
Deployment Overview of Jitsi on Server

Prerequisites and Basic Requirements

To deploy Jitsi Meet on a Debian-based server, the following requirements must be met:

  • Operating System: a Debian-based distribution that uses apt for package management.
  • Privileges: root access or sudo privileges, needed to install packages, configure the firewall, and manage services.
  • Domain Configuration: a Fully Qualified Domain Name (FQDN) with a DNS record pointing to the server's public IP address; Let's Encrypt validates ownership by connecting to that name.
  • Ports: the following ports must be reachable from the internet:
    • Port 80 (TCP) for HTTP traffic and Let's Encrypt HTTP-01 validation.
    • Port 443 (TCP) for HTTPS traffic.
    • Port 10000 (UDP) for Jitsi Videobridge media traffic.
  • Email Address: a valid administrator email address, used for Let's Encrypt registration and certificate issuance.

File and Directory Structure

The deployment uses the following directory structure for configuration, data, and certificates:

  • /etc/apt/trusted.gpg.d/jitsi.gpg: the Jitsi APT repository key. Keys in this directory are trusted for every configured repository, so this key could also sign packages served by any other source.
  • /usr/share/keyrings/prosody-debian-packages.key: the Prosody repository key, referenced with signed-by so that it is trusted only for the Prosody repository.
  • /etc/nginx/sites-available/: Contains the Nginx virtual host configuration file named after the FQDN (e.g., {{ jitsi_host }}.conf).
  • /etc/nginx/sites-enabled/: Contains symbolic links to active virtual host configurations.
  • /etc/letsencrypt: Stores the TLS certificates and private keys issued by Let's Encrypt.
  • /root/nginx/: Directory used for Docker Compose configuration in containerized deployments.
  • /data/nginx/user_conf.d/: Directory for custom Nginx site configurations in containerized deployments.

Application Installation Process

The standard installation adds the official repositories and installs the packages with apt.

  1. Add repositories:
    • Jitsi: deb https://download.jitsi.org stable/ (signed with the key stored at /etc/apt/trusted.gpg.d/jitsi.gpg).
    • Prosody: deb [signed-by=/usr/share/keyrings/prosody-debian-packages.key] https://packages.prosody.im/debian jammy main (jammy is an Ubuntu release codename; the suite must match the codename of the host's own release).
  2. Install dependencies:
    • Base tools: curl, gnupg, apt-transport-https, ca-certificates.
    • Lua: lua5.2.
  3. Install the Jitsi packages that make up the full Jitsi Meet stack:
    • jitsi-meet
    • jicofo
    • jitsi-videobridge2
    • jitsi-meet-prosody
    • jitsi-meet-web
    • jitsi-meet-web-config
    • jitsi-meet-turnserver
    • nginx
  4. Preseed the configuration: before the packages are configured, debconf is preseeded with the following answers so that installation runs without prompts:
    • the hostname (FQDN) for jitsi-meet-web-config;
    • the hostname (FQDN) for jitsi-videobridge2;
    • the certificate type, set to Let's Encrypt.
  5. Reconfigure if needed: if the virtual host file /etc/nginx/sites-available/<FQDN>.conf is missing or incorrect, jitsi-meet-web-config is reconfigured with dpkg-reconfigure so that the FQDN is applied.
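The five steps above, as one non-interactive script. This is an added example, not the playbook the page is generated from. It departs from the page in one respect, deliberately: both repository keys are stored under /usr/share/keyrings and referenced with signed-by, rather than putting the Jitsi key in the globally trusted /etc/apt/trusted.gpg.d. The key download URLs, the debconf question names and the script path /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh are assumptions to be confirmed against the current Jitsi and Prosody documentation before use.

```shell
#!/bin/sh
# Added example: non-interactive version of steps 1-5 of the installation
# procedure. Not the page's own playbook. Assumed: key URLs, debconf question
# names, keyring paths (signed-by keyrings instead of trusted.gpg.d).
set -eu

JITSI_KEYRING=/usr/share/keyrings/jitsi-keyring.gpg                  # assumed path
PROSODY_KEYRING=/usr/share/keyrings/prosody-debian-packages.key      # path from the page
JITSI_KEY_URL=https://download.jitsi.org/jitsi-key.gpg.key           # assumed URL
PROSODY_KEY_URL=https://prosody.im/files/prosody-debian-packages.key # assumed URL

# APT source lines. signed-by limits each key to its own repository, so a
# compromised Prosody key could not sign a jitsi-meet package, or vice versa.
jitsi_source_line() {
  printf 'deb [signed-by=%s] https://download.jitsi.org stable/\n' "$JITSI_KEYRING"
}

prosody_source_line() {
  # $1: release codename. The page hard-codes jammy (an Ubuntu release);
  # on the host use the output of: lsb_release -sc
  printf 'deb [signed-by=%s] https://packages.prosody.im/debian %s main\n' "$PROSODY_KEYRING" "$1"
}

# debconf answers for step 4. The question names are assumptions; confirm them
# on an installed host with: debconf-get-selections | grep -E 'jitsi|jvb'
debconf_preseed() {
  fqdn=$1
  printf '%s\n' \
    "jitsi-meet-web-config jitsi-meet/jvb-hostname string $fqdn" \
    "jitsi-videobridge2 jitsi-videobridge/jvb-hostname string $fqdn" \
    "jitsi-meet-web-config jitsi-meet/cert-choice select Let's Encrypt certificates"
}

# Runs on the target host as root. Not executed when the file is only sourced.
install_jitsi() {
  fqdn=$1 email=$2 codename=${3:-jammy}

  apt-get update
  apt-get install -y curl gnupg apt-transport-https ca-certificates lua5.2

  curl -fsSL "$JITSI_KEY_URL" | gpg --dearmor -o "$JITSI_KEYRING"
  curl -fsSL "$PROSODY_KEY_URL" -o "$PROSODY_KEYRING"
  # Compare these fingerprints with the ones each project publishes before
  # trusting the repositories; the fingerprints are not reproduced here.
  gpg --show-keys "$JITSI_KEYRING"
  gpg --show-keys "$PROSODY_KEYRING"

  jitsi_source_line > /etc/apt/sources.list.d/jitsi-stable.list
  prosody_source_line "$codename" > /etc/apt/sources.list.d/prosody.list
  apt-get update

  debconf_preseed "$fqdn" | debconf-set-selections
  DEBIAN_FRONTEND=noninteractive apt-get install -y \
    jitsi-meet jicofo jitsi-videobridge2 jitsi-meet-prosody jitsi-meet-web \
    jitsi-meet-web-config jitsi-meet-turnserver nginx

  # Step 5: the vhost must exist under the FQDN; otherwise re-run the package configuration.
  if [ ! -f "/etc/nginx/sites-available/$fqdn.conf" ]; then
    dpkg-reconfigure -f noninteractive jitsi-meet-web-config
  fi

  # Let's Encrypt issuance; the Jitsi script reads the e-mail address from stdin.
  printf '%s\n' "$email" | /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh
}

# usage: sh jitsi-install.sh install meet.example.org admin@example.org [codename]
case "${1:-}" in
  install) install_jitsi "$2" "$3" "${4:-jammy}" ;;
esac
```

The helper functions can be exercised on a workstation without touching a host (`sh -c '. ./jitsi-install.sh; debconf_preseed meet.example.org'`), which is also how the preseed lines can be reviewed before they are fed to debconf-set-selections.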

Access Rights and Security

Security measures are implemented through firewall rules and service configuration:

  • Firewall (UFW):
    • The Uncomplicated Firewall (ufw) is enabled with a default policy that allows incoming connections.
    • Rules are added to allow traffic on:
      • Port 80 (TCP).
      • Port 443 (TCP).
      • Port 10000 (UDP).
    • With a default-allow incoming policy these three rules restrict nothing: every other listening service on the host stays reachable exactly as if no firewall were enabled. A firewall that actually limits exposure sets ufw default deny incoming, allows SSH before running ufw enable (so the administrative session is not cut off), and then allows only the three ports above.
  • SSL/TLS:
    • Let's Encrypt is used to issue and renew the certificates automatically.
    • The certificate issuance script runs non-interactively, with the administrator's email address supplied on standard input.
  • Nginx configuration:
    • The default Nginx site is removed to avoid conflicts with the Jitsi virtual host.
    • The Jitsi virtual host listens on port 80 and on port 443 with SSL and HTTP/2 enabled.
    • The loopback listener on 127.0.0.1:8443 is disabled in the native deployment; all traffic enters through the public ports 80 and 443. (The containerized deployment is the reverse: the proxy container owns 80 and 443 and forwards to 127.0.0.1:8443, which is never exposed on a public interface.)
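A post-deployment check for the points above: is the ufw default policy actually deny, is the 8443 listener bound to loopback only, and which TCP ports are publicly bound beyond the intended ones? This is an added example, not part of the page or of Jitsi. The parsers take the text of ufw status verbose and ss -ltnH as arguments so they can be run against captured output; the sample output embedded below is constructed, and the allow list (22 for SSH plus 80 and 443) is an assumption.

```shell
#!/bin/sh
# Added example (not the page's or the Jitsi project's code): checks for the
# firewall policy and listener exposure described in the security section.
# Sample command output below is constructed; the allow list is an assumption.
set -eu

# Prints the default incoming policy (allow, deny or reject) from `ufw status verbose`.
ufw_default_incoming() {
  printf '%s\n' "$1" | sed -n 's/^Default: \([a-z]*\) (incoming).*/\1/p'
}

# Prints, one per line, the TCP ports in `ss -ltnH` output bound to a wildcard
# address (0.0.0.0, [::] or *), i.e. reachable on every interface.
public_tcp_ports() {
  printf '%s\n' "$1" | awk '{
    n = split($4, a, ":"); port = a[n]
    addr = substr($4, 1, length($4) - length(port) - 1)
    if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") print port
  }' | sort -n | uniq
}

# Succeeds only if every listener on port $2 is bound to a loopback address.
loopback_only() {
  printf '%s\n' "$1" | awk -v p="$2" '{
    n = split($4, a, ":"); if (a[n] != p) next
    addr = substr($4, 1, length($4) - length(p) - 1)
    if (addr != "127.0.0.1" && addr != "[::1]") bad = 1
  } END { exit bad }'
}

# Prints publicly bound TCP ports that are not in the space-separated allow list $2.
unexpected_ports() {
  for port in $(public_tcp_ports "$1"); do
    case " $2 " in
      *" $port "*) ;;
      *) printf '%s\n' "$port" ;;
    esac
  done
}

# Constructed sample output in the shape the real commands produce. The ufw
# sample shows the page's default-allow policy; the ss sample shows a BOSH-style
# listener on *:5280 that such a policy leaves reachable.
SAMPLE_UFW='Status: active
Logging: on (low)
Default: allow (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
10000/udp                  ALLOW IN    Anywhere'

SAMPLE_SS='LISTEN 0 128  0.0.0.0:22        0.0.0.0:*
LISTEN 0 511  0.0.0.0:80        0.0.0.0:*
LISTEN 0 511  0.0.0.0:443       0.0.0.0:*
LISTEN 0 511  [::]:443          [::]:*
LISTEN 0 511  127.0.0.1:8443    0.0.0.0:*
LISTEN 0 4096 127.0.0.1:5222    0.0.0.0:*
LISTEN 0 50   *:5280            *:*'

# Runs the checks on a live host (ufw needs root). Exits non-zero on any finding.
check_host() {
  allowed=${1:-"22 80 443"}
  rc=0
  policy=$(ufw_default_incoming "$(ufw status verbose)")
  if [ "$policy" != deny ]; then
    echo "FAIL: ufw default incoming policy is '$policy', expected deny"; rc=1
  fi
  listeners=$(ss -ltnH)
  if ! loopback_only "$listeners" 8443; then
    echo "FAIL: port 8443 has a listener on a non-loopback address"; rc=1
  fi
  extra=$(unexpected_ports "$listeners" "$allowed")
  if [ -n "$extra" ]; then
    echo "FAIL: publicly bound TCP ports outside the allow list:"; echo "$extra"; rc=1
  fi
  return $rc
}

# usage: sh jitsi-check.sh check ["22 80 443"]
case "${1:-}" in
  check) check_host "${2:-}" ;;
esac
```

Against the constructed sample the policy parses as allow and *:5280 is reported as an unexpected public port, which is the situation the default-allow policy produces; UDP listeners (ss -lunH) can be checked the same way with the port 10000 rule in mind.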

Docker Containers and Their Deployment

For containerized deployments, Docker Compose manages a single container that runs Nginx and Certbot together.

  • Compose file location: /root/nginx/compose.yml.
  • Service definition:
    • Image: jonasal/nginx-certbot:latest. The tag is unpinned; pinning a version tag or an image digest keeps the deployment reproducible and prevents an upstream push from silently changing what serves port 443.
    • Restart policy: unless-stopped.
    • Network mode: host. The container shares the host's network namespace, which is what lets it bind ports 80 and 443 directly and reach the Jitsi listener on 127.0.0.1:8443; Docker's port mapping and network isolation do not apply to it.
    • DNS: 1.1.1.1 and 8.8.8.8.
    • Environment variables:
      • CERTBOT_EMAIL: the administrator's email address, used for Let's Encrypt registration.
    • Volumes:
      • nginx_secrets, mounted at /etc/letsencrypt, holds the certificates and private keys.
      • /data/nginx/user_conf.d, mounted at /etc/nginx/user_conf.d, holds the custom site configurations.
  • Custom Nginx configuration: a server block is generated in /data/nginx/user_conf.d/ with the following routing rules:
    • HTTP (port 80): redirects all requests to HTTPS.
    • HTTPS (port 443):
      • Proxies the root path / to https://127.0.0.1:8443/.
      • Proxies /xmpp-websocket to https://127.0.0.1:8443/xmpp-websocket.
      • Proxies /colibri-ws/ to https://127.0.0.1:8443/colibri-ws/.
      • Proxies /http-bind to https://127.0.0.1:8443/http-bind.
    • Headers:
      • Host, X-Real-IP, X-Forwarded-For and X-Forwarded-Proto are set on proxied requests.
      • Upgrade and Connection are passed through so that the XMPP and Colibri WebSocket upgrades work.
    • SSL verification: proxy_ssl_verify is set to off, so the proxy does not validate the upstream's certificate. This is tolerable only because the upstream is a loopback address on the same host; the same setting against a remote upstream would leave that hop open to interception.
  • Deployment command: the container stack is started with

    docker compose up -d

    executed from the /root/nginx directory.
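The compose file and the server block described above, rendered from the FQDN and the administrator's email address. This is an added example, not the page's own files. It follows the jonasal/nginx-certbot convention of pointing ssl_certificate and ssl_certificate_key at /etc/letsencrypt/live/<name>/, which is how that image learns which certificate to request; the read-only flag on the configuration mount, the proxy_http_version directive and the $connection_upgrade map are additions beyond what the page lists.

```shell
#!/bin/sh
# Added example (not the page's own files): renders /root/nginx/compose.yml and
# /data/nginx/user_conf.d/<fqdn>.conf for the containerized deployment.
# Assumed beyond the page: certificate paths under /etc/letsencrypt/live/<fqdn>/,
# the :ro mount flag, proxy_http_version 1.1 and the $connection_upgrade map.
set -eu

# compose.yml content. The image tag stays :latest as on the page; replace it
# with a version tag or image@sha256:... digest for a reproducible deployment.
render_compose() {
  email=$1
  cat <<EOF
services:
  nginx:
    image: jonasal/nginx-certbot:latest
    restart: unless-stopped
    network_mode: host
    dns:
      - 1.1.1.1
      - 8.8.8.8
    environment:
      - CERTBOT_EMAIL=$email
    volumes:
      - nginx_secrets:/etc/letsencrypt
      - /data/nginx/user_conf.d:/etc/nginx/user_conf.d:ro
volumes:
  nginx_secrets:
EOF
}

# Server block for user_conf.d. The heredoc is quoted so nginx's $variables are
# kept literally; only the __FQDN__ placeholder is substituted.
render_site_conf() {
  fqdn=$1
  sed "s/__FQDN__/$fqdn/g" <<'EOF'
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 80;
    listen [::]:80;
    server_name __FQDN__;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name __FQDN__;

    # nginx-certbot requests and renews the certificate named by these paths.
    ssl_certificate     /etc/letsencrypt/live/__FQDN__/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/__FQDN__/privkey.pem;

    # The upstream is the Jitsi vhost on loopback of the same host. That is the
    # only reason proxy_ssl_verify off is tolerable here: there is no network
    # hop for an attacker to interpose on. Do not reuse this for a remote upstream.
    proxy_ssl_verify off;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;

    location / { proxy_pass https://127.0.0.1:8443/; }
    location /xmpp-websocket { proxy_pass https://127.0.0.1:8443/xmpp-websocket; }
    location /colibri-ws/ { proxy_pass https://127.0.0.1:8443/colibri-ws/; }
    location /http-bind { proxy_pass https://127.0.0.1:8443/http-bind; }
}
EOF
}

# Writes both files to the page's locations and starts the stack. Runs only
# when invoked as: sh render-proxy.sh write meet.example.org admin@example.org
write_files() {
  fqdn=$1 email=$2
  mkdir -p /root/nginx /data/nginx/user_conf.d
  render_compose "$email" > /root/nginx/compose.yml
  render_site_conf "$fqdn" > "/data/nginx/user_conf.d/$fqdn.conf"
  (cd /root/nginx && docker compose up -d)
}

case "${1:-}" in
  write) write_files "$2" "$3" ;;
esac
```

Rendering to stdout first (`sh -c '. ./render-proxy.sh; render_site_conf meet.example.org'`) lets the block be reviewed, and passed through nginx -t inside the container, before it is written to the mounted directory.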

Proxy Servers

Nginx is the reverse proxy in front of the Jitsi application: it terminates TLS and routes requests to the Jitsi components.

  • Virtual host configuration:
    • The server name is the FQDN ({{ jitsi_host }}).
    • Listens on port 80 for HTTP.
    • Listens on port 443 with ssl and http2 enabled.
  • Certificate management:
    • Certificates are issued and renewed with the install-letsencrypt-cert.sh script shipped with Jitsi Meet.
    • The script runs non-interactively, reading the administrator's email address from standard input.
  • Containerized proxy:
    • In Docker environments, the jonasal/nginx-certbot image handles both proxying and certificate management.
    • Custom configurations are injected through the /data/nginx/user_conf.d volume mount.

Starting, Stopping, and Updating

Service management is handled by systemd for native installations and by docker compose for containerized environments.

  • Native services, managed by systemd:
    • prosody
    • jicofo
    • jitsi-videobridge2
    • nginx

To restart these services after configuration changes:

systemctl restart prosody
systemctl restart jicofo
systemctl restart jitsi-videobridge2
systemctl restart nginx

To ensure services start on boot:

systemctl enable prosody
systemctl enable jicofo
systemctl enable jitsi-videobridge2
systemctl enable nginx

  • Nginx Configuration Validation: Before reloading Nginx, the configuration is tested:

    nginx -t
    
    If the test passes, Nginx is reloaded:
    systemctl reload nginx
    

  • Docker Services: To start or restart the containerized stack:

    docker compose up -d
    
    executed from the /root/nginx directory.
