Jitsi install with HAProxy
Prerequisites
The way I was able to set this up was with an LXC container holding the actual Prosody/Jicofo/Jitsi Videobridge components. This was fronted by HAProxy plus some iptables rules (Nginx can also be used to get the RTC stream through). You'll need:
- Physical host
- FQDN (DNS name) pointing to an IPv4 address on that physical host
- HAProxy
- iptables firewall
- Some type of hypervisor or container virtualization
Create LXC container
Fire up a new one:
lxc-create -n jitsi-container -t debian -- -r buster
Install the parts inside the LXC container
Get inside and prepare to install the needed software:
echo 'deb https://download.jitsi.org stable/' >> /etc/apt/sources.list.d/jitsi-stable.list
wget -qO - https://download.jitsi.org/jitsi-key.gpg.key | sudo apt-key add -
apt-get update
apt-get -u dist-upgrade
apt-get install vim mtr-tiny gpg
I had to get the dialog frontend into noninteractive mode in order to be able to install from within LXC.
export DEBIAN_FRONTEND=noninteractive
apt-get -y install jitsi-meet
Set up HAProxy and iptables
I already had a running HAProxy with SSL certs from Let's Encrypt, so I only had to add the following:
frontend FE-HTTP-443
    bind 0.0.0.0:443 tfo ssl crt /etc/haproxy/ssl/example.org.pem alpn h2,http/1.1
    # rspadd was removed in HAProxy 2.1; on newer versions use
    # http-response set-header Strict-Transport-Security "max-age=31536000"
    rspadd Strict-Transport-Security:\ max-age=31536000
    mode http
    option forwardfor
    option http-server-close
    option httpclose
    compression algo gzip
    compression type text/css text/html text/javascript application/javascript text/plain text/xml application/json
    # Never trust a client-supplied X-Forwarded-Proto; set it ourselves
    http-request del-header X-Forwarded-Proto
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    acl is-jitsi hdr(host) -i jitsi-meet.example.org
    # Routing keys on the TLS SNI, not the Host header
    use_backend BE-JITSI if { ssl_fc_sni jitsi-meet.example.org }
    # ...
# Second listener for the JVB TCP harvester (ICE over TCP fallback)
frontend FE-HTTP-55555
    bind 0.0.0.0:55555 tfo ssl crt /etc/haproxy/ssl/example.org.pem alpn h2,http/1.1
    rspadd Strict-Transport-Security:\ max-age=31536000
    mode http
    option forwardfor
    option http-server-close
    option httpclose
    compression algo gzip
    compression type text/css text/html text/javascript application/javascript text/plain text/xml application/json
    http-request del-header X-Forwarded-Proto
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    default_backend BE-JITSI-55555
backend BE-JITSI
    mode http
    balance source
    stick-table type ip size 50k expire 30m
    stick on src
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    # "verify none": the container's self-signed cert is not checked; the
    # hop is on the internal 10.120.240.0/24 network only
    server JitsiMeet 10.120.240.10:443 ssl verify none
backend BE-JITSI-55555
    mode http
    balance source
    option redispatch
    option forwardfor
    option http-server-close
    option http-pretend-keepalive
    http-response set-header X-Frame-Options SAMEORIGIN
    # Transparent proxying: JVB sees the real client IP as the source
    source 0.0.0.0 usesrc clientip
    server JitsiMeet 10.120.240.10:55555 ssl verify none
That's for the TCP part of things. For the UDP RTC stream I decided to set up iptables. Again, I already had a (somewhat) functioning set of rules.
# Allow forwarded UDP 10000 (JVB media) into the container network
iptables -A FORWARD -j ACCEPT -d 10.120.240.0/24 -p udp -m multiport --dport 10000
# DNAT inbound UDP 10000 on the public address to the JVB container
iptables -A PREROUTING -t nat -p udp -d $EXTERNAL_IP_ADDRESS --dport 10000 -j DNAT --to 10.120.240.10:10000
Configure JVB
Here are the relevant bits from /etc/jitsi/videobridge/sip-communicator.properties:
org.ice4j.ice.harvest.DISABLE_AWS_HARVESTER=true
#org.ice4j.ice.harvest.STUN_MAPPING_HARVESTER_ADDRESSES=meet-jit-si-turnrelay.jitsi.net:443
org.jitsi.videobridge.DISABLE_UDP_HARVESTER=false
org.jitsi.videobridge.DISABLE_TCP_HARVESTER=false
org.jitsi.videobridge.TCP_HARVESTER_PORT=55555
org.jitsi.videobridge.ENABLE_STATISTICS=true
org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=10.120.240.10
org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=<YOUR EXTERNAL IP>
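The TCP harvester port, the container address and the public address above have to agree with the HAProxy frontend and backend, or media silently fails to flow. The following Python check is an added example, not part of the original post or of Jitsi; the two sample inputs are constructed from the settings shown here, and a real run would read the two files instead.

```python
import ipaddress
import re

# Constructed sample inputs mirroring the settings on this page (not live configs).
JVB_PROPS = """\
org.jitsi.videobridge.DISABLE_TCP_HARVESTER=false
org.jitsi.videobridge.TCP_HARVESTER_PORT=55555
org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=10.120.240.10
org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=<YOUR EXTERNAL IP>
"""
HAPROXY_CFG = """\
frontend FE-HTTP-55555
    bind 0.0.0.0:55555 tfo ssl crt /etc/haproxy/ssl/example.org.pem alpn h2,http/1.1
    default_backend BE-JITSI-55555
backend BE-JITSI-55555
    server JitsiMeet 10.120.240.10:55555 ssl verify none
"""

def parse_props(text):
    """Java-style key=value file; lines starting with '#' are comments."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if l.strip() and not l.lstrip().startswith("#") and "=" in l)
    return {k.strip(): v.strip() for k, v in pairs}

def parse_haproxy(text):
    """Return (set of bind ports, set of (ip, port) backend server entries)."""
    binds = {int(p) for p in re.findall(r"^\s*bind\s+\S*?:(\d+)", text, re.M)}
    servers = {(ip, int(p)) for ip, p in
               re.findall(r"^\s*server\s+\S+\s+([\d.]+):(\d+)", text, re.M)}
    return binds, servers

def check_jvb_against_haproxy(props_text, haproxy_text):
    """List mismatches between JVB harvester settings and the HAProxy config."""
    props = parse_props(props_text)
    binds, servers = parse_haproxy(haproxy_text)
    findings = []
    if props.get("org.jitsi.videobridge.DISABLE_TCP_HARVESTER", "false") == "false":
        port = int(props.get("org.jitsi.videobridge.TCP_HARVESTER_PORT", "0"))
        local = props.get("org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS", "")
        if port not in binds:
            findings.append(f"HAProxy has no frontend bound on TCP port {port}")
        if (local, port) not in servers:
            findings.append(f"HAProxy has no backend server entry {local}:{port}")
    pub = props.get("org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS", "")
    try:  # the public address must be a routable IP, not a placeholder or RFC1918
        if not ipaddress.ip_address(pub).is_global:
            findings.append(f"NAT_HARVESTER_PUBLIC_ADDRESS {pub} is not a public address")
    except ValueError:
        findings.append(f"NAT_HARVESTER_PUBLIC_ADDRESS is not an IP address: {pub!r}")
    return findings
```

Run against the sample inputs it reports only the unfilled public address; once that is replaced by the real external IP the list is empty.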
Secure your installation
I strongly suggest that you secure your installation so that only authorized people can create new rooms:
References
Started off with the Jitsi part of the first one, but ended up having to use the actual Jitsi docs (YMMV).