Jitsi Video Bridge Poor Video Quality

Hi,

We’ve done a fresh install of the latest version of Jitsi on Ubuntu 20.04 by following the documentation and we are experiencing very poor video quality while using Jitsi Video Bridge.

Here is the Jitsi version we are using:

ii  jitsi-meet                                 2.0.6173-1                            all          WebRTC JavaScript video conferences
ii  jitsi-meet-prosody                         1.0.5211-1                            all          Prosody configuration for Jitsi Meet
ii  jitsi-meet-tokens                          1.0.5211-1                            all          Prosody token authentication plugin for Jitsi Meet
ii  jitsi-meet-turnserver                      1.0.5211-1                            all          Configures coturn to be used with Jitsi Meet
ii  jitsi-meet-web                             1.0.5211-1                            all          WebRTC JavaScript video conferences
ii  jitsi-meet-web-config                      1.0.5211-1                            all          Configuration for web serving of Jitsi Meet
ii  jitsi-videobridge2                         2.1-538-g062e9f56-1                   all          WebRTC compatible Selective Forwarding Unit (SFU)

We are behind a NAT. We installed Jitsi on port 444 (port 443 is dedicated to our website) and we’ve opened the following ports:

sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw allow 444/tcp
sudo ufw allow 10000/udp
sudo ufw allow 22/tcp
sudo ufw allow 3478/udp
sudo ufw allow 5349/tcp
sudo ufw enable

Here is our sip-communicator.properties:

org.ice4j.ice.harvest.DISABLE_AWS_HARVESTER=true
org.ice4j.ice.harvest.STUN_MAPPING_HARVESTER_ADDRESSES=www.wexstream.com:3478
org.jitsi.videobridge.ENABLE_STATISTICS=false
org.jitsi.videobridge.STATISTICS_TRANSPORT=muc
org.jitsi.videobridge.xmpp.user.shard.HOSTNAME=localhost
org.jitsi.videobridge.xmpp.user.shard.DOMAIN=auth.www.wexstream.com
org.jitsi.videobridge.xmpp.user.shard.USERNAME=jvb
org.jitsi.videobridge.xmpp.user.shard.PASSWORD=XXXX
org.jitsi.videobridge.xmpp.user.shard.MUC_JIDS=JvbBrewery@internal.auth.www.wexstream.com
org.jitsi.videobridge.xmpp.user.shard.MUC_NICKNAME=de88b017-464f-48fd-babf-3aae4ae2bdcb
org.jitsi.videobridge.TRUST_BWE=false
org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=192.168.1.107
org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=160.178.14.207
org.jitsi.videobridge.DISABLE_TCP_HARVESTER=true
org.ice4j.ipv6.DISABLED=false

We have a dynamic public IP and we update org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS using a bash script running as a cron job.

Here is our jvb.conf:

videobridge {
    http-servers {
        public {
            port = 9090
        }
    }
    websockets {
        enabled = true
        domain = "www.wexstream.com:444"
        tls = true
    }
    cc {
        trust-bwe = false
    }
    health {
      interval = 86400000
    }
}

We have disabled p2p to test jvb. Here is our config.js:

/* eslint-disable no-unused-vars, no-var */

var config = {
    // Connection
    //

    hosts: {
        // XMPP domain.
        domain: 'www.wexstream.com',

        // When using authentication, domain for guest users.
        // anonymousdomain: 'guest.example.com',

        // Domain for authenticated users. Defaults to <domain>.
        // authdomain: 'www.wexstream.com',

        // Focus component domain. Defaults to focus.<domain>.
        // focus: 'focus.www.wexstream.com',

        // XMPP MUC domain. FIXME: use XEP-0030 to discover it.
        muc: 'conference.<!--# echo var="subdomain" default="" -->www.wexstream.com'
    },

    // BOSH URL. FIXME: use XEP-0156 to discover it.
    bosh: '//www.wexstream.com:444/http-bind',

