Jitsi Installation with JWT Support on Ubuntu 20.04 TLS

 

Complete guide to install Jitsi with JWT support on Ubuntu 20.04 TLS

Since Ubuntu 20.04 Focal Fossa fairly new comparing to previous Ubuntu TLS Bionic Beaver, there are same differences when installing Jitsi with JWT support. So i decided to share a separate manual for the installation of Jitsi with JWT authentication support for Ubuntu 20.04 TLS.

Security is very important issue if we are talking about live conferencing. As Zoom had several security issues like Room Bombing, insecurity of personal data and encryption policies, Zoom was about to loose its reputation. Immediate actions are taken by the company to cover these security issues which was out of priority as a requirement for a very fast growing company during – and because of – COVID-19. 

Jitsi has JWT implementation to provide security for web conferencing. Basically Jitsi rooms can be created and/or joined after a successful JWT validation.

Jitsi with JWT is a very smart and simple solution perspective to add enhanced security to your Jitsi installations. But i must say it is not easy to find accurate documentation on that even on Jitsi Community portal. For my first installation which i did last year – long time ago from COVID –  took me to much time to experiment and learn. Now there are few posts about Jitsi with JWT in Jitsi Community forums. But i must say it is still like  “looking for a needle in a haystack” as said in Turkish idiom.

Anyway i thought it will be good idea to collect my experience and provide a manual for people who are interested in installing and configuring Jitsi with JWT. So, here it is!

Setting up FQDN

Run;

sudo hostnamectl set-hostname YOUR_DOMAIN

 

 

Edit /etc/hostname file as;

YOUR_DOMAIN

 

 

Edit /etc/hosts file as;

 127.0.0.1       localhost

YOUR_LOCAL_IP    YOUR_DOMAIN  jitsimain

YOUR_GLOBAL_IP YOUR_DOMAIN  jitsimain

127.0.0.1       localhost           YOUR_DOMAIN

# The following lines are desirable for IPv6 capable hosts

::1     localhost ip6-localhost ip6-loopback

ff02::1 ip6-allnodes

ff02::2 ip6-allrouters

 

 

To restart VM run;

reboot

 

After restart to test your FQDN setup run; 

ping “$(hostname)”

 

Should ping 127.0.0.1 and command out put will be similar to;

PING YOUR_DOMAIN (127.0.0.1) 56(84) bytes of data.

64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.026 ms

64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.041 ms

64 bytes from localhost (127.0.0.1): icmp_seq=3 ttl=64 time=0.045 ms

 

Setting Up Base Jitsi Components with JWT Support

 

Switch to root;

sudo su

 

Since Ubuntu 20.04 TLS Focal Fossa is a fairly new distribution  libssl1.0-dev does not exist in its Debian repository. So we need to install  libssl1.0-dev package for 18.04 TLS Bionic Beaver. So that;

Edit Debian (Ubuntu) package repository resources;

sudo nano /etc/apt/sources.list

 

Add the following line for global Debian repo;

deb http://security.ubuntu.com/ubuntu bionic-security main

 

Execute;

sudo apt update && apt-cache policy libssl1.0-dev

 

 

We need to install the Jitsi base components and latest Prosody version now. Components to be installed;

 

  • gcc (c++ compiler to compile luarocks)

  • unzip

  • lua5.2 (Lua programming language)

  • liblua5.2 (Lua base libraries)

  • luarocks (The main repository of Lua modules)

  • basexx ( Lua library which provides base2(bitfield), base16(hex), base32(crockford/rfc), base64(rfc/url), base85(z85) decoding and encoding.)

