Jitsi DIY | Debian

# Refresh package lists and bring the base system up to date first.
apt-get update
apt-get dist-upgrade
# Java runtime for the Jitsi services plus nginx as the TLS-terminating front end.
apt-get install -y nginx openjdk-11-jre

Add default.conf to nginx/sites-available:

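server {
    listen 80 default_server;
    listen [::]:80 default_server;

    # catch-all for every Host header that no other vhost claims
    server_name _;

    # ACME HTTP-01 challenges, served from the certbot webroot
    include snippets/well-known.conf;

    # serve nothing else from the catch-all; without this, nginx would fall
    # back to its default document root for unknown hosts
    location / {
        return 404;
    }
}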

Link this file into nginx/sites-enabled (`ln -s /etc/nginx/sites-available/default.conf /etc/nginx/sites-enabled/`). Debian's packaged site at `sites-enabled/default` also declares `default_server` on port 80, so remove that symlink first; otherwise nginx refuses to start with a duplicate default server.

Add jitsi.mydomain.mytld.conf to nginx/sites-available:

# raise the bucket size so longer server_name values fit; nginx may otherwise
# refuse to start with a "could not build server_names_hash" error
server_names_hash_bucket_size 64;

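server {
    listen 80;
    listen [::]:80;
    server_name jitsi.mydomain.mytld;

    # HTTP-01 challenges must be served from the directory certbot writes to
    # (--webroot-path /var/www/letsencrypt below).  With "root", the request
    # path /.well-known/acme-challenge/<token> is appended to it.  Pointing
    # this at /usr/share/jitsi-meet instead breaks every renewal once this
    # vhost is enabled, because the challenge files are never found there.
    location ^~ /.well-known/acme-challenge/ {
       default_type "text/plain";
       root         /var/www/letsencrypt;
    }
    # no listing of the challenge directory itself
    location = /.well-known/acme-challenge/ {
       return 404;
    }
    # everything else goes to HTTPS, keeping path and query string
    location / {
       return 301 https://$host$request_uri;
    }
}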
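server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name jitsi.mydomain.mytld;

    # TLS 1.0/1.1 are deprecated (RFC 8996) and must not be offered.  TLS 1.3
    # needs nginx >= 1.13 built against OpenSSL >= 1.1.1 (Debian 10 ships
    # both); drop "TLSv1.3" if "nginx -t" rejects it on an older release.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED";

    # "always" sends HSTS on error responses too.  Note that add_header is not
    # inherited into a location that has its own add_header, so the static
    # content location below repeats this line.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # issued by certbot (see the certonly step below); nginx refuses to start
    # while these files do not exist
    ssl_certificate /etc/letsencrypt/live/jitsi.mydomain.mytld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/jitsi.mydomain.mytld/privkey.pem;

    root /usr/share/jitsi-meet;

    # ssi on with javascript for multidomain variables in config.js
    ssi on;
    ssi_types application/x-javascript application/javascript;

    index index.html index.htm;
    error_page 404 /static/404.html;

    gzip on;
    gzip_types text/plain text/css application/javascript application/json;
    gzip_vary on;

    # per-deployment config lives in /etc/jitsi/meet, not in the web root
    location = /config.js {
        alias /etc/jitsi/meet/jitsi.mydomain.mytld-config.js;
    }

    location = /external_api.js {
        alias /usr/share/jitsi-meet/libs/external_api.min.js;
    }

    # ensure all static content can always be found first
    # ("\." so the last alternative matches the literal .well-known directory)
    location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|\.well-known)/(.*)$
    {
        add_header 'Access-Control-Allow-Origin' '*';
        # repeated here because this location's add_header replaces the
        # server-level headers (see above)
        add_header Strict-Transport-Security "max-age=31536000" always;
        alias /usr/share/jitsi-meet/$1/$2;
    }

    # BOSH -> prosody on the loopback interface.  127.0.0.1 is used explicitly
    # (not "localhost") so nginx does not also try ::1 where prosody may not
    # be listening.
    location = /http-bind {
        proxy_pass      http://127.0.0.1:5280/http-bind;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $http_host;
    }

    # xmpp websockets; $prefix is set by the subdomain location further down
    # and is empty for plain rooms (nginx may log an "uninitialized variable"
    # warning for that case)
    location = /xmpp-websocket {
        proxy_pass http://127.0.0.1:5280/xmpp-websocket?prefix=$prefix&$args;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        tcp_nodelay on;
    }

    # single path component: a real file, or else a room name served from /
    location ~ ^/([^/?&:'"]+)$ {
        try_files $uri @root_path;
    }

    location @root_path {
        rewrite ^/(.*)$ / break;
    }

    # <subdomain>/config.js: same config file, with the subdomain variables
    # available to the SSI includes in it
    location ~ ^/([^/?&:'"]+)/config.js$
    {
       set $subdomain "$1.";
       set $subdir "$1/";

       alias /etc/jitsi/meet/jitsi.mydomain.mytld-config.js;
    }

    # Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
    location ~ ^/([^/?&:'"]+)/(.*)$ {
        set $subdomain "$1.";
        set $subdir "$1/";
        rewrite ^/([^/?&:'"]+)/(.*)$ /$2;
    }

    # BOSH for subdomains
    location ~ ^/([^/?&:'"]+)/http-bind {
        set $subdomain "$1.";
        set $subdir "$1/";
        set $prefix "$1";

        rewrite ^/(.*)$ /http-bind;
    }

    # websockets for subdomains
    location ~ ^/([^/?&:'"]+)/xmpp-websocket {
        set $subdomain "$1.";
        set $subdir "$1/";
        set $prefix "$1";

        rewrite ^/(.*)$ /xmpp-websocket;
    }
}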

But do NOT link it into sites-enabled yet: it references the Let's Encrypt certificate files, which only exist after the certbot step below, and nginx refuses to start while a configured certificate file is missing.

Add well-known.conf to nginx/snippets:

# ACME challenge directory, shared by every vhost that includes this snippet.
# The prefix location plus the trailing slash on the alias map
# /.well-known/<x> to /var/www/letsencrypt/.well-known/<x>.
location /.well-known/ {
    # never gated by an access list or basic auth from the enclosing server
    auth_basic off;
    allow all;
    default_type text/plain;
    alias /var/www/letsencrypt/.well-known/;
}

Add cache-expire.conf to nginx/snippets (note: neither this snippet nor deny-dot.conf / redirect-https.conf below is referenced by the server blocks above; add an `include snippets/<name>;` line to a server block where you want them):

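# long-lived caching for static assets.  The dot is escaped so the pattern
# matches a real file extension; the unescaped "." matched any character, so
# e.g. "/xjs" or "/abgz" were also cached as static files.
# (add_header here replaces any server-level add_header lines, e.g. HSTS.)
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
    expires max;
    add_header Pragma public;
    add_header Cache-Control public;
}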

Add deny-dot.conf to nginx/snippets:

# deny access to any dot-files (except .well-known)

# PCRE negative lookahead: any "/." path component that is not "/.well-known/"
# (.git, .htaccess, .env, ...) is refused with 403.
location ~ /\.(?!well-known/). {
    deny all;
}

Add redirect-https.conf to nginx-snippets:

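# force HTTPS.  "return" with $request_uri is the idiomatic form (and the one
# the jitsi vhost's port-80 block uses): it keeps the raw path and query
# string, and avoids rewrite processing inside "if".
if ($scheme != "https") {
    return 301 https://$host$request_uri;
}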

Restart nginx.

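# validate the config before restarting so a typo does not take nginx down
nginx -t && service nginx restart
apt-get -y install python3-venv
# certbot lives in its own venv; the cron job below relies on this path
python3 -m venv /usr/local/bin/certbot_venv
source /usr/local/bin/certbot_venv/bin/activate
pip install --upgrade pip
# certbot-dns-rfc2136 is only needed if you switch to DNS-01 validation;
# the --webroot authenticator used below is part of certbot itself
pip install setuptools certbot certbot-dns-rfc2136
# the webroot that nginx serves under /.well-known/ (snippets/well-known.conf)
mkdir -p /var/www/letsencrypt
chown www-data:www-data /var/www/letsencrypt
certbot certonly --webroot --webroot-path /var/www/letsencrypt -d jitsi.mydomain.mytld
deactivate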

Add a weekly cron job that renews the certificate and reloads nginx afterwards:

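# Weekly renewal with a random delay of up to one hour to spread load on
# Let's Encrypt.  The venv's certbot is called by full path, so cron's /bin/sh
# does not need to source activate/deactivate.  --deploy-hook is the current
# name of --renew-hook and runs only when a certificate was actually renewed.
printf '%s\n' "0 0 * * 1 root perl -e 'sleep int(rand(3600))' && /usr/local/bin/certbot_venv/bin/certbot -q renew --deploy-hook 'systemctl reload nginx'" > /etc/cron.d/certbot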

Activate jitsi in nginx and restart nginx:

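ln -s /etc/nginx/sites-available/jitsi.mydomain.mytld.conf /etc/nginx/sites-enabled/jitsi.mydomain.mytld.conf
# check the new vhost (and the certificate paths it references) before
# restarting, so a mistake does not leave nginx down
nginx -t && service nginx restart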

IMPORTANT: have nginx installed and listening on port 443 BEFORE installing jitsi-meet – the Jitsi installer checks for an existing web server and otherwise takes port 443/4443 itself.

Install jitsi:

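# apt-key is deprecated (and removed in newer Debian releases).  Store the
# Jitsi key in its own keyring and bind it to this repository with signed-by,
# so it cannot vouch for packages from any other source.  gpg is needed for
# --dearmor.  No sudo: like the rest of this guide, this runs as root.
apt-get -y install gnupg
wget -qO - https://download.jitsi.org/jitsi-key.gpg.key | gpg --dearmor > /usr/share/keyrings/jitsi-keyring.gpg
echo 'deb [signed-by=/usr/share/keyrings/jitsi-keyring.gpg] https://download.jitsi.org stable/' > /etc/apt/sources.list.d/jitsi-stable.list
apt-get update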

Set Hostname during installation.
When asked about the certificate, choose SELF-SIGNED: nginx already terminates TLS in front of Jitsi with the Let's Encrypt certificate configured above.

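# apt-get rather than apt (apt's CLI is not meant for scripts).  Deliberately
# no -y: the debconf dialog asks for the hostname and certificate type above.
apt-get install jitsi-meet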

Corporate firewall stuff:
NATed corporate clients need outbound access to your external server on ports 80, 443, 4443 and 10000 (10000 is normally UDP for the videobridge media stream; 4443 is the TCP fallback).
There is no need to allow incoming connections to the clients; only the server has to accept connections on those ports.
Avoid proxies for performance.

Reduce video quality for large crowds by editing `/etc/jitsi/meet/jitsi.mydomain.mytld-config.js`; the `diff` output below shows the changed lines: set `resolution` to 360 and the matching `constraints.video.height` block:

resolution: 360,
---
      constraints: {
          video: {
              height: {
                  ideal: 360,
                  max: 360,
                  min: 180
              }
          }
      },

Use youtube streaming for even larger crowds.

Tune the skin via /usr/share/jitsi-meet/interface_config.js

On errors: check the nginx paths to the Let's Encrypt certificates, and make sure the ACME challenge location in the jitsi vhost serves the same webroot certbot writes to (`/var/www/letsencrypt`); otherwise renewals fail with 404 once that vhost is enabled.

Use Chrome or Firefox. Firefox needs a lot more bandwidth.

Credits: uwe [ https://runlevel3.de ]

 
