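# Taken from the original thread: https://github.com/jitsi/lib-jitsi-meet/issues/1082#issuecomment-616948457
### Fresh install of Jitsi Meet with JWT token authentication on Ubuntu Bionic Beaver 18.04
# Add a DNS record for meet.mydomain.com that points to the public IP of the VM.
# Open these ports on the network security group:
# 80/tcp
# 443/tcp
# 4443/tcp
# 10000/udp

# Mirror the same rules in the host firewall. 22/tcp is allowed before
# `ufw enable` so the SSH session used for the install is not cut off.
# If administration always comes from a known address, a source-restricted
# rule is tighter than a global allow, e.g.
#   sudo ufw allow from <ADMIN_IP> to any port 22 proto tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw allow 4443/tcp
sudo ufw allow 10000/udp
sudo ufw allow 22/tcp
sudo ufw enable
# Confirm that only the ports listed above are reachable.
sudo ufw status verbose

sudo hostnamectl set-hostname meet.mydomain.com
sudo nano /etc/hosts
#manually append
#127.0.0.1 meet.mydomain.com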
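# Prosody repository.
# Each signing key is stored in its own keyring and the source entry is bound
# to it with signed-by, so the key is trusted for this repository only.
# `apt-key add` would trust it for every configured repository.
wget -qO- https://prosody.im/files/prosody-debian-packages.key \
  | sudo gpg --yes --dearmor -o /usr/share/keyrings/prosody-keyring.gpg
# The repository URL is plain http, as in the original notes. apt still checks
# package signatures against the keyring above, but the transfer itself is
# visible to the network. The entry is written to its own file (not appended
# to /etc/apt/sources.list) so re-running the step does not duplicate it.
echo "deb [signed-by=/usr/share/keyrings/prosody-keyring.gpg] http://packages.prosody.im/debian $(lsb_release -sc) main" \
  | sudo tee /etc/apt/sources.list.d/prosody.list >/dev/null
sudo apt-get -y update
sudo apt-get -y install prosody

# Jitsi repository, same keyring-per-repository layout.
wget -qO- https://download.jitsi.org/jitsi-key.gpg.key \
  | sudo gpg --yes --dearmor -o /usr/share/keyrings/jitsi-keyring.gpg
echo 'deb [signed-by=/usr/share/keyrings/jitsi-keyring.gpg] https://download.jitsi.org stable/' \
  | sudo tee /etc/apt/sources.list.d/jitsi-stable.list >/dev/null
sudo apt-get -y update
sudo apt-get -y install jitsi-meet
#manually type
#meet.mydomain.com
#choose self-signed cert for now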
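# Replace the self-signed certificate chosen during the jitsi-meet install
# with a Let's Encrypt certificate.
sudo add-apt-repository ppa:certbot/certbot
sudo apt -y install certbot
sudo /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh
#enter your own contact e-mail when prompted (the original notes used sully@sully.com)

# Token (JWT) authentication package; the installer prompts for two values.
sudo apt-get -y install jitsi-meet-tokens
#enter app id
#enter app secret
# The app secret is the shared key that signs and verifies every JWT, so
# anyone who learns it can mint valid tokens, including moderator ones.
# Use a long random value (for example the output of `openssl rand -hex 32`),
# keep it out of shell history and version control, and store it only where
# the token issuer and this server can read it.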
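sudo nano /etc/prosody/prosody.cfg.lua
#c2s_require_encryption=false
# NOTE(review): this drops Prosody's requirement that client-to-server XMPP
# connections use TLS. The ufw rules in this guide do not open 5222/tcp;
# keep it closed so that unencrypted c2s logins are not reachable from the
# network.

sudo nano /etc/prosody/conf.avail/meet.mydomain.com.cfg.lua
#authentication="token"
#app_id="myappid"
#app_secret="myappsecret"
#allow_empty_token=false
#further down remove comment from -- "token_verification"
# This file now holds the token signing secret in clear text. Check with
# `sudo ls -l /etc/prosody/conf.avail/meet.mydomain.com.cfg.lua` that it is
# not world-readable.

#Fix permissions on localhost key
# The key is a private key: owner root, group prosody, no access for others.
# Mode 640 gives Prosody read access through its group; 644 would let every
# local account read the key.
sudo chown root:prosody /etc/prosody/certs/localhost.key
sudo chmod 640 /etc/prosody/certs/localhost.key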
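# Build dependencies for the Lua JWT library used by the token modules.
sudo apt-get -y install lua5.2 luarocks libssl-dev liblua5.2

# Write the rockspec for the luajwt fork.
# - '>' instead of '>>': re-running the step must not append a second copy
#   and leave an invalid rockspec behind.
# - the heredoc delimiter is quoted so the shell expands nothing in the body.
# - the source is fetched over git+https; the git:// protocol is
#   unauthenticated and unencrypted, and GitHub no longer serves it.
# - "replace_luacrypto" is a ref name in a third-party fork and can move;
#   review what it currently points to before installing, since this code
#   ends up verifying every token.
cat <<'EOT' > luajwtjitsi-1.3-7.rockspec
package = "luajwtjitsi"
version = "1.3-7"
source = {
  -- Use fork from ASolomatin which uses luaossl
  url = "git+https://github.com/ASolomatin/luajwt",
  tag = "replace_luacrypto"
}
description = {
  summary = "JSON Web Tokens for Lua",
  detailed = "Very fast and compatible with pyjwt, php-jwt, ruby-jwt, node-jwt-simple and others",
  homepage = "https://github.com/jitsi/luajwt/",
  license = "MIT <http://opensource.org/licenses/MIT>"
}
dependencies = {
  -- Prosody uses lua 5.2
  "lua >= 5.2",
  "luaossl >= 20190731-0",
  -- Use exact version 2.1, see https://github.com/mpx/lua-cjson/issues/56
  "lua-cjson = 2.1.0",
  "lbase64 >= 20120807-3"
}
build = {
  type = "builtin",
  modules = {
    luajwtjitsi = "luajwtjitsi.lua"
  }
}
EOT
# NOTE(review): the original notes run luarocks without sudo; writing to the
# system rocks tree presumably needs root, so confirm which account ran these.
luarocks install luajwtjitsi-1.3-7.rockspec
luarocks install basexx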
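#install again
sudo apt-get install -y jitsi-meet jitsi-meet-tokens

# Start from an empty error log so that everything in it after the restart
# belongs to the new configuration. -f keeps the step from failing when the
# file does not exist yet. This discards earlier entries; copy the file
# elsewhere first if they are still needed for troubleshooting.
sudo rm -f /var/log/prosody/prosody.err
sudo systemctl restart prosody.service
sudo systemctl restart jicofo.service
sudo systemctl restart jitsi-videobridge2.service
sudo cat /var/log/prosody/prosody.err #no errors! just some warnings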
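### In order for Prosody to honor the moderator: true flag in the JWT, now install the below plugin:
# The module runs inside Prosody and decides who becomes moderator, so it is
# downloaded to a temporary file, read, and only then installed as root.
# `master` is a moving branch: to pin the download, replace `master` in the
# URL with a commit you have reviewed (<REVIEWED_COMMIT_SHA>) and record the
# checksum printed below.
plugin_url='https://raw.githubusercontent.com/nvonahsen/jitsi-token-moderation-plugin/master/mod_token_moderation.lua'
plugin_tmp=$(mktemp) && wget -O "$plugin_tmp" "$plugin_url"
sha256sum "$plugin_tmp"
less "$plugin_tmp"
sudo install -o root -g root -m 644 "$plugin_tmp" \
  /usr/share/jitsi-meet/prosody-plugins/mod_token_moderation.lua
rm -f -- "$plugin_tmp"

# Substitute your domain for [YOUR DOMAIN] in the path below.
sudo nano "/etc/prosody/conf.d/[YOUR DOMAIN].cfg.lua"
#edit the conference.[YOUR DOMAIN] component to add token_moderation
#Change this line modules_enabled = { [EXISTING MODULES] } TO modules_enabled = { [EXISTING MODULES]; "token_moderation" }
sudo systemctl restart prosody && sudo systemctl restart jicofo && sudo systemctl restart jitsi-videobridge2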
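### In order to reduce CPU usage on server, turn off timeseries logging:
# The files under /etc/jitsi are edited with sudo, like the other
# configuration files in this guide.
sudo vi /etc/jitsi/videobridge/logging.properties
#java.util.logging.FileHandler.level = OFF
# NOTE(review): this level applies to the file handler as a whole. Confirm
# the bridge still logs somewhere you can consult (for example the journal)
# before relying on this setting on a production server.

#Also add this line:
sudo vi /etc/jitsi/videobridge/sip-communicator.properties
#org.jitsi.videobridge.DISABLE_TCP_HARVESTER=true
# With the TCP harvester disabled the bridge should no longer need 4443/tcp.
# Verify with `sudo ss -ltnp` after the restart; if nothing listens there,
# close the port again with `sudo ufw delete allow 4443/tcp` and in the
# network security group.
sudo systemctl restart jitsi-videobridge2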
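### Test using a token generated on jwt.io. A moderator JWT (moderator: true) allows a couple of extra things: (1) password-protect the room and enable the lobby, (2) mute everyone under settings, (3) start live recording, and some other things.
# Use a throwaway app secret when testing with a web-based token tool and sign production tokens locally: whoever holds the secret can mint moderator tokens.
# In production, set "room" to the specific room instead of "*" (which matches every room) and keep "exp" short.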
{
  "context": {
    "user": {
      "avatar": "https://gravatar.com/avatar/abc123",
      "name": "moderator",
      "email": "amoderator@example.com",
      "id": "testid"
    },
    "group": "testgroup"
  },
  "aud": "appid",
  "iss": "appid",
  "sub": "meet.example.com",
  "room": "*",
  "exp": 1599964155,
  "moderator": true|false
}