Semaphor blog
Blog: Semaphor

A guide to setting up a Jitsi Meet server with seperate videobridges in 2022.

Introduction


Setting up a Jitsi Meet video conferencing server on Debian / Ubuntu can be as simple as running
$ apt install jitsi-meet
answering a few questions - and voilĂ ! You've get a professional video conferencing solution that can go toe-to-toe with the likes of Microsoft Teams and Zoom, but at a significantly lower cost (it's free!) and without any client-installation requirements. More importantly, the entire setup as well as all data traveling inside, is hosted by you and not seen by others.

While this installation method will suit your needs for proof-of-concept testing or smaller conferences, it is highly advised to separate the videobridge - Jitsi's video and audio stream component - to its own seperate bare-metal server for best performance. Installing Jitsi with a separate videobridge is not difficult, but requires careful setup. Before any packages are installed, observe the following sketch, which outlines one possible setup:


Drawing by Semaphor

Note that this setup includes two servers - colored light blue - and represent what you should achieve by following this guide. Let's observe both in more detail.

The Jitsi Meet server
This server will function just fine as a virtual machine, with the added benefit of the availability of snapshots! This feature will be especially useful when testing new component configurations down the line. The server contains three primary components (not to mention the plethora of extra components developed by the fantastic Jitsi community!).

Firstly, Nginx, the hugely popular and powerful open source lightweight web server / reverse proxy. Nginx will handle all incoming traffic to your Jitsi Meet server and should be accessible both via HTTP and HTTPS, i.e. the server should be listening on port 80 and 443. Mind you, this also means that one should have valid certificates present and accessible by Nginx on the server for TLS to work. Nginx will proxy forward HTTP requests to the appropriate components as well as serve the HTML content shown in the client browser.

Prosody is at the heart of Jitsi. It's an open source XMPP communication server which connects and authenticates all the components of Jitsi, allowing them to communicate with each other. It works by creating several "virtual hosts" built on different plugins written in Lua. The plugin approach creates a ton of room for customization and alteration. Whenever you need to include new plugins, create new components or setup authentication with external servers, Prosody is the place to start.

Whereas Prosody is the heart of the operation, Jicofo is the brains. Jicofo is a contraction of Jitsi Conference Focus and is responsible for managing media session between Jitsi participants and the videobridge. Whenever a new conference is created on the Jitsi Meet server, Jicofo connects to the instance and bridges the gap between participant and videobridge. At the same time, much of the underlying configuration in regards to health-monitoring of internal components is also handled by and configured in Jicofo.

While both the Videobridge and Jicofo authenticates via the Prosody component on port 5222, Prosody will internally also listen on port 5280 for Nginx proxy forwards. As the videobridge is separated from the Jitsi Meet server, containing Prosody, it is essential that Jitsi Meet Server can receive TCP traffic on port 5222 from the videobridge, such that the authentication can occur.

The external Videobridge
Compared to the Jitsi Meet Server, the videobridge - or just bridge - is quite simple and only contains the essential videobridge component, which is called jitsi-videobridge2. The bridge should be run on a bare-metal server for optimal performance. The videobridge component will export statistics used by Jicofo to manage video quality, participant focus etc. on port 9090, which is why it is important to allow TCP connection from the Jitsi Meet Server on port 9090. Mind you, conferences might work if this step is forgotten, but the lacking statistics will manifest as poor video / audio quality as well as participant connection info showing up as N/A (not available) during a meeting. In other words Jicofo will not have the necessary information to manage the conference. The videobridge also needs to have port(s) 10000(-20000) for udp traffic from the public for UDP traffic as these are used for media WebRTC traffic. It is possible to open port 443/tcp from the public on the videobridge as well, which can be used as a fallback port in situations where the client is not allowed to send UDP traffic, although UDP traffic is highly preferred.

Overview of components and ports


Jitsi Meet server
Components:
  • Nginx
  • Prosody
  • Jicofo
Ports:
  • Port 443/tcp open for public traffic
  • Port 80/tcp open for public traffic
  • Port 5222/tcp open for traffic from videobridge only

External Videobridge
Components:
  • jitsi-videobridge2
Ports:
  • Ports 10000-20000/udp open for public traffic
  • Port 9090/tcp open for traffic from Jitsi Meet Server only
  • ( Port 443/tcp open for public traffic )

Installation


This guide was tested to work on two servers running Debian 11.3 as of May 2022.
It is assumed that all commands are run as the super user.

