Jitsi is a set of Open Source projects that allows you to easily build and deploy secure videoconferencing solutions.
Jitsi Meet is a fully encrypted, 100% Open Source videoconferencing solution that you can use all day, every day, for free — with no account needed.
This repository contains the necessary tools to run a Jitsi Meet stack on Docker using Docker Compose.
NOTE: This setup is experimental.
In order to quickly run Jitsi Meet on a machine running Docker and Docker Compose, follow these steps:
- Create a
.env
file by copying and adjustingenv.example
. - Run
docker-compose up -d
. - Access the web UI at
https://localhost:8443
(orhttp://localhost:8000
for HTTP, or a different port, in case you edited the compose file).
If you want to use jigasi too, first configure your env file with SIP credentials
and then run Docker Compose as follows: docker-compose -f docker-compose.yml -f jigasi.yml up -d
If you want to enable TURN server, configure it and run Docker Compose as
follows: docker-compose -f docker-compose.yml -f turn.yml up
A Jitsi Meet installation can be broken down into the following components:
- A web interface
- An XMPP server
- A conference focus component
- A video router (could be more than one)
- A SIP gateway for audio calls
The diagram shows a typical deployment in a host running Docker. This project separates each of the components above into interlinked containers. To this end, several container images are provided.
- base: Debian stable base image with the S6 Overlay for process control and the Jitsi repositories enabled. All other images are based off this one.
- base-java: Same as the above, plus Java (OpenJDK).
- web: Jitsi Meet web UI, served with nginx.
- prosody: Prosody, the XMPP server.
- jicofo: Jicofo, the XMPP focus component.
- jvb: Jitsi Videobridge, the video router.
- jigasi: Jigasi, the SIP (audio only) gateway.
- turn: Coturn, the TURN server.
Jitsi Meet uses XMPP for signalling, thus the need for the XMPP server. The setup provided by these containers does not expose the XMPP server to the outside world. Instead, it's kept completely sealed, and routing of XMPP traffic only happens on a user defined network.
The XMPP server can be exposed to the outside world, but that's out of the scope of this project.
The configuration is performed via environment variables contained in a .env
file. You
can copy the provided env.example
file as a reference.
IMPORTANT: At the moment, configuration is not regenerated on every container boot, so
if you make any changes to your .env
file, make sure you remove the configuration directory
before starting your containers again.
Variable | Description | Example |
---|---|---|
CONFIG |
Directory where all configuration will be stored | /opt/jitsi-meet-cfg |
TZ |
System Time Zone | Europe/Amsterdam |
HTTP_PORT |
Exposed port for HTTP traffic | 8000 |
HTTPS_PORT |
Exposed port for HTTPS traffic | 8443 |
DOCKER_HOST_ADDRESS |
IP address of the Docker host, needed for LAN environments | 192.168.1.1 |
PUBLIC_URL |
Public url for the web service | https://meet.example.com |
NOTE: The mobile apps won't work with self-signed certificates (the default) see below for instructions on how to obtain a proper certificate with Let's Encrypt.
If you plan on exposing this container setup to the outside traffic directly and want a proper TLS certificate, you are in luck because Let's Encrypt support is built right in. Here are the required options:
Variable | Description | Example |
---|---|---|
ENABLE_LETSENCRYPT |
Enable Let's Encrypt certificate generation | 1 |
LETSENCRYPT_DOMAIN |
Domain for which to generate the certificate | meet.example.com |
LETSENCRYPT_EMAIL |
E-Mail for receiving important account notifications (mandatory) | [email protected] |
In addition, you will need to set HTTP_PORT
to 80 and HTTPS_PORT
to 443.
If you want to enable the SIP gateway, these options are required:
Variable | Description | Example |
---|---|---|
JIGASI_SIP_URI |
SIP URI for incoming / outgoing calls | [email protected] |
JIGASI_SIP_PASSWORD |
Password for the specified SIP account | passw0rd |
JIGASI_SIP_SERVER |
SIP server (use the SIP account domain if in doubt) | sip2sip.info |
JIGASI_SIP_PORT |
SIP server port | 5060 |
JIGASI_SIP_TRANSPORT |
SIP transport | UDP |
For working jibri, you need to setup alsa loopback on the host. Configure 8 capture/playback interfaces. It's enough for 4 jibri instances on one node.