  • libssl1.0-dev (Debian (Ubuntu) package is part of the OpenSSL project’s implementation of the SSL and TLS)

  • luacrypto (Lua frontend to the OpenSSL cryptographic library)

  • lua-cjson (JSON encoding/parsing module for Lua)

  • luajwtjitsi (JSON Web Tokens module for Lua)

  • Prosody (Latest stable version)

 

To install components simply run; (VM will be restarted with the last command)

cd &&

apt-get update -y &&

apt-get install gcc -y &&

apt-get install unzip -y &&

apt-get install lua5.2 -y &&

apt-get install liblua5.2 -y &&

apt-get install luarocks -y &&

luarocks install basexx &&

apt-get install libssl1.0-dev -y &&

luarocks install luacrypto &&

mkdir src &&

cd src &&

luarocks download lua-cjson &&

luarocks unpack lua-cjson-2.1.0.6-1.src.rock &&

cd lua-cjson-2.1.0.6-1/lua-cjson &&

sed -i ‘s/lua_objlen/lua_rawlen/g’ lua_cjson.c &&

sed -i ‘s|$(PREFIX)/include|/usr/include/lua5.2|g’ Makefile &&

luarocks make &&

luarocks install luajwtjitsi &&

cd &&

wget https://prosody.im/files/prosody-debian-packages.key -O- | sudo apt-key add – &&

echo deb http://packages.prosody.im/debian $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list &&

apt-get update -y &&

apt-get upgrade -y &&

apt-get install prosody -y &&

chown root:prosody /etc/prosody/certs/localhost.key &&

chmod 644 /etc/prosody/certs/localhost.key &&

sleep 2 &&

shutdown -r now

 

After reboot switch to root as always;

sudo su

 

Install rest of the components;

 

Notes for the installation of this part;

  • Hostname will be prompted. Enter FQDN which is same as hostname of the VM. 

  • As a second prompted question, generate a new certificate instead of using your existing certificate. If you have your own certificates i guess it is better to install with generating new certificates also. You will always have a chance to replace your certificates later.

  • Enter application ID as; YOUR_APP_ID

  • Enter application secret as; YOUR_SECRET

 

Simply run;

 

cd &&

cp /etc/prosody/certs/localhost.key /etc/ssl &&

apt-get install nginx -y &&

wget -qO – https://download.jitsi.org/jitsi-key.gpg.key | sudo apt-key add – &&

sh -c “echo ‘deb https://download.jitsi.org stable/’ > /etc/apt/sources.list.d/jitsi-stable.list” &&

apt-get -y update &&

apt-get install jitsi-meet -y &&

apt-get install jitsi-meet-tokens -y

 

By now we have installed all of the required components.

 

Create Cerificates

To generate a certificate execute;

 

Note: For certificate default sh script does not work for Ubuntu 20.04 LTS. Following workaround solves the problem. Install certbot then replace certbot-auto with certbot in sh script then execute certificate script.

 

sudo apt install certbot &&

sudo sed -i ‘s/\.\/certbot-auto/certbot/g’ /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh && 

sudo /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh

 

Firewall Settings

To enable firewall run: 

ufw enable

 

To open necessary Jitsi ports run:

Note: 2220 is our ssh port and should be open to access server through ssh.

 

ufw allow in 2220/tcp &&

ufw allow in openssh &&

ufw allow in 80/tcp &&

ufw allow in 443/tcp &&

ufw allow in 4443/tcp &&

ufw allow in 5222/tcp &&

ufw allow in 5347/tcp &&

ufw allow in 10000:20000/udp

 

Check firewall rules:

ufw status

 

Restart:

reboot

Configure Prosody

Open /etc/prosody/prosody.cfg.lua and add above lines after admins object;

admins = {}

component_ports = { 5347 }

component_interface = “0.0.0.0”

change

c2s_require_encryption=true

to

c2s_require_encryption=false

 

and check the end of file if file has the line;

Include “conf.d/*.cfg.lua”

 

Configure Prosody for Your Host

Open /etc/prosody/conf.avail/YOUR_DOMAIN.cfg.lua and add above lines with your issuers and audiences;

asap_accepted_issuers = { “YOUR_APP_ID”, “smash” }

asap_accepted_audiences = { “YOUR_APP_ID”, “smash” }

Also under you domain config change authentication to “token” and provide application ID, secret you have defined during components installation;

VirtualHost “YOUR_DOMAIN”

    authentication = “token”;

    app_id = “YOUR_APP_ID”;             — application identifier

    app_secret = “YOUR_SECRET”;     — application secret known only to your token

 

Also to access data by lib-jitsi-meet you have to enable the prosody module mod_presence_identity in your config.

