Jitsi Meet is a free video conference application. It offers an open-source alternative to proprietary video conferencing applications, such as Skype or Zoom. Anyone can create an encrypted Jitsi video meeting by going to the Jitsi Meet website or installing the free Jitsi app.
The Jitsi Meet service can also be self-hosted. Using the open-source Jitsi Meet server, you can operate private, encrypted videoconferencing on the Internet, on a domain you control.
The following instructions show how to install the Jitsi Meet server on a VPS and configure authorization, so a username and password is required to create new meetings. These steps require an account with a VPS provider, such as Linode or Digital Ocean, and a registered domain name.
Create a Debian 9 VPS
Begin by creating a new VPS for your Jitsi Meet server. In the dashboard of your VPS provider, create a new virtual host running Debian 9, with at least 2 GB of RAM (recommended).
Create a Debian 9 VPS
Update DNS records
Upgrade and secure VPS
Configure firewall
Create a user with sudo rights
Disable root SSH
Add SSH key
Install Jitsi Meet server
Configure Prosody
Create a guest domain
Install module storage_memory
Create Jitsi anonymous domain
Configure Jicofo
Create Jitsi admin users
Restart services
Creating new meetings
In a browser
In the mobile app
Configure firewall
Create a user with sudo rights
Disable root SSH
Add SSH key
Create a guest domain
Install module storage_memory
In a browser
In the mobile app
For example, if you are using Linode, from your Linode dashboard, choose Create > Linode. Under Choose a Distribution, select Debian 9 and a Linode plan that offers 2 GB RAM.
Or, if you are using Digital Ocean, from your Digital Ocean dashboard, choose Create > Droplets. Under Distributions, choose Debian 9.12 x64 and a Droplet plan that offers 2 GB RAM.
Update DNS records
Add A/AAAA DNS records to your domain with the subdomain name and the IPv4/IPv6 address of your new VPS.
For example, to host Jitsi at video.mydomain.com, log in to your domain registrar account, and edit the DNS records for mydomain.com. Add two records for hostname video, one with the IPv4 address (the “A” record), and one with the IPv6 address (the “AAAA” record).
If you don’t want to use a subdomain (e.g., mydomain.com instead of video.mydomain.com), leave the hostname blank in the A/AAAA records.
Upgrade and secure VPS
Open a terminal or command prompt window. SSH to your VPS as the root user.
ssh [email protected]ipaddress
Update the package list and upgrade installed software.
apt update && apt -y upgrade
Install sudo and UFW (Uncomplicated Firewall).
apt install -y sudo ufw
Configure firewall
Configure UFW to allow TCP communication on the ports used by SSH, HTTP, and HTTPS, and to allow UDP traffic on port 10000.
ufw allow ssh ufw allow http ufw allow https ufw allow 10000/udp
Enable the firewall.
ufw enable
Set the hostname of the server to your FQDN, for example, video.mydomain.com.
hostnamectl set-hostname video.mydomain.com
Add the FQDN to your hosts file. Open the file /etc/hosts in a text editor, such as nano.
nano /etc/hosts
Find the line 127.0.0.1 localhost and append your FQDN.
127.0.0.1 localhost video.mydomain.com
Save the file and exit the editor. (In nano, press Ctrl+O, Enter to save the file, and Ctrl+X to exit.)
Create a user with sudo rights
Add a new user account. Replace myuser with your desired username.
adduser myuser
Add this user to the ‘sudo’ group, so it can run commands with sudo.
usermod -aG sudo myuser
Disable root SSH
Open the SSH daemon configuration file in a text editor.
nano /etc/ssh/sshd_config
Find the line PermitRootLogin yes, and change yes to no.
PermitRootLogin no
Save the file and exit the editor (Ctrl+O, Enter, Ctrl+X in nano).
Then, restart the SSH daemon.
systemctl restart sshd
Add SSH key
The following steps add an SSH key to the server to provide stronger security. These steps are optional, but recommended.
If you are still logged in to your SSH session, log out.
logout
If you do not have an existing SSH key, create one on your local machine. (If you have an existing key you want to use, skip this step.)
ssh-keygen
Generating public/private rsa key pair. Enter file in which to save the key (C:\Users\neilg/.ssh/id_rsa):
Press Enter to use the default public/private key file names.
When prompted, choose a strong passphrase as an additional layer of security.
Enter passphrase (empty for no passphrase): This is my passphrase.
Transfer the key to your server using SSH. On Linux and macOS:
ssh-copy-id [email protected]ipaddress
On Windows 10:
cd %USERPROFILE%
type .ssh\id_rsa.pub | ssh [email protected]ipaddress “mkdir -p ~/.ssh; cat » ~/.ssh/authorized_keys”
Log in to the VPS using your SSH key.
When prompted, enter the key passphrase.
Next, disable password-based SSH authentication on the VPS. Open the SSH daemon configuration in a text editor.
sudo nano /etc/ssh/sshd_config
Find the line that reads #PasswordAuthentication yes. Change yes to no, and remove the # to uncomment the line.
PasswordAuthentication no
Save the file and exit the editor. Then, restart the SSH daemon.
sudo systemctl restart sshd
SSH logins are now restricted to users with the public and private key files who know the key passphrase.
As good practice, restrict access to the .ssh directory to your user only.
sudo chmod 600 ~/.ssh/*
sudo chmod 700 ~/.ssh
Install Jitsi Meet server
The following steps install the Jitsi Meet server package on your VPS.
