Linode Jitsi

admin

I'm considering using Jitsi for an event, and I'm looking into self-hosting. Probably Linode, unless there's a significantly better alternative. How do I estimate the hosting plan I need to get? I'll probably have 100-300 concurrent visitors in total, divided into rooms with 5-20 people each. For 12-24 hours total.

Hi all,

Over the last few weeks there's been a huge increase in interest from folks wanting the security and autonomy of running their own remote collaboration services, rather than being at the mercy of traditional proprietary centralised apps. Meanwhile, the Matrix.org homeserver has been very overloaded (although we're at last making excellent progress in radically improving Synapse's performance) - so it's particularly important right now to help folks run their own servers.

Therefore we're very happy to announce that it's easier than ever before now to self-host your own video conferencing alongside Riot & Synapse: as of Riot/Web 1.5.15 (released last week), it's now a single config option to point Riot at a specific Jitsi rather than needing to hook up to an integration manager!

Meanwhile, over the last 18 months, it's got easier and easier to run your own Matrix deployments: the Debian packages are unrecognisably better now, and with .well-known URL support it's trivial to set up federation without needing to worry about complicated DNS, TLS or load balancer configurations.

So, to try to show off just how smooth this has become, we thought we'd do a run-through video showing installing Synapse, Riot & Jitsi on a completely fresh Debian install. It's (almost) filmed in a single shot, and takes about 20 minutes from beginning to end.

Please note that this does assume you're pretty familiar with Linux system administration. If you're not, then we'd recommend using a Matrix hosting provider such as Modular.im (which directly supports development of the core team), Ungleich.ch, or StartupStack.

Finally, while the video shows how to install on Debian via Debian packages, there are many many other environments and architectures (e.g. installing under Docker) - this is just one relatively easy way to skin the cat. Perhaps there will be other 'speed-run' videos in future :)

If you want to follow along at home without listening to the video (and I can't blame you if you do ;) the high level steps are as follows:

Debian & DNS

  • Take one fresh Debian 10 install.
  • Point the DNS for your domain to it. You should use separate subdomains for the various services as a hygiene measure to make cross-site scripting attacks less effective. In this example, we set up DNS for:
    • dangerousdemos.net (general website, and for hosting a .well-known path to advertise the Matrix service)
    • matrix.dangerousdemos.net (Synapse)
    • riot.dangerousdemos.net (Riot/Web)
    • jitsi.dangerousdemos.net (Jitsi video conferencing)
    • In practice, we used a *.dangerousdemos.net wildcard DNS record for the three subdomains in this instance.

Nginx and LetsEncrypt

  • Install nginx as a webserver: apt-get update && apt -y install nginx
  • Go to /etc/nginx/sites-enabled and copy the vhost configuration block from the bottom of default to new files called dangerousdemos.net, matrix.dangerousdemos.net, and riot.dangerousdemos.net. We don't set up jitsi.dangerousdemos.net at this point as the jitsi installer handles it for us.
    • Rename the server_name field in the new files to match the hostname of each host, and point root to an appropriate location per domain (e.g. /var/www/dangerousdemos.net for the main domain, or /var/www/riot.dangerousdemos.net/riot for riot)
    • For the Synapse domain (matrix.dangerousdemos.net here), you should replace the contents of the location block with proxy_pass http://localhost:8008; - telling nginx to pass the traffic through to synapse, which listens by default for plaintext HTTP traffic on port 8008. (N.B. do not put a trailing slash on the URL here, otherwise nginx will mangle the forwarded URLs.)
  • Enable TLS via LetsEncrypt on nginx, by: apt install -y python3-certbot-nginx && certbot --nginx -d dangerousdemos.net -d riot.dangerousdemos.net -d matrix.dangerousdemos.net (or whatever your domains are).
  • You should be able to go to https://dangerousdemos.net at this point and see a page with valid HTTPS.

Synapse

  • Then, install Synapse via Debian packages using the instructions at https://github.com/matrix-org/synapse/blob/master/INSTALL.md#debianubuntu (see below). If you're not on Debian, keep an eye out for all the other OSes we support too!
    • You should specify the server name to be the domain you want in your matrix IDs - i.e. dangerousdemos.net in this example.
    • Please report anonymous aggregate stats to us so we can gauge uptake and help justify funding for Matrix!
  • You should now be able to go to https://matrix.dangerousdemos.net and see a valid 'It works! Synapse is running' page.

  • Then, you should enable registration on your synapse by switching enable_registration: true in /etc/matrix-synapse/homeserver.yaml and restarting synapse via systemctl restart matrix-synapse.

  • Now you need to tell the rest of Matrix how to find your server. The easiest way to do this is to publish a file at https://dangerousdemos.net/.well-known/matrix/server which tells everyone the hostname and port where they can find the synapse for dangerousdemos.net - in this instance, it's matrix.dangerousdemos.net:443:

  • Alternatively, you could advertise the server via DNS, if you don't have write access to /.well-known on your main domain. However, to prove you are allowed to host the Matrix traffic for dangerousdemos.net, you would have to configure nginx to use the dangerousdemos.net TLS certificate for the matrix.dangerousdemos.net vhost (i.e. the 'wrong' one), and in general we think that /.well-known is much easier to reason about. In this case you would advertise the server with an SRV record like this:
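As an added illustration (not code from the post) of how the rest of Matrix locates a server under the two delegation methods just described, here is a small Python resolver with the network lookups stubbed out by constructed sample responses. The .well-known-then-SRV order and the rule about which hostname the TLS certificate must cover follow the post's description; the function names and sample data are assumptions, and the SRV lookup for a port-less .well-known hostname is deliberately left out for brevity.

```python
import json
from typing import Callable, Optional, Tuple

# Constructed helper (not from the original post). Resolves where federation
# traffic for a Matrix server name should go: .well-known first, SRV second,
# otherwise the server name itself on the default port. It also reports which
# hostname the TLS certificate must be valid for, since that differs between
# the two delegation methods (the security point the post makes about SRV).

DEFAULT_PORT = 8448  # federation port used when nothing is delegated

def parse_well_known(body: str) -> Optional[Tuple[str, int]]:
    """Parse a {"m.server": "host[:port]"} document; None if unusable."""
    try:
        value = json.loads(body)["m.server"]
    except (ValueError, KeyError, TypeError):
        return None
    if not isinstance(value, str) or not value:
        return None
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return value, DEFAULT_PORT

def resolve_server(server_name: str,
                   fetch_well_known: Callable[[str], Optional[str]],
                   lookup_srv: Callable[[str], Optional[Tuple[str, int]]]):
    """Return (host, port, cert_name) for federation traffic to server_name."""
    body = fetch_well_known(server_name)
    if body is not None:
        delegated = parse_well_known(body)
        if delegated:
            host, port = delegated
            # .well-known delegation: the certificate is for the delegated host.
            return host, port, host
    srv = lookup_srv(server_name)
    if srv:
        host, port = srv
        # SRV delegation: the certificate must still be valid for the server name.
        return host, port, server_name
    return server_name, DEFAULT_PORT, server_name

# Constructed sample responses for the hostnames used in the post.
SAMPLE_WELL_KNOWN = {"dangerousdemos.net": '{"m.server": "matrix.dangerousdemos.net:443"}'}
SAMPLE_SRV = {"dangerousdemos.net": ("matrix.dangerousdemos.net", 443)}

def demo(server_name: str = "dangerousdemos.net", use_well_known: bool = True):
    """Resolve the post's example domain with or without a .well-known file."""
    fetch = (lambda n: SAMPLE_WELL_KNOWN.get(n)) if use_well_known else (lambda n: None)
    return resolve_server(server_name, fetch, SAMPLE_SRV.get)
```

With the .well-known file, the certificate name is matrix.dangerousdemos.net; with SRV alone it is dangerousdemos.net, which is the "wrong" certificate the post warns about.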

Riot/Web

  • Then, install Riot/Web. Grab the latest .tgz release from https://github.com/vector-im/riot-web/releases. You should check its GnuPG signature too:
  • You then tweak the config.json to change the base_url of the homeserver to be https://matrix.dangerousdemos.net (i.e. where to find the Client Server API for your server), and change the server_name to be dangerousdemos.net (i.e. the name of your server).
  • You should then be able to go to https://riot.dangerousdemos.net, register for an account, sign in, and talk to the rest of Matrix!

Jitsi

  • Finally, we install Jitsi so you can run your own video conferencing. We take the instructions from Jitsi's quick install guide:
  • We give the installer the hostname jitsi.dangerousdemos.net. Make sure this DNS is already set up, otherwise the installer will fail!

  • The installer magically detects you have nginx installed and adds in an appropriate vhost!

  • We select a self-signed certificate for now, and then upgrade it to LetsEncrypt after the fact with /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh.

    • Alternatively, you could have specified manual certificates, and then used certbot alongside the rest of nginx to create a certificate for jitsi.dangerousdemos.net - both work.
  • You should now be able to go to https://jitsi.dangerousdemos.net and use the Jitsi directly.

  • Finally, and this is the cool new bit: you can now point Riot to use the new Jitsi by going to its config.json at /var/www/riot.dangerousdemos.net/riot/config.json and changing the preferredDomain of the jitsi block from https://jitsi.riot.im to your own self-hosted https://jitsi.dangerousdemos.net.

  • You then refresh your Riot/Web, and you should be all set to use Jitsi from within your new Riot - as Riot/Web 1.5.15 and later has the ability to natively embed Jitsi straight into the app without needing to use an integration manager.

Conclusion

Matrix nowadays provides an excellent alternative to the centralised solutions. It gives:

  • Full autonomy over how to host and store your own conversations
  • Full freedom to talk to anyone else on the wider global Matrix network (or indeed anyone else bridged into Matrix)
  • Full privacy via full end-to-end-encryption for chats, file transfer and 1:1 voice/video calls (when enabled)
  • Full transparency by being 100% open source (as well as benefiting from the overall open source community)

Hopefully this gives some confidence that it's pretty easy to run your own fully functional Matrix instance these days. If not, then hopefully someone will do a similar one to show off Docker! And if that's still too scary, please take a look at a hosting service like Modular.im.

(Comments over at HN and here too)

Does Jitsi support end-to-end encryption?

The short answer is: Yes, we do!

You can turn on end-to-end encryption (e2ee) as long as you are using Jitsi Meet on a browser with support for insertable streams. Currently this means any browser based on Chromium 83 and above, including Microsoft Edge, Google Chrome, Brave and Opera. You may also use our Electron client, which supports it out of the box.

All you need to do is select the “End-to-end Encryption” option in the overflow menu and then make sure that all participants fill in the same password or phrase in the Key field.

You can learn more about our e2ee support at: https://jitsi.org/e2ee

Jitsi Meet offers very strong protection even if you don’t explicitly turn on e2ee. Here are more details:

Jitsi meetings in general operate in 2 ways: peer-to-peer (P2P) or via the Jitsi Videobridge (JVB). This is transparent to the user. P2P mode is only used for 1-to-1 meetings. In this case, audio and video are encrypted using DTLS-SRTP all the way from the sender to the receiver, even if they traverse network components like TURN servers.

In the case of multiparty meetings all audio and video traffic is still encrypted on the network (again, using DTLS-SRTP). This outer layer of DTLS-SRTP encryption is removed while packets are traversing Jitsi Videobridge; however they are never stored to any persistent storage and only live in memory while being routed to other participants in the meeting.

It is very important to note that when packets are also end-to-end encrypted, this second layer of encryption is never removed (nor can it be).

Since Jitsi is built on top of WebRTC, a deeper look into its security architecture is very important when evaluating Jitsi’s security aspects.