Jitsi quick install and LXD in Ubuntu 18.04

I had quite a journey getting Jitsi to run in an LXD container on Ubuntu 18.04 with nginx doing the proxying and SSL encryption. In hindsight these things are kind of obvious, but I had trouble finding the causes of my problems. So here they are for future LXD users. May it help:

  • the nginx proxy has to do SSL re-encryption since Jitsi will only serve HTTPS. But if you configure re-encryption too early, the proxy will only send HTTPS requests and the Let's Encrypt certification process will fail. You need to install certificates for Jitsi before you turn on SSL re-encryption in nginx.
  • if you use nginx as a reverse proxy and let nginx do the SSL encryption, you may be used to setting the CAA record for your DNS. If you don’t use your own certificates, but rather just let Let's Encrypt do the job, having set a CAA record to something other than Let's Encrypt will make the certificate generation fail.
  • You will need port-forwarding from host to LXD-container for port tcp 4443 and udp 10000. Ubuntu 18.04 comes with LXD v3.0.3. You will need to update LXD to v3.2 or later (e.g. run “snap install lxd” and “lxd.migrate”) for it to support UDP port forwarding.
  • if you are used to using the container DNS names rather than the ip addresses, this won’t work when setting the ICE harvester values in the sip-communicator.properties. You actually need to use the ip address.

Or am I mistaken for these points?
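An added example (not from this thread or the Jitsi project) that scripts the two points about port forwarding and the harvester addresses: it builds the LXD proxy-device commands for tcp 4443 and udp 10000, checks the LXD version against the 3.2 requirement, and only writes harvester properties when given IP addresses rather than container DNS names. The container name "jitsi", listening on all host interfaces, and the APPLY switch are assumptions.

```shell
#!/bin/sh
# Assumption: the LXD container is named "jitsi" (override via CONTAINER=...).
CONTAINER="${CONTAINER:-jitsi}"

# UDP proxy devices need LXD >= 3.2 (Ubuntu 18.04 ships 3.0.3).
# $1 = LXD version string such as "3.0.3" or "4.0".
lxd_supports_udp_proxy() {
    major=${1%%.*}
    if [ "$1" = "$major" ]; then minor=0; else rest=${1#*.}; minor=${rest%%.*}; fi
    [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 2 ]; }
}

# Print the 'lxc config device add' line for one forwarded port.
# $1 = tcp|udp, $2 = port. The listen side is the host (all interfaces);
# the connect side runs inside the container, so 127.0.0.1 is the
# container's own loopback, where the videobridge is reachable.
forward_cmd() {
    printf 'lxc config device add %s %s%s proxy listen=%s:0.0.0.0:%s connect=%s:127.0.0.1:%s\n' \
        "$CONTAINER" "$1" "$2" "$1" "$2" "$1" "$2"
}

# Dotted-quad check: the harvester settings must be IPs, not DNS names.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Emit the NAT harvester lines for sip-communicator.properties.
# $1 = container (local) IP, $2 = public IP of the LXD host.
# Fails instead of writing a hostname, which jvb would not accept.
harvester_props() {
    is_ipv4 "$1" && is_ipv4 "$2" || return 1
    for prefix in org.jitsi.videobridge org.ice4j.ice.harvest; do
        printf '%s.NAT_HARVESTER_LOCAL_ADDRESS=%s\n' "$prefix" "$1"
        printf '%s.NAT_HARVESTER_PUBLIC_ADDRESS=%s\n' "$prefix" "$2"
    done
}

# Only touch the system when APPLY=1 (assumed switch); otherwise just show.
if [ "${APPLY:-0}" = 1 ]; then
    lxd_supports_udp_proxy "$(lxd --version)" || { echo "LXD >= 3.2 required" >&2; exit 1; }
    forward_cmd tcp 4443 | sh
    forward_cmd udp 10000 | sh
    harvester_props "$LOCAL_IP" "$PUBLIC_IP" >> /etc/jitsi/videobridge/sip-communicator.properties
fi
```

Run with APPLY=1 LOCAL_IP=... PUBLIC_IP=... on the LXD host; without APPLY it only defines the helpers.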

Hi and welcome to our community!

Thanks for taking the time to post your findings!

This shouldn’t be needed. The quick-install doesn’t cover the proxying case, but with minor changes you can make it use HTTP and then handle SSL yourself. Are you using the builtin webserver (jetty) or nginx? (For Jitsi, that is).

Good to know!

You need to set the public IP of the machine running LXD; the local IP part you could script on boot.

I have only used LXD very lightly, years ago, and not with Jitsi, but except for what I mentioned above, you’re not wrong.

Cheers.

From what I found, WebRTC requires HTTPS. I haven’t found any information regarding Jitsi over HTTP.
I am using nginx. I never used Jetty before but heard it needs more resources.

Yes, WebRTC requires HTTPS. But you don’t need to do SSL twice. You can just handle SSL in an nginx instance and then proxy via HTTP to another one serving jitsi over HTTP.

Hm, what do I have to do to have it run without certificates?

If your nginx wasn’t reconfigured to serve Jitsi when you installed it, you must be using the builtin Jetty server. What do you have in /etc/jitsi/videobridge/sip-communicator.properties ?

Don’t get me wrong. I delete misconfigured containers and just start from scratch. Jitsi is running with nginx as webserver. It’s working. I’m just interested in hosting it without re-encryption.

# /etc/jitsi/videobridge/sip-communicator.properties
# <INTERNAL> = IP of the container, <PUBLIC> = public IP of the LXD host
org.jitsi.videobridge.AUTHORIZED_SOURCE_REGEXP=focus@auth.jitsi.mydomain.com/.*
org.jitsi.videobridge.NAT_HARVESTER_LOCAL_ADDRESS=<INTERNAL>
org.jitsi.videobridge.NAT_HARVESTER_PUBLIC_ADDRESS=<PUBLIC>
org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=<INTERNAL>
org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=<PUBLIC>
org.jitsi.videobridge.xmpp.user.shard.DISABLE_CERTIFICATE_VERIFICATION=true