The author selected the Open Internet/Free Speech Fund to receive a donation as part of the Write for DOnations program.
作者选择了“ 开放互联网/言论自由基金会”作为“ Write for DOnations”计划的一部分来接受捐赠。
介绍 (Introduction)
Jitsi Meet is an open-source video-conferencing application based on WebRTC. A Jitsi Meet server provides multi-person video conference rooms that you can access using nothing more than your browser and provides comparable functionality to a Zoom or Skype conference call. The benefit of a Jitsi conference is that all your data only passes through your server, and the end-to-end TLS encryption ensures that no one can snoop on the call. With Jitsi you can be sure that your private information stays that way.
Jitsi Meet是基于WebRTC的开源视频会议应用程序。 Jitsi Meet服务器提供了多人视频会议室,您仅需使用浏览器即可访问它,并提供与Zoom或Skype电话会议相当的功能。 Jitsi会议的好处是所有数据仅通过服务器,并且端到端TLS加密确保没有人可以监听呼叫。 使用Jitsi,您可以确保您的私人信息保持原样。
In this tutorial, you will install and configure a Jitsi Meet server on Ubuntu 18.04. The default configuration allows anyone to create a new conference room. This is not ideal for a server that is publicly available on the internet so you will also configure Jitsi Meet so that only registered users can create new conference rooms. After you have created the conference room, any users can join, as long as they have the unique address and the optional password.
在本教程中,您将在Ubuntu 18.04上安装和配置Jitsi Meet服务器。 默认配置允许任何人创建一个新会议室。 这对于Internet上公开可用的服务器而言并不理想,因此您还将配置Jitsi Meet,以便只有注册用户才能创建新会议室。 创建会议室后,只要具有唯一地址和可选密码的任何用户都可以加入。
先决条件 (Prerequisites)
Before you begin this guide you’ll need the following:
在开始本指南之前,您需要满足以下条件:
One Ubuntu 18.04 server set up by following the Initial Server Setup with Ubuntu 18.04 tutorial, including a non-root sudo-enabled user. The size of the server you will need mostly depends on the available bandwidth and the number of participants you expect to be using the server. The following table will give you some idea of what is needed.
通过遵循带有Ubuntu 18.04的初始服务器设置教程来设置一台Ubuntu 18.04服务器,其中包括未启用root的sudo用户。 您将需要的服务器大小主要取决于可用带宽和预期使用服务器的参与者数量。 下表将使您对所需的内容有所了解。
A domain name configured to point to your server. You can learn how to point domains and hostnames to DigitalOcean Droplets by referring to the Domains and DNS guide. Throughout this guide, the example domain name
jitsi.example.comis used.配置为指向您的服务器的域名。 您可以通过参考“ 域和DNS”指南来学习如何将域和主机名指向DigitalOcean Droplet。 在本指南中,均使用示例域名
jitsi.example.com。
When you are choosing a server to run your Jitsi Meet instance you will need to consider the system resources needed to host conference rooms. The following benchmark information was collected from a single-core virtual machine using high-quality video settings:
选择服务器运行Jitsi Meet实例时,需要考虑托管会议室所需的系统资源。 以下基准信息是使用高质量视频设置从单核虚拟机收集的:
| CPU | Server Bandwidth | |
|---|---|---|
| Two Participants | 3% | 30Kbps Up, 100Kbps Down |
| Three Participants | 15% | 7Mbps Up, 6.5Mbps Down |
| 中央处理器 | 服务器带宽 | |
|---|---|---|
| 两名参加者 | 3% | 上升30Kbps,下降100Kbps |
| 三名参加者 | 15% | 最高7Mbps,最低6.5Mbps |
The jump in resource use between two and three participants is because Jitsi will route the call data directly between the clients when there are two of them. When more than two clients are present then call data is routed through the Jitsi Meet server.