VirtualHost “YOUR_DOMAIN”

    modules_enabled = { “presence_identity” }

 

And enable room name token verification plugin in your MUC component config section:

Component “conference.YOUR_DOMAIN” “muc”

    modules_enabled = { “token_verification” }

 

And setup guest domain

VirtualHost “guest.YOUR_DOMAIN”

    authentication = “token”;

    app_id = “YOUR_APP_ID”;

    app_secret = “YOUR_SECRET”;

    c2s_require_encryption = true;

    allow_empty_token = true;

Enable Anonymous Domain in Jitsi Meet Config

Open your meet config in /etc/jitsi/meet/YOUR_DOMAIN-config.js and edit as:

var config = {

    hosts: {

        … 

        // When using authentication, domain for guest users.

        anonymousdomain: ‘guest.jitmeet.example.com’,

        …

    },

    …

    enableUserRolesBasedOnToken: true,

    …

}

 

Jicofo Configuration

 

Set following config in /etc/jitsi/jicofo/config as:

JICOFO_HOST=YOUR_DOMAIN

Edit your /etc/jitsi/jicofo/sip-communicator.properties as;

org.jitsi.jicofo.BRIDGE_MUC=JvbBrewery@internal.auth.YOUR_DOMAIN org.jitsi.jicofo.auth.URL=XMPP:YOUR_DOMAIN org.jitsi.jicofo.auth.DISABLE_AUTOLOGIN=true

 

Video Bridge Configuration

Edit Video Bridge config file;

nano /etc/jitsi/videobridge/config

In the config file set your JWB_HOST parameter as;

JVB_HOST=YOUR_DOMAIN

Also in the config,  add a new paramater AUTHBIND as;

 AUTHBIND=yes

Restart All Services

systemctl restart prosody jicofo jitsi-videobridge2

Testing

For testing your Jitsi with JWT installation you will need a token. To generate your token you can go to  jwt.io . In the main page there is a JWT debugger. Considering that you are using HS256 algorithm (which is default for Jitsi and also jwt.io) for encryption our token’s header section will be;

{
"alg": "HS256",
"typ": "JWT"
}

As a minimum requirement your token Payload data will be;

{

  "aud": "YOUR_AUDIENCE",

  "iss": "YOUR_ISSUER",

  "sub": "YOUR_JITSI_DOMAIN",

  "room": "*"

}

Now for Verify Section of JWT debugger you will need YOUR_SECRET to generate YOUR_TOKEN

So considering the parameters above your generated token will be;

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJZT1VSX0FVRElFTkNFIiwiaXNzIjoiWU9VUl9JU1NVRVIiLCJzdWIiOiJZT1VSX0pJVFNJX0RPTUFJTiIsInJvb20iOiIqIn0.lfdX8pvLIWxC1k27CAT3H4k2EhS2rbE_Ks8SwsD2pJo

You can copy the token above and paste it to  Encoded section of the JWT Debugger and also proving YOUR_SECRET string “as it is” for your secret in the Verify Section you will see your decoded token Payload “as it is”.

 Now go to your Jitsi Meet URL:

https://YOUR_DOMAIN.com/jwt_test_room?jwt=YOUR_TOKEN

Now you can add user information to your token and pass it to Jitsi Meet. To do that you can add additional json formatted keys and values to your token. For further info about JWT token structure go to : https://github.com/jitsi/lib-jitsi-meet/blob/master/doc/tokens.md

Also check logs for warning and error messages:

Prosody log

tail -f -n 200 /var/log/prosody/prosody.log

Jicofo log

tail -f -n 200 /var/log/jitsi/jicofo.log

JVB log

tail -f -n 200 /var/log/jitsi/jvb.log

Now you have your new Jitsi instance with JWT support!

And if you need support for Jitsi with JWT authentication do not hesitate to Whatsup. We are giving professional grade Jitsi consultation service including installation, integration, customisation and maintenance support.

For your questions and comments please contribute below.

Leave a Comment

Your email address will not be published. Required fields are marked *