    // Websocket URL
    websocket: 'wss://www.wexstream.com:444/xmpp-websocket',
    //websocketKeepAliveUrl: 'https://www.wexstream.com:444/_unlock',

    // The name of client node advertised in XEP-0115 'c' stanza
    clientNode: 'http://jitsi.org/jitsimeet',

    // The real JID of focus participant - can be overridden here
    // Do not change username - FIXME: Make focus username configurable
    // https://github.com/jitsi/jitsi-meet/issues/7376
    // focusUserJid: 'focus@auth.www.wexstream.com',


    // Testing / experimental features.
    //

    testing: {
        // Disables the End to End Encryption feature. Useful for debugging
        // issues related to insertable streams.
        // disableE2EE: false,

        // P2P test mode disables automatic switching to P2P when there are 2
        // participants in the conference.
        p2pTestMode: false

        // Enables the test specific features consumed by jitsi-meet-torture
        // testMode: false

        // Disables the auto-play behavior of *all* newly created video element.
        // This is useful when the client runs on a host with limited resources.
        // noAutoPlayVideo: false

        // Enable / disable 500 Kbps bitrate cap on desktop tracks. When enabled,
        // simulcast is turned off for the desktop share. If presenter is turned
        // on while screensharing is in progress, the max bitrate is automatically
        // adjusted to 2.5 Mbps. This takes a value between 0 and 1 which determines
        // the probability for this to be enabled. This setting has been deprecated.
        // desktopSharingFrameRate.max now determines whether simulcast will be enabled
        // or disabled for the screenshare.
        // capScreenshareBitrate: 1 // 0 to disable - deprecated.

        // Enable callstats only for a percentage of users.
        // This takes a value between 0 and 100 which determines the probability for
        // the callstats to be enabled.
        // callStatsThreshold: 5 // enable callstats for 5% of the users.
    },

    // Enables reactions feature.
    enableReactions: false,

    // Disables ICE/UDP by filtering out local and remote UDP candidates in
    // signalling.
    // webrtcIceUdpDisable: false,

    // Disables ICE/TCP by filtering out local and remote TCP candidates in
    // signalling.
    // webrtcIceTcpDisable: false,


    // Media
    //

    // Enable unified plan implementation support on Chromium based browsers.
    // enableUnifiedOnChrome: false,

    // Audio

    // Disable measuring of audio levels.
    disableAudioLevels: false,
    // audioLevelsInterval: 200,

    // Enabling this will run the lib-jitsi-meet no audio detection module which
    // will notify the user if the current selected microphone has no audio
    // input and will suggest another valid device if one is present.
    enableNoAudioDetection: true,

    // Enabling this will show a "Save Logs" link in the GSM popover that can be
    // used to collect debug information (XMPP IQs, SDP offer/answer cycles)
    // about the call.
    // enableSaveLogs: false,

    // Enabling this will hide the "Show More" link in the GSM popover that can be
    // used to display more statistics about the connection (IP, Port, protocol, etc).
    // disableShowMoreStats: true,

    // Enabling this will run the lib-jitsi-meet noise detection module which will
    // notify the user if there is noise, other than voice, coming from the current
    // selected microphone. The purpose it to let the user know that the input could
    // be potentially unpleasant for other meeting participants.
    enableNoisyMicDetection: true,

    // Start the conference in audio only mode (no video is being received nor
    // sent).
    startAudioOnly: true,

    // Every participant after the Nth will start audio muted.
    // startAudioMuted: 10,

    // Start calls with audio muted. Unlike the option above, this one is only
    // applied locally. FIXME: having these 2 options is confusing.
    // startWithAudioMuted: false,

    // Enabling it (with #params) will disable local audio output of remote
    // participants and to enable it back a reload is needed.
    // startSilent: false

    // Enables support for opus-red (redundancy for Opus).
    // enableOpusRed: false,