两到三个参与者之间资源使用的跳跃是因为,当有两个参与者时,Jitsi将直接在客户之间路由呼叫数据。 如果存在两个以上的客户端,则呼叫数据将通过Jitsi Meet服务器路由。
步骤1 —设置系统主机名 (Step 1 — Setting the System Hostname)
In this step, you will change the system’s hostname to match the domain name that you intend to use for your Jitsi Meet instance and resolve that hostname to the localhost IP, 127.0.0.1. Jitsi Meet uses both of these settings when it installs and generates its configuration files.
在此步骤中,您将更改系统的主机名,以匹配您打算用于Jitsi Meet实例的域名,并将该主机名解析为localhost IP 127.0.0.1 。 Jitsi Meet在安装并生成其配置文件时会同时使用这两个设置。
First, set the system’s hostname to the domain name that you will use for your Jitsi instance. The following command will set the current hostname and modify the /etc/hostname that holds the system’s hostname between reboots:
首先,将系统的主机名设置为将用于Jitsi实例的域名。 以下命令将设置当前主机名,并修改在重新引导之间保存系统主机名的/etc/hostname :
sudo hostnamectl set-hostname jitsi.your-domain
sudo hostnamectl设置主机名jitsi。您的域
The command that you ran breaks down as follows:
您运行的命令分解如下:
hostnamectlis a utility from the systemd tool suite to manage the system hostname.hostnamectl是systemd工具套件中的实用程序,用于管理系统主机名。set-hostnamesets the system hostname.set-hostname设置系统主机名。
Check that this was successful by running the following:
通过运行以下命令来检查是否成功:
- hostname 主机名
This will return the hostname you set with the hostnamectl command:
这将返回您使用hostnamectl命令设置的hostnamectl :
Output
jitsi.your-domain
Next, you will set a local mapping of the server’s hostname to the loopback IP address, 127.0.0.1. Do this by opening the /etc/hosts file with a text editor:
接下来,您将设置服务器主机名到环回IP地址127.0.0.1的本地映射。 通过使用文本编辑器打开/etc/hosts文件来执行此操作:
- sudo nano /etc/hosts 须藤nano / etc / hosts
Then, add the following line:
然后,添加以下行:
127.0.0.1 jitsi.your-domainMapping your Jitsi Meet server’s domain name to 127.0.0.1 allows your Jitsi Meet server to use several networked processes that accept local connections from each other on the 127.0.0.1 IP address. These connections are authenticated and encrypted with a TLS certificate, which is registered to your domain name. Locally mapping the domain name to 127.0.0.1 makes it possible to use the TLS certificate for these local network connections.
通过将Jitsi Meet服务器的域名映射到127.0.0.1 ,Jitsi Meet服务器可以使用多个联网的进程,这些进程在127.0.0.1 IP地址上接受彼此的本地连接。 这些连接使用TLS证书进行身份验证和加密,该证书已注册到您的域名。 将域名本地映射到127.0.0.1可以将TLS证书用于这些本地网络连接。
Save and exit your file.
保存并退出文件。
Your server now has the hostname that Jitsi requires for installation. In the next step, you will open the firewall ports that are needed by Jitsi and the TLS certificate installer.
您的服务器现在具有Jitsi安装所需的主机名。 在下一步中,您将打开Jitsi和TLS证书安装程序所需的防火墙端口。
第2步-配置防火墙 (Step 2 — Configuring the Firewall)
When you followed the Initial Server Setup with Ubuntu 18.04 guide you enabled the UFW firewall and opened the SSH port. The Jitsi server needs some ports opened so that it can communicate with the call clients. Also, the TLS installation process needs to have a port open so that it can authenticate the certificate request.
