Gabriel for Secure Video Conferencing – Install & Configure a Jitsi Meet Server

SUPPORTED VERSIONS #

The following instructions were tested on Ubuntu 16.04.6 LTS; other Linux distributions may also work. They installed the following Jitsi package versions:

dpkg -l | grep jitsi
ii  jitsi-meet                       2.0.4468-1
ii  jitsi-meet-prosody               1.0.4025-1
ii  jitsi-meet-web                   1.0.4025-1
ii  jitsi-meet-web-config            1.0.4025-1
ii  jitsi-videobridge2               2.1-183-gdbddd169-1

BEFORE YOU START #

Before you get started on the steps below, make sure you have already done the following:

  1. Purchase a custom secure domain name (mycompany.scom) from VirnetX: https://www.myvirnetx.com/domain/search
  2. Create a Gabriel user named “www” that will secure access to your Jitsi server.
  3. You should also own or have access to the public version of your .scom domain. For example, if you register mycompany.scom, you should also own mycompany.com.
  4. Have root access to an Ubuntu 16.04 Linux server. This server can be running in the cloud (e.g. Amazon AWS, DigitalOcean) or on your own network.

MEETING SERVER HOST NAME #

You need to decide what your meeting server host name will be before you begin. The Jitsi installation process, as well as the rest of this guide, will reference this name throughout. This guide will assume you are an admin on an example domain called mycompany.scom.

  1. If you have not already, create a Gabriel user named “www”. This user will be used to install the Gabriel services that secure access to your Jitsi server. Its full username will be “www.mycompany.scom”.
  2. Choose your meeting server name. We will use “meet” as the Gabriel server name.
    1. Full Gabriel Secure Domain Name: meet.www.mycompany.scom
      1. Full web address will be: http://meet.www.mycompany.scom
      2. Abbreviated web address will be: http://www.mycompany.scom (the “www” user is implied)
    2. Your meeting server hostname will be “meet.mycompany.com” (Note the .com, not .scom)
    3. When HTTPS is working, the final Jitsi Meeting URL will be https://meet.mycompany.com
      1. Note: We will use a Gabriel CNAME to create a .com alias for your .scom name, so the browser sees a host name that matches the HTTPS certificate.
      2. For example: https://meet.mycompany.com will point to https://meet.mycompany.scom underneath.

CONFIGURE & INSTALL JITSI MEET SERVER #

1. Login to your Ubuntu server and set the hostname you decided on above:

sudo vi /etc/hosts

Edit the “127.0.0.1” line so it also carries the host name meet.mycompany.com:

127.0.0.1 localhost meet.mycompany.com

Add the same meet.mycompany.com hostname to the hostname file:

sudo vi /etc/hostname
meet.mycompany.com

2. Prepare to install Jitsi – More help can be found here https://github.com/jitsi/jitsi-meet/blob/master/doc/quick-install.md

sudo apt-add-repository universe &&
echo 'deb https://download.jitsi.org stable/' | sudo tee /etc/apt/sources.list.d/jitsi-stable.list &&
wget -qO - https://download.jitsi.org/jitsi-key.gpg.key | sudo apt-key add - &&
sudo apt-get install -y apt-transport-https &&
sudo apt-get update

If you have your own TLS certificate and private key, copy them onto the server now; the Jitsi installer will ask for their locations during the next step. If you do not have a certificate yet, that's okay: you can use the Let's Encrypt script to create and install one afterwards.

3. Install Jitsi 

When prompted, enter your meeting server hostname, for example meet.mycompany.com (the .com name, not .scom):

sudo apt-get -y install jitsi-meet

During the Jitsi installation you will be asked for the location of your certificate and key for HTTPS (HTTPS is required). If you have not already, copy the key and certificate to the server and provide their paths when prompted. If you do not have a certificate yet, that's okay: choose the “self-signed” certificate option. The next section explains how to use the Let's Encrypt script to create and install a proper certificate.

After installation is complete, you should have a working Jitsi Meet server. Point your browser at your server's IP address (or its public subdomain, if you already created one), for example https://<your-server-ip> or https://meet.mycompany.com

If you chose the “self-signed” certificate option, for now you will have to click through the certificate warning to see the site; we will fix this later in this guide.

5. INSTALL NEW SSL CERTS (required if you chose self-signed) #

If you installed your own certificate, skip down to “6. INSTALL GABRIEL & CONFIGURE SECURE GATEWAY.”

However, if you chose the “self-signed” option during the Jitsi installation, use the Let's Encrypt script to install a publicly trusted certificate. Jitsi will not work without HTTPS (browsers only allow camera and microphone access from a secure origin).

For the script to work, your server MUST be reachable from the internet on port 80 (at least for now): the script answers a Let's Encrypt HTTP challenge through the web server on that port. The public host name “meet.mycompany.com” must resolve to your server's IP address, so create a public DNS record for it before running the script. Once the certificate is issued you can remove that public record; we will not need it. Instead, we will use a Gabriel secure CNAME record that matches the name on the certificate. Caveat: Let's Encrypt certificates are valid for 90 days and renewal uses the same HTTP challenge, so renewal will fail while the public record is gone and nginx is bound to localhost only. Plan to re-expose the host temporarily at renewal time, or install a longer-lived certificate from another CA instead.

Run the SSL script and follow the prompts.

sudo /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh

6. INSTALL GABRIEL & CONFIGURE SECURE GATEWAY #

1. Install Gabriel – More help can be found here: https://www.gabrielsecure.com/forum-root/topic/how-to-install-gabriel-on-linux/

When prompted, enter your Gabriel user name “www.mycompany.scom” and provide “meet” as the device name. This will make your full Gabriel username on the server “meet.www.mycompany.scom”

wget https://deb.myvirnetx.com/installers/gabriel_cmd && chmod +x gabriel_cmd && sudo ./gabriel_cmd

2. Secure Jitsi web ports using Gabriel Secure Gateway

Jitsi uses TCP ports 80 and 443 and UDP port 10000. Create a Secure Gateway mapping for ports 80 and 443 only; do not map port 10000 the same way. Port 10000 is secured in step 4, below.

Secure port 80:

gabriel_cmd localservice add --name "tcp80" --dest_address 127.0.0.1 --dest_port 80 --mapped_port 80 --vpn_only_access=1 --allow_remote=1

Secure port 443:

gabriel_cmd localservice add --name "tcp443" --dest_address 127.0.0.1 --dest_port 443 --mapped_port 443 --vpn_only_access=1 --allow_remote=1

The result of the above should look like this:

tcp443 443 -> 127.0.0.1:443 (vpn-only: True, allowRemote: True)
tcp80 80 -> 127.0.0.1:80 (vpn-only: True, allowRemote: True)

3. Grant Secure Gateway Access

The previous step only created the Secure Gateway mappings for ports 80 and 443. Access to a newly mapped port is initially limited to its creator, the “www.mycompany.scom” user in this example, so you must also grant access to every other user or domain that should reach the meeting server. Let's start by granting access to our entire domain (repeat the command with --name "tcp80" if you also want the plain-HTTP port, and its redirect to HTTPS, reachable over Gabriel):

gabriel_cmd localservice addgroup --name "tcp443" --domain "mycompany.scom"

The result of the above should look like this:

Groups for tcp443:
*.mycompany.scom

4. Secure Jitsi’s Audio/Video port 10000 (UDP)

Expose UDP port 10000 over the VPN only, with a small change to Gabriel's registry ini file:

sudo vi /home/gabriel/.gabriel/HKCU_registry.ini

Change “LocalVpnOnlyUdpPorts=” –> “LocalVpnOnlyUdpPorts=10000”

LocalVpnOnlyUdpPorts=10000

5. Test Jitsi over Gabriel – https://meet.mycompany.scom

You should now have a working Jitsi Meet server, secured by Gabriel. You should be able to point your browser to https://meet.mycompany.scom or https://meet.www.mycompany.scom. Since you are accessing the site through a name that does not match the name on the certificate, you will still see a certificate error. The next step resolves this.

7. CREATE A GABRIEL CNAME #

  1. Login into your account on the web portal: https://www.myvirnetx.com/domain/manage
  2. Go to “Domains” > “Manage” then click on “Settings”
  3. Click on “Hosted Zones” and create a new hosted zone for your public .com domain name. Example: mycompany.com
  4. Open the new “mycompany.com” hosted zone and add a new CNAME.
    1. On the left for “Domain Name” enter “meet.mycompany.com”
    2. On the right for “Secure Domain Name” enter your Gabriel server name “meet.www.mycompany.scom”
  5. Press the “Create CNAME Record” button to save

✓ You should now be able to access https://meet.mycompany.com and no longer see the SSL certificate error.

The last step is to lock the server down. We do not want any other access to our meeting server outside of Gabriel.

8. LOCK DOWN YOUR SERVER #

1. If you have not already, remove the public DNS record you created in step 5 (if applicable). Keep in mind that a Let's Encrypt certificate will need that record again at renewal time.

2. Update Jitsi Interfaces to bind to Gabriel only

sudo vi /etc/jitsi/videobridge/sip-communicator.properties

Add the line “org.ice4j.ice.harvest.ALLOWED_INTERFACES=gsp” so the videobridge only advertises ICE candidates on the Gabriel interface.

3. Update the nginx webserver to listen on localhost only

sudo vi /etc/nginx/sites-available/meet.mycompany.com.conf

Change “listen 80;” –> “listen 127.0.0.1:80;”
Change “listen 443 ssl;” –> “listen 127.0.0.1:443 ssl;”

sudo vi /etc/nginx/sites-available/default

Change “listen [::]:80 default_server;” –> “listen meet.www.mycompany.scom:80 default_server;” (nginx resolves this name at startup, which is why Gabriel must be running before nginx is restarted; make sure no other “listen 80;” or “listen 443 ssl;” line without an address remains in either file).
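As an added check that is not part of the original guide, the following script audits the listening sockets after the lock-down: after the nginx edits above, nothing on TCP 80 or 443 should still be bound to a wildcard address (0.0.0.0, [::], * or ::), because a wildcard bind is reachable from every interface, not just Gabriel's. UDP 10000 is deliberately not checked, since the guide protects it with LocalVpnOnlyUdpPorts rather than with a bind address. The port numbers come from the guide; the sample ss output embedded in the script is constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original guide: verify the lock-down step.
# Any socket on TCP 80/443 still bound to a wildcard address means nginx is
# reachable outside Gabriel. Run `sh audit-listeners.sh --live` on the server
# to check the real socket table; without --live it runs on a constructed
# sample so the logic can be exercised anywhere.

WEB_PORTS="80 443"   # the two nginx ports the guide binds to 127.0.0.1

# wildcard_listeners: read `ss -ltunp`-style lines on stdin and print those
# whose local address is a wildcard on one of WEB_PORTS.
# Returns 0 when nothing was printed, 1 otherwise. The header line ss prints
# is ignored automatically because its "port" field is not numeric.
wildcard_listeners() {
    found=0
    while read -r netid state recvq sendq laddr peer rest; do
        port=${laddr##*:}   # text after the last ':'  e.g. 80
        addr=${laddr%:*}    # text before the last ':' e.g. [::] or 127.0.0.1
        case " $WEB_PORTS " in
            *" $port "*) ;;
            *) continue ;;
        esac
        case "$addr" in
            0.0.0.0|'[::]'|'::'|'*'|'')
                printf '%s %s %s\n' "$netid" "$laddr" "$rest"
                found=1 ;;
        esac
    done
    return "$found"
}

# count_wildcard TEXT: number of offending lines in TEXT.
count_wildcard() {
    printf '%s\n' "$1" | wildcard_listeners | wc -l | tr -d ' '
}

# audit_live: run the check against the real socket table (needs root to see
# process names, which is why the guide's commands use sudo).
audit_live() {
    ss -ltunp | wildcard_listeners
}

# Constructed sample of `ss -ltunp` output on a server where the IPv6
# default_server line was missed: the 127.0.0.1 binds are fine, sshd and the
# videobridge's UDP 10000 are out of scope, and [::]:80 must be flagged.
SAMPLE_SS='tcp LISTEN 0 511 127.0.0.1:80 0.0.0.0:* users:(("nginx",pid=1201,fd=6))
tcp LISTEN 0 511 127.0.0.1:443 0.0.0.0:* users:(("nginx",pid=1201,fd=7))
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=998,fd=3))
udp UNCONN 0 0 0.0.0.0:10000 0.0.0.0:* users:(("java",pid=1340,fd=101))
tcp LISTEN 0 511 [::]:80 [::]:* users:(("nginx",pid=1201,fd=8))'

if [ "${1-}" = "--live" ]; then
    if audit_live; then
        echo "OK: ports 80/443 are bound to specific addresses only"
    else
        echo "LOCK-DOWN INCOMPLETE: wildcard binds listed above" >&2
    fi
else
    printf '%s\n' "$SAMPLE_SS" | wildcard_listeners || echo "sample: lock-down incomplete" >&2
fi
```

The sample run prints the single `[::]:80` line and reports the lock-down as incomplete; on a correctly locked-down server the live run prints nothing but the OK line.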

9. RUNNING GABRIEL & JITSI #

1. Restart Gabriel & Jitsi Services using the following command. 

sudo systemctl restart gabriel && sleep 20 && sudo service nginx restart && sudo service jitsi-videobridge2 restart && sudo service prosody restart && sudo service jicofo restart

Note: Gabriel must be running before Jitsi is started, because nginx listens on a name that only resolves once Gabriel is up.

2. Restart Jitsi Only

sudo service nginx restart && sudo service jitsi-videobridge2 restart && sudo service prosody restart && sudo service jicofo restart

3. Monitor Jitsi Logs

tail -F /var/log/jitsi/jvb.log
tail -F /var/log/jitsi/jicofo.log
tail -F /var/log/prosody/prosody.log
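As an added example that is not part of the original guide, here is a restart script that enforces the ordering described above without the fixed `sleep 20`: it waits until Gabriel's interface is actually up and the name nginx listens on resolves before restarting the Jitsi services. The interface name “gsp” and the service names are taken from the guide; the timeouts, the host name variable and the function names are my own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original guide: ordered restart of Gabriel
# and Jitsi. nginx is configured to listen on meet.www.mycompany.scom:80, a
# name that only resolves once Gabriel is running, so we wait for Gabriel's
# interface and for that name instead of sleeping a fixed 20 seconds.
# Usage on the server: sh restart-jitsi.sh --restart

GABRIEL_IFACE=gsp                         # from ALLOWED_INTERFACES in the guide
NGINX_LISTEN_NAME=meet.www.mycompany.scom # assumption: the name in the default vhost

# wait_for_iface NAME TIMEOUT [SYSFS_DIR]
# Polls once a second until SYSFS_DIR/NAME exists and its operstate is not
# "down" (tun devices usually report "unknown", which counts as up).
# Returns 0 when ready, 1 on timeout. SYSFS_DIR defaults to /sys/class/net and
# is a parameter only so the function can be exercised against a fake tree.
wait_for_iface() {
    name=$1 timeout=$2 sysdir=${3:-/sys/class/net}
    i=0
    while [ "$i" -lt "$timeout" ]; do
        if [ -d "$sysdir/$name" ]; then
            state=$(cat "$sysdir/$name/operstate" 2>/dev/null || echo unknown)
            if [ "$state" != "down" ]; then
                return 0
            fi
        fi
        i=$((i + 1))
        sleep 1
    done
    return 1
}

# wait_for_name NAME TIMEOUT: poll until NAME resolves. getent honours
# /etc/hosts as well as whatever resolver Gabriel provides.
wait_for_name() {
    name=$1 timeout=$2
    i=0
    while [ "$i" -lt "$timeout" ]; do
        if getent hosts "$name" >/dev/null 2>&1; then
            return 0
        fi
        i=$((i + 1))
        sleep 1
    done
    return 1
}

# restart_stack: Gabriel first, then the Jitsi services. Aborts if Gabriel
# never comes up, so nginx is not restarted against a name it cannot bind.
restart_stack() {
    sudo systemctl restart gabriel
    if ! wait_for_iface "$GABRIEL_IFACE" 60; then
        echo "interface $GABRIEL_IFACE did not come up; not restarting Jitsi" >&2
        return 1
    fi
    if ! wait_for_name "$NGINX_LISTEN_NAME" 30; then
        echo "$NGINX_LISTEN_NAME does not resolve; not restarting Jitsi" >&2
        return 1
    fi
    for svc in nginx jitsi-videobridge2 prosody jicofo; do
        sudo systemctl restart "$svc"
    done
}

# Only act when invoked with --restart; sourcing the file just defines
# the functions.
if [ "${1-}" = "--restart" ]; then
    restart_stack
fi
```

Because the wait loops poll the kernel's view of the interface and the resolver rather than a timer, the script neither races Gabriel on a slow host nor wastes twenty seconds on a fast one.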
