Jitsi Installation with JWT Support on Ubuntu 20.04 LTS

sudo hostnamectl set-hostname YOUR_DOMAIN
YOUR_DOMAIN
127.0.0.1 localhost
YOUR_LOCAL_IP YOUR_DOMAIN jitsimain
YOUR_GLOBAL_IP YOUR_DOMAIN jitsimain
127.0.0.1 localhost YOUR_DOMAIN
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
reboot
ping "$(hostname)"
PING YOUR_DOMAIN (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.026 ms
64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.041 ms
64 bytes from localhost (127.0.0.1): icmp_seq=3 ttl=64 time=0.045 ms

Setting Up Base Jitsi Components with JWT Support

Switch to root;

sudo su
sudo nano /etc/apt/sources.list
deb http://security.ubuntu.com/ubuntu bionic-security main
sudo apt update && apt-cache policy libssl1.0-dev
  • unzip
  • lua5.2 (Lua programming language)
  • liblua5.2 (Lua base libraries)
  • luarocks (The main repository of Lua modules)
  • basexx (Lua library which provides base2 (bitfield), base16 (hex), base32 (crockford/rfc), base64 (rfc/url) and base85 (z85) decoding and encoding)
  • libssl1.0-dev (Debian (Ubuntu) package that is part of the OpenSSL project’s implementation of SSL and TLS)
  • luacrypto (Lua frontend to the OpenSSL cryptographic library)
  • lua-cjson (JSON encoding/parsing module for Lua)
  • luajwtjitsi (JSON Web Tokens module for Lua)
  • Prosody (Latest stable version)
cd &&
apt-get update -y &&
apt-get install gcc -y &&
apt-get install unzip -y &&
apt-get install lua5.2 -y &&
apt-get install liblua5.2 -y &&
apt-get install luarocks -y &&
luarocks install basexx &&
apt-get install libssl1.0-dev -y &&
luarocks install luacrypto &&
mkdir src &&
cd src &&
luarocks download lua-cjson &&
luarocks unpack lua-cjson-2.1.0.6-1.src.rock &&
cd lua-cjson-2.1.0.6-1/lua-cjson &&
sed -i 's/lua_objlen/lua_rawlen/g' lua_cjson.c &&
sed -i 's|$(PREFIX)/include|/usr/include/lua5.2|g' Makefile &&
luarocks make &&
luarocks install luajwtjitsi &&
cd &&
wget https://prosody.im/files/prosody-debian-packages.key -O- | sudo apt-key add - &&
echo deb http://packages.prosody.im/debian $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list &&
apt-get update -y &&
apt-get upgrade -y &&
apt-get install prosody -y &&
chown root:prosody /etc/prosody/certs/localhost.key &&
# mode 644 makes this private key world-readable; 640 would limit it to root and the prosody group
chmod 644 /etc/prosody/certs/localhost.key &&
sleep 2 &&
shutdown -r now
sudo su
  • At the second prompt, choose to generate a new certificate instead of using an existing one. Even if you have your own certificates, it is probably better to install with a newly generated certificate; you can always replace it with your own later.
  • Enter application ID as; YOUR_APP_ID
  • Enter application secret as; YOUR_SECRET
cd &&
cp /etc/prosody/certs/localhost.key /etc/ssl &&
apt-get install nginx -y &&
wget -qO - https://download.jitsi.org/jitsi-key.gpg.key | sudo apt-key add - &&
sh -c "echo 'deb https://download.jitsi.org stable/' > /etc/apt/sources.list.d/jitsi-stable.list" &&
apt-get -y update &&
apt-get install jitsi-meet -y &&
apt-get install jitsi-meet-tokens -y

Create Certificates

To generate a certificate execute;

sudo apt install certbot &&
sudo sed -i 's/\.\/certbot-auto/certbot/g' /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh &&
sudo /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh

Firewall Settings

To enable firewall run:

ufw enable
ufw allow in 2220/tcp &&
ufw allow in openssh &&
ufw allow in 80/tcp &&
ufw allow in 443/tcp &&
ufw allow in 4443/tcp &&
ufw allow in 5222/tcp &&
ufw allow in 5347/tcp &&
ufw allow in 10000/udp
ufw status
reboot

Configure Prosody

Open /etc/prosody/prosody.cfg.lua and add the following lines after the admins object:

admins = {}
component_ports = { 5347 }
component_interface = "0.0.0.0"
c2s_require_encryption=true
c2s_require_encryption=false
Include "conf.d/*.cfg.lua"

Configure Prosody for Your Host

Open /etc/prosody/conf.avail/YOUR_DOMAIN.cfg.lua and add the following lines with your issuers and audiences:

asap_accepted_issuers = { "YOUR_APP_ID", "smash" }
asap_accepted_audiences = { "YOUR_APP_ID", "smash" }

VirtualHost "YOUR_DOMAIN"
    authentication = "token";
    app_id = "YOUR_APP_ID"; -- application identifier
    app_secret = "YOUR_SECRET"; -- application secret known only to your token

VirtualHost "YOUR_DOMAIN"
    modules_enabled = { "presence_identity" }

Component "conference.YOUR_DOMAIN" "muc"
    modules_enabled = { "token_verification" }

VirtualHost "guest.YOUR_DOMAIN"
    authentication = "token";
    app_id = "YOUR_APP_ID";
    app_secret = "YOUR_SECRET";
    c2s_require_encryption = true;
    allow_empty_token = true;

Enable Anonymous Domain in Jitsi Meet Config

Open your meet config in /etc/jitsi/meet/YOUR_DOMAIN-config.js and edit as:

var config = {
    hosts: {
        // When using authentication, domain for guest users.
        // Replace with the guest VirtualHost from the Prosody config (guest.YOUR_DOMAIN).
        anonymousdomain: 'guest.jitmeet.example.com',
    },
    enableUserRolesBasedOnToken: true,
}

Jicofo Configuration

Set the following in /etc/jitsi/jicofo/config:

JICOFO_HOST=YOUR_DOMAIN
org.jitsi.jicofo.BRIDGE_MUC=JvbBrewery@internal.auth.YOUR_DOMAIN
org.jitsi.jicofo.auth.URL=XMPP:YOUR_DOMAIN
org.jitsi.jicofo.auth.DISABLE_AUTOLOGIN=true

Video Bridge Configuration

Edit Video Bridge config file;

nano /etc/jitsi/videobridge/config
JVB_HOST=YOUR_DOMAIN
AUTHBIND=yes

Restart All Services

systemctl restart prosody jicofo jitsi-videobridge2

Testing

To test your Jitsi installation with JWT you will need a token. To generate one you can go to jwt.io; the main page has a JWT debugger. Assuming you are using the HS256 algorithm (which is the default for Jitsi and also for jwt.io) to sign the token, the token’s header section will be:

{
"alg": "HS256",
"typ": "JWT"
}
{
"aud": "YOUR_AUDIENCE",
"iss": "YOUR_ISSUER",
"sub": "YOUR_JITSI_DOMAIN",
"room": "*"
}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJZT1VSX0FVRElFTkNFIiwiaXNzIjoiWU9VUl9JU1NVRVIiLCJzdWIiOiJZT1VSX0pJVFNJX0RPTUFJTiIsInJvb20iOiIqIn0.lfdX8pvLIWxC1k27CAT3H4k2EhS2rbE_Ks8SwsD2pJo
tail -f -n 200 /var/log/prosody/prosody.log
tail -f -n 200 /var/log/jitsi/jicofo.log
tail -f -n 200 /var/log/jitsi/jvb.log
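
The test token described above can also be built and checked offline, so that YOUR_SECRET never has to be typed into a web page. This is an added example, not code from the original article or from Jitsi: mint_token and verify_token are hypothetical helper names, and the exp claim with its ttl parameter is an addition that the payload shown on this page does not contain.

```python
import base64, hashlib, hmac, json, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(secret: str, signing_input: str) -> bytes:
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()

def mint_token(secret, iss, aud, sub, room="*", ttl=3600, now=None):
    """HS256 token with the claims used on this page, plus exp (added here)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"aud": aud, "iss": iss, "sub": sub, "room": room, "exp": now + ttl}
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, claims)]
    signing_input = ".".join(parts)
    return signing_input + "." + b64url(_sign(secret, signing_input))

def verify_token(token, secret, issuers, audiences, now=None):
    """Return the claims if the token is acceptable, otherwise raise ValueError."""
    now = int(time.time()) if now is None else now
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        claims = json.loads(b64url_decode(body_b64))
        sig = b64url_decode(sig_b64)
        if not isinstance(header, dict) or not isinstance(claims, dict):
            raise ValueError("not JSON objects")
    except (ValueError, TypeError) as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm: never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    # Constant-time comparison of the recomputed HMAC.
    if not hmac.compare_digest(sig, _sign(secret, f"{head_b64}.{body_b64}")):
        raise ValueError("bad signature")
    # Same idea as asap_accepted_issuers / asap_accepted_audiences above.
    if claims.get("iss") not in issuers or claims.get("aud") not in audiences:
        raise ValueError("issuer or audience not accepted")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired or missing exp")
    return claims
```

Call mint_token("YOUR_SECRET", "YOUR_APP_ID", "YOUR_APP_ID", "YOUR_DOMAIN") to get a token string in the same three-part form as the one shown above.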