    // Specify audio quality stereo and opusMaxAverageBitrate values in order to enable HD audio.
    // Beware, by doing so, you are disabling echo cancellation, noise suppression and AGC.
    audioQuality: {
         stereo: false
        // opusMaxAverageBitrate: null // Value to fit the 6000 to 510000 range.
    },

    // Video

    // Sets the preferred resolution (height) for local video. Defaults to 720.
    resolution: 720,  // 720

    // How many participants while in the tile view mode, before the receiving video quality is reduced from HD to SD.
    // Use -1 to disable.
    // maxFullResolutionParticipants: 2,

    // w3c spec-compliant video constraints to use for video capture. Currently
    // used by browsers that return true from lib-jitsi-meet's
    // util#browser#usesNewGumFlow. The constraints are independent from
    // this config's resolution value. Defaults to requesting an ideal
    // resolution of 720p.
    //constraints: {
    //     video: {
    //         height: {
    //             ideal: 720,
    //             max: 720,
    //             min: 240
    //         }
    //},
    
   constraints: {
        video: {
            height: {
                ideal: 720, // 720
                max: 720, // 720
                min: 180
            },
            width: {
                ideal: 1280, // 1280
                max: 1280, // 1280
                min: 320
            }
        }
    },

    // Enable / disable simulcast support.
    disableSimulcast: false,

    // Enable / disable layer suspension.  If enabled, endpoints whose HD
    // layers are not in use will be suspended (no longer sent) until they
    // are requested again.
    enableLayerSuspension: true,

    // Use XEP-0215 to fetch STUN and TURN servers.
    useStunTurn: true,
    useTurnUdp: false,

    // Enable/Disable IPv6 support.
    useIPv6: true,

    // Suspend sending video if bandwidth estimation is too low. This may cause
    // problems with audio playback. Disabled until these are fixed.
    //disableSuspendVideo: true,

    // Enables / disables a data communication channel with the Videobridge.
    // Values can be 'datachannel', 'websocket', true (treat it as
    // 'datachannel'), undefined (treat it as 'datachannel') and false (don't
    // open any channel).
    openBridgeChannel: 'websocket',

    // Every participant after the Nth will start video muted.
    // startVideoMuted: 10,

    // Start calls with video muted. Unlike the option above, this one is only
    // applied locally. FIXME: having these 2 options is confusing.
    // startWithVideoMuted: false,

    // If set to true, prefer to use the H.264 video codec (if supported).
    // Note that it's not recommended to do this because simulcast is not
    // supported when  using H.264. For 1-to-1 calls this setting is enabled by
    // default and can be toggled in the p2p section.
    // This option has been deprecated, use preferredCodec under videoQuality section instead.
    // preferH264: true,

    // If set to true, disable H.264 video codec by stripping it out of the
    // SDP.
    disableH264: true,

    // Desktop sharing

    // Optional desktop sharing frame rate options. Default value: min:5, max:5.
    // desktopSharingFrameRate: {
    //     min: 5,
    //     max: 5
    // },

    // Try to start calls with screen-sharing instead of camera video.
    // startScreenSharing: false,

    // Recording

    // Whether to enable file recording or not.
    // fileRecordingsEnabled: false,
    // Enable the dropbox integration.
    // dropbox: {
    //     appKey: '<APP_KEY>' // Specify your app key here.
    //     // A URL to redirect the user to, after authenticating
    //     // by default uses:
    //     // 'https://www.wexstream.com/static/oauth.html'
    //     redirectURI:
    //          'https://www.wexstream.com/subfolder/static/oauth.html'
    // },
    // When integrations like dropbox are enabled only that will be shown,
    // by enabling fileRecordingsServiceEnabled, we show both the integrations
    // and the generic recording service (its configuration and storage type
    // depends on jibri configuration)
    // fileRecordingsServiceEnabled: false,
    // Whether to show the possibility to share file recording with other people
    // (e.g. meeting participants), based on the actual implementation
    // on the backend.
    // fileRecordingsServiceSharingEnabled: false,

