The following instructions were tested as working on Ubuntu 16.04.6 LTS, though other linux variants may also work. Additionally, the instructions installed the following Jitsi versions.
dpkg -l | grep jitsi
ii jitsi-meet 2.0.4468-1
ii jitsi-meet-prosody 1.0.4025-1
ii jitsi-meet-web 1.0.4025-1
ii jitsi-meet-web-config 1.0.4025-1
ii jitsi-videobridge2 2.1-183-gdbddd169-1
Before you get started on the steps below, make sure you have already done the following:
You need to decide what your meeting server host name will be before you begin. The Jitsi installation process, as well as the rest of this guide, will reference this name throughout. This guide will assume you are an admin on an example domain called mycompany.scom.
1. Login to your Ubuntu server and update the hostname to what you decided above:
sudo vi /etc/hosts
Edit the line with “127.0.0.1” adding the host name meet.mycompany.com
127.0.0.1 localhost meet.mycompany.com
Add the same meet.mycompany.com hostname to the hostname file:
sudo vi /etc/hostname
2. Prepare to install Jitsi – More help can be found here https://github.com/jitsi/jitsi-meet/blob/master/doc/quick-install.md
apt-add-repository universe &&
echo 'deb https://download.jitsi.org stable/' >> /etc/apt/sources.list.d/jitsi-stable.list &&
wget -qO - https://download.jitsi.org/jitsi-key.gpg.key | sudo apt-key add - &&
sudo apt-get install apt-transport-https &&
sudo apt-get update
If you have your own SSL certificates, copy the key and cert onto your server. During the next step, the Jitsi installation process will ask you where they are located. If you do not have any ssl certs yet, thats okay, you can use the LetsEncrypt script create and install new SSL certificates.
3. Install Jitsi
When prompted, enter your meeting server hostname, Example: meet.mycompany.com (don’t use the .scom)
sudo apt-get -y install jitsi-meet
During the Jitsi installation process, you will be asked about the location of your SSL certificates for HTTPS (https is required). If you have not already, copy the key and cert to the server and provide these locations when prompted. If you do not have any ssl certs yet, thats okay, choose the “self-signed” certification option. The next section will explain how you can use the LetsEncrypt script to create and install new SSL certificates.
After installation is complete, you should have a working Jitsi Meet server. You should be able to point your browser to your servers IP address (or public subdomain, if you already set one up). Example: https://126.96.36.1996 or https://meet.mycompany.com
If you chose the “self-signed” certification option, for now, you will have to ignore the SSL certificate errors to see the site; we will fix these later in this guide.
If you installed your own ssl certificates, skip down to “6. CONFIGURE & INSTALL GABRIEL.”
However, if you chose the “self-signed” option during the Jitsi installation process, you need to use the LetsEncrypt script to install new certificates. Jitsi will not work without https.
In order for this script to work, your server MUST be accessible from the internet (at least for now). The host name “meet.mycompany.scom” needs to resolve to your server’s IP address. This means that you will need to create a public subdomain for “meet.mycompany.com” in order for the script to pass the challenge stage. After you run this script, you can remove the public subdomain; we will not need it. Instead, we will use a Gabriel secure CNAME record that will match the SSL certificate.
Run the SSL script and follow the prompts.
1. Install Gabriel – More help can be found here: https://www.gabrielsecure.com/forum-root/topic/how-to-install-gabriel-on-linux/
When prompted, enter your Gabriel user name “www.mycompany.scom” and provide “meet” as the device name. This will make your full Gabriel username on the server “meet.www.mycompany.scom”
wget https://deb.myvirnetx.com/installers/gabriel_cmd && chmod +x gabriel_cmd && sudo ./gabriel_cmd
2. Secure Jitsi web ports using Gabriel Secure Gateway
Jitsi uses ports 80, 443 and 10000. You need to create a Secure Gateway mapping for port 80 and 443, but do not map port 10000 in the same way. Port 10000 is secured in step 4, below.
Secure port 80:
gabriel_cmd localservice add --name "port80" --dest_address 127.0.0.1 --dest_port 80 --mapped_port 80 --vpn_only_access=1 --allow_remote=1
Secure port 443:
gabriel_cmd localservice add --name "port443" --dest_address 127.0.0.1 --dest_port 443 --mapped_port 443 --vpn_only_access=1 --allow_remote=1
The result of the above should look like this:
tcp443 443 -> 127.0.0.1:443 (vpn-only: True, allowRemote: True)
tcp80 80 -> 127.0.0.1:80 (vpn-only: True, allowRemote: True)
3. Grant Secure Gateway Access
The previous step only created the Secure Gateway mappings for port 80 and 443. Initial access for new ports is limited to the creator only, the “www.mycompany.scom” user in this example. You need to also grant access for other users or domains. You will need to grant each user or domain access to these ports. Lets start by granting access to our entire domain:
gabriel_cmd localservice addgroup --name "tcp443" --domain "mycompany.scom"
Groups for tcp443:
4. Secure Jitsi’s Audio/Video port 10000 (UDP)
You will need to expose port 10000 over the VPN using a simple modification to the ini file
sudo vi /home/gabriel/.gabriel/HKCU_registry.ini
Change “LocalVpnOnlyUdpPorts=” –> “LocalVpnOnlyUdpPorts=10000”
5. Test Jitsi over Gabriel – https://meet.mycompany.scom
You should now have a working Jitsi Meet server, secured by Gabriel. You should be able to point your browser to https://meet.mycompany.scom or https://meet.www.mycompany.scom – Since you are accessing the website using a URL that does not match the SSL certs, you will still see a cert error. The next step will resolve this issue.
✓ You should now be able to access https://meet.mycompany.com and no longer see the SSL certificate error.
The last step is to lock the server down. We do not want any other access to our meeting server outside of Gabriel.
1. If you have not already, you can remove the public subdomain record you created in step 5 (if applicable)
2. Update Jitsi Interfaces to bind to Gabriel only
sudo vi /etc/jitsi/videobridge/sip-communicator.properties
Add new line “org.ice4j.ice.harvest.ALLOWED_INTERFACES=gsp”
3. Update the nginx webserver to listen on localhost only
sudo vi /etc/nginx/sites-available/meet.mycompany.com.conf
Change “listen 80;” –> “listen 127.0.0.1:80;”Change “listen 443 ssl;” –> “listen 127.0.0.1:443 ssl;”
sudo vi /etc/nginx/sites-available/default
Change “listen [::]:80 default_server;” –> “listen meet.www.mycompany.scom:80 default_server;”
1. Restart Gabriel & Jitsi Services using the following command.
sudo systemctl restart gabriel && sleep 20 && service nginx restart && service jitsi-videobridge2 restart && service prosody restart && service jicofo restart
Note: Gabriel needs to be running before Jitsi is started
2. Restart Jitsi Only
service nginx restart && service jitsi-videobridge2 restart && service prosody restart && service jicofo restart
3. Monitor Jitsi Logs
tail -F /var/log/jitsi/jicofo.log
tail -F /var/log/prosody/prosody.log
Powered by BetterDocs