Once I took care of my Matrix-Synapse server I also wanted to upgrade the OS of my Jitsi Meet server - which of course would force me to re-install everything. Getting a basic Jitsi setup running is quite easy. However, each time I install it I’m struggling with the right sequence of steps and I’m trying to remember what I’m usually customizing. So I’m putting it down here now.
Once the operating system is installed and you have done some basic hardening (sshd settings, users, fail2ban, firewall, etc.), we can start by adding two new software repositories: one for Prosody and, of course, one for Jitsi itself:
UPDATE: as of April 2022 Jitsi does not seem to be compatible with Prosody 0.12, so replace
Let’s install some packages which will be required (snapd and fuse are optional, but required if you’d like to install certbot for generating SSL certificates):
Get SSL certificates
Open firewall ports 80 and 443 for nginx. If you’re using ufw:
…and get the certificates (certonly: this will not modify your nginx config):
Additional firewall ports
We need to open some additional firewall ports for Coturn:
Check some limits:
Each command should return at least 65000. If not, edit /etc/systemd/system.conf and reload systemd:
Finally install Jitsi:
You will have to enter your domain name at some point. Choose “I want to use my own certificate” when asked for SSL certificates. You will then have to enter the path to your key and certificate file manually. (Let’s Encrypt usually stores them here: /etc/letsencrypt/live/<YOUR_DOMAIN>/). Jitsi packages will then take care of configuring nginx, coturn and prosody.
Though everything should work by now, it’s probably not a bad idea to do a little tweaking…
As it’s quite unlikely you need the “default” site, you can just remove it:
I tend to set server_tokens off; in /etc/nginx/nginx.conf and also remove TLSv1 TLSv1.1 from
By default coturn will run with root privileges which I consider a bad idea. To change that, add
/etc/turnserver.conf, then change ownership and mode:
Of course, coturn now no longer has access to the SSL certificates. You could either work with ACLs or just copy the certificate and key to another location and make them readable for the group “turnserver”. Of course, you have to remember to copy the certificates again as soon as you renew them. I would not alter the permissions of the original Let’s Encrypt files, though. Do not forget to set the new path in /etc/turnserver.conf as well (
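The copy step described above is easy to forget at renewal time, so it can be handed to certbot itself. The following is an added example, not part of the original post: a certbot deploy hook that re-copies the certificate and key for coturn after every renewal. The hook file name, the destination directory /etc/coturn-certs and the service name "coturn" are assumptions; adjust them to your setup.

```shell
#!/bin/sh
# Added example (not from the original post): certbot deploy hook that
# refreshes a private copy of the certificate for coturn after each renewal.
# Assumed names: hook path /etc/letsencrypt/renewal-hooks/deploy/coturn-certs.sh,
# destination /etc/coturn-certs, group "turnserver", service "coturn".

# sync_turn_certs SRC_DIR DEST_DIR GROUP
# Copies fullchain.pem and privkey.pem (following Let's Encrypt's symlinks)
# so that only root and GROUP can read them. Returns non-zero on any failure.
sync_turn_certs() {
    src=$1; dest=$2; group=$3

    # Refuse to touch the destination if the source is incomplete.
    if [ ! -r "$src/fullchain.pem" ] || [ ! -r "$src/privkey.pem" ]; then
        echo "missing fullchain.pem or privkey.pem in $src" >&2
        return 1
    fi

    mkdir -p "$dest" || return 1
    chgrp "$group" "$dest" && chmod 0750 "$dest" || return 1

    for f in fullchain.pem privkey.pem; do
        # mktemp creates the file with mode 0600, so the key is never
        # world-readable, and mv swaps it in atomically.
        tmp=$(mktemp "$dest/.$f.XXXXXX") || return 1
        cp -L "$src/$f" "$tmp" &&
            chgrp "$group" "$tmp" &&
            chmod 0640 "$tmp" &&
            mv -f "$tmp" "$dest/$f" || { rm -f "$tmp"; return 1; }
    done
}

# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/<YOUR_DOMAIN>)
# when it runs deploy hooks; do nothing when the script is run by hand.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    sync_turn_certs "$RENEWED_LINEAGE" /etc/coturn-certs turnserver &&
        systemctl restart coturn
fi
```

The hook file must be executable, and certbot only runs it after a successful renewal, so the original files under /etc/letsencrypt keep their permissions untouched.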
Customizing Jitsi is a little annoying, as some things are overwritten on each update. You can, for example, replace the “welcome” image, located at /usr/share/jitsi-meet/images/welcome-background.png, with something you like, but you will lose that as soon as Jitsi is updated. I think they will put more options into the configuration files in /etc/jitsi in the future. Alterations made there will not be overwritten then.
If you would like to restrict access to your Jitsi instance simply follow their secure domain guide. It used to be quite a mess but now it works fine.
As a last step you’ll have to either restart each service…
…or simply reboot your server (will be good to check whether everything’s coming up upon reboot anyway).
That’s it :-)