In my previous blog post HERE, we set up a Jitsi server on Vultr from start to finish. This post is going to build on that previous post and add some basic authentication to the server.
At the end of the last post, our server had no authentication – anyone who knows the URL can connect and start a video conferencing session.
Now we’re going to set up Jitsi so that you have to have a username and password to start a Jitsi conference – but you can then share that link with anyone, and all other attendees can join anonymously. This is the best way to run Jitsi – you know that your server won’t be running unauthorized video conferencing sessions, but you can still invite whomever you want, and your invitees don’t have to have an account on your Jitsi server (though you should still password protect your video conferences).
Before we get started, if you find this guide helpful, you can always:
PRO TIP: If you are following along with this post after you already set up Jitsi from my previous post, I would recommend taking a snapshot of your Vultr or Digital Ocean server at this point. That way, if you mess up your server going through these next steps, you can revert to the snapshot and not have to start the entire project over from scratch!
Prosody is the name of the Jitsi component that handles authentication. The first thing we need to do is enable authentication on our main domain – for our example, our main domain was jitsi.crosstalksolutions.com. These changes have to be made in the /etc/prosody/conf.avail/[your-hostname].cfg.lua file. So, for our example, we want to edit:
sudo nano -w /etc/prosody/conf.avail/jitsi.crosstalksolutions.com.cfg.lua
Find the line that says ‘VirtualHost “[your-hostname].” Underneath that line you’ll see another line that says:
authentication = "anonymous"
Change that line to:
authentication = "internal_plain"
This disables the anonymous authentication for the ‘main’ server host URL – however, we also need to create a new virtual host for our anonymous guests in order to facilitate their anonymous connections. Scroll to the bottom of the file and add these lines to create the new virtual host with the anonymous login method (use your own FQDN):
VirtualHost "guest.jitsi.crosstalksolutions.com"
authentication = "anonymous"
c2s_require_encryption = false
*** NOTE: The VirtualHost that we just created – guest.jitsi.crosstalksolutions.com – is only used for Jitsi internally – there is no need to create a separate DNS A record for that FQDN.
CTRL+X followed by Y+ENTER to save and exit.
Next we need to configure our newly created VirtualHost / anonymous domain in our config.js file:
sudo nano -w /etc/jitsi/meet/jitsi.crosstalksolutions.com-config.js
Under the ‘var config = [‘ section (right near the top of the file), you should already see a line that says domain: ‘jitsi.crosstalksolutions.com’, (it’ll say your FQDN, not mine). Just below that line, after the comment, you should see a line that is commented out that starts with ‘anonymousdomain.’ Uncomment that line and add your FQDN with a ‘guest.’ in front of it like this:
anonymousdomain: 'guest.jitsi.crosstalksolutions.com',
CTRL+X followed by Y+ENTER to save and exit.
Next, we need to tell the Jicofo service to only allow requests from our ‘authenticated’ domain.
sudo nano -w /etc/jitsi/jicofo/sip-communicator.properties
Add a new line at the bottom of this file:
org.jitsi.jicofo.auth.URL=XMPP:jitsi.crosstalksolutions.com
Again, substitute your own FQDN for jitsi.crosstalksolutions.com.
CTRL+X followed by Y+ENTER to save and exit.
Now let’s restart our Jitsi services:
sudo systemctl restart prosody
sudo systemctl restart jicofo
sudo systemctl restart jitsi-videobridge2
OK – this is great…we now have authentication…but we’re forgetting something – users!
To add users who can create video conferences in Jitsi, run the following command:
prosodyctl register <username> jitsi.crosstalksolutions.com <password>
So – to create user ‘john’ with password ‘12345’ you would run:
sudo prosodyctl register john jitsi.crosstalksolutions.com 12345
Use your own FQDN instead of jitsi.crosstalksolutions.com, and also use nice STRONG passwords for your users.
That’s it! Now to test it out – if you log onto your Jitsi server – https://jitsi.crosstalksolutions.com and start a new meeting, you will told that the conference is waiting for the host – and you have a button to indicate that YOU are the host – click that button.
When prompted, enter in the username and password that you created with the prosodyctl command.
*** NOTE: If you created user ‘john’ your username here can be either ‘john’ or ‘john@jitsi.crosstalksolutions.com’ – either one will work fine.