    // Whether to enable live streaming or not.
    // liveStreamingEnabled: false,

    // Transcription (in interface_config,
    // subtitles and buttons can be configured)
    transcribingEnabled: false,

    // If true transcriber will use the application language.
    // The application language is either explicitly set by participants in their settings or automatically
    // detected based on the environment, e.g. if the app is opened in a chrome instance which is using french as its
    // default language then transcriptions for that participant will be in french.
    // Defaults to true.
    // transcribeWithAppLanguage: true,

    // Transcriber language. This settings will only work if "transcribeWithAppLanguage" is explicitly set to false.
    // Available languages can be found in lang/language.json.
    // preferredTranscribeLanguage: 'en',

    // Enables automatic turning on captions when recording is started
    // autoCaptionOnRecord: false,

    // Misc

    // Default value for the channel "last N" attribute. -1 for unlimited.
    channelLastN: -1,

    // Provides a way for the lastN value to be controlled through the UI.
    // When startLastN is present, conference starts with a last-n value of startLastN and channelLastN
    // value will be used when the quality level is selected using "Manage Video Quality" slider.
    // startLastN: 1,

    // Provides a way to use different "last N" values based on the number of participants in the conference.
    // The keys in an Object represent number of participants and the values are "last N" to be used when number of
    // participants gets to or above the number.
    //
    // For the given example mapping, "last N" will be set to 20 as long as there are at least 5, but less than
    // 29 participants in the call and it will be lowered to 15 when the 30th participant joins. The 'channelLastN'
    // will be used as default until the first threshold is reached.
    //
    // lastNLimits: {
    //     5: 20,
    //     30: 15,
    //     50: 10,
    //     70: 5,
    //     90: 2
    // },

    // Provides a way to translate the legacy bridge signaling messages, 'LastNChangedEvent',
    // 'SelectedEndpointsChangedEvent' and 'ReceiverVideoConstraint' into the new 'ReceiverVideoConstraints' message
    // that invokes the new bandwidth allocation algorithm in the bridge which is described here
    // - https://github.com/jitsi/jitsi-videobridge/blob/master/doc/allocation.md.
    useNewBandwidthAllocationStrategy: true,

    // Specify the settings for video quality optimizations on the client.
    // videoQuality: {
    //    // Provides a way to prevent a video codec from being negotiated on the JVB connection. The codec specified
    //    // here will be removed from the list of codecs present in the SDP answer generated by the client. If the
    //    // same codec is specified for both the disabled and preferred option, the disable settings will prevail.
    //    // Note that 'VP8' cannot be disabled since it's a mandatory codec, the setting will be ignored in this case.
    //    disabledCodec: 'H264',
    //
    //    // Provides a way to set a preferred video codec for the JVB connection. If 'H264' is specified here,
    //    // simulcast will be automatically disabled since JVB doesn't support H264 simulcast yet. This will only
    //    // rearrange the the preference order of the codecs in the SDP answer generated by the browser only if the
    //    // preferred codec specified here is present. Please ensure that the JVB offers the specified codec for this
    //    // to take effect.
    //    preferredCodec: 'VP8',
    //
    //    // Provides a way to enforce the preferred codec for the conference even when the conference has endpoints
    //    // that do not support the preferred codec. For example, older versions of Safari do not support VP9 yet.
    //    // This will result in Safari not being able to decode video from endpoints sending VP9 video.
    //    // When set to false, the conference falls back to VP8 whenever there is an endpoint that doesn't support the
    //    // preferred codec and goes back to the preferred codec when that endpoint leaves.
    //    // enforcePreferredCodec: false,
    //
    //    // Provides a way to configure the maximum bitrates that will be enforced on the simulcast streams for
    //    // video tracks. The keys in the object represent the type of the stream (LD, SD or HD) and the values
    //    // are the max.bitrates to be set on that particular type of stream. The actual send may vary based on
    //    // the available bandwidth calculated by the browser, but it will be capped by the values specified here.
    //    // This is currently not implemented on app based clients on mobile.
    //    maxBitratesVideo: {
    //          H264: {
    //              low: 200000,
    //              standard: 500000,
    //              high: 1500000
    //          },
    //          VP8 : {
    //              low: 200000,
    //              standard: 500000,
    //              high: 1500000
    //          },
    //          VP9: {
    //              low: 100000,
    //              standard: 300000,
    //              high:  1200000
    //          }
    //    },
    //
    //    // The options can be used to override default thresholds of video thumbnail heights corresponding to
    //    // the video quality levels used in the application. At the time of this writing the allowed levels are:
    //    //     'low' - for the low quality level (180p at the time of this writing)
    //    //     'standard' - for the medium quality level (360p)
    //    //     'high' - for the high quality level (720p)
    //    // The keys should be positive numbers which represent the minimal thumbnail height for the quality level.
    //    //
    //    // With the default config value below the application will use 'low' quality until the thumbnails are
    //    // at least 360 pixels tall. If the thumbnail height reaches 720 pixels then the application will switch to
    //    // the high quality.
    //    minHeightForQualityLvl: {
    //        360: 'standard',
    //        720: 'high'
    //    },
    //
    //    // Provides a way to resize the desktop track to 720p (if it is greater than 720p) before creating a canvas
    //    // for the presenter mode (camera picture-in-picture mode with screenshare).
    //    resizeDesktopForPresenter: false
    // },

