Jitsi Installation with JWT Support on Ubuntu 18.04 TLS

Security is very important issue if we are talking about live conferencing. As Zoom had several security issues like Room Bombing, insecurity of personal data and encryption policies, Zoom was about to loose its reputation. Immediate actions are taken by the company to cover these security issues which was out of priority as a requirement for a very fast growing company during — and because of — COVID-19.

Jitsi has JWT implementation to provide security for web conferencing. Basically Jitsi rooms can be created and/or joined after a successful JWT validation.

Jitsi with JWT is a very smart and simple solution perspective to add enhanced security to your Jitsi installations. But i must say it is not easy to find accurate documentation on that even on Jitsi Community portal. For my first installation which i did last year — long time ago from COVID — took me to much time to experiment and learn. Now there are few posts about Jitsi with JWT in Jitsi Community forums. But i must say it is still like “looking for a needle in a haystack” as said in Turkish idiom.

Anyway i thought it will be good idea to collect my experience and provide a manual for people who are interested in installing and configuring Jitsi with JWT. So, here it is!

Setting up FQDN

Execute;

Edit /etc/hostname file as;

YOUR_DOMAIN

Edit /etc/hosts file as;

To restart VM run;

After restart to test your FQDN setup run;

Should ping 127.0.0.1 and command output will be similar to;

Switch to root;

We need to install the Jitsi base components and latest Prosody version now. Components to be installed;

  • gcc (c++ compiler to compile luarocks)
  • unzip
  • lua5.2 (Lua programming language)
  • liblua5.2 (Lua base libraries)
  • luarocks (The main repository of Lua modules)
  • basexx ( Lua library which provides base2(bitfield), base16(hex), base32(crockford/rfc), base64(rfc/url), base85(z85) decoding and encoding.)
  • libssl1.0-dev (Debian (Ubuntu) package is part of the OpenSSL project’s implementation of the SSL and TLS)
  • luacrypto (Lua frontend to the OpenSSL cryptographic library)
  • lua-cjson (JSON encoding/parsing module for Lua)
  • luajwtjitsi (JSON Web Tokens module for Lua)
  • Prosody (Latest stable version)

To install components simply run;

Note: VM will be restarted with the last command

After reboot switch to root as always;

Install rest of the components;

Notes for the installation of this part;

  • Hostname will be prompted. Enter FQDN which is same as hostname of the VM.
  • As a second prompted question, generate a new certificate instead of using your existing certificate. If you have your own certificates i guess it is better to install with generating new certificates also. You will always have a chance to replace your certificates later.
  • Enter application ID as; YOUR_APP_ID
  • Enter application secret as; YOUR_SECRET

Simply run;

By now we have installed all of the required components.

To generate certificates;

To enable firewall run:

To open necessary Jitsi ports run:

Note: 22 is our ssh port and should be open to access server through ssh.

Check firewall rules:

Restart:

Open /etc/prosody/prosody.cfg.lua and add above lines after admins object

change

and check if on end of file has

Open /etc/prosody/conf.avail/YOUR_DOMAIN.cfg.lua and add lines below for your issuers and audiences

Also under you domain config change authentication to “token” and provide application ID, secret:

Also to access the data in lib-jitsi-meet you have to enable the prosody module mod_presence_identity in your config.

And enable room name token verification plugin in your MUC component config section:

And setup guest domain

Open your meet config in /etc/jitsi/meet/YOUR_DOMAIN-config.js and edit as:

Set following config in /etc/jitsi/jicofo/config as:

Edit your /etc/jitsi/jicofo/sip-communicator.properties file as:

Edit /etc/jitsi/videobridge/config file as:

And after JAVA_SYS_PROPS: … add;

For testing your Jitsi with JWT installation you will need a token. To generate your token you can go to jwt.io . In the main page there is a JWT debugger. Considering that you are using HS256 algorithm (which is default for Jitsi and also jwt.io) for encryption our token’s header section will be;

As a minimum requirement your token Payload data will be;

Now for Verify Section of JWT debugger you will need YOUR_SECRET to generate YOUR_TOKEN.

So considering the parameters above your generated token will be;

You can copy the token above and paste it to Encoded section of the JWT Debugger and also proving YOUR_SECRET string “as it is” for your secret in the Verify Section you will see your decoded token Payload “as it is”.

Now go to your Jitsi Meet URL:

https://YOUR_DOMAIN.com/jwt_test_room?jwt=YOUR_TOKEN

Now you can add user information to your token and pass it to Jitsi Meet. To do that you can add additional json formatted keys and values to your token. For further info about JWT token structure go to : https://github.com/jitsi/lib-jitsi-meet/blob/master/doc/tokens.md

Also check logs for warning and error messages:

Prosody log;

Jicofo log;

JVB log;

Now you have your new Jitsi instance with JWT support!

And if you need support for Jitsi with JWT authentication do not hesitate to contact us at doganbros.com. We are giving professional grade Jitsi consultation service including installation, integration, customisation and maintenance support.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store