在遵循Ubuntu 18.04的初始服务器设置指南时,您启用了UFW防火墙并打开了SSH端口。 Jitsi服务器需要打开一些端口,以便它可以与呼叫客户端进行通信。 此外,TLS安装过程需要打开一个端口,以便它可以认证证书请求。
The ports that you will open are the following:
您将打开的端口如下:
80/tcpused in the TLS certificate request.TLS证书请求中使用的
80/tcp。443/tcpused for the conference room creation web page.用于会议室创建网页的
443/tcp。4443/tcp,10000/udpused to transmit and receive the encrypted call traffic.4443/tcp,10000/udp用于发送和接收加密的呼叫流量。
Run the following ufw commands to open these ports:
运行以下ufw命令以打开这些端口:
- sudo ufw allow 80/tcp sudo ufw允许80 / tcp
- sudo ufw allow 443/tcp sudo ufw允许443 / tcp
- sudo ufw allow 4443/tcp sudo ufw允许4443 / tcp
- sudo ufw allow 10000/udp sudo ufw允许10000 / udp
Check that they were all added with the ufw status command:
使用ufw status命令检查它们是否都已添加:
- sudo ufw status sudo ufw状态
You will see the following output if these ports are open:
如果这些端口打开,您将看到以下输出:
Output
Status: active
To Action From
-- ------ ----
OpenSSH ALLOW Anywhere
80/tcp ALLOW Anywhere
443/tcp ALLOW Anywhere
4443/tcp ALLOW Anywhere
10000/udp ALLOW Anywhere
OpenSSH (v6) ALLOW Anywhere (v6)
80/tcp (v6) ALLOW Anywhere (v6)
443/tcp (v6) ALLOW Anywhere (v6)
4443/tcp (v6) ALLOW Anywhere (v6)
10000/udp (v6) ALLOW Anywhere (v6)
The server is now ready for the Jitsi installation, which you will complete in the next step.
现在,服务器已准备好进行Jitsi安装,您将在下一步中完成安装。
第3步-安装Jitsi Meet (Step 3 — Installing Jitsi Meet)
In this step, you will add the Jitsi stable repository to your server and then install the Jitsi Meet package from that repository. This will ensure that you are always running the latest stable Jitsi Meet package.
在此步骤中,您将把Jitsi稳定存储库添加到服务器,然后从该存储库安装Jitsi Meet软件包。 这将确保您始终运行最新的稳定Jitsi Meet软件包。
First, download the Jitsi GPG key with the wget downloading utility:
首先,使用wget下载实用程序下载Jitsi GPG密钥:
- wget https://download.jitsi.org/jitsi-key.gpg.key wget https://download.jitsi.org/jitsi-key.gpg.key
The apt package manager will use this GPG key to validate the packages that you will download from the Jitsi repository.
apt软件包管理器将使用此GPG密钥来验证您将从Jitsi存储库下载的软件包。
Next, add the GPG key you downloaded to apt’s keyring using the apt-key utility:
接下来,使用apt-key实用程序将下载的GPG密钥添加到apt的密钥apt-key :
- sudo apt-key add jitsi-key.gpg.key sudo apt-key添加jitsi-key.gpg.key
You can now delete the GPG key file as it is no longer needed:
现在,您可以删除GPG密钥文件,因为它不再需要:
- rm jitsi-key.gpg.key rm jitsi-key.gpg.key
Now, you will add the Jitsi repository to your server by creating a new source file that contains the Jitsi repository. Open and create the new file with your editor:
现在,您将通过创建一个包含Jitsi存储库的新源文件将Jitsi存储库添加到服务器。 使用编辑器打开并创建新文件:
- sudo nano /etc/apt/sources.list.d/jitsi-stable.list 须藤nano /etc/apt/sources.list.d/jitsi-stable.list
Add this line to the file for the Jitsi repository:
将此行添加到Jitsi存储库的文件中:
deb https://download.jitsi.org stable/Save and exit your editor.
保存并退出编辑器。
Finally, perform a system update to collect the package list from the Jitsi repository and then install the jitsi-meet package:
最后,执行系统更新以从Jitsi存储库收集软件包列表,然后安装jitsi-meet软件包:
- sudo apt update sudo apt更新
- sudo apt install jitsi-meet sudo apt安装jitsi-meet
During the installation of jitsi-meet you will be prompted to enter the domain name (for example, jitsi.your-domain) that you want to use for your Jitsi Meet instance.