    videoQuality: {
     maxBitratesVideo: {
        VP8: {
            low: 200000,
            standard: 500000,
            high: 1500000
        },
        VP9: {
            low: 100000,
            standard: 300000,
            high: 1200000
        }
     }
    },

    startBitrate: "800",
    forceJVB121Ratio:  -1,
    enableTalkWhileMuted: true,


    // // Options for the recording limit notification.
    // recordingLimit: {
    //
    //    // The recording limit in minutes. Note: This number appears in the notification text
    //    // but doesn't enforce the actual recording time limit. This should be configured in
    //    // jibri!
    //    limit: 60,
    //
    //    // The name of the app with unlimited recordings.
    //    appName: 'Unlimited recordings APP',
    //
    //    // The URL of the app with unlimited recordings.
    //    appURL: 'https://unlimited.recordings.app.com/'
    // },

    // Disables or enables RTX (RFC 4588) (defaults to false).
    disableRtx: false,

    // Disables or enables TCC support in this client (default: enabled).
    //enableTcc: true,

    // Disables or enables REMB support in this client (default: enabled).
    //enableRemb: true,

    // Enables ICE restart logic in LJM and displays the page reload overlay on
    // ICE failure. Current disabled by default because it's causing issues with
    // signaling when Octo is enabled. Also when we do an "ICE restart"(which is
    // not a real ICE restart), the client maintains the TCC sequence number
    // counter, but the bridge resets it. The bridge sends media packets with
    // TCC sequence numbers starting from 0.
    // enableIceRestart: false,

    // Enables forced reload of the client when the call is migrated as a result of
    // the bridge going down.
    enableForcedReload: true,

    // Use TURN/UDP servers for the jitsi-videobridge connection (by default
    // we filter out TURN/UDP because it is usually not needed since the
    // bridge itself is reachable via UDP)
    // useTurnUdp: false

    // UI
    //

    // Disables responsive tiles.
    disableResponsiveTiles: true,

    // Hides lobby button
    // hideLobbyButton: false,

    // Require users to always specify a display name.
    // requireDisplayName: true,

    // Whether to use a welcome page or not. In case it's false a random room
    // will be joined when no room is specified.
    enableWelcomePage: false,

    // Disable app shortcuts that are registered upon joining a conference
    // disableShortcuts: false,