-- Jitsi Meet server --

The first step is to install Nginx and Prosody to the Jitsi Meet server.
$ apt install nginx prosody
A valid certificate and key should now be transferred to the server. One (advisable) option would be use Let's Encrypt (LE) which is even an integrated option in the installation, as will be apparent in just a moment. While we recommend the use of LE, the process is beyond the scope of this guide and we will use our own [your_hostname].key and [your_hostname].crt files, which will be placed in /etc/ssl/. Wildcard certificates will also work just as well. Now, add the official Jitsi repository to your sources by first running the following command:
$ wget -qO - https://download.jitsi.org/jitsi-key.gpg.key | sudo apt-key add -
followed by:
$  sudo sh -c "echo 'deb https://download.jitsi.org stable/' > /etc/apt/sources.list.d/jitsi-stable.list"
and of course:
$ sudo apt update
The next step is to install all the Jitsi resources used by Nginx:
$ apt install jitsi-meet-web jitsi-meet-web-config
Installing these packages will prompt the user some questions. The domain name should be the DNS resolvable name of your Jitsi Meet server, i.e. [your_hostname]. In regards to the certificates, you can either choose the Let's Encrypt option, but for this guide we choose "I will use my own certificate". This will further prompt the user to fill out the absolute path to the [your_hostname].key and [your_hostname].crt file on the server - by default the installation will assume these are located in /etc/ssl, but make doubly sure that the information is correct. When the installation is done, the "default" symlink in /etc/nginx/sites-enabled/ can be removed. You should now install the Prosody configuration package:
$ apt install jitsi-meet-prosody
The user will also be prompted to enter a videobridge secret. This will act as the password used by the external videobridge to authenticate with Prosody. Choose a password and write it down for later use. Finally install Jicofo:
$ apt install jicofo
which will install without any needed user interaction. Once Jicofo install you should restart all services to make sure that all updated configurations are applied:
$ systemctl restart prosody jicofo nginx 
At this point your Jitsi Meet server should be accessible via HTTPS - if not make sure that the location of the [your_hostname].crt and [your_hostname].key files matches the SSL configuration for your domain-specific Nginx configuration:
/etc/nginx/sites-available/[your_hostname].conf
If this is not the issue, attempt to debug Nginx using the syntax checker:
$ sudo nginx -t
If it did work - great! But don't celebrate too early, there is no bridge to host conferences on yet! Attempting to initiate a multi-participant meeting at this point will result in errors as Jicofo's bridge selector will have no options.

Before setting up the videobridge we will first prepare Nginx to locate the statistics exported on port 9090 used by Jicofo for media management. The protocol used to export these stats is called Colibri (Conference lightweight bridging) and the stats are transferred through a web socket initialized when a participant is assigned to a videobridge. Upon installing Jitsi-meet-web, the Jitsi webserver is configured with an upstream server called "jvb1". Just as well there is configured a colibri-ws (web socket) for jvb1. Both of these entries should be commented out - or removed entirely - as they are used for local videobridges, exporting on 127.0.0.1:9090. Instead we add an entry, or modify the original, like so:

    # colibri websocket(s) for videobridge(s)
    location ~ ^/colibri-ws/([0-9.]*)/(.*) {
        proxy_pass http://$1:9090/colibri-ws/$1/$2$is_args$args;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        tcp_nodelay on;
    }

This location will redirect incoming requests for the colibri statistics to port 9090 on the appropriate bridge. The reason we are using regex and not simply the IPv4 address of the videobridge, is to allow this location to redirect to multiple videobridges. Remember to reload Nginx after changes to the configuration file:
$ nginx -s reload
We are now ready to move on to the external videobridge server.

-- External Videobridge server --

Install the jitsi-videobridge2 package to the server:
$ apt install jitsi-videobridge2
The user will be prompted to enter the hostname of the Jitsi Meet Server, that is [your_hostname].

Once the package is installed change into the jitsi-videobridge2 directory, located at /etc/jitsi/videobridge. Start by editing jvb.conf and replace accordingly:

videobridge {
    http-servers {
        public {
            port=9090
        }
    }
    websockets {
        server-id="[videobridge_ip]"                              
        enabled=true
        domain="[your_hostname]:443"
        tls=true
    }
}
Note that the server-id is the IP(v4) address of the Videobridge and not the Jitsi Meet server. The server-id is excatly what will be matched in the regex part of the Nginx config above. Next we must make sure that the videobridge can authenticate with prosody. Edit sip-communicator.properties and once again replace accordingly:
org.ice4j.ice.harvest.DISABLE_AWS_HARVESTER=true
org.ice4j.ice.harvest.STUN_MAPPING_HARVESTER_ADDRESSES=meet-jit-si-turnrelay.jitsi.net:443