在安装jitsi-meet期间,将提示您输入要用于Jitsi Meet实例的域名(例如jitsi.your-domain )。
Note: You move the cursor from the hostname field to highlight the <OK> button with the TAB key. Press ENTER when <OK> is highlighted to submit the hostname.
注意:您将光标从主机名字段移到以使用TAB键突出显示<OK>按钮。 突出显示<确定>时按ENTER以提交主机名。
You will then be shown a new dialog box that asks if you want Jitsi to create and use a self-signed TLS certificate or use an existing one you already have:
然后,将显示一个新对话框,询问您是要Jitsi创建和使用自签名 TLS证书还是使用已经拥有的现有证书:
If you do not have a TLS certificate for your Jitsi domain select the first, Generate a new self-signed certificate, option.
如果您的Jitsi域没有TLS证书,请选择第一个“ 生成新的自签名证书 ”选项。
Your Jitsi Meet instance is now installed using a self-signed TLS certificate. This will cause browser warnings, so you will get a signed TLS certificate in the next step.
现在,已使用自签名TLS证书安装了Jitsi Meet实例。 这将导致浏览器警告,因此您将在下一步中获得签名的TLS证书。
步骤4 —获得签名的TLS证书 (Step 4 — Obtaining a Signed TLS Certificate)
Jitsi Meet uses TLS certificates to encrypt the call traffic so that no one can listen to your call as it travels over the internet. TLS certificates are the same certificates that are used by websites to enable HTTPS URLs.
Jitsi Meet使用TLS证书对通话流量进行加密,因此在Internet上通话时,没人能听到您的通话。 TLS证书与网站用于启用HTTPS URL的证书相同。
Jitsi Meet supplies a program to automatically download a TLS certificate for your domain name that uses the Certbot utility. You will need to install this program before you run the certificate installation script.
Jitsi Meet提供了一个程序,该程序使用Certbot实用程序自动为您的域名下载TLS证书。 在运行证书安装脚本之前,您将需要安装此程序。
First, add the Certbot repository to your system to ensure that you have the latest version of Certbot. Run the following command to add the new repository and update your system:
首先,将Certbot存储库添加到系统中,以确保您具有最新版本的Certbot。 运行以下命令以添加新的存储库并更新系统:
- sudo add-apt-repository ppa:certbot/certbot sudo add-apt-repository ppa:certbot / certbot
Next, install the certbot package:
接下来,安装certbot软件包:
- sudo apt install certbot sudo apt安装certbot
Your server is now ready to run the TLS certificate installation program provided by Jitsi Meet:
您的服务器现在可以运行Jitsi Meet提供的TLS证书安装程序了:
- sudo /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh 须藤/usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh
When you run the script you will be shown the following prompt for an email address:
运行脚本时,将提示您输入以下电子邮件地址:
Output
-------------------------------------------------------------------------
This script will:
- Need a working DNS record pointing to this machine(for domain jitsi.example.com)
- Download certbot-auto from https://dl.eff.org to /usr/local/sbin
- Install additional dependencies in order to request Let’s Encrypt certificate
- If running with jetty serving web content, will stop Jitsi Videobridge
- Configure and reload nginx or apache2, whichever is used
- Configure the coturn server to use Let's Encrypt certificate and add required deploy hooks
- Add command in weekly cron job to renew certificates regularly
You need to agree to the ACME server's Subscriber Agreement (https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf)
by providing an email address for important account notifications
Enter your email and press [ENTER]:
This email address will be submitted to the certificate issuer https://letsencrypt.org and will be used to notify you about security and other matters related to the TLS certificate. You must enter an email address here to proceed with the installation. The installation will then complete without any further prompts.
该电子邮件地址将被提交给证书颁发者https://letsencrypt.org ,并将用于通知您有关TLS证书的安全性和其他事项。 您必须在此处输入电子邮件地址才能继续安装。 然后,安装将完成,而没有任何其他提示。
When it finishes, your Jitsi Meet instance will be configured to use a signed TLS certificate for your domain name. Certificate renewals will also happen automatically because the installer placed a renewal script at /etc/cron.weekly/letsencrypt-renew that will run each week.
