apt-get update
apt-get dist-upgrade
apt-get -y install openjdk-11-jre nginx
Add default.conf to nginx/sites-available:
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    include snippets/well-known.conf;
}
Link this file to nginx/sites-enabled.
Add jitsi.mydomain.mytld.conf to nginx/sites-available (use your real hostname wherever the placeholder appears, including server_name). Three things to note in this config: TLSv1 and TLSv1.1 are deprecated (RFC 8996) and are not enabled; the HSTS header is repeated inside the static-content location, because a location that sets its own add_header does not inherit the server-level add_header directives; and the ACME challenge location serves /var/www/letsencrypt, the webroot certbot writes to, so renewals keep working once this vhost answers port 80 for the hostname.

server_names_hash_bucket_size 64;

server {
    listen 80;
    listen [::]:80;
    server_name jitsi.mydomain.mytld;

    # same webroot certbot uses below, otherwise renewals fail after this vhost is enabled
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /var/www/letsencrypt;
    }
    location = /.well-known/acme-challenge/ {
        return 404;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name jitsi.mydomain.mytld;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED";
    add_header Strict-Transport-Security "max-age=31536000" always;

    ssl_certificate /etc/letsencrypt/live/jitsi.mydomain.mytld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/jitsi.mydomain.mytld/privkey.pem;

    root /usr/share/jitsi-meet;

    # ssi on with javascript for multidomain variables in config.js
    ssi on;
    ssi_types application/x-javascript application/javascript;

    index index.html index.htm;
    error_page 404 /static/404.html;

    gzip on;
    gzip_types text/plain text/css application/javascript application/json;
    gzip_vary on;

    location = /config.js {
        alias /etc/jitsi/meet/jitsi.mydomain.mytld-config.js;
    }

    location = /external_api.js {
        alias /usr/share/jitsi-meet/libs/external_api.min.js;
    }

    # ensure all static content can always be found first
    location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)$ {
        add_header 'Access-Control-Allow-Origin' '*';
        # add_header is not inherited into a location that sets its own, so repeat HSTS here
        add_header Strict-Transport-Security "max-age=31536000" always;
        alias /usr/share/jitsi-meet/$1/$2;
    }

    # BOSH
    location = /http-bind {
        proxy_pass http://localhost:5280/http-bind;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $http_host;
    }

    # xmpp websockets
    location = /xmpp-websocket {
        proxy_pass http://127.0.0.1:5280/xmpp-websocket?prefix=$prefix&$args;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        tcp_nodelay on;
    }

    location ~ ^/([^/?&:'"]+)$ {
        try_files $uri @root_path;
    }

    location @root_path {
        rewrite ^/(.*)$ / break;
    }

    location ~ ^/([^/?&:'"]+)/config.js$ {
        set $subdomain "$1.";
        set $subdir "$1/";
        alias /etc/jitsi/meet/jitsi.mydomain.mytld-config.js;
    }

    # Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
    location ~ ^/([^/?&:'"]+)/(.*)$ {
        set $subdomain "$1.";
        set $subdir "$1/";
        rewrite ^/([^/?&:'"]+)/(.*)$ /$2;
    }

    # BOSH for subdomains
    location ~ ^/([^/?&:'"]+)/http-bind {
        set $subdomain "$1.";
        set $subdir "$1/";
        set $prefix "$1";
        rewrite ^/(.*)$ /http-bind;
    }

    # websockets for subdomains
    location ~ ^/([^/?&:'"]+)/xmpp-websocket {
        set $subdomain "$1.";
        set $subdir "$1/";
        set $prefix "$1";
        rewrite ^/(.*)$ /xmpp-websocket;
    }
}
But do NOT activate it yet: the 443 server block points at certificate files that do not exist until certbot has run, and the first certificate request below is answered by default.conf.
Add well-known.conf to nginx/snippets:
location /.well-known/ {
    allow all;
    auth_basic off;
    default_type "text/plain";
    alias /var/www/letsencrypt/.well-known/;
}
Add cache-expire.conf to nginx/snippets (this and the next two snippets are not referenced by the vhosts above; include them in a server block if you want them, and if you do, repeat the HSTS add_header inside this location, since nginx does not inherit add_header into a location that sets its own):

location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
    expires max;
    add_header Pragma public;
    add_header Cache-Control public;
}
Add deny-dot.conf to nginx/snippets:
# deny access to any dot-files (except .well-known)
location ~ /\.(?!well-known/). {
    deny all;
}
Add redirect-https.conf to nginx/snippets:

if ($scheme != "https") {
    rewrite ^ https://$host$uri permanent;
}
Check the configuration with nginx -t, then restart nginx:
service nginx restart
Install certbot in its own venv and request the certificate through the webroot that default.conf serves (certbot-dns-rfc2136 is only needed for the DNS-01 challenge; the webroot challenge used here does not touch it):

apt-get -y install python3-venv
python3 -m venv /usr/local/bin/certbot_venv
source /usr/local/bin/certbot_venv/bin/activate
pip install --upgrade pip
pip install setuptools certbot certbot-dns-rfc2136
mkdir -p /var/www/letsencrypt
chown www-data:www-data /var/www/letsencrypt
certbot certonly --webroot --webroot-path /var/www/letsencrypt -d jitsi.mydomain.mytld
deactivate
Renew from cron once a week, with a random delay of up to an hour so that all your hosts do not hit Let's Encrypt at the same minute, and reload nginx whenever a new certificate was actually deployed. The venv's certbot is called by its full path, so cron's /bin/sh does not need to source activate; --deploy-hook is the current name of the older --renew-hook option:

echo "0 0 * * 1 root perl -e 'sleep int(rand(3600))' && /usr/local/bin/certbot_venv/bin/certbot -q renew --deploy-hook 'systemctl reload nginx'" > /etc/cron.d/certbot
Activate jitsi in nginx and restart nginx:

ln -s /etc/nginx/sites-available/jitsi.mydomain.mytld.conf /etc/nginx/sites-enabled/jitsi.mydomain.mytld.conf
service nginx restart
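Before creating that link, it is worth linting the vhost file offline for the mistakes that are easy to make when copying the config by hand. The script below is an added example, not part of the original notes or of the jitsi-meet package; the function name check_vhost, its optional webroot argument and the two embedded sample vhosts are this example's own constructions. It flags TLSv1/TLSv1.1 in ssl_protocols, a missing HSTS header, HSTS silently dropped in a location that sets its own add_header, a Let's Encrypt certificate path whose hostname matches no server_name, and an ACME challenge root that is not the certbot webroot:

```shell
#!/bin/sh
# Added example, not part of the original notes: an offline pre-flight lint for
# the jitsi vhost before it is linked into sites-enabled. It flags what a
# reviewer looks for: TLSv1/1.1 still enabled, no HSTS header, HSTS dropped in
# a location that sets its own add_header (nginx does not inherit add_header
# into such a block), a certificate path matching no server_name, and an ACME
# challenge root that differs from the certbot webroot (renewals would break
# once this vhost takes over port 80). Exit status = number of findings.

check_vhost() {
    local conf="$1" webroot="${2:-/var/www/letsencrypt}" findings=0 out n names certs c

    # 1. TLS 1.0/1.1 are deprecated (RFC 8996); only TLSv1.2/TLSv1.3 belong here.
    if grep -Eq '^[[:space:]]*ssl_protocols[^;]*TLSv1(\.1)?[[:space:];]' "$conf"; then
        echo "FAIL: ssl_protocols enables TLSv1/TLSv1.1 (use: ssl_protocols TLSv1.2 TLSv1.3;)"
        findings=$((findings + 1))
    fi
    # 2. HSTS must be set somewhere in the vhost.
    if ! grep -q 'Strict-Transport-Security' "$conf"; then
        echo "FAIL: no Strict-Transport-Security header"
        findings=$((findings + 1))
    fi
    # 3. Walk the location blocks (one directive per line, as in the config above):
    #    own add_header without HSTS loses the server-level header; the ACME
    #    location must serve the directory certbot writes to.
    out=$(awk -v want="$webroot" '
        /^[ \t]*location/ { inloc = 1; hdr = 0; sts = 0; name = $0; sub(/^[ \t]+/, "", name)
                            acme = (name ~ /acme-challenge/) }
        inloc && /add_header/                { hdr = 1 }
        inloc && /Strict-Transport-Security/ { sts = 1 }
        inloc && acme && /^[ \t]*root[ \t]/  { v = $2; sub(/;.*/, "", v)
                            if (v != want) print "FAIL: ACME root " v " is not the certbot webroot " want }
        inloc && /^[ \t]*}/ { if (hdr && !sts) print "FAIL: HSTS dropped in: " name; inloc = 0 }
    ' "$conf")
    n=$(printf '%s' "$out" | grep -c FAIL || true)
    [ "$n" -eq 0 ] || printf '%s\n' "$out"
    findings=$((findings + n))
    # 4. Every /etc/letsencrypt/live/<name>/ path must belong to a server_name.
    names=$(sed -n 's/^[[:space:]]*server_name[[:space:]]*\([^;]*\);.*/\1/p' "$conf" | tr ' ' '\n' | sort -u)
    certs=$(sed -n 's#.*/etc/letsencrypt/live/\([^/]*\)/.*#\1#p' "$conf" | sort -u)
    for c in $certs; do
        if ! printf '%s\n' "$names" | grep -qx "$c"; then
            echo "FAIL: certificate for '$c' but no server_name '$c'"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Constructed samples: the first has the classic mistakes (TLSv1/1.1, a leaked
# hostname, CORS location without HSTS, ACME root under /usr/share/jitsi-meet),
# the second is the corrected form.
WEAK=$(mktemp); GOOD=$(mktemp)
cat >"$WEAK" <<'EOF'
server {
    listen 80;
    server_name jitsi.ir-media-tec.com;
    location ^~ /.well-known/acme-challenge/ {
        root /usr/share/jitsi-meet;
    }
}
server {
    listen 443 ssl;
    server_name jitsi.ir-media-tec.com;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    add_header Strict-Transport-Security "max-age=31536000";
    ssl_certificate /etc/letsencrypt/live/jitsi.mydomain.mytld/fullchain.pem;
    location ~ ^/(libs|css|static)/(.*)$ {
        add_header 'Access-Control-Allow-Origin' '*';
        alias /usr/share/jitsi-meet/$1/$2;
    }
}
EOF
cat >"$GOOD" <<'EOF'
server {
    listen 80;
    server_name jitsi.mydomain.mytld;
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }
}
server {
    listen 443 ssl;
    server_name jitsi.mydomain.mytld;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;
    ssl_certificate /etc/letsencrypt/live/jitsi.mydomain.mytld/fullchain.pem;
    location ~ ^/(libs|css|static)/(.*)$ {
        add_header 'Access-Control-Allow-Origin' '*';
        add_header Strict-Transport-Security "max-age=31536000" always;
        alias /usr/share/jitsi-meet/$1/$2;
    }
}
EOF
echo "== vhost with the classic mistakes =="; check_vhost "$WEAK" || echo "-> $? finding(s)"
echo "== corrected vhost ==";               check_vhost "$GOOD" && echo "-> clean"
```

On the real server run `check_vhost /etc/nginx/sites-available/jitsi.mydomain.mytld.conf` after `nginx -t`: the latter only proves the file parses, the former catches the settings nginx happily accepts but you did not want. The checker assumes one directive per line and a closing brace on its own line, which is how the vhost above is written.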
IMPORTANT: install nginx, listening on 443, BEFORE jitsi-meet, so that the jitsi-meet installer configures itself for the existing nginx instead of bringing its own web server. Port 4443/tcp is used by the videobridge (TCP fallback), which is why it appears in the firewall list below.
Install jitsi:

wget -qO - https://download.jitsi.org/jitsi-key.gpg.key | apt-key add -
sh -c "echo 'deb https://download.jitsi.org stable/' > /etc/apt/sources.list.d/jitsi-stable.list"
apt-get update
apt install jitsi-meet

During installation, enter the hostname (jitsi.mydomain.mytld, the same name as the nginx vhost: it determines the /etc/jitsi/meet/jitsi.mydomain.mytld-config.js path the vhost aliases, and the package only writes its own nginx vhost under that name if none exists yet) and choose the SELF-SIGNED certificate option. TLS is already terminated by nginx with the Let's Encrypt certificate, so the self-signed certificate is not used by the vhost above.
Corporate firewall stuff:
NATed corporate clients need outbound access to your external server on 80/tcp, 443/tcp, 4443/tcp (videobridge TCP fallback) and 10000/udp (videobridge media).
There is no need to allow incoming connections to the clients.
Avoid proxies for performance.
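The port list above is what the clients need to reach; the matching check on the server side is whether those listeners are actually up, and whether the one backend that must not be public is exposed. The script below is an added example, not part of the original notes or of jitsi-meet: it reads the output of `ss -lntup` from a file and reports public ports from the list above that have no listener, plus prosody's BOSH/websocket port 5280 if it is bound to a non-loopback address (the vhost above proxies it via 127.0.0.1, so nothing outside needs to reach it directly). The function name check_listeners and both sample tables are constructed for this example, not captured from a real host:

```shell
#!/bin/sh
# Added example, not part of the original notes: check a finished server's
# listener table against the port list above. Input is a file holding the
# output of `ss -lntup`; the two samples below are constructed, not captured.
# Public listeners expected: 80/tcp, 443/tcp, 4443/tcp, 10000/udp. Prosody's
# port 5280 is only reached through nginx (proxy_pass to 127.0.0.1 above), so
# it is reported when bound to a non-loopback address.
# Exit status = number of problems, 0 = as expected.

check_listeners() {
    awk -v expect="tcp:80 tcp:443 tcp:4443 udp:10000" -v internal="tcp:5280" '
        function port(addr,   n, a) { n = split(addr, a, ":"); return a[n] }
        function host(addr)        { sub(/:[^:]*$/, "", addr); return addr }
        NR == 1 { next }                                   # column header
        $1 == "tcp" || $1 == "udp" {
            key = $1 ":" port($5)                          # $5 = Local Address:Port
            seen[key] = 1
            h = host($5)
            if (h != "127.0.0.1" && h != "[::1]") public[key] = h
        }
        END {
            n = split(expect, e, " ")
            for (i = 1; i <= n; i++)
                if (!(e[i] in seen)) { print "MISSING: nothing listens on " e[i]; bad++ }
            if (internal in public) {
                print "EXPOSED: " internal " bound to " public[internal] " (nginx proxies to 127.0.0.1; bind prosody to loopback or firewall the port)"
                bad++
            }
            exit bad + 0
        }' "$1"
}

# Constructed ss -lntup tables: one as the install should look, one with the
# videobridge media port missing and prosody listening on all interfaces.
OK_SS=$(mktemp); BAD_SS=$(mktemp)
cat >"$OK_SS" <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      511          0.0.0.0:80        0.0.0.0:*     users:(("nginx",pid=1001,fd=6))
tcp   LISTEN 0      511          0.0.0.0:443       0.0.0.0:*     users:(("nginx",pid=1001,fd=8))
tcp   LISTEN 0      50                 *:4443            *:*     users:(("java",pid=1200,fd=30))
tcp   LISTEN 0      4096       127.0.0.1:5280      0.0.0.0:*     users:(("lua5.2",pid=900,fd=10))
udp   UNCONN 0      0                  *:10000           *:*     users:(("java",pid=1200,fd=28))
EOF
cat >"$BAD_SS" <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      511          0.0.0.0:80        0.0.0.0:*     users:(("nginx",pid=1001,fd=6))
tcp   LISTEN 0      511          0.0.0.0:443       0.0.0.0:*     users:(("nginx",pid=1001,fd=8))
tcp   LISTEN 0      50                 *:4443            *:*     users:(("java",pid=1200,fd=30))
tcp   LISTEN 0      4096         0.0.0.0:5280      0.0.0.0:*     users:(("lua5.2",pid=900,fd=10))
EOF
echo "== expected listener table =="; check_listeners "$OK_SS" && echo "-> ok"
echo "== broken listener table ==";   check_listeners "$BAD_SS" || echo "-> $? problem(s)"
```

On the server itself: `ss -lntup > /tmp/ss.txt; check_listeners /tmp/ss.txt`. A MISSING line for udp:10000 is the usual reason video works in the office but not from home; an EXPOSED line means 5280 is reachable past nginx and should be bound to loopback or blocked at the host firewall.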
Reduce video quality for large crowds: in /etc/jitsi/meet/jitsi.mydomain.mytld-config.js set

resolution: 360,
constraints: {
    video: {
        height: { ideal: 360, max: 360, min: 180 }
    }
},
Use youtube streaming for even larger crowds.
Tune the skin via /usr/share/jitsi-meet/interface_config.js
On errors: check the nginx paths to the Let's Encrypt certificates.
Use Chrome or Firefox. Firefox needs a lot more bandwidth.
Credits: uwe [ https://runlevel3.de ]
You can also check this: https://scheible.it/jitsi-meet-installation-ubuntu-20-04/