Your video conference has now started! At this point, you can share your video conference link with other folks (recommended to add a password to your conference) and then they can join up without having to have a Prosody user created for them.
If you enjoyed this post you can always:
Comments 61
I have used your instructions today and they worked like a charm. Thank you so much for this tutorial. God bless.
It is clear how to add a user record. How do we manage these users? What file are they added to? It may be necessary to remove it update a user or their password
The user records are handled by the XMPP backend of Jitsi, Prosody. You can add and remove users from the command line by using the prosodyctl command. This page will sum it up for you: https://prosody.im/doc/prosodyctl
You can configure Prosody to store this information using different types of database (MySQL, PostgreSQL, SQLite) but by default, it uses SQLite, which should work for modest use cases.
Hope this helped!
does it also ask for email/user and password only once per browser?
How do I end the exisiting test video conferences, I have restarted prosody and it is still there
HI Chris,
Great guide (as always)…….worked a treat for me first time.
Keep up the good work.
Thanks, Mark
Thanks for sussing out the necessary bit. As always quick and to the point.
Hello, Chris.
I’ve learned so much from your videos and blog and would love to buy you a beer.
Unfortunately the link on your website does not work.
Many greetings,
Michael
Author
Fixed! Thanks for pointing that out.
Chris,
Your videos have been a huge help for quite some time.
One little comment. It might be beneficial to call out in your blog post how one would remove a user who can create video conferences in Jitsi
-Jordan
Thanks for the tutorial. Very easy to follow. Is there a way to remove a user if they are no longer needed?
I’m very grateful for this. Thanks
Hi Chris,
thanks for your perfect guides how to install jisti meet server and implement authentification.
Another guide would be very interesting:
Howto allow guests to join conference by telefon using a dail-in phone number.
Maybe you are interested in creating one 😉
Many greetings from Germany
Makrus
Like always, I love your tutorial!
Installed two instances one open and one with authentication.
Both running on hypervisor behind Nat and dynamic IP’s…
They both work great…
Has anyone been able to setup sip support?
Excuse me I’m french!🙄😉
org.jitsi.jicofo.BRIDGE_MUC=JvbBrewery@internal.auth.example.net
Great tutorials and step by step guides. I followed your instructions to set up a Jitsi server and then added hosting authentication without any problem. And that’s from someone who has zero knowledge / experience in Linux.!
One quick question, it seems to me once I have hosted a meeting once (with proper authentication). All subsequent hostings did not ask for authentication even though I have turned off password saving in Chrome.
The only way the server would ask for authentication everytime is to use Incognito mode in Chrome.
Is there anyway to force Chrome in normal mode to ask for authentication everytime?
Thanks a lot.
so so appreciative of these guides! I’m running into a problem. As soon as I add:
anonymousdomain:
(regardless of what follows) it opens up everything. I’m wondering if it is in fact a DNS or hostname issue?
Great video and notes. I tried it today but it’s not working. I “think” I tried all steps correctly. Did it a 2nd time. Same result. When I put it back I go a weird thing . .asking for credentials. Now it’s supposed to be enabled but no security is happening. Any suggestions?
Hello Chris,
For your information, I think there is a typo in your guide. In “Under the ‘var config = [‘ section (right near the top of the file)”, “[” should be replaced by a “{“.
Have a good one
Thanks Chris! I appreciate the work you put into tutorials for the community.
Would love to see a guide on connecting FreePBX to Jitsi for dial-in option.
Is there a way to authenticate with Google API/oAuth2 ?
Hi, Chris. I installed jitsi meet per your instructions, except for my Ubuntu being 18.04
I followed through with this blog post for authentication, and that mostly works, but fails on several one or two major issues (the two may be related):
My install silently fails to include more than 2 participants (no explicit errors are raised to end user). Strangely, during my recent test-run, it was the host and creator of a room who was excluded from the screen. The host could to see themselves as the only participant showing, on their own screen. The two guests who connected after the room was created were able to see each other (though not without tab crashes and other glitches), but were not able to see the host/creator.
The host/creator shared an external IP with the one of the guests. If that may be a factor.
There is a lot of talk about fixing this on the community forum:
https://community.jitsi.org/t/not-working-for-more-than-2-people-in-the-room/18821/60
A lot of suggestions to tweak the firewall rules, on the above
However, in my case, I tried to run it with NO firewall rules at all, with all ports open, just to test and get things working (intend to lock that down). So, my logic tells me the issue is elsewhere.