First, enable installation of APT packages over HTTPS.
sudo apt install -y apt-transport-https
Add Jitsi to the list of APT repositories.
echo ‘deb https://download.jitsi.org stable/’ | sudo tee \ /etc/apt/sources.list.d/jitsi-stable.list
Download and install the public encryption key of the Jitsi repository.
wget -qO - https://download.jitsi.org/jitsi-key.gpg.key | sudo \ apt-key add -
Update your APT package list.
sudo apt update
Install the Jitsi Meet server.
sudo apt install -y jitsi-meet
When prompted for the hostname of the current installation, enter your FQDN, including the subdomain, if any.
Choose Generate a new self-signed certificate.
Next, replace the self-signed certificate with a trusted certificate provided by Let’s Encrypt.
sudo /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh
When prompted, enter an e-mail address to receive alerts or notifications about your certificate.
Enter your email and press [ENTER]: [email protected]
Certificate generation should take less than a minute. When it’s done, your Jitsi Meet server is live on the Internet at your domain. You can create new meetings and invite users by sharing the meeting URL.
However, the application is not secure. Anyone who goes to your domain can create a new Jitsi meeting hosted on your server.
To prevent unauthorized access, the following steps enable authentication, so a username and password are required before a meeting is created.
Configure Prosody
Prosody is a component of Jitsi Meet that provides XMPP communication between users and the server. The following steps configure Prosody to authenticate users who create a Jitsi meeting.
Create a guest domain
On the VPS, switch user to root.
sudo su
Change to directory /etc/prosody/conf.avail/.
cd /etc/prosody/conf.avail/
Open the file fqdn.cfg.lua in a text editor.
nano video.mydomain.com.cfg.lua
In the VirtualHost section for your domain, change the authentication method from anonymous to internal_plain.
VirtualHost “video.mydomain.com” … authentication = “internal_plain” …
Above the existing VirtualHost section for your site, insert a new VirtualHost section. The name of this VirtualHost is guest.fqdn. For example, insert the following lines to create a new guest VirtualHost for the site video.mydomain.com.
VirtualHost “guest.video.mydomain.com” authentication = “anonymous” c2s_require_encryption = false modules_enabled = { “bosh”; “pubsub”; “ping”; “speakerstats”; “turncredentials”; “conference_duration”; }
Save the file and exit the editor. Then, exit the root account.
exit
Install module storage_memory
An optional Prosody module, storage_memory, enables a temporary memory storage for persistent information, including user session data. The module source code is available from Prosody’s Mercurial repository.
Install Mercurial on your VPS.
sudo apt install -y mercurial
Create a temporary directory and change to it.
mkdir ~/temp && cd ~/temp
Clone the prosody modules repository to a new directory, prosody_modules.
hg clone ‘https://hg.prosody.im/prosody-modules/' prosody-modules
Copy file mod_storage_memory.lua to directory /usr/lib/prosody/modules.
sudo cp prosody-modules/mod_storage_memory/*.lua /usr/lib/prosody/modules/.
Create a Jitsi anonymous domain
Configure Jitsi Meet to use an anonymous domain for users invited to a meeting.
Open the file /etc/jitsi/meet/fqdn-config.js in a text editor.
sudo nano /etc/jitsi/meet/video.mydomain.com-config.js
In the config variable, in the hosts key, add a new key named anonymousdomain, with the value guest.fqdn.
For example, if your guest domain is guest.video.mydomain.com, the entry should appear as follows. Note that the line ends in a comma.
var config = { … hosts: { … domain: ‘video.mydomain.com’, anonymousdomain: ‘guest.video.mydomain.com’, … }, … }
Save the file and close the text editor.
Configure Jicofo
Jicofo (Jitsi Conference Focus) is a component of Jitsi Meet that manages user sessions. The following steps configure Jicofo’s SIP (Session Initiation Protocol) to use XMPP authentication.
Open the file /etc/jitsi/jicofo/sip-communicator.properties in a text editor.
sudo nano /etc/jitsi/jicofo/sip-communicator.properties
Add a new line with the following configuration. Replace video.mydomain.com with your FQDN.
org.jitsi.jicofo.auth.URL=XMPP:video.mydomain.com
Save the file and exit the editor.
Create Jitsi admin users
Prosody administrative functions are accessed using the prosodyctl command (“Prosody control”).
To create a user/password for Jitsi Meet, run the command prosodyctl register username fqdn password.
sudo prosodyctl register alice video.mydomain.com secretpassword123
Repeat this command for any additional users you want to create.
Restart services
To apply the new configuration, restart the affected services.
Only users who create new meetings require an account. Connecting to an existing meeting does not require authorization.
sudo systemctl restart {prosody,jicofo,jitsi-videobridge2,nginx}
Now, only users with the correct username/password combination can create new meetings on your Jitsi server.
Creating new meetings
Follow these steps to create new meetings on your Jitsi server.
In a browser
On a laptop or desktop computer, open a browser to the address of your Jitsi server.
Under Start a new meeting, type a name for the meeting, and click Go.
This name appears in the URL you share with invitees. Meeting names are not case-sensitive.
Click I am the host.
Enter the Jitsi username and password you created, and click OK.
If authentication is successful, the conference goes live immediately.
In the mobile app
Get the Jitsi app for iOS at the App Store, or for Android at the Play Store.
You only need to authenticate once per browser session. To forget your current login, clear your browser cookies, see: How to enable, disable, view, or delete Internet cookies.
Open the Jitsi Meet app. Tap the menu button and choose Settings.
In settings, under Server URL, enter the domain of your Jitsi server.
Go back to the main app window. Enter a new meeting name, and tap create/join.
Tap OK.
Enter the Jitsi username and password you created, and tap OK.
If the app seems to freeze at “Connecting,” wait a few seconds for authentication to complete.
Related information
- How to work from home.
- List of self-hosted web applications and services.
- How to install Nextcloud on Ubuntu 18.04.
- Software help and support.
