How to self-host a Jitsi Meet server with password protection

Updated: 05/01/2023 by Computer Hope
Jitsi self-hosted

Jitsi Meet is a free video conference application. It offers an open-source alternative to proprietary video conferencing applications, such as Skype or Zoom. Anyone can create an encrypted Jitsi video meeting by going to the Jitsi Meet website or installing the free Jitsi app.

The Jitsi Meet service can also be self-hosted. Using the open-source Jitsi Meet server, you can operate private, encrypted videoconferencing on the Internet, on a domain you control.

The following instructions show how to install the Jitsi Meet server on a VPS and configure authorization, so a username and password is required to create new meetings. These steps require an account with a VPS provider, such as Linode or Digital Ocean, and a registered domain name.

Create a Debian 9 VPS

Debian logo

Begin by creating a new VPS for your Jitsi Meet server. In the dashboard of your VPS provider, create a new virtual host running Debian 9, with at least 2 GB of RAM (recommended).

For example, if you are using Linode, from your Linode dashboard, choose Create > Linode. Under Choose a Distribution, select Debian 9 and a Linode plan that offers 2 GB RAM.

Or, if you are using Digital Ocean, from your Digital Ocean dashboard, choose Create > Droplets. Under Distributions, choose Debian 9.12 x64 and a Droplet plan that offers 2 GB RAM.

Update DNS records

Add A/AAAA DNS records to your domain with the subdomain name and the IPv4/IPv6 address of your new VPS.

For example, to host Jitsi at video.mydomain.com, log in to your domain registrar account, and edit the DNS records for mydomain.com. Add two records for hostname video, one with the IPv4 address (the "A" record), and one with the IPv6 address (the "AAAA" record).

If you don't want to use a subdomain (e.g., mydomain.com instead of video.mydomain.com), leave the hostname blank in the A/AAAA records.

Upgrade and secure VPS

Open a terminal or command prompt window. SSH to your VPS as the root user.

ssh root@ipaddress

Update the package list and upgrade installed software.

apt update && apt -y upgrade

Install sudo and UFW (Uncomplicated Firewall).

apt install -y sudo ufw

Configure firewall

Configure UFW to allow TCP communication on the ports used by SSH, HTTP, and HTTPS, and to allow UDP traffic on port 10000.

ufw allow ssh
ufw allow http
ufw allow https
ufw allow 10000/udp

Enable the firewall.

ufw enable

Set the hostname of the server to your FQDN, for example, video.mydomain.com.

hostnamectl set-hostname video.mydomain.com

Add the FQDN to your hosts file. Open the file /etc/hosts in a text editor, such as nano.

nano /etc/hosts

Find the line 127.0.0.1 localhost and append your FQDN.

127.0.0.1        localhost video.mydomain.com

Save the file and exit the editor. (In nano, press Ctrl+O, Enter to save the file, and Ctrl+X to exit.)

Create a user with sudo rights

Add a new user account. Replace myuser with your desired username.

adduser myuser

Add this user to the 'sudo' group, so it can run commands with sudo.

usermod -aG sudo myuser

Disable root SSH

Open the SSH daemon configuration file in a text editor.

nano /etc/ssh/sshd_config

Find the line PermitRootLogin yes, and change yes to no.

PermitRootLogin no

Save the file and exit the editor. (In nano, press Ctrl+O, Enter to save the file, and Ctrl+X to exit.)

Then, restart the SSH daemon.

systemctl restart sshd

Add SSH key

The following steps add an SSH key to the server to provide stronger security. These steps are optional, but recommended.

If you are still logged in to your SSH session, log out.

logout

If you do not have an existing SSH key, create one on your local machine. (If you have an existing key you want to use, skip this step.)

ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (C:\Users\neilg/.ssh/id_rsa):

Press Enter to use the default public/private key file names.

When prompted, choose a strong passphrase as an additional layer of security.

Enter passphrase (empty for no passphrase): This is my passphrase.

Transfer the key to your server using SSH. On Linux and macOS:

ssh-copy-id myuser@ipaddress

On Windows 10:

cd %USERPROFILE%
type .ssh\id_rsa.pub | ssh myuser@ipaddress "mkdir -p ~/.ssh;
  cat >> ~/.ssh/authorized_keys"

Log in to the VPS using your SSH key.

ssh myuser@ipaddress

When prompted, enter the key passphrase.

Next, disable password-based SSH authentication on the VPS. Open the SSH daemon configuration in a text editor.

sudo nano /etc/ssh/sshd_config

Find the line that reads #PasswordAuthentication yes. Change yes to no, and remove the # to uncomment the line.

PasswordAuthentication no

Save the file and exit the editor. Then, restart the SSH daemon.

sudo systemctl restart sshd

SSH logins are now restricted to users with the public and private key files who know the key passphrase.

As good practice, restrict access to the .ssh directory to your user only.

sudo chmod 600 ~/.ssh/*
sudo chmod 700 ~/.ssh

Install Jitsi Meet server

Powered by Jitsi

The following steps install the Jitsi Meet server package on your VPS.

First, enable installation of APT packages over HTTPS.

sudo apt install -y apt-transport-https

Add Jitsi to the list of APT repositories.

echo 'deb https://download.jitsi.org stable/' | sudo tee \
  /etc/apt/sources.list.d/jitsi-stable.list

Download and install the public encryption key of the Jitsi repository.

wget -qO -  https://download.jitsi.org/jitsi-key.gpg.key | sudo \
  apt-key add -

Update your APT package list.

sudo apt update

Install the Jitsi Meet server.

sudo apt install -y jitsi-meet

When prompted for the hostname of the current installation, enter your FQDN, including the subdomain, if any.

