Jitsi
Self-hosting
These are instructions for setting up your own private videoconferencing service
(to do: check on the server for any communication with third parties using wireshark or tcpdump)
Tutorial
Requirements
For small conferences among friends
- Ubuntu 22
- 2 cores
- 4 GB RAM
- 40 GB disk
SSH
Requires a server reachable over SSH
These instructions help harden the SSH server
Firewall
apt install ufw
ufw status
(output: INACTIVE)
ufw allow 22
ufw enable
ufw allow 80/tcp
ufw allow 443/tcp
ufw allow 10000/udp
ufw allow 3478/udp
ufw allow 5349/tcp
(allow port 22 and enable the firewall first, so the SSH session is not cut off)
close every listening service except ssh; check with:
ss --listening
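The rules above, applied in one idempotent step and followed by an audit of the listening sockets, as an added example that is not part of the original tutorial. The port list is the tutorial's own; the `apply_firewall_rules` and `unexpected_listeners` names are mine, and the audit reads `ss -Hltnu` output (Netid, State, Recv-Q, Send-Q, Local:Port, Peer:Port) from standard input so it can also be run against a saved listing.

```shell
#!/bin/sh
# Added example (not from the tutorial): apply the tutorial's ufw rules, then
# report any socket reachable from outside that is not on the allowed list.
# Assumption: Ubuntu 22 with ufw installed; apply_firewall_rules needs root.

ALLOWED_PORTS="22/tcp 80/tcp 443/tcp 10000/udp 3478/udp 5349/tcp"

# apply_firewall_rules: deny inbound by default, allow only the listed ports.
# Port 22 is in the list, so enabling at the end does not drop the SSH session.
apply_firewall_rules() {
  ufw default deny incoming
  ufw default allow outgoing
  for rule in $ALLOWED_PORTS; do
    ufw allow "$rule"
  done
  ufw --force enable
}

# unexpected_listeners: reads `ss -Hltnu` lines on stdin and prints
# "proto port" for every socket bound to a non-loopback address whose
# port/proto is not in ALLOWED_PORTS. Loopback-only listeners (prosody's
# 5280 is a typical one) are skipped because ufw does not affect them.
unexpected_listeners() {
  while read -r proto _state _rq _sq laddr _peer _rest; do
    [ -n "$proto" ] || continue
    case "$laddr" in
      127.*|\[::1\]:*) continue ;;
    esac
    port="${laddr##*:}"
    case " $ALLOWED_PORTS " in
      *" $port/$proto "*) ;;
      *) echo "$proto $port" ;;
    esac
  done
}

# Usage (as root):  sh firewall.sh apply
# Audit afterwards: ss -Hltnu | (. ./firewall.sh; unexpected_listeners)
if [ "${1:-}" = "apply" ]; then
  apply_firewall_rules
fi
```

Anything the audit prints is a service bound to a public address that the firewall is expected to block; either it is a Jitsi component that should be bound to localhost, or it is a port that must be added to the list deliberately.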
DNS
Requires a server with a domain name, for example an A record:
Name: cloud
TTL: 10800
Type: A
IP: x.x.x.x
HTTPS certificate (part 1/2)
Example with Let's Encrypt
- Install nginx
- Install certbot following the current instructions at certbot.eff.org
- apt install snapd
- snap install core; snap refresh core
- snap install --classic certbot
- ln -s /snap/bin/certbot /usr/bin/certbot
Install Jitsi
from jitsi.github.io/handbook/docs/devops-guide/
apt install man gnupg2 nginx-full curl openjdk-11-jdk apt-transport-https lua5.2
apt-add-repository universe
hostnamectl set-hostname <FQDN>
/etc/hosts
127.0.0.1 localhost
x.x.x.x meet.esempio.org
ping "$(hostname)"
note: the binary package comes from an external repository, so the signing key is pinned with signed-by
curl -sL https://download.jitsi.org/jitsi-key.gpg.key | gpg --dearmor | sudo tee /usr/share/keyrings/jitsi-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/jitsi-keyring.gpg] https://download.jitsi.org stable/" | sudo tee /etc/apt/sources.list.d/jitsi-stable.list
apt update
Note: during installation it asks for an e-mail address for a Let's Encrypt certificate (press ENTER)
apt install jitsi-meet
You can easily add dial-in support to your meetings. To allow this we would need your permission to create a free JaaS (Jitsi as a Service) account for you.
W: Operation was interrupted before it could finish
At this point, to complete the (interrupted) installation it is enough to install any package with apt, which re-runs the pending configuration steps:
apt install dialog
Certificate written to /var/lib/prosody/FQDN.crt
Choose key size (2048):
Key written to /var/lib/prosody/auth.FQDN.key
Please provide details to include in the certificate config file.
Leave the field empty to use the default value or '.' to exclude the field.
countryName (GB):
localityName (The Internet):
organizationName (Your Organisation):
organizationalUnitName (XMPP Department):
commonName (auth.FQDN):
emailAddress (xmpp@auth.FQDN):
Config written to /var/lib/prosody/auth.FQDN.cnf
Certificate written to /var/lib/prosody/auth.FQDN.crt
Clearing symlinks in /etc/ssl/certs...
rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
138 added, 0 removed; done.
Replacing debian:vTrus_Root_CA.pem
Adding debian:auth.FQDN.pem
Setting up jitsi-meet (2.0.8719-1) ...
Setting up bind9-dnsutils (1:9.18.12-0ubuntu0.22.04.1) ...
Setting up dnsutils (1:9.18.12-0ubuntu0.22.04.1) ...
Processing triggers for libc-bin (2.35-0ubuntu3.1) ...
Firefox
Firefox connects over HTTPS, but warns that the certificate is not valid (it is the self-signed one generated during installation):
MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT info > This website does not supply ownership information
Certbot and HTTPS certificate (part 2/2)
A real certificate is obtained (without modifying the nginx configuration):
certbot certonly --nginx
NOTE: an e-mail address is mandatory here.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/FQDN/fullchain.pem -> ../../archive/FQDN/fullchain1.pem
Key is saved at: /etc/letsencrypt/live/FQDN/privkey.pem -> ../../archive/FQDN/privkey1.pem
This certificate expires on....
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
Move the certificates
# ls -l /etc/jitsi/meet/
-rw-r--r-- 1 root root 2065 Jun 14 17:32 FQDN.crt
-rw------- 1 root root 3272 Jun 14 17:32 FQDN.key    <-- note the permissions and sizes
# ls -l /etc/letsencrypt/live/FQDN
-rw-r--r-- 1 root root 692 Jun 14 19:31 README
lrwxrwxrwx 1 root root 44 Jun 14 19:31 cert.pem -> ../../archive/FQDN/cert1.pem
lrwxrwxrwx 1 root root 45 Jun 14 19:31 chain.pem -> ../../archive/FQDN/chain1.pem
lrwxrwxrwx 1 root root 49 Jun 14 19:31 fullchain.pem -> ../../archive/FQDN/fullchain1.pem
lrwxrwxrwx 1 root root 47 Jun 14 19:31 privkey.pem -> ../../archive/FQDN/privkey1.pem
# cp /etc/letsencrypt/live/FQDN/cert.pem /etc/jitsi/meet/FQDN.crt
# cp /etc/letsencrypt/live/FQDN/privkey.pem /etc/jitsi/meet/FQDN.key
(the entries under live/ are symlinks to the current files in /etc/letsencrypt/archive/FQDN/, so cp copies the current certificate; a path live/archive/... does not exist. Copying over the existing files keeps FQDN.key at mode 0600. Certbot renews the certificate automatically, but the copy into /etc/jitsi/meet/ has to be repeated after each renewal.)
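Before overwriting Jitsi's self-signed pair it is worth confirming that the Let's Encrypt key really belongs to the certificate and that the certificate was issued for the FQDN; otherwise nginx fails to start on reload and the service goes down. The following is an added example, not part of the tutorial: the function names are mine, the paths are the tutorial's, FQDN is a placeholder, and it installs fullchain.pem (the file certbot names in its output) rather than cert.pem so that clients also receive the intermediate certificate.

```shell
#!/bin/sh
# Added example (not from the tutorial): verify the Let's Encrypt files, then
# install them into /etc/jitsi/meet/ with the ownership and modes the original
# files had (FQDN.crt 0644, FQDN.key 0600). Requires openssl and root.

# cert_matches_key CERT KEY: 0 when the public key inside CERT equals the
# public key derived from KEY (RSA or ECDSA). Both are printed as SPKI PEM,
# so a plain string comparison suffices; an unreadable file yields "" and fails.
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_covers_name CERT NAME: 0 when NAME is the subject CN or a DNS SAN entry.
cert_covers_name() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 -ext subjectAltName 2>/dev/null \
    | grep -qE "(CN=|DNS:)$2"'(,|$)'
}

# install_jitsi_cert FQDN: checks, then installs and reloads nginx.
# Can be re-run after every certbot renewal (e.g. from a renewal hook).
install_jitsi_cert() {
  fqdn=$1
  live=/etc/letsencrypt/live/$fqdn
  cert_matches_key "$live/fullchain.pem" "$live/privkey.pem" \
    || { echo "privkey.pem does not match fullchain.pem" >&2; return 1; }
  cert_covers_name "$live/fullchain.pem" "$fqdn" \
    || { echo "certificate was not issued for $fqdn" >&2; return 1; }
  install -o root -g root -m 0644 "$live/fullchain.pem" "/etc/jitsi/meet/$fqdn.crt"
  install -o root -g root -m 0600 "$live/privkey.pem" "/etc/jitsi/meet/$fqdn.key"
  systemctl reload nginx
}

# Usage (as root): . ./install-cert.sh; install_jitsi_cert meet.esempio.org
```

`openssl x509` reads only the first certificate in fullchain.pem, which is the leaf, so both checks look at the server certificate and not at the intermediate.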
User authentication
As just installed, the Jitsi server is open to the whole world: anyone who knows the address can create rooms. Here is how to require a password.
/etc/prosody/conf.avail/[your-hostname].cfg.lua
VirtualHost "[your-hostname]"
    authentication = "internal_hashed" -- (not jitsi-anonymous)
/etc/jitsi/jicofo/jicofo.conf
jicofo {
  authentication {
    enabled: true
    type: XMPP
    login-url: FQDN
    enable-auto-login: true
  }
}
User
# prosodyctl register <username> <FQDN>
(the password is requested interactively; the user is created on the VirtualHost whose authentication is now internal_hashed)
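A quick way to confirm that the prosody change above actually took effect, as an added example that is not part of the tutorial: the functions below are mine, and they read the VirtualHost block for the given host out of the config file and report its authentication method, so a deployment script can refuse to continue while the host is still anonymous. The config in the usage comment is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the tutorial): audit a prosody config file to confirm
# the meeting VirtualHost requires a login. Assumes the Lua layout used above
# (one "key = value" setting per line, optional "--" comment at the end).

# vhost_auth_method FILE HOST: prints the `authentication` value set inside
# VirtualHost "HOST" with quotes and trailing comment stripped, or "unset"
# when that block does not set one (prosody then falls back to the global value).
vhost_auth_method() {
  awk -v host="$2" '
    /^[[:space:]]*(VirtualHost|Component)[[:space:]]/ {
      inhost = (index($0, "\"" host "\"") > 0)
      next
    }
    inhost && /^[[:space:]]*authentication[[:space:]]*=/ {
      sub(/^[^=]*=[[:space:]]*/, "")        # drop "authentication ="
      sub(/[[:space:]]*(--.*)?$/, "")       # drop trailing Lua comment
      gsub(/"/, "")
      print; found = 1; exit
    }
    END { if (!found) print "unset" }
  ' "$1"
}

# requires_login FILE HOST: 0 when HOST uses a password-based prosody method
# (internal_hashed or internal_plain), 1 for anonymous/jitsi-anonymous/unset.
requires_login() {
  case "$(vhost_auth_method "$1" "$2")" in
    internal_hashed|internal_plain) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage:
#   requires_login /etc/prosody/conf.avail/meet.esempio.org.cfg.lua meet.esempio.org \
#     || { echo "meet.esempio.org still allows anonymous users" >&2; exit 1; }
```

`internal_hashed` stores salted password hashes in prosody's data directory; `internal_plain` would store them in clear text, which is why the tutorial picks the hashed variant.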