# configure 8 capture/playback interfaces
echo "options snd-aloop enable=1,1,1,1,1,1,1,1 index=0,1,2,3,4,5,6,7" > /etc/modprobe.d/asound.conf
# setup autoload the module
echo "snd_aloop" > /etc/modules-load.d/snd_aloop.conf
# load the module
modprobe snd-aloop
# check that the module is loaded
lsmod | grep snd_aloop
# install the module
apt update && apt install linux-image-extra-virtual
# configure 8 capture/playback interfaces
echo "options snd-aloop enable=1,1,1,1,1,1,1,1 index=0,1,2,3,4,5,6,7" > /etc/modprobe.d/asound.conf
# setup autoload the module
echo "snd-aloop" >> /etc/modules
# load the module
modprobe snd-aloop
# check that the module is loaded
lsmod | grep snd_aloop
If you want to enable the JIBRI, these options are required:
Variable | Description | Example |
---|---|---|
ENABLE_RECORDING |
Enable recording conference to local disk | 1 |
If you want to enable the Transcribing function, these options are required:
Variable | Description | Example |
---|---|---|
ENABLE_JIGASI_TRANSCRIBER |
Enable Jigasi transcription in a conference | 1 |
GOOGLE_APPLICATION_CREDENTIALS |
Credentials for connect to Cloud Google API from Jigasi. Path located inside the container | /config/key.json |
For set GOOGLE_APPLICATION_CREDENTIALS
please read https://cloud.google.com/text-to-speech/docs/quickstart-protocol section "Before you begin" from 1 to 5 paragraph
Authentication can be controlled with the environment variables below. If guest access is enabled, unauthenticated users will need to wait until a user authenticates before they can join a room. If guest access is not enabled, every user will need to authenticate before they can join.
Variable | Description | Example |
---|---|---|
ENABLE_AUTH |
Enable authentication | 1 |
ENABLE_GUESTS |
Enable guest access | 1 |
ENABLE_LDAP_AUTH |
Enable authentication via LDAP. Depended from ENABLE_AUTH |
1 |
Variables that might be configured if the ENABLE_LDAP_AUTH
is set:
Variable | Description | Example |
---|---|---|
LDAP_URL |
URL for ldap connection | ldaps://ldap.domain.com/ |
LDAP_BASE |
LDAP base DN. Can be empty. | DC=example,DC=domain,DC=com |
LDAP_BINDDN |
LDAP user DN. Do not specify this parameter for the anonymous bind. | CN=binduser,OU=users,DC=example,DC=domain,DC=com |
LDAP_BINDPW |
LDAP user password. Do not specify this parameter for the anonymous bind. | LdapUserPassw0rd |
LDAP_FILTER |
LDAP filter. | (sAMAccountName=%u) |
LDAP_AUTH_METHOD |
LDAP authentication method. | bind |
LDAP_VERSION |
LDAP protocol version | 3 |
LDAP_USE_TLS |
Enable LDAP TLS | 1 |
LDAP_TLS_CIPHERS |
Set TLS ciphers list to allow | SECURE256:SECURE128 |
LDAP_TLS_CHECK_PEER |
Require and verify LDAP server certificate | 1 |
Internal users must be created with the prosodyctl
utility in the prosody
container.
In order to do that, first execute a shell in the corresponding container:
docker-compose exec prosody /bin/bash
Once in the container, run the following command to create a user:
prosodyctl --config /config/prosody.cfg.lua register user meet.jitsi password
These configuration options are already set and generally don't need to be changed.