org.jitsi.videobridge.ENABLE_STATISTICS=true
org.jitsi.videobridge.STATISTICS_TRANSPORT=muc
                                                                                                                 
org.jitsi.videobridge.xmpp.user.shard.HOSTNAME=[your_hostname]
org.jitsi.videobridge.xmpp.user.shard.DOMAIN=auth.[your_hostname]
org.jitsi.videobridge.xmpp.user.shard.USERNAME=jvb
org.jitsi.videobridge.xmpp.user.shard.PASSWORD=[videobridge_secret]
org.jitsi.videobridge.xmpp.user.shard.MUC_JIDS=JvbBrewery@internal.auth.[your_hostname]
org.jitsi.videobridge.xmpp.user.shard.MUC_NICKNAME=[bridge_nickname]
org.jitsi.videobridge.xmpp.user.shard.DISABLE_CERTIFICATE_VERIFICATION=true
The videobridge_secret is the password you've written down earlier, which was set while installing Jitsi on the main server. If you've forgotten this password or for some other reason need to change it, fret not, it is as simple as running:
$ prosodyctl passwd jvb@auth.[your_hostname]
on the Jitsi Meet server, where Prosody is installed. The USERNAME and PASSWORD are the credentials used by the external videobridges to authenticate with Prosody on the main server. The bridge_nickname must be unique for each bridge. It is recommended to set this to something easily identifiable if you plan to connect several external bridges. Note that presently we have disabled certificate verification, but we will fix this shortly. Finally edit the file simply named config and remove, or comment out, all lines except for the last line JAVA_SYS_PROPS='....'. Restart the videobridge:
$ systemctl restart jitsi-videobridge2
and make sure the service boots successfully by tailing the jvb.log located in /var/log/jitsi/. Look for a line that says "org.eclipse.jetty.server.Server.doStart: Started @XXXXms" - the bridge has booted successfully! If not, go through the configurations above again. Usually the reason can be found in the jvb.log - SASL authentication errors informs that the supplied credentials in sip-communicator are wrong, in case of certificate errors make sure you've properly turned of verification as before...

At this point you should have a functioning Jitsi Meet instance with a seperate videobridge! As a final step let us import the certificates from the main server to the external videobridge, such that we can enable certificate checking. The certificates in question are located in the /etc/prosody/certs directory and are named [your_hostname].crt and auth.[your_hostname].crt - transfer these to the videobridge (you can put them in the /etc/jitsi/videobridge directory). Once they are located on the bridge we will use the command "keytool" to import them into Java's trusted keystore:
$ keytool -importcert -cacerts -file [your_hostname].crt -alias [unique_alias]
$ keytool -importcert -cacerts -file auth.[your_hostname].crt -alias [unique_alias]
The cacerts keystore will be password protected, the default password is "changeit" - yes really. The choice of alias is not hugely important, but needs to be unique and you should assign them a logical name. Once the certificates are imported, set the DISABLE_CERTIFICATE_VERIFICATION setting to false, restart the videobridge and observe that the service boots successfully.

If all goes well you are now the proud owner of a self-hosted Jitsi Meet server with a seprate Videobridge! You should make sure that Jitsi meetings work with more than two participants (optionally you can open the same meeting in three browser tabs). Meetings with three or more participants will be the "final exam" of your setup, as Jitsi will be forced to use a Videobridge depending on your peer-2-peer connection settings. You should also make sure that participant stats are visible to all participants, these can be found by hovering your cursor above another participant's connection icon in a meeting - note that stats will need a short time to integrate at the very beginning of a meeting before the are displayed, this should take around ~5-10 seconds after establishing connection to a bridge.

Adding a new bridge is as simple as following the Videobridge-part of the guide for each new addition, just remember to give your new bridge a unique name! All bridges use the same username and password to authenticate with Prosody. Please know that this guide is not meant to be the end-all solution to running a separate-bridge Jitsi Meet setup, but this has been working with great success for our use-case. Make sure to check out the GitHub page for the project, as the application is ever-evolving! (Link below) and feel free to comment with questions or corrections.

I plan to do a follow-up guide for setting up authentication using JSON web tokens, stay tuned!

This blogpost was not possible without the great Jitsi community:
https://community.jitsi.org/t/tip-websocket-and-the-additional-jvbs/95117
https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-scalable/
https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-manual/
https://meetrix.io/blog/webrtc/jitsi/jitsi-meet-and-firewalls.html

--> https://github.com/jitsi



23-05-2022 12:34

0 Comments

Read - Add comment