完成后,您的Jitsi Meet实例将配置为对您的域名使用签名的TLS证书。 证书更新也将自动发生,因为安装程序将更新脚本放在/etc/cron.weekly/letsencrypt-renew ,该脚本每周运行一次。
The TLS installer used port 80 to verify you had control of your domain name. Now that you have obtained the certificate your server no longer needs to have port 80 open because port 80 is used for regular, non-encrypted HTTP traffic. Jitsi Meet only serves its website via HTTPS on port 443.
TLS安装程序使用端口80来验证您对域名的控制权。 现在你已经获得的证书,您的服务器不再需要有端口80打开,因为端口80用于常规的非加密的HTTP流量。 Jitsi Meet仅在端口443上通过HTTPS服务其网站。
Close this port in your firewall with the following ufw command:
使用以下ufw命令在防火墙中关闭此端口:
- sudo ufw delete allow 80/tcp sudo ufw删除允许80 / tcp
Your Jitsi Meet server is now up and running and available for testing. Open a browser and point it to your domain name. You will be able to create a new conference room and invite others to join you.
您的Jitsi Meet服务器现已启动并正在运行,并且可以进行测试。 打开浏览器并将其指向您的域名。 您将能够创建一个新的会议室并邀请其他人加入。
The default configuration for Jitsi Meet is that anyone visiting your Jitsi Meet server homepage can create a new conference room. This will use your server’s system resources to run the conference room and is not desirable for unauthorized users. In the next step, you will configure your Jitsi Meet instance to only allow registered users to create conference rooms.
Jitsi Meet的默认配置是任何访问您的Jitsi Meet服务器主页的人都可以创建一个新会议室。 这将使用服务器的系统资源来运行会议室,并且对于未经授权的用户而言是不希望的。 在下一步中,您将Jitsi Meet实例配置为仅允许注册用户创建会议室。
步骤5 –锁定会议创建 (Step 5 — Locking Conference Creation)
In this step, you will configure your Jitsi Meet server to only allow registered users to create conference rooms. The files that you will edit were generated by the installer and are configured with your domain name.
在此步骤中,您将Jitsi Meet服务器配置为仅允许注册用户创建会议室。 您将编辑的文件由安装程序生成,并使用您的域名进行配置。
The variable your_domain will be used in place of a domain name in the following examples.
在以下示例中,将使用变量your_domain代替域名。
First, open sudo nano /etc/prosody/conf.avail/your_domain.cfg.lua with a text editor:
首先,使用文本编辑器打开sudo nano /etc/prosody/conf.avail/your_domain.cfg.lua :
sudo nano /etc/prosody/conf.avail/your_domain.cfg.lua
须藤纳米/etc/prosody/conf.avail/ your_domain .cfg.lua
Edit this line:
编辑此行:
...
authentication = "anonymous"
...To the following:
要以下内容:
...
authentication = "internal_plain"
...This configuration tells Jitsi Meet to force username and password authentication before allowing conference room creation by a new visitor.
此配置告诉Jitsi Meet在允许新访客创建会议室之前,强制执行用户名和密码身份验证。
Then, in the same file, add the following section to the end of the file:
然后,在同一文件中,将以下部分添加到文件末尾:
...
VirtualHost "guest.your_domain"
authentication = "anonymous"
c2s_require_encryption = falseThis configuration allows anonymous users to join conference rooms that were created by an authenticated user. However, the guest must have a unique address and an optional password for the room to enter it.
此配置允许匿名用户加入由经过身份验证的用户创建的会议室。 但是,客人必须具有唯一的地址和可选的密码,房间才能进入。
Here, you added guest. to the front of your domain name. For example, for jitsi.your-domain you would put guest.jitsi.your-domain. The guest. hostname is only used internally by Jitsi Meet. You will never enter it into a browser or need to create a DNS record for it.
