Jitsi install with HAProxy

Prerequisites

The setup that worked for me is an LXC container holding the actual Prosody/Jicofo/Jitsi Videobridge components, fronted by an HAProxy instance plus some iptables rules (Nginx can also be used to get the RTC stream going). You’ll need:

  • Physical host

  • FQDN (DNS name) pointing to an IPv4 address on that physical host

  • HAProxy

  • IPTables firewall

  • Some type of hypervisor or container virtualization

Create LXC container

Fire up a new one:

lxc-create -n jitsi-container -t debian -- -r buster

Install the parts inside the LXC container

Get inside and prepare to install the needed software:

# run as root inside the container; gpg must be present before apt-key can import the repository key
apt-get install vim mtr-tiny gpg
echo 'deb https://download.jitsi.org stable/' >> /etc/apt/sources.list.d/jitsi-stable.list
wget -qO - https://download.jitsi.org/jitsi-key.gpg.key | apt-key add -
apt-get update
apt-get -u dist-upgrade

I had to get the dialog frontend into noninteractive mode in order to be able to install from within LXC.

export DEBIAN_FRONTEND=noninteractive
apt-get -y install jitsi-meet

Setup HAProxy and iptables

I already had a running HAProxy with SSL certs from Let's Encrypt, so I only had to add the following:

frontend FE-HTTP-443
        bind 0.0.0.0:443 tfo ssl crt /etc/haproxy/ssl/example.org.pem alpn h2,http/1.1
        # rspadd is deprecated; recent HAProxy releases spell this as
        # http-response add-header Strict-Transport-Security max-age=31536000
        rspadd Strict-Transport-Security:\ max-age=31536000
        mode            http
        option          forwardfor
        option          http-server-close
        option          httpclose
        compression algo gzip
        compression type text/css text/html text/javascript application/javascript text/plain text/xml application/json
        http-request del-header X-Forwarded-Proto
        http-request set-header X-Forwarded-Proto https if { ssl_fc }
        # the is-jitsi ACL is defined but not referenced; routing is done on the TLS SNI below
        acl             is-jitsi hdr(host) -i jitsi-meet.example.org
        use_backend     BE-JITSI  if { ssl_fc_sni jitsi-meet.example.org }
        # ...

frontend FE-HTTP-55555
        bind 0.0.0.0:55555 tfo ssl crt /etc/haproxy/ssl/example.org.pem alpn h2,http/1.1
        rspadd Strict-Transport-Security:\ max-age=31536000
        mode            http
        option          forwardfor
        option          http-server-close
        option          httpclose
        compression algo gzip
        compression type text/css text/html text/javascript application/javascript text/plain text/xml application/json
        http-request del-header X-Forwarded-Proto
        http-request set-header X-Forwarded-Proto https if { ssl_fc }
        default_backend BE-JITSI-55555

backend BE-JITSI
        mode http
        balance source
        stick-table type ip size 50k expire 30m
        stick on src
        timeout connect 30s
        timeout server 30s
        http-reuse safe
        # 'verify none' skips checking the bridge's certificate; on a shared container network
        # prefer 'verify required' together with 'ca-file <your-ca.pem>'
        server JitsiMeet 10.120.240.10:443 ssl verify none

backend BE-JITSI-55555
        mode http
        balance source
        option redispatch
        option forwardfor
        option http-server-close
        option http-pretend-keepalive
        http-response set-header X-Frame-Options SAMEORIGIN
        source 0.0.0.0 usesrc clientip
        # same caveat as above: the bridge's certificate is not verified
        server JitsiMeet 10.120.240.10:55555 ssl verify none

That’s for the TCP part of things. For the UDP RTC stream I decided to set up iptables. Again, I already had a (somewhat) functioning set of rules.

# allow forwarded UDP media (port 10000) into the container network
iptables -A FORWARD -j ACCEPT -d 10.120.240.0/24 -p udp -m multiport --dport 10000
# DNAT the public media port to the bridge; $EXTERNAL_IP_ADDRESS is the host's public IPv4 address
iptables -A PREROUTING -t nat -p udp -d $EXTERNAL_IP_ADDRESS --dport 10000 -j DNAT --to 10.120.240.10:10000

Configure JVB

Here are the relevant bits from /etc/jitsi/videobridge/sip-communicator.properties:

org.ice4j.ice.harvest.DISABLE_AWS_HARVESTER=true
#org.ice4j.ice.harvest.STUN_MAPPING_HARVESTER_ADDRESSES=meet-jit-si-turnrelay.jitsi.net:443
org.jitsi.videobridge.DISABLE_UDP_HARVESTER=false
org.jitsi.videobridge.DISABLE_TCP_HARVESTER=false
org.jitsi.videobridge.TCP_HARVESTER_PORT=55555
org.jitsi.videobridge.ENABLE_STATISTICS=true
org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=10.120.240.10
org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=<YOUR EXTERNAL IP>
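The HAProxy backends, the iptables DNAT rule and the JVB properties above all have to agree on the same addresses and ports, and it is easy to edit one without the others. As an added example (not part of the original post or of the Jitsi project), the following Python script parses constructed copies of the three snippets and reports mismatches: backend and DNAT targets that differ from NAT_HARVESTER_LOCAL_ADDRESS, a TCP_HARVESTER_PORT that no backend forwards to, an unreplaced public-address placeholder, and backends using 'verify none'. The function names and the wording of the findings are my own.

```python
"""Cross-check HAProxy, iptables and Jitsi Videobridge settings for agreement.
Added example, not part of the original post; the three config strings below
are constructed copies of the snippets shown above."""
import re

# Constructed copy of the HAProxy frontend/backends (only the lines the checker needs).
HAPROXY_CFG = """
frontend FE-HTTP-55555
        default_backend BE-JITSI-55555

backend BE-JITSI
        server JitsiMeet 10.120.240.10:443 ssl verify none

backend BE-JITSI-55555
        server JitsiMeet 10.120.240.10:55555 ssl verify none
"""

# Constructed copy of the iptables rules; $EXTERNAL_IP_ADDRESS is left as a variable.
IPTABLES_RULES = """
iptables -A FORWARD -j ACCEPT -d 10.120.240.0/24 -p udp -m multiport --dport 10000
iptables -A PREROUTING -t nat -p udp -d $EXTERNAL_IP_ADDRESS --dport 10000 -j DNAT --to 10.120.240.10:10000
"""

# Constructed copy of sip-communicator.properties; the placeholder is deliberately unreplaced.
JVB_PROPERTIES = """
org.ice4j.ice.harvest.DISABLE_AWS_HARVESTER=true
#org.ice4j.ice.harvest.STUN_MAPPING_HARVESTER_ADDRESSES=meet-jit-si-turnrelay.jitsi.net:443
org.jitsi.videobridge.DISABLE_TCP_HARVESTER=false
org.jitsi.videobridge.TCP_HARVESTER_PORT=55555
org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=10.120.240.10
org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=<YOUR EXTERNAL IP>
"""

IPV4 = r"\d+\.\d+\.\d+\.\d+"
SERVER_RE = re.compile(r"^\s*server\s+\S+\s+(" + IPV4 + r"):(\d+)(.*)$")
DNAT_RE = re.compile(r"--dport\s+(\d+)\s+-j\s+DNAT\s+--to\s+(" + IPV4 + r"):(\d+)")


def parse_haproxy_backends(cfg):
    """Map backend name -> {addr, port, verify_none} taken from its 'server' line."""
    backends, current = {}, None
    for line in cfg.splitlines():
        stripped = line.strip()
        if stripped.startswith("backend "):
            current = stripped.split()[1]
        elif stripped.startswith("frontend "):
            current = None  # server lines inside a frontend are not backends
        elif current:
            m = SERVER_RE.match(line)
            if m:
                backends[current] = {"addr": m.group(1), "port": int(m.group(2)),
                                     "verify_none": "verify none" in m.group(3)}
    return backends


def parse_properties(text):
    """Parse a Java-style properties file; lines starting with '#' are comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def parse_dnat(rules):
    """Extract public port and DNAT target from every '-j DNAT --to' rule."""
    return [{"pub_port": int(m.group(1)), "addr": m.group(2), "port": int(m.group(3))}
            for m in DNAT_RE.finditer(rules)]


def check_jitsi_setup(haproxy, iptables, props_text):
    """Return a list of findings; an empty list means the three configs agree."""
    findings = []
    backends = parse_haproxy_backends(haproxy)
    props = parse_properties(props_text)
    dnats = parse_dnat(iptables)
    local = props.get("org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS")
    public = props.get("org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS", "")
    tcp_port = props.get("org.jitsi.videobridge.TCP_HARVESTER_PORT")

    # The placeholder must be replaced, or clients are handed an unusable candidate.
    if not re.fullmatch(IPV4, public):
        findings.append(f"NAT_HARVESTER_PUBLIC_ADDRESS is not an IPv4 literal: {public!r}")
    # The TCP harvester port must be one that some HAProxy backend forwards to.
    if not any(tcp_port and b["port"] == int(tcp_port) for b in backends.values()):
        findings.append(f"no HAProxy backend forwards to TCP_HARVESTER_PORT {tcp_port}")
    # Every backend and every DNAT target must be the bridge's local address.
    for name, b in backends.items():
        if b["addr"] != local:
            findings.append(f"backend {name} targets {b['addr']}, JVB local address is {local}")
        if b["verify_none"]:
            findings.append(f"backend {name} uses 'verify none': bridge certificate is not checked")
    for d in dnats:
        if d["addr"] != local:
            findings.append(f"DNAT for UDP/{d['pub_port']} targets {d['addr']}, not {local}")
    if not dnats:
        findings.append("no UDP DNAT rule found; media will not reach the bridge")
    return findings


if __name__ == "__main__":
    for finding in check_jitsi_setup(HAPROXY_CFG, IPTABLES_RULES, JVB_PROPERTIES):
        print("WARN:", finding)
```

Run as-is against the constructed copies it reports three findings: the unreplaced placeholder and the two backends that skip certificate verification. Once the placeholder holds a real address and the backends use 'verify required' with a 'ca-file', the list is empty; point the three constants at your real files to use it on a live host.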

Secure your installation

I strongly suggest that you secure your installation so that only authorized people can create new rooms:

References

Started off with the Jitsi part of the first one, but ended up having to use the actual Jitsi docs (YMMV).