Jitsi hostname

Choose Generate a new self-signed certificate.

Generate self-signed certificate

Next, replace the self-signed certificate with a trusted certificate provided by Let's Encrypt.

sudo /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh

When prompted, enter an e-mail address to receive alerts or notifications about your certificate.

Enter your email and press [ENTER]: [email protected]

Certificate generation should take less than a minute. When it's done, your Jitsi Meet server is live on the Internet at your domain. You can create new meetings and invite users by sharing the meeting URL.

Jitsi Meet home

However, the application is not secure. Anyone who goes to your domain can create a new Jitsi meeting hosted on your server.

To prevent unauthorized access, the following steps enable authentication, so a username and password are required before a meeting is created.

Configure Prosody

Prosody is a component of Jitsi Meet that provides XMPP communication between users and the server. The following steps configure Prosody to authenticate users who create a Jitsi meeting.

Create a guest domain

On the VPS, switch user to root.

sudo su

Change to directory /etc/prosody/conf.avail/.

cd /etc/prosody/conf.avail/

Open the file fqdn.cfg.lua in a text editor.

nano video.mydomain.com.cfg.lua

In the VirtualHost section for your domain, change the authentication method from anonymous to internal_plain.

VirtualHost "video.mydomain.com"
        ...
        authentication = "internal_plain"
        ...

Above the existing VirtualHost section for your site, insert a new VirtualHost section. The name of this VirtualHost is guest.fqdn. For example, insert the following lines to create a new guest VirtualHost for the site video.mydomain.com.

VirtualHost "guest.video.mydomain.com"
        authentication = "anonymous"
        c2s_require_encryption = false
        modules_enabled = {
            "bosh";
            "pubsub";
            "ping";
            "speakerstats";
            "turncredentials";
            "conference_duration";
        }

Save the file and exit the editor. Then, exit the root account.

exit

Install module storage_memory

An optional Prosody module, storage_memory, enables a temporary memory storage for persistent information, including user session data. The module source code is available from Prosody's Mercurial repository.

Install Mercurial on your VPS.

sudo apt install -y mercurial

Create a temporary directory and change to it.

mkdir ~/temp && cd ~/temp

Clone the prosody modules repository to a new directory, prosody_modules.

hg clone 'https://hg.prosody.im/prosody-modules/' prosody-modules

Copy file mod_storage_memory.lua to directory /usr/lib/prosody/modules.

sudo cp prosody-modules/mod_storage_memory/*.lua /usr/lib/prosody/modules/.

Create a Jitsi anonymous domain

Configure Jitsi Meet to use an anonymous domain for users invited to a meeting.

Open the file /etc/jitsi/meet/fqdn-config.js in a text editor.

sudo nano /etc/jitsi/meet/video.mydomain.com-config.js

In the config variable, in the hosts key, add a new key named anonymousdomain, with the value guest.fqdn.

For example, if your guest domain is guest.video.mydomain.com, the entry should appear as follows. Note that the line ends in a comma.

var config = {
    ...
    hosts: {
            ...
            domain: 'video.mydomain.com',
            anonymousdomain: 'guest.video.mydomain.com',
            ...
        },
        ...
}

Save the file and close the text editor.

Configure Jicofo

Jicofo (Jitsi Conference Focus) is a component of Jitsi Meet that manages user sessions. The following steps configure Jicofo's SIP (Session Initiation Protocol) to use XMPP authentication.

Open the file /etc/jitsi/jicofo/sip-communicator.properties in a text editor.

sudo nano /etc/jitsi/jicofo/sip-communicator.properties

Add a new line with the following configuration. Replace video.mydomain.com with your FQDN.

org.jitsi.jicofo.auth.URL=XMPP:video.mydomain.com

Save the file and exit the editor.

Create Jitsi admin users

Prosody administrative functions are accessed using the prosodyctl command ("Prosody control").

To create a user/password for Jitsi Meet, run the command prosodyctl register username fqdn password.

sudo prosodyctl register alice video.mydomain.com secretpassword123

Repeat this command for any additional users you want to create.

Tip

Only users who create new meetings require an account. Connecting to an existing meeting does not require authorization.

Restart services

To apply the new configuration, restart the affected services.

sudo systemctl restart {prosody,jicofo,jitsi-videobridge2,nginx}

Now, only users with the correct username/password combination can create new meetings on your Jitsi server.

Creating new meetings

Follow these steps to create new meetings on your Jitsi server.

In a browser

On a laptop or desktop computer, open a browser to the address of your Jitsi server.

Under Start a new meeting, type a name for the meeting, and click Go.

Tip

This name appears in the URL you share with invitees. Meeting names are not case-sensitive.

Name Jitsi meeting

Click I am the host.

Verify you are host

Enter the Jitsi username and password you created, and click OK.

Account authentication

If authentication is successful, the conference goes live immediately.

Tip

You only need to authenticate once per browser session. To forget your current login, clear your browser cookies, see: How to enable, disable, view, or delete Internet cookies.

In the mobile app

Get the Jitsi app for iOS at the App Store, or for Android at the Play Store.

Open the Jitsi Meet app. Tap the menu button and choose Settings.

Jitsi mobile app

In settings, under Server URL, enter the domain of your Jitsi server.

Configure host in settings

Go back to the main app window. Enter a new meeting name, and tap create/join.

Create new meeting

Tap OK.

Verify host status

Enter the Jitsi username and password you created, and tap OK.

Enter name and password

If the app seems to freeze at "Connecting," wait a few seconds for authentication to complete.