    // Disable initial browser getUserMedia requests.
    // This is useful for scenarios where users might want to start a conference for screensharing only
    // disableInitialGUM: false,

    // Enabling the close page will ignore the welcome page redirection when
    // a call is hangup.
    enableClosePage: false,

    // Disable hiding of remote thumbnails when in a 1-on-1 conference call.
    // Setting this to null, will also disable showing the remote videos
    // when the toolbar is shown on mouse movements
    // disable1On1Mode: null | false | true,

    // Default language for the user interface.
    defaultLanguage: 'en',

    // Disables profile and the edit of all fields from the profile settings (display name and email)
    // disableProfile: false,

    // Whether or not some features are checked based on token.
    // enableFeaturesBasedOnToken: false,

    // When enabled the password used for locking a room is restricted to up to the number of digits specified
    // roomPasswordNumberOfDigits: 10,
    // default: roomPasswordNumberOfDigits: false,

    // Message to show the users. Example: 'The service will be down for
    // maintenance at 01:00 AM GMT,
    // noticeMessage: '',

    // Enables calendar integration, depends on googleApiApplicationClientID
    // and microsoftApiApplicationClientID
    // enableCalendarIntegration: false,

    // When 'true', it shows an intermediate page before joining, where the user can configure their devices.
    prejoinPageEnabled: false,

    // If etherpad integration is enabled, setting this to true will
    // automatically open the etherpad when a participant joins.  This
    // does not affect the mobile app since opening an etherpad
    // obscures the conference controls -- it's better to let users
    // choose to open the pad on their own in that case.
    // openSharedDocumentOnJoin: false,

    // If true, shows the unsafe room name warning label when a room name is
    // deemed unsafe (due to the simplicity in the name) and a password is not
    // set or the lobby is not enabled.
    enableInsecureRoomNameWarning: false,

    // Whether to automatically copy invitation URL after creating a room.
    // Document should be focused for this option to work
    // enableAutomaticUrlCopy: false,

    // Base URL for a Gravatar-compatible service. Defaults to libravatar.
    // gravatarBaseURL: 'https://seccdn.libravatar.org/avatar/',

    // App name to be displayed in the invitation email subject, as an alternative to
    // interfaceConfig.APP_NAME.
    // inviteAppName: null,

    // Moved from interfaceConfig(TOOLBAR_BUTTONS).
    // The name of the toolbar buttons to display in the toolbar, including the
    // "More actions" menu. If present, the button will display. Exceptions are
    // "livestreaming" and "recording" which also require being a moderator and
    // some other values in config.js to be enabled. Also, the "profile" button will
    // not display for users with a JWT.
    // Notes:
    // - it's impossible to choose which buttons go in the "More actions" menu
    // - it's impossible to control the placement of buttons
    // - 'desktop' controls the "Share your screen" button
    // - if `toolbarButtons` is undefined, we fallback to enabling all buttons on the UI
    toolbarButtons: [
        'camera',
        'chat',
        'closedcaptions',
        'desktop',
    //    'download',
    //    'embedmeeting',
        'etherpad',
    //    'feedback',
        'filmstrip',
        'fullscreen',
        'hangup',
        'help',
    //    'invite',
    //    'livestreaming',
        'microphone',
        'mute-everyone',
        'mute-video-everyone',
    //    'participants-pane',
        'profile',
        'raisehand',
    //    'recording',
        'security',
        'select-background',
        'settings',
    //    'shareaudio',
    //    'sharedvideo',
        'shortcuts',
        'stats',
        'tileview',
        'toggle-camera',
        'videoquality',
        '__end'
    ],

    // Stats
    //

    // Whether to enable stats collection or not in the TraceablePeerConnection.
    // This can be useful for debugging purposes (post-processing/analysis of
    // the webrtc stats) as it is done in the jitsi-meet-torture bandwidth
    // estimation tests.
    gatherStats: false,

    // The interval at which PeerConnection.getStats() is called. Defaults to 10000
    // pcStatsInterval: 10000,

