Installation of serverside components for video conferencing

This document describes the installation of the videoconferencing backend.

In this installation guide we will install the following items.

  • Jitsi backend
  • Web UI frontend
  • Conference management server
  • SSO server
  • Video bridge (possibly multiple).

It is possible to install everything on the same machine but we recommend having a separate machine for the video bridge.

The video bridge machine should have eight CPU cores, a 1 Gbit connection and 8 GB of RAM. This should be enough for one hundred simultaneous users who are all in a video conference at the same time. For all the other services, a machine with 4 GB of RAM should be sufficient.

You should have Debian 10 Buster installed on the machines. If you want to use Debian 9 Stretch, you need to use Prosody from Backports. You may be able to use the procedure on newer Debian versions but should be prepared to adapt instructions and do your own troubleshooting.

Different parts of the setup are distributed in different ways:

  • Jitsi backend: Debian packages, Luarocks packages, zip package.
  • Web UI frontend: zip package
  • Conference management server (and possibly SSO server): Our docker repository
  • videobridge (possibly multiple videobridge servers): Debian repository

The DNS names for this tutorial will be

  • conf.example.com for your backend
  • ui.conf.example.com for Web UI frontend
  • conferencing-management.example.com for conferencing management
  • sso.example.com for SSO
  • guest.example.com for guest links

Videobridge does not need any DNS name.

Download the zipfile from Acrobits with some additional files. We will use them during installation.

This is the address of the zipfile: https://dist.acrobits.net/conference-files/conference-files.zip

Jitsi backend

Begin the installation by enabling our Debian repository

Note

This step is the same as in the SIPIS installation guide.

Note

You can use the official Jitsi repositories instead of our repository. We just keep the package version that is known to work.

wget -O - https://dist.acrobits.cz/debian/acrobits.gpg.key | apt-key add -

Create file /etc/apt/sources.list.d/Acrobits.list with

deb http://username:password@dist.acrobits.cz/debian buster main

Start by installing the package jitsi-videobridge2. The installation will ask for your domain (conf.example.com in this guide).

Stop and disable the jitsi-videobridge2 service using appropriate systemctl commands, unless you expect low traffic and wish to use the same machine for your videobridge.

Keep the files from /etc/jitsi/videobridge. You will need them later.

Then install the following packages:

  • jitsi-meet-prosody
  • jicofo
  • nginx
  • luarocks
  • liblua5.2-dev

Use luarocks to install packages basexx and net-url:

luarocks install basexx
luarocks install net-url

The additional files used in this section are in the backend directory of our ZIP package.

Apply the patch from the zip file. That is, run the following command:

patch /usr/lib/prosody/modules/muc/muc.lib.lua < muc_owner_allow_kick.patch

Replace file /usr/share/jitsi-meet/prosody-plugins/mod_token_verification.lua with the one from our zipfile.

Place the file mod_muc_status.lua into /usr/share/jitsi-meet/prosody-plugins/.

Run luarocks make in the luajwtjitsi directory from our ZIP file. This will install a fixed version of the luajwtjitsi package.

Open the prosody configuration file for your server: /etc/prosody/conf.d/conf.example.com.cfg.lua

Note

In the following steps, replace conf.example.com with your domain.

Add the following to the top of the file, just below plugin_paths:

admins = { "focus@auth.conf.example.com" }

Change cross_domain_bosh to true.

In the section for your domain (VirtualHost "conf.example.com") set the following (the asap_key_server URL points to the Conferencing management server described below):

authentication = "token"
app_id="acrobits_csp"
asap_key_server = "https://conferencing-management.example.com/public-keys"
enable_domain_verification = true

Also add the following modules to the modules_enabled section

  • presence_identity
  • muc_status

In the conference subdomain section (under Component "conference.conf.example.com" "muc") set the same app_id and asap_key_server as in the main section above. Enable the module token_verification and set restrict_room_creation = "local".
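A quick way to confirm that the edited Prosody file really carries every token-authentication setting listed above, so the server does not end up accepting unauthenticated room creation. This is an added example, not part of the Acrobits package; the function names and the sample file are constructed.

```shell
# Added example: check a Prosody config for the settings this guide lists.
check_prosody_token_cfg() {
    # Drop Lua line comments so commented-out settings do not count
    # (naive: a "--" inside a quoted string is cut as well).
    body=$(sed 's/--.*$//' "$1")
    missing=0
    need() {  # $1 = minimum number of lines, $2 = label, $3 = ERE
        n=$(printf '%s\n' "$body" | grep -Ec "$3" || true)
        [ "$n" -ge "$1" ] || { echo "missing: $2 ($n of $1)"; missing=1; }
    }
    s='[[:space:]]*'
    need 1 'admins with focus@auth'      "admins${s}=.*\"focus@auth\."
    need 1 'cross_domain_bosh = true'    "cross_domain_bosh${s}=${s}true"
    need 1 'authentication = "token"'    "authentication${s}=${s}\"token\""
    need 1 'enable_domain_verification'  "enable_domain_verification${s}=${s}true"
    # app_id and asap_key_server belong in the VirtualHost and the MUC component.
    need 2 'app_id in both sections'     "app_id${s}=${s}\"[^\"]+\""
    need 2 'asap_key_server over https'  "asap_key_server${s}=${s}\"https://"
    need 1 'restrict_room_creation'      "restrict_room_creation${s}=${s}\"local\""
    for m in presence_identity muc_status token_verification; do
        need 1 "module $m" "\"$m\""
    done
    return "$missing"
}

# Constructed sample: only the relevant lines of the file after the edits.
write_sample_cfg() {
    cat > "$1" <<'EOF'
admins = { "focus@auth.conf.example.com" }
cross_domain_bosh = true;
VirtualHost "conf.example.com"
    authentication = "token"
    app_id="acrobits_csp"
    asap_key_server = "https://conferencing-management.example.com/public-keys"
    enable_domain_verification = true
    modules_enabled = { "bosh"; "presence_identity"; "muc_status"; }
Component "conference.conf.example.com" "muc"
    app_id="acrobits_csp"
    asap_key_server = "https://conferencing-management.example.com/public-keys"
    modules_enabled = { "token_verification"; }
    restrict_room_creation = "local"
EOF
}
tmp=$(mktemp)
write_sample_cfg "$tmp"
check_prosody_token_cfg "$tmp" && echo "token auth settings present"
rm -f "$tmp"
```

On a real server, point the function at /etc/prosody/conf.d/conf.example.com.cfg.lua before restarting prosody.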

Get the TLS certificate for your domain (conf.example.com in this guide) and for your auth subdomain (auth.conf.example.com). Place the certificate (along with keys) into /etc/prosody/certs. You should have the following files there:

  • auth.conf.example.com.crt
  • auth.conf.example.com.key
  • conf.example.com.crt
  • conf.example.com.key

Make sure that the access rights of the certificates and keys are set so that prosody can access them.
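One way to check the four files listed above, as an added example that is not part of the Acrobits package: it verifies that each file exists, that no private key is accessible to "other" users, and, when run as root, that the service account can read them. The function name is made up, and the account name prosody (the Debian package's service user) is an assumption.

```shell
# Added example: sanity-check the certificate directory used by prosody.
check_prosody_certs() {  # $1 = directory, $2 = domain, $3 = service user (optional)
    dir=$1 domain=$2 user=${3:-prosody} bad=0
    for name in "auth.$domain" "$domain"; do
        for ext in crt key; do
            f="$dir/$name.$ext"
            if [ ! -s "$f" ]; then
                echo "missing or empty: $f"; bad=1; continue
            fi
            # Characters 8-10 of the mode string are the bits for "other" users;
            # -L follows symlinks, which certificate tools often create.
            other=$(ls -ldL "$f" | cut -c8-10)
            if [ "$ext" = key ] && [ "$other" != "---" ]; then
                echo "key accessible to others ($other): $f"; bad=1
            fi
            # As root, confirm the service account can actually read the file.
            if [ "$(id -u)" = 0 ] && id "$user" >/dev/null 2>&1 &&
               ! runuser -u "$user" -- test -r "$f"; then
                echo "not readable by $user: $f"; bad=1
            fi
        done
    done
    return "$bad"
}

# Constructed demo: four placeholder files in a scratch directory.
demo=$(mktemp -d)
for n in auth.conf.example.com conf.example.com; do
    echo placeholder > "$demo/$n.crt"; chmod 644 "$demo/$n.crt"
    echo placeholder > "$demo/$n.key"; chmod 640 "$demo/$n.key"
done
check_prosody_certs "$demo" conf.example.com no-such-user && echo "certificate files look sane"
rm -rf "$demo"
```

On the backend server, run it as root with /etc/prosody/certs and your own domain.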

Note

The auth subdomain is used for connections from videobridges to prosody. It is not strictly necessary to use a valid certificate here, but if you use a self-signed certificate, you need to configure your videobridges to accept it.

Make sure that /etc/jitsi/jicofo/sip-communicator.properties contains

org.jitsi.jicofo.auth.URL=XMPP:conf.example.com

Place the config.js file from our zipfile into /var/www/conferencing/config.js. Edit it and replace all occurrences of conf.example.com with your domain. Also replace ui.conf.example.com with the domain for your web UI.

The nginx configuration file for the backend is nginx_backend.conf. Place it into /etc/nginx/sites-enabled and edit the server name and paths to your certificates.

Restart services prosody, nginx and jicofo.

Conferencing management server

The conferencing management server is a service that controls access to your conference server. It uses an SSO server and an external authentication service to check the user’s credentials.

Start by installing Docker and Docker Compose. Then add our Docker registry.

docker login -u customer -p Aen1ieB5sh docker.acrobits.net

There are several possible configurations to consider when installing conference management server:

  • You do not have your own SSO server.
  • You already have one but wish to run conference management server on a different machine.
  • You already have one and wish to run conference management server on the same machine.

Without own SSO

In this section we will use the files in the conferencing-management/separate_sso directory of the provided ZIP file.

Place the file application.yml into /etc/acrobits/conferencing_management/application.yml. Change the password for the postgres database in the file to something random. Change the domain in the statistics_url setting to the one used on Prosody and change ui_host to the address of your conferencing Web user interface (installed in the next step).

Create a directory (let’s call it conferencing) somewhere on the server and place the file docker-compose.yml there. Edit it and change the postgresql password to the same value you placed into application.yml. Then run docker-compose up -d in this directory. This should download the needed docker images and start them up.

Install nginx (using Debian package manager) and place nginx_conferencing.conf (from conferencing-management directory in our ZIP file) into /etc/nginx/sites-enabled/. Edit it and change the domain name and paths to the TLS certificate and key. Then reload the nginx configuration.

With own SSO on a different machine

The procedure is identical to the previous case. The only difference is that you need to change the SSO URL in /etc/acrobits/conferencing_management/application.yml to point to your SSO server.

With own SSO on the same machine

We expect that you already have a contact server on this machine and that you have the docker-compose.yml that was used to start it.

Find snippets of the configuration files in the with_sso directory.

The procedure is almost identical to the previous cases, but instead of creating a new docker-compose.yml you edit the existing one that is used for your current SSO and Contacts server installation.

Place the file application.yml into /etc/acrobits/conferencing_management/application.yml. Change the password for the postgres database in the file to something random. You may note that this file does not contain the SSO address. The default one (http://sso:8080/) is used in this case.

If you used the advanced installation with Admin server, set adminServerEnabled to true and uncomment the section below it. Change the password there to something random.

The file docker-compose.snip contains a section that is commented out and should be the same as what you already have in the docker-compose.yml file for your SSO/Contacts server. It then contains two additional service definitions. Edit the existing docker-compose.yml that you used for your current SSO and Contact server installation and add these two sections to it. Set the postgres database password to the same value you placed into application.yml above.

Run docker-compose up -d to create these two services.

Make sure that your conferencing-management.example.com domain is pointed to this machine. Place nginx_conferencing.conf (from conferencing-management directory in our ZIP file) into /etc/nginx/sites-enabled/. Edit it and change the domain name and paths to the TLS certificate and key. Then reload the nginx configuration.

You may be able to use docker-compose.snip to install conferencing_management and sso without Contacts server. This may work but we do not officially support it for now.

Web GUI

Install nginx from Debian packages.

Download the package with Web GUI. Unpack it into /var/www/conferencing/conferencing (you should have a file /var/www/conferencing/conferencing/index.html there).

The address of the package with the Web GUI is https://dist.acrobits.net/conference-files/conferencing-web.tar.gz

Place ui.conf file (from the first zipfile) into /etc/nginx/sites-enabled and edit it to set the TLS certificate and the server name. Reload nginx.

Videobridge

We recommend installing this part on a separate machine. You can install it on multiple machines.

Enable our Debian repository. Then install package jitsi-videobridge2.

Replace the file /etc/jitsi/videobridge/sip-communicator.properties with the one from your backend server and change the item org.jitsi.videobridge.xmpp.user.shard.MUC_NICKNAME to a different random string (every videobridge needs to have a different MUC_NICKNAME). Restart the service jitsi-videobridge2.

Note

You can use the uuid command to generate a random nickname for your videobridge.
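The nickname change scripted for use on each videobridge, as an added example that is not part of the Acrobits package: it rewrites the property in the copied file (or appends it if absent) while keeping the file's owner and mode. The function names and the demo file are constructed; the fallback to /proc/sys/kernel/random/uuid assumes Linux.

```shell
# Added example: give this videobridge its own MUC_NICKNAME.
KEY='org.jitsi.videobridge.xmpp.user.shard.MUC_NICKNAME'

new_nickname() {
    # Prefer the uuid command the guide mentions; fall back to the kernel's generator.
    if command -v uuid >/dev/null 2>&1; then uuid
    else cat /proc/sys/kernel/random/uuid; fi
}

set_muc_nickname() {  # $1 = properties file, $2 = nickname (optional, no "/" or "&")
    file=$1 nick=${2:-$(new_nickname)}
    key_re=$(printf '%s' "$KEY" | sed 's/\./\\./g')   # dots in the key are literal
    if grep -q "^$key_re=" "$file"; then
        tmp=$(mktemp) || return 1
        # Write back with cat so the original file keeps its owner and mode.
        sed "s/^$key_re=.*/$KEY=$nick/" "$file" > "$tmp" && cat "$tmp" > "$file"
        rm -f "$tmp"
    else
        printf '%s=%s\n' "$KEY" "$nick" >> "$file"
    fi
    # Print the value now in the file so the caller can record it.
    grep "^$key_re=" "$file" | cut -d= -f2
}

# Constructed demo: a properties file as copied from the backend server.
props=$(mktemp)
printf '%s\n' 'org.jitsi.videobridge.xmpp.user.shard.HOSTNAME=conf.example.com' \
              "$KEY=backend-nick" > "$props"
echo "new nickname: $(set_muc_nickname "$props")"
rm -f "$props"
```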