Variable | Description | Default value |
---|---|---|
XMPP_DOMAIN |
Internal XMPP domain | meet.jitsi |
XMPP_AUTH_DOMAIN |
Internal XMPP domain for authenticated services | auth.meet.jitsi |
XMPP_SERVER |
Internal XMPP server name xmpp.meet.jitsi | xmpp.meet.jitsi |
XMPP_BOSH_URL_BASE |
Internal XMPP server URL for BOSH module | http://xmpp.meet.jitsi:5280 |
XMPP_MUC_DOMAIN |
XMPP domain for the MUC | muc.meet.jitsi |
XMPP_INTERNAL_MUC_DOMAIN |
XMPP domain for the internal MUC | internal-muc.meet.jitsi |
XMPP_GUEST_DOMAIN |
XMPP domain for unauthenticated users | guest.meet.jitsi |
XMPP_RECORDER_DOMAIN |
Domain for the jibri recorder | recorder.meet.jitsi |
XMPP_MODULES |
Custom Prosody modules for XMPP_DOMAIN (comma separated) | mod_info,mod_alert |
XMPP_MUC_MODULES |
Custom Prosody modules for MUC component (comma separated) | mod_info,mod_alert |
XMPP_INTERNAL_MUC_MODULES |
Custom Prosody modules for internal MUC component (comma separated) | mod_info,mod_alert |
JICOFO_COMPONENT_SECRET |
XMPP component password for Jicofo | s3cr37 |
JICOFO_AUTH_USER |
XMPP user for Jicofo client connections | focus |
JICOFO_AUTH_PASSWORD |
XMPP password for Jicofo client connections | passw0rd |
JICOFO_MAX_PARTICIPANTS_PER_BRIDGE |
Max participants on the bridge for current conference | 15 |
JVB_AUTH_USER |
XMPP user for JVB MUC client connections | jvb |
JVB_AUTH_PASSWORD |
XMPP password for JVB MUC client connections | passw0rd |
JVB_STUN_SERVERS |
STUN servers used to discover the server's public IP | stun.l.google.com:19302, stun1.l.google.com:19302, stun2.l.google.com:19302 |
JVB_PORT |
UDP port for media used by Jitsi Videobridge | 10000 |
JVB_TCP_HARVESTER_DISABLED |
Disable the additional harvester which allows video over TCP (rather than just UDP) | true |
JVB_TCP_PORT |
TCP port for media used by Jitsi Videobridge when the TCP Harvester is enabled | 4443 |
JVB_BREWERY_MUC |
MUC name for the JVB pool | jvbbrewery |
JVB_ENABLE_APIS |
Comma separated list of JVB APIs to enable | none |
JVB_WS_ENABLE |
Use WebSockets instead of WebRTC Data Channels | 0 |
JVB_WS_PORT |
The port for WebSocket connection | 9090 |
JVB_WS_TLS |
To specify that the bridge should advertise the web socket protocol as "wss" even if it is locally using plain HTTP | true |
JVB_WS_SERVER_ID |
To specify a specific server ID to be advertised as path of the HTTP request path | jvb2 |
PUBLIC_WSS_DOMAIN |
To specify the domain to advertise. If not set, use LETSENCRYPT_DOMAIN by default |
wss.example.com |
JIGASI_XMPP_USER |
XMPP user for Jigasi MUC client connections | jigasi |
JIGASI_XMPP_PASSWORD |
XMPP password for Jigasi MUC client connections | passw0rd |
JIGASI_BREWERY_MUC |
MUC name for the Jigasi pool | jigasibrewery |
JIGASI_PORT_MIN |
Minimum port for media used by Jigasi | 20000 |
JIGASI_PORT_MAX |
Maximum port for media used by Jigasi | 20050 |
JIGASI_ENABLE_SDES_SRTP |
Enable SDES srtp | 1 |
JIGASI_SIP_KEEP_ALIVE_METHOD |
Keepalive method | OPTIONS |
JIGASI_HEALTH_CHECK_SIP_URI |
Health-check extension. Jigasi will call it for healthcheck | keepalive |
JIGASI_HEALTH_CHECK_INTERVAL |
Interval of healthcheck in milliseconds | 300000 |
JIBRI_RECORDER_USER |
Internal recorder user for Jibri client connections | recorder |
JIBRI_RECORDER_PASSWORD |
Internal recorder password for Jibri client connections | passw0rd |
JIBRI_RECORDING_DIR |
Directory for recordings inside Jibri container | /config/recordings |
JIBRI_FINALIZE_RECORDING_SCRIPT_PATH |
The finalizing script. Will run after recording is complete | /config/finalize.sh |
JIBRI_XMPP_USER |
Internal user for Jibri client connections. | jibri |
JIBRI_RECORDER_PASSWORD |
Internal user for Jibri client connections | passw0rd |
JIBRI_STRIP_DOMAIN_JID |
Prefix domain for strip inside Jibri (please see env.example for details) | muc |
JIBRI_BREWERY_MUC |
MUC name for the Jibri pool | jibribrewery |
JIBRI_PENDING_TIMEOUT |
MUC connection timeout | 90 |
JIBRI_LOGS_DIR |
Directory for logs inside Jibri container | /config/logs |
JIBRI_EXTERNAL_INSTANCE |
Set only if the jibri hosted on a different host | 1 |
JIGASI_TRANSCRIBER_RECORD_AUDIO |
Jigasi will recordord an audio when transcriber is on | true |
JIGASI_TRANSCRIBER_SEND_TXT |
Jigasi will send transcribed text to the chat when transcriber is on | true |
JIGASI_TRANSCRIBER_ADVERTISE_URL |
Jigasi post to the chat an url with transcription file | true |
DISABLE_HTTPS |
Disable HTTPS, this can be useful if TLS connections are going to be handled outside of this setup | 1 |
ENABLE_HTTP_REDIRECT |
Redirects HTTP traffic to HTTPS | 1 |
ENABLE_CHROME_SCREEN_SHARING |
Enable screensharing for Chrome (has been working in Chrome since version 72) | 1 |
START_WITH_VIDEO_MUTED |
Mute a video when user is coming to a conference | 1 |
CALENDAR_MS_APP_ID |
Enable Microsoft calendar integarion. Set Azure application ID | 00000000-0000-0000-0000-000040240063 |
ETHERPAD_URL_BASE |
Set etherpad-lite URL | http://etherpad:9001 |
NOTE: For get working octo properly you have to set header "X-User-Region" before it passing to nginx. It can be realized via geoip or another logic and it's not described here.
