Oracle Cloud VPS: Self-hosted Jitsi Meet video conferencing solution

Jitsi Meet is a fully encrypted, 100% open source video conferencing solution that you can use all day, every day, for free — with no account needed.

Let's self-host Jitsi Meet on an Oracle Cloud VPS free tier instance running Ubuntu minimal 20.04.

1. Set up an Ubuntu minimal instance and install extra packages.

sudo apt-get install cron nano rsyslog logrotate lsof

2. Register and configure the VPS with a valid FQDN.

sudo hostnamectl set-hostname jitsi.your_domain

3. Update the /etc/hosts entry to map the FQDN to localhost.

sudo nano /etc/hosts
127.0.0.1 jitsi.your_domain

4. Configure iptables and Oracle Cloud's VCN firewall rules.

-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
 
Below are the network ports used by Jitsi Meet. The rules above open only 80 and 443; open each of the others if you need the corresponding service.
  • 80 TCP - for SSL certificate verification / renewal with Let's Encrypt
  • 443 TCP - for general access to Jitsi Meet
  • 10000 UDP - for general network video/audio communications
  • 22 TCP - if you access your server using SSH (change the port accordingly if it's not 22)
  • 3478 UDP - for querying the STUN server (coturn, optional, needs a config.js change to enable it)
  • 5349 TCP - for fallback network video/audio communications over TCP (when UDP is blocked, for example), served by coturn

5. Download and install Jitsi's official GPG key. Remove the downloaded file afterward, as it is no longer needed.

wget https://download.jitsi.org/jitsi-key.gpg.key
sudo apt-key add jitsi-key.gpg.key
rm jitsi-key.gpg.key

6. Set up the apt source list for Jitsi.

echo "deb https://download.jitsi.org stable/" | sudo tee /etc/apt/sources.list.d/jitsi-stable.list

7. Update apt and install jitsi-meet package.

sudo apt-get update
sudo apt-get install jitsi-meet

8. Key in the FQDN and configure a self-signed SSL certificate during the Jitsi Meet configuration.

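9. Set up jitsi-meet authentication. Switch the main virtual host from anonymous to password authentication, then add a guest virtual host that stays anonymous.

sudo nano /etc/prosody/conf.avail/jitsi.your_domain.cfg.lua

-- inside the existing VirtualHost "jitsi.your_domain" block:
-- authentication = "anonymous"
authentication = "internal_plain" -- note: internal_plain stores passwords in plain text on the server

-- new virtual host for guests, who join without logging in
VirtualHost "guest.jitsi.your_domain"
    authentication = "anonymous"
    c2s_require_encryption = false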

10. Enable guest access.

sudo nano /etc/jitsi/meet/jitsi.your_domain-config.js
anonymousdomain: 'guest.jitsi.your_domain',

11. Configure jicofo service.

sudo nano /etc/jitsi/jicofo/jicofo.conf

jicofo {
  ....
  authentication: {
    enabled: true
    type: XMPP
    login-url: jitsi.your_domain
  }
}

12. Add an admin/moderator user to jitsi-meet. The arguments are the username, the domain and the password.

sudo prosodyctl register user jitsi.your_domain password

13. Restart the Jitsi services.

sudo systemctl restart prosody.service
sudo systemctl restart jicofo.service
sudo systemctl restart jitsi-videobridge2.service

14. If you prefer Let's Encrypt, Jitsi Meet supplies a script to automatically download a TLS certificate for your domain.

sudo /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh

15. Install fail2ban to protect jitsi-meet logins, along with mercurial, which the next step uses to fetch a Prosody module.

sudo apt-get install fail2ban mercurial

16. Download mod_log_auth from the Prosody IM community modules repository and copy the plugin to the Prosody module path.

hg clone https://hg.prosody.im/prosody-modules/ prosody-modules
sudo cp prosody-modules/mod_log_auth/mod_log_auth.lua /usr/lib/prosody/modules/

17. Edit jitsi-meet configuration to enable the log_auth plugin.

sudo nano /etc/prosody/conf.d/jitsi.your_domain.cfg.lua

-- we need bosh
modules_enabled = {
    "bosh";
    "pubsub";
    "ping"; -- Enable mod_ping
    "speakerstats";
    "turncredentials";
    "conference_duration";
    "log_auth";
}

18. Set up the fail2ban Prosody filter.

sudo nano /etc/fail2ban/filter.d/prosody-auth.conf

# /etc/fail2ban/filter.d/prosody-auth.conf
# Fail2Ban configuration file for prosody authentication
[Definition]
failregex = Failed authentication attempt \(not-authorized\) for user .* from IP: <HOST>
ignoreregex =

19. Enable the Prosody jail.

sudo nano /etc/fail2ban/jail.d/prosody-auth-jail.conf

[prosody]
enabled = true
action  = iptables-multiport[name="prosody", port="443,5222,5269"]
port    = 443,5222,5269
filter  = prosody-auth
logpath = /var/log/prosody/prosody*.log
maxretry = 5

20. Restart the services and monitor fail2ban in action.

sudo systemctl restart prosody
sudo systemctl restart fail2ban

21. Run the command below to watch the Prosody log that fail2ban reads for failed authentication attempts.

tail -f /var/log/prosody/prosody.log
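
To check the filter from step 18 against the maxretry value from step 19 before relying on the jail, the following added example (not part of the original post) applies the same failregex to constructed Prosody log lines and lists the addresses that would reach the threshold. The HOST pattern is a simplified stand-in for fail2ban's <HOST> tag, and the sample log lines, function names and addresses are assumptions made for illustration.

```python
import re
from collections import Counter

# failregex copied from the prosody-auth filter; maxretry from the [prosody] jail.
FAILREGEX = r"Failed authentication attempt \(not-authorized\) for user .* from IP: <HOST>"
MAXRETRY = 5

# Assumption: simplified stand-in for fail2ban's <HOST> tag (IPv4/IPv6 literals only;
# the real tag also accepts hostnames).
HOST = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[0-9A-Fa-f:]{3,39})"

# Constructed sample lines in Prosody's "date source level message" layout.
FAIL = "Failed authentication attempt (%s) for user %s from IP: %s"
SAMPLE_LOG = (
    ["Mar 01 10:00:0%d bosh1a2b\tinfo\t" % i + FAIL % ("not-authorized", "admin", "203.0.113.7")
     for i in range(5)]
    + ["Mar 01 10:01:0%d bosh3c4d\tinfo\t" % i + FAIL % ("not-authorized", "user", "198.51.100.23")
       for i in range(2)]
    + ["Mar 01 10:02:00 bosh5e6f\tinfo\t" + FAIL % ("not-authorized", "user", "2001:db8::5"),
       # Other SASL failure conditions are not covered by the filter as written.
       "Mar 01 10:03:00 bosh7a8b\tinfo\t" + FAIL % ("temporary-auth-failure", "user", "192.0.2.44"),
       "Mar 01 10:04:00 bosh9c0d\tinfo\tAuthenticated as user@jitsi.your_domain"]
)


def failures_by_host(lines, failregex=FAILREGEX):
    """Count lines matching the filter, keyed by the address captured as <HOST>."""
    rx = re.compile(failregex.replace("<HOST>", HOST))
    hits = Counter()
    for line in lines:
        m = rx.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits


def hosts_to_ban(lines, maxretry=MAXRETRY):
    """Addresses whose failure count reaches maxretry (findtime window ignored here)."""
    return sorted(h for h, n in failures_by_host(lines).items() if n >= maxretry)


if __name__ == "__main__":
    for host, count in failures_by_host(SAMPLE_LOG).most_common():
        print(f"{host}\t{count}\t{'ban' if count >= MAXRETRY else 'ok'}")
```

On the server itself, running fail2ban-regex /var/log/prosody/prosody.log /etc/fail2ban/filter.d/prosody-auth.conf tests the installed filter against the real log.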


 