在这里,您添加了guest. 域名的前面。 例如,对于jitsi.your-domain您将放置guest.jitsi.your-domain 。 guest. 主机名仅由Jitsi Meet内部使用。 您将永远不会在浏览器中输入它,也不需要为其创建DNS记录。
Open another configuration file at /etc/jitsi/meet/your_domain-config.js with a text editor:
使用文本编辑器在/etc/jitsi/meet/your_domain-config.js打开另一个配置文件:
sudo nano /etc/jitsi/meet/your_domain-config.js
须藤纳米/ etc / jitsi / meet / your_domain -config.js
Edit this line:
编辑此行:
...
// anonymousdomain: 'guest.example.com',
...To the following:
要以下内容:
...
anonymousdomain: 'guest.your_domain',
...Again, by using the guest.your_domain hostname that you used earlier this configuration tells Jitsi Meet what internal hostname to use for the un-authenticated guests.
再次,通过使用guest. your_domain 您之前在此配置中使用的guest. your_domain主机名告诉Jitsi Meet未认证的来宾使用什么内部主机名。
Next, open /etc/jitsi/jicofo/sip-communicator.properties:
接下来,打开/etc/jitsi/jicofo/sip-communicator.properties :
- sudo nano /etc/jitsi/jicofo/sip-communicator.properties 须藤纳米/etc/jitsi/jicofo/sip-communicator.properties
And add the following line to complete the configuration changes:
并添加以下行以完成配置更改:
org.jitsi.jicofo.auth.URL=XMPP:your_domainThis configuration points one of the Jitsi Meet processes to the local server that performs the user authentication that is now required.
此配置将Jitsi Meet流程之一指向执行现在所需的用户身份验证的本地服务器。
Your Jitsi Meet instance is now configured so that only registered users can create conference rooms. After a conference room is created, anyone can join it without needing to be a registered user. All they will need is the unique conference room address and an optional password set by the room’s creator.
现在已配置了Jitsi Meet实例,以便只有注册用户才能创建会议室。 创建会议室后,任何人都可以加入会议室而无需成为注册用户。 他们所需要的只是唯一的会议室地址和会议室创建者设置的可选密码。
Now that Jitsi Meet is configured to require authenticated users for room creation you need to register these users and their passwords. You will use the prosodyctl utility to do this.
现在,Jitsi Meet已配置为要求经过身份验证的用户才能创建房间,您需要注册这些用户及其密码。 您将使用prosodyctl实用程序执行此操作。
Run the following command to add a user to your server:
运行以下命令以将用户添加到您的服务器:
sudo prosodyctl register user your_domain password
sudo prosodyctl注册用户 your_domain 密码
The user that you add here is not a system user. They will only be able to create a conference room and are not able to log in to your server via SSH.
您在此处添加的用户不是系统用户。 他们将只能创建会议室,而不能通过SSH登录到服务器。
Finally, restart the Jitsi Meet processes to load the new configuration:
最后,重新启动Jitsi Meet进程以加载新配置:
- sudo systemctl restart prosody.service sudo systemctl重新启动prosody.service
- sudo systemctl restart jicofo.service sudo systemctl重新启动jicofo.service
- sudo systemctl restart jitsi-videobridge2.service sudo systemctl重新启动jitsi-videobridge2.service
The Jitsi Meet instance will now request a username and password with a dialog box when a conference room is created.
现在,创建会议室时,Jitsi Meet实例将通过对话框请求用户名和密码。
Your Jitsi Meet server is now set up and securely configured.
您的Jitsi Meet服务器现在已设置并安全配置。
结论 (Conclusion)
In this article, you deployed a Jitsi Meet server that you can use to host secure and private video conference rooms. You can extend your Jitsi Meet instance with instructions from the Jitsi Meet Wiki.
在本文中,您部署了Jitsi Meet服务器,可用于托管安全的私人视频会议室。 您可以使用Jitsi Meet Wiki中的说明扩展Jitsi Meet实例。
翻译自: https://www.digitalocean.com/community/tutorials/how-to-install-jitsi-meet-on-ubuntu-18-04
970
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