    // To enable sending statistics to callstats.io you must provide the
    // Application ID and Secret.
    // callStatsID: '',
    // callStatsSecret: '',

    // Enables sending participants' display names to callstats
    // enableDisplayNameInStats: false,

    // Enables sending participants' emails (if available) to callstats and other analytics
    // enableEmailInStats: false,

    // Controls the percentage of automatic feedback shown to participants when callstats is enabled.
    // The default value is 100%. If set to 0, no automatic feedback will be requested
    feedbackPercentage: 0,

    // Privacy
    //

    // If third party requests are disabled, no other server will be contacted.
    // This means avatars will be locally generated and callstats integration
    // will not function.
    // disableThirdPartyRequests: false,


    // Peer-To-Peer mode: used (if enabled) when there are just 2 participants.
    //

    p2p: {
        // Enables peer to peer mode. When enabled the system will try to
        // establish a direct connection when there are exactly 2 participants
        // in the room. If that succeeds the conference will stop sending data
        // through the JVB and use the peer to peer connection instead. When a
        // 3rd participant joins the conference will be moved back to the JVB
        // connection.
        enabled: false,

        // Enable unified plan implementation support on Chromium for p2p connection.
        enableUnifiedOnChrome: true,

        // Sets the ICE transport policy for the p2p connection. At the time
        // of this writing the list of possible values are 'all' and 'relay',
        // but that is subject to change in the future. The enum is defined in
        // the WebRTC standard:
        // https://www.w3.org/TR/webrtc/#rtcicetransportpolicy-enum.
        // If not set, the effective value is 'all'.
        // iceTransportPolicy: 'all',

        // If set to true, it will prefer to use H.264 for P2P calls (if H.264
        // is supported). This setting is deprecated, use preferredCodec instead.
        // preferH264: true,

        // Provides a way to set the video codec preference on the p2p connection. Acceptable
        // codec values are 'VP8', 'VP9' and 'H264'.
        // preferredCodec: 'H264',

        // If set to true, disable H.264 video codec by stripping it out of the
        // SDP. This setting is deprecated, use disabledCodec instead.
        disableH264: true,

        enableUnifiedOnChrome: true,

        useStunTurn: true, // use XEP-0215 to fetch STUN and TURN servers for the P2P connection
        
        // Provides a way to prevent a video codec from being negotiated on the p2p connection.
        // disabledCodec: '',

        // How long we're going to wait, before going back to P2P after the 3rd
        // participant has left the conference (to filter out page reload).
        // backToP2PDelay: 5,

        // The STUN servers that will be used in the peer to peer connections
        stunServers: [

            { urls: 'stun:www.wexstream.com:3478' }
            // { urls: 'stun:meet-jit-si-turnrelay.jitsi.net:443' }
        ]
    },

    analytics: {
        // The Google Analytics Tracking ID:
        // googleAnalyticsTrackingId: 'your-tracking-id-UA-123456-1'

        // Matomo configuration:
        // matomoEndpoint: 'https://your-matomo-endpoint/',
        // matomoSiteID: '42',

        // The Amplitude APP Key:
        // amplitudeAPPKey: '<APP_KEY>'

        // Configuration for the rtcstats server:
        // By enabling rtcstats server every time a conference is joined the rtcstats
        // module connects to the provided rtcstatsEndpoint and sends statistics regarding
        // PeerConnection states along with getStats metrics polled at the specified
        // interval.
        // rtcstatsEnabled: true,

        // In order to enable rtcstats one needs to provide a endpoint url.
        // rtcstatsEndpoint: wss://rtcstats-server-pilot.jitsi.net/,

        // The interval at which rtcstats will poll getStats, defaults to 1000ms.
        // If the value is set to 0 getStats won't be polled and the rtcstats client
        // will only send data related to RTCPeerConnection events.
        // rtcstatsPolIInterval: 1000,

