1 of 45

Note - you are muted by default

Please enter your name - click on “me” to edit

Chat window

Raise hand to get moderator’s attention

2 of 45

Intro from the President (Wyatt)

3 of 45

Reminder: due payments (Brad)

4 of 45

Moderated roundtable (Troy)

5 of 45

Hands on with

Overview, Installation, Configuration

Troy Denton, P.Eng.

May 2020

6 of 45

Intro to Jitsi

  • https://jitsi.org/
  • Started as Emil Ivov’s project, “JSPhone”, “SIP Communicator”
  • Ivov founds the “Blue Jimp” company
  • “SIP Communicator” renamed to “Jitsi”
  • Bought by Atlassian, and then by 8x8

7 of 45

Intro to Jitsi

  • Open source product. Server packages for Debian and Ubuntu are available
  • Written primarily in Java
  • Integrates a number of applications to deliver the service
    • NGINX (Web server)
    • Prosody (XMPP server)
    • letsencrypt/certbot
    • jitsi-videobridge2
    • jicofo

8 of 45

Intro to Jitsi

  • Works with modern browsers via WebRTC

9 of 45

Intro to Jitsi

  • On mobile devices, it is recommended to use their app.

10 of 45

Dive in - no install required

  • You can start a meeting today with nothing but your browser, at https://meet.jit.si. Free of charge!

  • Enter a unique conference name - don’t use something that other people would commonly use (“Test”, “meeting”, etc.). You will likely get unwanted visitors.

11 of 45

What about E2EE?

  • In a one-on-one meeting, Jitsi is end-to-end encrypted. In fact, the video doesn’t flow through the server at all; it’s a p2p connection.
  • With 3+ attendees, Jitsi is not currently end-to-end encrypted

  • Full end-to-end encryption depends on the “insertable stream API” that is coming soon to a browser near you. Once this becomes a stable feature, Jitsi’s full E2EE won’t be far behind.

12 of 45

What about E2EE? 2 parties

Signalling, https

Video, DTLS-SRTP

13 of 45

What about E2EE? - 3+ parties

14 of 45

Why would my organization use Jitsi?

  • You want to minimize costs for your video conferencing platform
  • You trust your security team more than your current video conferencing provider
  • You endeavour to use open source software wherever possible
  • You want an easy-to-use video conferencing tool
  • You want to customize or add functionality to your video conferencing platform

15 of 45

Case study: 24-7 Intouch

  • Hiring remote call center employees - need to conduct many interviews
  • Wanted something easy to use
  • Wanted something with low expense, fast setup time
  • Require interview audio recordings

16 of 45

Case study: 24-7 Intouch

What worked well:

  • Was able to go from “no video conferencing” -> “we have branded video conferencing” in under a day
  • Jitsi’s SIP integration allowed us to connect it to
  • Automatic interview recording was relatively painless to implement (custom software required)
  • People within the company prefer it to other video call services

17 of 45

Case study: 24-7 Intouch

What didn’t work so well:

  • Most interviewees are connecting from a mobile device, and had to use the jitsi mobile app
  • This was not as intuitive as clicking the provided interview link. Many interviews reverted to using a phone call
  • Our interviewers were forced to do basic tech support as a result, which stressed out both parties
  • Ultimately went back to a phone based solution

18 of 45

Jitsi Installation

  • Let’s tempt fate with a live install demo - jitsi-test.troydenton.ca

  • Warning - installation is much easier on a machine that does not already have nginx, etc. Highly recommend using a dedicated machine for this purpose.

19 of 45

Jitsi Installation

20 of 45

Jitsi Installation

Set up the Fully Qualified Domain Name (FQDN) (optional)

If the machine used to host the Jitsi Meet instance has a FQDN (for example meet.example.org) already set up in DNS, /etc/hostname must contain this FQDN; if this is not the case yet, change the hostname.

Then add the same FQDN in the /etc/hosts file, associating it with the loopback address:

127.0.0.1 localhost your.fqdn.org

21 of 45

Jitsi Installation

Install wget (not installed on Debian by default).

Add the Jitsi package repository

echo 'deb https://download.jitsi.org stable/' | sudo tee /etc/apt/sources.list.d/jitsi-stable.list

wget -qO - https://download.jitsi.org/jitsi-key.gpg.key | sudo apt-key add -

22 of 45

Jitsi Installation

Install Jitsi Meet

Note: The installer will check if Nginx or Apache is present (in that order) and configure a virtualhost within the web server it finds to serve Jitsi Meet. If none of the above is found it then defaults to Nginx. If you are already running Nginx on port 443 on the same machine turnserver configuration will be skipped as it will conflict with your current port 443.

apt-get install apt-transport-https

apt-get update

apt-get -y install jitsi-meet

23 of 45

Jitsi Installation

24 of 45

Jitsi Installation

25 of 45

Jitsi Installation

Generate a Let's Encrypt certificate (optional, recommended)

In order to have encrypted communications, you need a TLS certificate. The easiest way is to use Let's Encrypt.

Note: Jitsi Meet mobile apps require a valid certificate signed by a trusted Certificate Authority (such as a Let's Encrypt certificate) and will not be able to connect to your server if you choose a self-signed certificate.

Simply run the following in your shell:

sudo /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh

Enter your email and hit enter. If your DNS and hosts file are in order, it will complete automatically.

26 of 45

Jitsi Installation

That’s it for the base installation!

https://jitsi-demo.troydenton.ca

27 of 45

Behind the curtains - multiple daemons

Webserver, web app content

28 of 45

Behind the curtains - multiple daemons

Room creation and management logic

29 of 45

Behind the curtains - multiple daemons

Extensible XMPP server

30 of 45

Behind the curtains - multiple daemons

Video stream processor

“Selective Forwarding Unit”

31 of 45

Behind the curtains - SFU

Selective Forwarding Unit : instead of mixing all video on the server, send last N relevant streams to all participants. Let clients do the video rendering.

“Last N: The SFU only forwards a fixed number of video streams (N) to each endpoint, and changes the set of forwarded streams dynamically according to audio activity.”

32 of 45

Behind the curtains - relevant services

Systemd services:

  • nginx
  • jitsi-videobridge2
  • jicofo
  • prosody

Managed with systemctl, e.g. ‘sudo systemctl restart jitsi-videobridge2’

33 of 45

Behind the curtains - pertinent files

Logs:

  • /var/log/jitsi/jvb.log - logs from the video bridge
  • /var/log/jitsi/jicofo.log - room creation, destruction
  • /var/log/prosody/prosody.log /var/log/prosody/prosody.err
    • XMPP server logs

34 of 45

Behind the curtains - pertinent files

Config directories:

  • /etc/jitsi/meet
    • Configuration for the web app
  • /etc/jitsi/jicofo
    • Configuration for conference management
  • /etc/jitsi/videobridge
  • /etc/prosody
    • Configuration for e.g. moderator login goes here
  • /etc/nginx

35 of 45

Customization 1: Let’s change the logo

Logo is the “watermark.png” located in /usr/share/jitsi-meet/images

Simply replace it

E.g., with

http://muug.mb.ca/images/muug-ca-logo-hires.png

36 of 45

Customization 2: moderator auth

The default behaviour is that anyone can start a meeting, and every attendee has moderator privileges. Sometimes, more control is desired.

The installation can be configured such that a moderator must unlock the room first

The following steps come from this forum post:

https://community.jitsi.org/t/how-to-introduce-authentication-to-start-a-meeting-in-jitsi-secure-moderator-my-comprehensive-tutorial-for-the-beginner/41163

37 of 45

Customization 2: moderator auth

Configuration of prosody, set authentication

In /etc/prosody/conf.avail/your.fqdn.org.cfg.lua

Step 1) Change authentication from “anonymous” to “internal_plain”:

VirtualHost "your.fqdn.org"

authentication = "internal_plain"

38 of 45

Customization 2: moderator auth

Step 2) In the same file, add a new VirtualHost at the bottom of the file:

-- Allow our guests to join a conference without the need for a password

-- BELOW VIRTUALHOST NAME SHOULD NOT(!) BE REGISTERED IN DNS!

VirtualHost "guest.your.fqdn.org"

authentication = "anonymous"

c2s_require_encryption = false

39 of 45

Customization 2: moderator auth

Add moderators to Jitsi

In the terminal, run the following command:

sudo prosodyctl register igor your.fqdn.org

40 of 45

Customization 2: moderator auth

Configuration of jicofo

/etc/jitsi/jicofo/sip-communicator.properties

Add a new authentication line at the bottom of this file:

org.jitsi.jicofo.auth.URL=XMPP:your.fqdn.org

41 of 45

Customization 2: moderator auth

Uncomment anonymousdomain and set the domain to enable guests to join us:

/etc/jitsi/meet/your.fqdn.org-config.js

hosts: {

// XMPP domain.

domain: 'your.fqdn.org',

// When using authentication, domain for guest users.

// BELOW VIRTUALHOST NAME SHOULD NOT(!) BE REGISTERED IN DNS!

anonymousdomain: 'guest.your.fqdn.org',

42 of 45

Customization 2: moderator auth

Restart all services and test the changes:

systemctl restart prosody jicofo jitsi-videobridge2

Test it out at https://jitsi-demo.troydenton.ca - it should prompt for a moderator to start the room. Once the room is started, guests can join anonymously.
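
A quick way to audit the four settings from the steps above before relying on them (an added example, not part of the original slides or the forum post). The function names and the sample files are made up for illustration; your.fqdn.org is the placeholder used throughout this deck.

```shell
#!/bin/sh
# Added example: audit the "secure domain" settings from the steps above.

# Print the authentication mode set under VirtualHost "$1" in Prosody config $2.
vhost_auth() {
    awk -v host="$1" '
        /^[ \t]*--/ { next }                              # skip Lua comments
        /^[ \t]*(VirtualHost|Component)[ \t]/ {           # a new section starts
            in_host = ($1 == "VirtualHost" && $2 == ("\"" host "\"")); next
        }
        in_host && /^[ \t]*authentication[ \t]*=/ { split($0, q, "\""); print q[2]; exit }
    ' "$2"
}

# Return 0 only if all four settings are in place; print one line per gap.
# Args: FQDN, Prosody host config, jicofo properties, Jitsi Meet config.js.
check_secure_domain() {
    fqdn=$1 rc=0
    [ "$(vhost_auth "$fqdn" "$2")" = "internal_plain" ] ||
        { echo "GAP: $fqdn is not internal_plain, so anyone can start a room"; rc=1; }
    [ "$(vhost_auth "guest.$fqdn" "$2")" = "anonymous" ] ||
        { echo "GAP: no anonymous guest.$fqdn VirtualHost, guests cannot join"; rc=1; }
    grep -Fxq "org.jitsi.jicofo.auth.URL=XMPP:$fqdn" "$3" ||
        { echo "GAP: jicofo auth URL is not XMPP:$fqdn"; rc=1; }
    grep -v '^[[:space:]]*//' "$4" | grep -Fq "anonymousdomain: 'guest.$fqdn'" ||
        { echo "GAP: anonymousdomain is commented out or wrong"; rc=1; }
    return "$rc"
}

# Constructed sample files (not from a real server). $2=yes writes the hardened
# variant, anything else the post-install default.
write_sample() {
    if [ "$2" = yes ]; then auth=internal_plain c=""; else auth=anonymous c="// "; fi
    printf 'VirtualHost "your.fqdn.org"\n    authentication = "%s"\n' "$auth" > "$1/prosody.cfg.lua"
    printf 'Component "conference.your.fqdn.org" "muc"\n' >> "$1/prosody.cfg.lua"
    : > "$1/jicofo.properties"
    if [ "$2" = yes ]; then
        printf 'VirtualHost "guest.your.fqdn.org"\n    authentication = "anonymous"\n' >> "$1/prosody.cfg.lua"
        echo 'org.jitsi.jicofo.auth.URL=XMPP:your.fqdn.org' > "$1/jicofo.properties"
    fi
    printf "hosts: {\n    domain: 'your.fqdn.org',\n    %sanonymousdomain: 'guest.your.fqdn.org',\n" "$c" > "$1/config.js"
}

tmp=$(mktemp -d)
write_sample "$tmp" yes
check_secure_domain your.fqdn.org "$tmp/prosody.cfg.lua" "$tmp/jicofo.properties" "$tmp/config.js" &&
    echo "secure domain settings present"
```

On a real server, pass the files named in the steps above instead of the sample files.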

43 of 45

Customization 2: moderator auth

An observation: prosody may give you an error as follows. Apparently it is not an issue:

44 of 45

Further configurations

Jitsi has other integrations you can install and configure, including:

  • jigasi, a gateway that enables participants to “dial in” to meetings
    • VoIP account required
    • Latest version is not so stable. Use 1.0-235
  • jibri, a means to record/stream Jitsi conferences
  • Dropbox integrations - record your meetings directly to Dropbox
  • Likely others that I am not yet aware of :)

45 of 45

End of prepared material

Questions?