The header "X-User-Region" will be passed through nginx and dynamically set variable for userRegion
in config.js file via ssi nginx module.
If userRegion
and JVB_OCTO_REGION
the same region, user will be connected to the instanse JVB that has this region.
This behavion already preconfigured and receiving X-User-Region in config.js looks like this:
deploymentInfo: {
// shard: "shard1",
// region: europe" -->',
userRegion: '<!--#echo var="http_x_user_region" default="us-east-1" -->'
},
If you want to enable the Octo cascading briges, these options are required:
Variable | Description | Default value |
---|---|---|
JICOFO_BRIDGE_SELECTION_STRATEGY |
Bridge selection stratagy for new connections | RegionBasedBridgeSelectionStrategy |
JVB_OCTO_BIND_PORT |
The UDP port number which the Octo relay should use | 4096 |
JVB_OCTO_REGION |
The region that the jitsi-videbridge instance is in | us-east-1 |
The brige selection stratagy is:
-
SplitBridgeSelectionStrategy
- can be used for testing. It tries to select a new bridge for each client, regardless of the regions. -
RegionBasedBridgeSelectionStrategy
- matches the region of the clients to the region of the Jitsi Videobridge instances. Used by default.
For enable turn server for P2P and JVB connections, please add to the variable GLOBAL_MODULES
string turncredentials
and set variables below
Variable | Description | Default value |
---|---|---|
TURN_ENABLE |
Use TURN for P2P and JVB (bridge mode) connections | 0 |
TURN_REALM |
Realm to be used for the users with long-term credentials mechanism or with TURN REST API | realm |
TURN_SECRET |
Secret for connect to TURN server | keepthissecret |
TURN_TYPE |
Type of TURN(s) (turn/turns) | turns |
TURN_HOST |
Annonce FQDN/IP address of the turn server via XMPP (XEP-0215) | 192.168.1.1 |
TURN_PUBLIC_IP |
Public IP address for an instance of turn server | set dynamically |
TURN_PORT |
TLS/TCP/UDP turn port for connection | 5349 |
TURN_TRANSPORT |
transport for turn connection (tcp/udp) | tcp |
TURN_RTP_MIN |
RTP start port for turn/turns connections | 16000 |
TURN_RTP_MAX |
RTP end port for turn/turns connections | 17000 |
For enable web-admin panel for turn, please set variables below
Variable | Description | Default value |
---|---|---|
TURN_ADMIN_ENABLE |
Enable web-admin panel | 0 |
TURN_ADMIN_USER |
Username for admin panel | admin |
TURN_ADMIN_SECRET |
Password for admin panel | changeme |
TURN_ADMIN_PORT |
HTTP(s) port for acess to admin panel | 8443 |
If running in a LAN environment (as well as on the public Internet, via NAT) is a requirement,
the DOCKER_HOST_ADDRESS
should be set. This way, the Videobridge will advertise the IP address
of the host running Docker instead of the internal IP address that Docker assigned it, thus making ICE
succeed.
The public IP address is discovered via STUN. STUN servers can be specified with the JVB_STUN_SERVERS
option.
- Support container replicas (where applicable).
- Docker Swarm mode.