Self-hosted Jitsi Meet
Overview
I set up a self-hosted Jitsi Meet instance, which is of course the video conferencing software. These are the steps I took and additional research options for future use. No custom SELinux rules were necessary, which is a departure from the norm. I guess docker handles the SELinux parts?
Devices
I used these systems.
System | OS | IP address | Role |
---|---|---|---|
server1 | CentOS 7 | 10.43.20.155 | apache httpd server |
server4 | CentOS 7 | 10.44.153.156 | docker host |
net1 | ddwrt | 10.43.20.1 | ingress for port forwarding |
Setting up Jitsi Meet
Installing Meet server
I already had docker and docker-compose installed on server4. Those steps are outside the scope of this document.
Follow the directions from reference 1 which are included here briefly.
Fetch latest release: https://github.com/jitsi/docker-jitsi-meet/releases/latest and do not clone the git repo. I extracted to the home directory of my service account, so use the directory name from the tarball.
Configure a .env file from the env.example file. Mine is included as file env.internal. Note that DOCKER_HOST_ADDRESS should point to the public IP address, that is, the IPv4 address for www.example.com. This attribute is important because groups of 3 or more participants use the server as a central point, rather than the peer-to-peer connection used by just 2 participants.
Make directories:
mkdir -p ~/.jitsi-meet-cfg/{web,transcripts,prosody/config,prosody/prosody-plugins-custom,jicofo,jvb,jigasi,jibri}
Start the application.
docker-compose up -d
Open the host firewall on server4.
```bash
# Define a firewalld service for the Jitsi Meet ports on the docker host.
tf=/usr/lib/firewalld/services/jitsi-meet.xml
sudo touch "${tf}" ; sudo chmod 0644 "${tf}"
cat <<EOF | sudo tee "${tf}" 1>/dev/null
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>jitsi-meet</short>
  <description>Jitsi Meet is a web conferencing solution. These rules expect a different host to handle encryption.</description>
  <port protocol="tcp" port="8000"/>
  <port protocol="udp" port="10000"/>
</service>
EOF
# Reload so firewalld sees the new service file, then enable it permanently.
sudo firewall-cmd --reload
sudo firewall-cmd --permanent --add-service=jitsi-meet
sudo firewall-cmd --reload
```
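The .env step above requires DOCKER_HOST_ADDRESS to be the public IPv4 address; participants outside the LAN cannot reach a private address such as the docker host's own. The following check is an added example, not part of the original write-up or of docker-jitsi-meet, and can be run against the .env file before `docker-compose up -d`. The function names and the sample files are assumptions constructed here.

```bash
# Added example (not from docker-jitsi-meet): sanity-check DOCKER_HOST_ADDRESS.

# Print the last uncommented value assigned to key $1 in .env file $2,
# with any trailing comment and surrounding quotes removed.
env_value() {
    sed -n "s/^[[:space:]]*${1}[[:space:]]*=[[:space:]]*//p" "$2" | tail -n 1 |
        sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' \
            -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Classify $1 as "public", "non-public" (RFC 1918, loopback, link-local,
# CGNAT, 0/8) or "invalid" (not a dotted-quad IPv4 address, e.g. a hostname).
classify_ipv4() {
    case $1 in *[!0-9.]*|*..*|.*|*.|'') echo invalid; return 0 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || { echo invalid; return 0; }
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || { echo invalid; return 0; }
    done
    if [ "$1" -eq 0 ] || [ "$1" -eq 10 ] || [ "$1" -eq 127 ]; then echo non-public
    elif [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then echo non-public
    elif [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; then echo non-public
    elif [ "$1" -eq 169 ] && [ "$2" -eq 254 ]; then echo non-public
    elif [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]; then echo non-public
    else echo public; fi
}

# Print a verdict for .env file $1; succeed only for a public IPv4 address.
check_env() {
    addr=$(env_value DOCKER_HOST_ADDRESS "$1")
    [ -n "$addr" ] || { echo "unset: DOCKER_HOST_ADDRESS missing in $1"; return 1; }
    kind=$(classify_ipv4 "$addr")
    echo "$kind: DOCKER_HOST_ADDRESS=$addr in $1"
    [ "$kind" = public ]
}

# Constructed sample files: the LAN address of server4 from this page, and
# 203.0.113.10, a documentation address standing in for the real public IP.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' '#DOCKER_HOST_ADDRESS=192.168.1.1' 'DOCKER_HOST_ADDRESS=10.44.153.156' > "$dir/lan.env"
    printf '%s\n' 'DOCKER_HOST_ADDRESS=203.0.113.10' > "$dir/public.env"
    for f in "$dir/lan.env" "$dir/public.env"; do
        check_env "$f" || echo "  fix this before running docker-compose up -d"
    done
    rm -rf "$dir"
}

demo  # run the check over the constructed samples
```

To check a real file, call `check_env` with its path, for example the .env listed under "Files involved".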
Configuring Apache httpd for reverse proxy
Host server1 is the main web server for the Internal network. Modify the main configuration file, /etc/httpd/conf.d/local_mirror.conf, with a new virtual host and listen directive.
This snippet depends on ssl-pre being included at the top, and also the relevant included files.
```apache
# 5443 is jitsi
Listen *:5443
<VirtualHost *:5443>
    Include conf.d/ssl-common.cnf
    Include conf.d/ssl-5443.cnf
    ProxyPreserveHost On
    <IfModule mod_proxy.c>
        <IfModule mod_proxy_wstunnel.c>
            ProxyTimeout 900
            <Location "/xmpp-websocket">
                ProxyPass "ws://server4:8000/xmpp-websocket"
            </Location>
            <Location "/colibri-ws/">
                ProxyPass "ws://server4:8000/colibri-ws/"
            </Location>
        </IfModule>
    </IfModule>
    ProxyPass / http://server4:8000/
    ProxyPassReverse / http://server4:8000/
</VirtualHost>
```
Modify SELinux rules to allow httpd to listen on port 5443.
sudo semanage port -a -t http_port_t -p tcp 5443
Reload httpd after testing it.
```bash
sudo httpd -t
sudo systemctl reload httpd
```
Open the host firewall on server1. I updated my custom firewall service xml rule and reloaded firewalld.
Configure router
Device net1 is the current edge router for the Internal network. Modify the port forwarding rules to include the following:
Application | Protocol | Port from | IP address | Port to |
---|---|---|---|---|
jitsi1 | Both | 5443 | 10.43.20.155 | 5443 |
jitsi2 | Both | 10000 | 10.44.153.156 | 10000 |
Files involved
server4:/home/jitsi/stable-7287.tar.gz
server4:/home/jitsi/docker-jitsi-meet-stable-7287/.env
server4:/usr/lib/firewalld/services/jitsi-meet.xml
server1:/usr/lib/firewalld/services/http-internal.xml
server1:/etc/httpd/conf.d/local_mirror.conf
References
Weblinks
Other
Original research