
Jitsi

Self-hosting

These are instructions for setting up your own private video-conferencing service.

(to do: check on the server for any communication with third parties using wireshark or tcpdump)

Tutorial

Requirements

For small conferences among friends

  • Ubuntu 22
  • 2 cores
  • 4 GB RAM
  • 40 GB disk

SSH

Requires a server reachable over SSH.

These instructions help harden the SSH server.

Firewall
apt install ufw
ufw status
INACTIVE
ufw allow 22
ufw enable
ufw allow 80/tcp
ufw allow 443/tcp
ufw allow 10000/udp
ufw allow 3478/udp
ufw allow 5349/tcp
ufw enable

Shut down every listening service except SSH; check what is still listening with:

ss --listening

DNS

Requires a server with a domain name, i.e. a DNS A record such as:

Name: cloud
TTL: 10800
Type: A
IP: x.x.x.x

HTTPS certificate (part 1/2)

Example with Let's Encrypt

  • Install nginx
  • Install certbot following the current instructions at certbot.eff.org
    • apt install snapd
    • snap install core; snap refresh core
    • snap install --classic certbot
    • ln -s /snap/bin/certbot /usr/bin/certbot

Install Jitsi

from jitsi.github.io/handbook/docs/devops-guide/

apt install man gnupg2 nginx-full curl openjdk-11-jdk apt-transport-https lua5.2
apt-add-repository universe
hostnamectl set-hostname <FQDN>

/etc/hosts

127.0.0.1 localhost
x.x.x.x meet.esempio.org
ping "$(hostname)"

Note: the binary package comes from an external (third-party) repository.

curl -sL https://download.jitsi.org/jitsi-key.gpg.key | gpg --dearmor | sudo tee /usr/share/keyrings/jitsi-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/jitsi-keyring.gpg] https://download.jitsi.org stable/" | sudo tee /etc/apt/sources.list.d/jitsi-stable.list
apt update

Note: during installation it asks for an e-mail address for a Let's Encrypt certificate (press ENTER).

apt install jitsi-meet
You can easily add dial-in support to your meetings. To allow this we would
need your permission to create a free JaaS (Jitsi as a Service) account for
you.
W: Operation was interrupted before it could finish

At this point, to finish the (incomplete) installation, installing anything at all with apt is enough:

apt install dialog
Certificate written to /var/lib/prosody/FQDN.crt
Choose key size (2048): Key written to /var/lib/prosody/auth.FQDN.key
Please provide details to include in the certificate config file.
Leave the field empty to use the default value or '.' to exclude the field.
countryName (GB): 
localityName (The Internet): 
organizationName (Your Organisation): 
organizationalUnitName (XMPP Department): 
commonName (auth.FQDN): 
emailAddress (xmpp@auth.FQDN): 
Config written to /var/lib/prosody/auth.FQDN.cnf
Certificate written to /var/lib/prosody/auth.FQDN.crt

Clearing symlinks in /etc/ssl/certs...
rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
138 added, 0 removed; done.

Replacing debian:vTrus_Root_CA.pem
Adding debian:auth.FQDN.pem

Setting up jitsi-meet (2.0.8719-1) ...
Setting up bind9-dnsutils (1:9.18.12-0ubuntu0.22.04.1) ...
Setting up dnsutils (1:9.18.12-0ubuntu0.22.04.1) ...
Processing triggers for libc-bin (2.35-0ubuntu3.1) ...

Firefox

Firefox uses HTTPS but flags that the certificate is not in order...

MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT
info > This website does not supply ownership information

Certbot and HTTPS certificate (part 2/2)

You get a real certificate (without modifying the nginx configuration):

certbot certonly --nginx

NOTE: an e-mail address is mandatory.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/FQDN/fullchain.pem  -> ../../archive/FQDN/fullchain1.pem

Key is saved at:         /etc/letsencrypt/live/FQDN/privkey.pem -> ../../archive/FQDN/privkey1.pem

This certificate expires on....
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Move the certificates

# ls -l /etc/jitsi/meet/
-rw-r--r-- 1 root root 2065 Jun 14 17:32 FQDN.crt
-rw------- 1 root root 3272 Jun 14 17:32 FQDN.key   <-- note the permissions and sizes
# ls -l /etc/letsencrypt/live/FQDN
-rw-r--r-- 1 root root  692 Jun 14 19:31 README
lrwxrwxrwx 1 root root  44 Jun 14 19:31 cert.pem -> ../../archive/FQDN/cert1.pem
lrwxrwxrwx 1 root root  45 Jun 14 19:31 chain.pem -> ../../archive/FQDN/chain1.pem
lrwxrwxrwx 1 root root  49 Jun 14 19:31 fullchain.pem -> ../../archive/FQDN/fullchain1.pem
lrwxrwxrwx 1 root root  47 Jun 14 19:31 privkey.pem -> ../../archive/FQDN/privkey1.pem
# cp /etc/letsencrypt/archive/FQDN/cert1.pem /etc/jitsi/meet/FQDN.crt
# cp /etc/letsencrypt/archive/FQDN/privkey1.pem /etc/jitsi/meet/FQDN.key

(The symlinks above resolve to /etc/letsencrypt/archive/FQDN, not /etc/letsencrypt/live/archive/. Copying over the existing FQDN.key keeps its 0600 mode; verify with ls -l afterwards.)
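The copies above are static: certbot renews in the background, but /etc/jitsi/meet keeps the old versioned files and nginx eventually serves an expired certificate. The deploy hook below, added here as an example (not from the original page or the Jitsi project), refreshes the copies on every renewal; it assumes certbot's standard RENEWED_LINEAGE variable, the /etc/jitsi/meet paths shown above, and uses fullchain.pem (leaf plus intermediate) rather than the leaf-only cert1.pem.

```shell
#!/bin/sh
# Certbot deploy hook: keep /etc/jitsi/meet in sync with the renewed certificate.
# Added example, not part of the original page or of the Jitsi project.
# Assumptions: certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/FQDN)
# when it runs scripts in /etc/letsencrypt/renewal-hooks/deploy/; the jitsi-meet
# nginx site reads /etc/jitsi/meet/FQDN.crt and /etc/jitsi/meet/FQDN.key.
set -eu

# install_jitsi_certs <lineage dir> <jitsi dir> <fqdn>
# Copies fullchain.pem -> <jitsi dir>/<fqdn>.crt (0644) and
# privkey.pem -> <jitsi dir>/<fqdn>.key (0600). Returns 1 if the sources are
# missing, so a broken renewal never overwrites a working key pair.
install_jitsi_certs() {
    lineage="$1"; dest="$2"; fqdn="$3"
    # Go through the live/ symlinks, never through a versioned archive/ file:
    # the symlinks always point at the newest certN.pem / privkeyN.pem.
    crt_src="$lineage/fullchain.pem"   # leaf + intermediate, what nginx should serve
    key_src="$lineage/privkey.pem"
    [ -r "$crt_src" ] && [ -r "$key_src" ] || return 1
    mkdir -p "$dest"
    # install(1) creates the destination with the requested mode instead of the
    # umask default, so a new key file is never briefly world-readable the way
    # a plain cp into a fresh path can leave it.
    install -m 0644 "$crt_src" "$dest/$fqdn.crt"
    install -m 0600 "$key_src" "$dest/$fqdn.key"
}

main() {
    # The lineage directory name is the FQDN certbot was asked for.
    fqdn="$(basename "$RENEWED_LINEAGE")"
    install_jitsi_certs "$RENEWED_LINEAGE" /etc/jitsi/meet "$fqdn"
    # Reload, not restart: nginx picks up the new files without dropping calls.
    systemctl reload nginx
}

# Certbot always sets RENEWED_LINEAGE for deploy hooks; when the file is merely
# sourced (or run by hand without it) only the function is defined.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

Save it as an executable file under /etc/letsencrypt/renewal-hooks/deploy/ and try it once with `certbot renew --dry-run`, then confirm the modes with `ls -l /etc/jitsi/meet/`.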

User authentication

As just installed, the Jitsi server is open to the whole world. Here is how to require a password.

/etc/prosody/conf.avail/[your-hostname].cfg.lua

VirtualHost "[your-hostname]"
    authentication = "internal_hashed" -- (instead of the default "jitsi-anonymous")

/etc/jitsi/jicofo/jicofo.conf

jicofo {
  authentication {
    enabled: true
    type: XMPP
    login-url: FQDN
    enable-auto-login: true
  }
}

User

# prosodyctl register <username> <FQDN>
educare/jitsi.txt · Last modified: 2023/06/15 13:55 by profpro