Perhaps you could review the community posts and triangulate the issue, and perhaps give us the nutshell version of the fix here?
thanks for your blogs. You do deserve the beer donations; i will follow up on that.
Where to view registered users?
Thank you.
Thank you very much! God bless you!
Hello,
Thanks for the tutorial .
Set up is done and authentication works well at the start but after some tests the authentication does not work.
Note: I made changes to the presentation on the css side (change of logo, etc.)
Thanks in advance
Hi, Can you please make a guide integrate Jitsi with AD
Hello, You are doing great work. Currently, I followed all the steps you mentioned. All configurations seem good but the login option does not popups
Any chance you would like to make a video or blog about how to enable Google Calendar integration for a Jitsi Server? One for people who have never set up a Google API client? The instructions found in the Jitsi github are assume a lot for us newbies.
Hello Chris
Wonderful article . I was able to spin my ec2 t2 micro instance with 20GB ssd , within an hour following your tutorials. A test 3 party conference was a good experience
Few questions
– is it allowed to use Jitsi for commercial purposes ..say someone wants to sell this product to couple of schools with number of hosting accounts ? What are the licensing agreements to follow with jitsi ?
– in your experience what is the right instance type + memory required …say to offer it to a school where there could be hundreds of students are expected to join ?
– if I place more than one ec2 instance behind a load balancer in aws, will it work ?
– are the sessions sticky ( guess so..)?
Please advise
Sandeep , India
Thank you, keep going with the useful videos.
hello, on execute command for restart prosody … system return:
“Failed to add /run/systemd/ask-password to directory”
Everything is fine but its not working in mobile. People can join from Desktop or Laptop but not from Mobile. I installed in Ubuntu Desktop 20 with Letsencrypt. I really appreciate if you please help me regarding this issue.
hi, install module jigasi authenticate user and password on asterisk. but in web jisti not button for invite call.
you example install and configure is module jigase. thansk
after adding user with authentication audio and video are supporting
I am having a similar issue.
After adding authentication, I am no longer able to hear audio, or see video from guests. Everyone can connect, text chat, and raise hand work find. I have not been able to find a single fix for this anywhere. Any suggestions?
Hi. How to make calls from asterisk into jitsi conference?
Thanks for the well written and concise guide to authenticating in jitsi.
It worked well for me with jitsi on Debian9, much appreciated!
Hi there,
excellent tutorial, all works fine the one way or the other… however, I need both.
I set up a Jitsi-Server, it works well with authentication = “internal_plain” and user /pwd. However, I also want to give access to my server for my students within a moodle-installation. This also works fine when setting authentication = “token”, setting token and secret and putting them into the moodle-plugin.
But… It would be marvelous to have both ways. How can I do that?
Regards
Christof
That’s a bit tricky because you’ll need to build a custom prosody plugin.
Somehow my question got lost…
First of all thanks for that nice how-to, it helped a lot.
My final problem is as follows: I would like to provide my Jitsi installation in Moodle. For that I have to set “authentication = “token””. However, I would appreciate the service to be also still available using user/pwd. Then “authentication = “internal_plain”” (or hash) is needed. How can I have both? I would be happy for any helpful hint.
Regards
Christof
Thanks for this post! Very easy & convenient. Saved a lot of time setting up security.
Love your videos, I followed the instructions watched the video a couple of times, even made a notepad to edit all commands before pasting them into the server.
looks all well and good, but when I create a conference I get the username and password prompt, but it tells me that its not the correct username and password combo. I am at a loss as to where i can verify this informaiton.
I follow along perfectly with your tutorial and this helps more than any other that I have found! 🙂
My problem is that (with Jitsi already installed on my server), the “/etc/prosody/conf.avail/xxxx.xxxx.xxx.cfg.lua” file is not present.
I found the example file, do I just copy that over? (I am just concerned because I see that your file has different settings than what is in the “example” file that is present.
Hello Chris,
I have used your instructions today and they worked like a charm. The only thing I miss is the lobby feature.
