10 guide you enabled the UFW firewall and opened the SSH port. The Jitsi server needs some ports opened so that it can communicate with the call clients. Also, the TLS installation process needs to have a port open so that it can authenticate the certificate request.

      The ports that you will open are the following:

      • 80/tcp used in the TLS certificate request.
      • 443/tcp used for the conference room creation web page.
      • 4443/tcp,10000/udp used to transmit and receive the encrypted call traffic.

      Run the following ufw commands to open these ports:

      • sudo ufw allow 80/tcp
      • sudo ufw allow 443/tcp
      • sudo ufw allow 4443/tcp
      • sudo ufw allow 10000/udp

      Check that they were all added with the ufw status command:

      You will see the following output if these ports are open:

      Output

      Status: active

      To                         Action      From
      --                         ------      ----
      OpenSSH                    ALLOW       Anywhere
      80/tcp                     ALLOW       Anywhere
      443/tcp                    ALLOW       Anywhere
      4443/tcp                   ALLOW       Anywhere
      10000/udp                  ALLOW       Anywhere
      OpenSSH (v6)               ALLOW       Anywhere (v6)
      80/tcp (v6)                ALLOW       Anywhere (v6)
      443/tcp (v6)               ALLOW       Anywhere (v6)
      4443/tcp (v6)              ALLOW       Anywhere (v6)
      10000/udp (v6)             ALLOW       Anywhere (v6)
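
      To confirm that the firewall exposes exactly the rules shown in this step and nothing more, the following added example (not part of the original tutorial) parses ufw status output and reports any missing or unexpected ALLOW rules. The names audit_ufw and sample_ufw_status and the sample output are constructed for this example.

```sh
#!/bin/sh
# Compare `ufw status` output (stdin) against the rules this step sets up.
# audit_ufw and sample_ufw_status are names made up for this example.

audit_ufw() {  # usage: sudo ufw status | audit_ufw ["RULE RULE ..."]
    awk -v want="${1:-OpenSSH 80/tcp 443/tcp 4443/tcp 10000/udp}" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) need[w[i]] = 1 }
        $1 == "Status:" { active = ($2 == "active"); next }
        # IPv4 rows read "80/tcp ALLOW Anywhere"; IPv6 rows add "(v6)" after $1.
        $2 == "ALLOW" || ($2 == "(v6)" && $3 == "ALLOW") {
            if ($1 in need) seen[$1] = 1
            else if (!($1 in extra)) { extra[$1] = 1; print "unexpected: " $1; bad = 1 }
        }
        END {
            if (!active) { print "firewall is not active"; bad = 1 }
            for (i = 1; i <= n; i++)
                if (!(w[i] in seen)) { print "missing: " w[i]; bad = 1 }
            exit bad + 0
        }'
}

# Constructed sample: the tutorial rules plus one optional stray rule ($1).
sample_ufw_status() {
    printf '%s\n' "Status: active" "" \
        "To                         Action      From" \
        "--                         ------      ----" \
        "OpenSSH                    ALLOW       Anywhere" \
        "80/tcp                     ALLOW       Anywhere" \
        "443/tcp                    ALLOW       Anywhere" \
        "4443/tcp                   ALLOW       Anywhere" \
        "10000/udp                  ALLOW       Anywhere" \
        "OpenSSH (v6)               ALLOW       Anywhere (v6)" \
        "10000/udp (v6)             ALLOW       Anywhere (v6)"
    [ -z "${1:-}" ] || printf '%s\n' "$1                   ALLOW       Anywhere"
}

sample_ufw_status | audit_ufw && echo "firewall matches Step 2"
```

      The function exits non-zero when anything is missing or unexpected, so it can gate a provisioning script.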

      The server is now ready for the Jitsi installation, which you will complete in the next step.

      Step 3 — Installing Jitsi Meet

      In this step, you will add the Jitsi stable repository to your server and then install the Jitsi Meet package from that repository. This will ensure that you are always running the latest stable Jitsi Meet package.

      First, install the gnupg package that enables the system to manage GPG cryptographic keys:

      Next, download the Jitsi GPG key with the wget downloading utility:

      • wget https://download.jitsi.org/jitsi-key.gpg.key

      The apt package manager will use this GPG key to validate the packages that you will download from the Jitsi repository.

      Now, add the GPG key you downloaded to apt’s keyring using the apt-key utility:

      • sudo apt-key add jitsi-key.gpg.key

      You can now delete the GPG key file as it is no longer needed:

      Now, you will add the Jitsi repository to your server by creating a new source file that contains the Jitsi repository. Open and create the new file with your editor:

      • sudo nano /etc/apt/sources.list.d/jitsi-stable.list

      Add this line to the file for the Jitsi repository:

      /etc/apt/sources.list.d/jitsi-stable.list

      deb https://download.jitsi.org stable/
      

      Save and exit your editor.

      Finally, perform a system update to collect the package list from the Jitsi repository and then install the jitsi-meet package:

      • sudo apt update
      • sudo apt install jitsi-meet

      During the installation of jitsi-meet you will be prompted to enter the domain name (for example, jitsi.your-domain) that you want to use for your Jitsi Meet instance.

      Image showing the jitsi-meet installation hostname dialog

      Note: You move the cursor from the hostname field to highlight the <OK> button with the TAB key. Press ENTER when <OK> is highlighted to submit the hostname.

      You will then be shown a new dialog box that asks if you want Jitsi to create and use a self-signed TLS certificate or use an existing one you already have:

      Image showing the jitsi-meet installation certificate dialog

      If you do not have a TLS certificate for your Jitsi domain, select the first option, Generate a new self-signed certificate.

      Your Jitsi Meet instance is now installed using a self-signed TLS certificate. This will cause browser warnings, so you will get a signed TLS certificate in the next step.

      Step 4 — Obtaining a Signed TLS Certificate

      Jitsi Meet uses TLS certificates to encrypt the call traffic so that no one can listen to your call as it travels over the internet. TLS certificates are the same certificates that are used by websites to enable HTTPS URLs.

      Jitsi Meet supplies a program to automatically download a TLS certificate for your domain name that uses the Certbot utility. You will need to install this program before you run the certificate installation script.

      First, install the certbot package with the following command:

      Your server is now ready to run the TLS certificate installation program provided by Jitsi Meet:

      • sudo /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh

      When you run the script you will be shown the following prompt for an email address:

      Output

      -------------------------------------------------------------------------
      This script will:
      - Need a working DNS record pointing to this machine(for domain jitsi.example.com)
      - Download certbot-auto from https://dl.eff.org to /usr/local/sbin
      - Install additional dependencies in order to request Let’s Encrypt certificate
      - If running with jetty serving web content, will stop Jitsi Videobridge
      - Configure and reload nginx or apache2, whichever is used
      - Configure the coturn server to use Let's Encrypt certificate and add required deploy hooks
      - Add command in weekly cron job to renew certificates regularly

      You need to agree to the ACME server's Subscriber Agreement (https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf)
      by providing an email address for important account notifications
      Enter your email and press [ENTER]:

      This email address will be submitted to the certificate issuer https://letsencrypt.org and will be used to notify you about security and other matters related to the TLS certificate. You must enter an email address here to proceed with the installation. The installation will then complete without any further prompts.

      When it finishes, your Jitsi Meet instance will be configured to use a signed TLS certificate for your domain name. Certificate renewals will also happen automatically because the installer placed a renewal script at /etc/cron.weekly/letsencrypt-renew that will run each week.

      Your Jitsi Meet server is now up and running and available for testing. Open a browser and point it to your domain name. You will be able to create a new conference room and invite others to join you.

      The default configuration for Jitsi Meet is that anyone visiting your Jitsi Meet server homepage can create a new conference room. This will use your server’s system resources to run the conference room and is not desirable for unauthorized users. In the next step, you will configure your Jitsi Meet instance to only allow registered users to create conference rooms.

      Step 5 — Locking Conference Creation

      In this step, you will configure your Jitsi Meet server to only allow registered users to create conference rooms. The files that you will edit were generated by the installer and are configured with your domain name.

      The variable your_domain will be used in place of a domain name in the following examples.

      First, open /etc/prosody/conf.avail/your_domain.cfg.lua with a text editor:

      • sudo nano /etc/prosody/conf.avail/your_domain.cfg.lua

      Edit this line:

      /etc/prosody/conf.avail/your_domain.cfg.lua

      ...
              authentication = "anonymous"
      ...
      

      To the following:

      /etc/prosody/conf.avail/your_domain.cfg.lua

      ...
              authentication = "internal_plain"
      ...
      

      This configuration tells Jitsi Meet to force username and password authentication before allowing conference room creation by a new visitor.

      Then, in the same file, add the following section to the end of the file:

      /etc/prosody/conf.avail/your_domain.cfg.lua

      ...
      VirtualHost "guest.your_domain"
          authentication = "anonymous"
          c2s_require_encryption = false
      

      This configuration allows anonymous users to join conference rooms that were created by an authenticated user. However, a guest must have the room's unique address, and its password if one was set, to enter it.

      Here, you added guest. to the front of your domain name. For example, for jitsi.your-domain you would put guest.jitsi.your-domain. The guest. hostname is only used internally by Jitsi Meet. You will never enter it into a browser or need to create a DNS record for it.

      Open another configuration file at /etc/jitsi/meet/your_domain-config.js with a text editor:

      • sudo nano /etc/jitsi/meet/your_domain-config.js

      Edit this line:

      /etc/jitsi/meet/your_domain-config.js

      ...
              // anonymousdomain: 'guest.example.com',
      ...
      

      To the following:

      /etc/jitsi/meet/your_domain-config.js

      ...
              anonymousdomain: 'guest.your_domain',
      ...
      

      Again, by using the guest.your_domain hostname that you used earlier, this configuration tells Jitsi Meet what internal hostname to use for the unauthenticated guests.

      Next, open /etc/jitsi/jicofo/sip-communicator.properties:

      • sudo nano /etc/jitsi/jicofo/sip-communicator.properties

      And add the following line to complete the configuration changes:

      /etc/jitsi/jicofo/sip-communicator.properties

      org.jitsi.jicofo.auth.URL=XMPP:your_domain
      

      This configuration points one of the Jitsi Meet processes to the local server that performs the user authentication that is now required.

      Your Jitsi Meet instance is now configured so that only registered users can create conference rooms. After a conference room is created, anyone can join it without needing to be a registered user. All they will need is the unique conference room address and an optional password set by the room’s creator.

      Now that Jitsi Meet is configured to require authenticated users for room creation you need to register these users and their passwords. You will use the prosodyctl utility to do this.

      Run the following command to add a user to your server:

      • sudo prosodyctl register user your_domain password

      The user that you add here is not a system user. They will only be able to create a conference room and are not able to log in to your server via SSH.

      Finally, restart the Jitsi Meet and Nginx processes to load the new configuration:

      • sudo systemctl restart prosody.service
      • sudo systemctl restart jicofo.service
      • sudo systemctl restart jitsi-videobridge2.service
      • sudo systemctl restart nginx

      The Jitsi Meet instance will now request a username and password with a dialog box when a conference room is created.

      Image showing the Jitsi username and password box

      Your Jitsi Meet server is now set up and securely configured.
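
      One way to confirm that the three Step 5 edits took effect (the same edits close the Ubuntu 20.04 guide above), as an added example that is not part of the original tutorial or of the Jitsi project. It reads each setting from the block it belongs to, because searching the whole Prosody file for internal_plain can match a different host and pass a server whose main host is still anonymous. The function names, the optional root prefix and the jitsi.example.org sample files are assumptions constructed for this example.

```sh
#!/bin/sh
# Audit the three Step 5 edits. File paths follow the tutorial; the function
# names, the optional ROOT prefix and the sample files are this example's own.

# Print the authentication value set inside the block for host $1 in file $2.
vhost_auth() {
    awk -v host="$1" '
        /^[ \t]*--/ { next }                         # ignore Lua comments
        /^[ \t]*(VirtualHost|Component)[ \t]/ {      # a new block begins
            in_host = (index($0, "\"" host "\"") > 0); next }
        in_host && /^[ \t]*authentication[ \t]*=/ {
            split($0, q, "\""); print q[2]; exit }' "$2"
}

check() {  # check LABEL ACTUAL EXPECTED; sets rc=1 on a mismatch
    if [ "$2" = "$3" ]; then echo "ok   $1 = $2"
    else echo "FAIL $1: got '${2:-unset}', want '$3'"; rc=1; fi
}

audit_room_lock() {  # audit_room_lock DOMAIN [ROOT]
    d=$1; root=${2:-}; rc=0
    lua="$root/etc/prosody/conf.avail/$d.cfg.lua"
    js="$root/etc/jitsi/meet/$d-config.js"
    props="$root/etc/jitsi/jicofo/sip-communicator.properties"
    check "prosody $d authentication" "$(vhost_auth "$d" "$lua")" internal_plain
    check "prosody guest.$d authentication" "$(vhost_auth "guest.$d" "$lua")" anonymous
    # A line still commented out with // does not match the anchored pattern.
    anon=$(sed -n "s/^[[:space:]]*anonymousdomain:[[:space:]]*'\([^']*\)'.*/\1/p" "$js")
    check "config.js anonymousdomain" "$anon" "guest.$d"
    check "jicofo auth.URL" \
        "$(sed -n 's/^org\.jitsi\.jicofo\.auth\.URL=//p' "$props")" "XMPP:$d"
    return $rc
}

# Constructed sample tree under $1; $2 is the main host's authentication value.
# The auth. host shows why grepping the whole file for internal_plain misleads.
make_sample() {
    s=jitsi.example.org
    mkdir -p "$1/etc/prosody/conf.avail" "$1/etc/jitsi/meet" "$1/etc/jitsi/jicofo"
    printf '%s\n' "VirtualHost \"$s\"" "    -- authentication = \"anonymous\"" \
        "    authentication = \"$2\"" \
        "VirtualHost \"auth.$s\"" "    authentication = \"internal_plain\"" \
        "VirtualHost \"guest.$s\"" "    authentication = \"anonymous\"" \
        "    c2s_require_encryption = false" > "$1/etc/prosody/conf.avail/$s.cfg.lua"
    printf '%s\n' "var config = { hosts: {" "    domain: '$s'," \
        "    // anonymousdomain: 'guest.example.com'," \
        "    anonymousdomain: 'guest.$s'," "} };" > "$1/etc/jitsi/meet/$s-config.js"
    printf '%s\n' "org.jitsi.jicofo.auth.URL=XMPP:$s" \
        > "$1/etc/jitsi/jicofo/sip-communicator.properties"
}

# Demo on the sample; on a real server run: audit_room_lock your_domain
demo=$(mktemp -d); make_sample "$demo" internal_plain
audit_room_lock jitsi.example.org "$demo"; rm -rf "$demo"
```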

      Conclusion

      In this article, you deployed a Jitsi Meet server that you can use to host secure and private video conference rooms. You can extend your Jitsi Meet instance with instructions from the Jitsi Meet Wiki.