So I add following lines to my **.cfg.lua for the VirtualHost guest.**:
modules_enabled = {
“muc_lobby_rooms”;
}
c2s_require_encryption = false
lobby_muc = “lobby.**”
main_muc = “conference.**”
Component “lobby.**” “muc”
storage = “memory”
restrict_room_creation = true
muc_room_locking = false
muc_room_default_public_jids = true
After restart the lobby butten is selectable in the security options. If a participant wants to join the conference, they will be asked to enter. However, the access request is not displayed within the conference. Any idea where I missed?
Hi,
great work!
I follow this howto to secure my jitsi installation.
It works fine, but when I create a new meeting it gernerates it behind, I get the question when I want to start the meeting, but when I cancel this and go back to the default site the meeting ist created.
What went wrong?
Thank you sir, you are the man.
One point of confusion you might want to clarify (it got me). When you sustitute your own URL, you have to be clear what exactly you are replacing. In your case the URL is “jitsi.crosstalksolutions.com”. When I substituted, I kept the “jitsi.” because I thought it was a standard required notation. So when you substitute your own domain name, replace everything between the quotes. If you leave the “jitsi.” part, or other typos, you will get strange results as described in other comments.
I can’t get authentication to work. I’ve followed your tutorial, I have followed the official docs, and I have followed two different youtube videos. I am running on an ubuntu server 20.04 LTS behind a home router. I’ve opened all the ports listed on the official docs, I have followed all the information given. For the authentication the offical docs say “internal_hashed” here you have internal_plain why? Further, I have tried both of those entries, neither one made a difference. I have searched and searched and searched and I cannot find anything.
Simply put, I can follow the link to the room, it shows a jitsi meet instance, I can click on create room, and I can open the room but I cannot authenticate. Keeps saying invalid user name and password every time. Thus, it is useless. I’m about to pull my hair out.
Just wanted to say thanks , the instructions are fantastic ( apart form using nano in place of vim tut tut 😛 ). Only kidding man , this is fantastic , saved me ages looking this up.
How to integrate jitsi server in our local active directory users .
i’,m using ubantu 18
I’ve seen a dozen other vids on this, yours was the only one that made any sense. Thank you very much.
how can redirect users after hungup?
I tried 4 times to get meeting authentication set up and each time I couldn’t get it to work. After this tutorial, its up and working in under 15 minutes. Thanks. One question….any idea why the sip-communicator.properties file did not exist? I had to create it and manually enter the first line that was already present in the tutorial?
Hi Chuck,
The file is actually in the folder /etc/jitsi/videobridge.
Can you make video tutorial on how to authenticate a single windows active directory group’s users in Jitsi-meet. For example,
Jitsi Server : meeting.mydomain.com
Windows Active Directory: ad.mydomain.com
AD User : CN=jitsi,CN=Users,DC=mydomain,DC=com
Base DN : CN=JitsiUsers,OU=Meeting,DC=mydomain,DC=com
Author
No, I won’t do any AD work with Jitsi.
Thanks so much for this. Much more helpful than the original tutorial from Jitsi.
A couple of things I noticed. Apologies if anyone else already pointed them out, but it’s a long comments thread.
1. You have a type in the written instructions for the step where you edit sip-communicator.properties
You put jifcofo instead of jicofo. The jitsi server still works with the typo, but won’t ask for authentification.
2. Not related to your instructions, but I had an issue using a special character in my password, which stopped it storing properly (it didn’t store the special character or anything after it). I was initially using internal_hashed which meant I couldn’t spot it, but I noticed this when I switched to internal_plain.
Ironically I made a typo with the word ‘typo’!
It does not work me. It is not enough.
For this type security to work I also must edit jicofo/jicofo.conf (under the jicofosection)
authentication: {
enabled: true
type: XMPP
login-url: basedomain.com
Hi, try this, for me it works
nano /etc/jitsi/jicofo/jicofo.conf
# Jicofo HOCON configuration. See /usr/share/jicofo/jicofo.jar/reference.conf for
#available options, syntax, and default values.
jicofo {
xmpp: {
client: {
client-proxy: focus.example.com
}
trusted-domains: [ “recorder.example.com” ]
}
bridge: {
brewery-jid: “JvbBrewery@internal.auth.example.com”
}
authentication: {
enabled: true
type: XMPP
login-url: example.com
}
}
how to remove the user & password after created ?
what is command for this ??
Thanks William!
It worked.