        // Array of script URLs to load as lib-jitsi-meet "analytics handlers".
        // scriptURLs: [
        //      "libs/analytics-ga.min.js", // google-analytics
        //      "https://example.com/my-custom-analytics.js"
        // ],
    },

    // Logs that should go be passed through the 'log' event if a handler is defined for it
    // apiLogLevels: ['warn', 'log', 'error', 'info', 'debug'],

    // Information about the jitsi-meet instance we are connecting to, including
    // the user region as seen by the server.
    deploymentInfo: {
        // shard: "shard1",
        // region: "europe",
        // userRegion: "asia"
    },

    // Decides whether the start/stop recording audio notifications should play on record.
    // disableRecordAudioNotification: false,

    // Disables the sounds that play when other participants join or leave the
    // conference (if set to true, these sounds will not be played).
    // disableJoinLeaveSounds: false,

    // Disables the sounds that play when a chat message is received.
    // disableIncomingMessageSound: false,

    // Information for the chrome extension banner
    // chromeExtensionBanner: {
    //     // The chrome extension to be installed address
    //     url: 'https://chrome.google.com/webstore/detail/jitsi-meetings/kglhbbefdnlheedjiejgomgmfplipfeb',

    //     // Extensions info which allows checking if they are installed or not
    //     chromeExtensionsInfo: [
    //         {
    //             id: 'kglhbbefdnlheedjiejgomgmfplipfeb',
    //             path: 'jitsi-logo-48x48.png'
    //         }
    //     ]
    // },

    // Local Recording
    //

    // localRecording: {
    // Enables local recording.
    // Additionally, 'localrecording' (all lowercase) needs to be added to
    // the `toolbarButtons`-array for the Local Recording button to show up
    // on the toolbar.
    //
    //     enabled: true,
    //

    // The recording format, can be one of 'ogg', 'flac' or 'wav'.
    //     format: 'flac'
    //

    // },

    // Options related to end-to-end (participant to participant) ping.
    e2eping: {
       // The interval in milliseconds at which pings will be sent.
       // Defaults to 10000, set to <= 0 to disable.
       pingInterval: -1, // 10000
    
       // The interval in milliseconds at which analytics events
       // with the measured RTT will be sent. Defaults to 60000, set
       // to <= 0 to disable.
       //analyticsInterval: 60000,
    },

    // If set, will attempt to use the provided video input device label when
    // triggering a screenshare, instead of proceeding through the normal flow
    // for obtaining a desktop stream.
    // NOTE: This option is experimental and is currently intended for internal
    // use only.
    // _desktopSharingSourceDevice: 'sample-id-or-label',

    // If true, any checks to handoff to another application will be prevented
    // and instead the app will continue to display in the current browser.
    disableDeepLinking: true,

    // A property to disable the right click context menu for localVideo
    // the menu has option to flip the locally seen video for local presentations
    disableLocalVideoFlip: false,

    // A property used to unset the default flip state of the local video.
    // When it is set to 'true', the local(self) video will not be mirrored anymore.
    // doNotFlipLocalVideo: false,

    // Mainly privacy related settings

    // Disables all invite functions from the app (share, invite, dial out...etc)
    // disableInviteFunctions: true,

    // Disables storing the room name to the recents list
    // doNotStoreRoom: true,

    // Deployment specific URLs.
    // deploymentUrls: {
    //    // If specified a 'Help' button will be displayed in the overflow menu with a link to the specified URL for
    //    // user documentation.
    //    userDocumentationURL: 'https://docs.example.com/video-meetings.html',
    //    // If specified a 'Download our apps' button will be displayed in the overflow menu with a link
    //    // to the specified URL for an app download page.
    //    downloadAppsUrl: 'https://docs.example.com/our-apps.html'
    // },

    // Options related to the remote participant menu.
    // remoteVideoMenu: {
    //     // If set to true the 'Kick out' button will be disabled.
    //     disableKick: true,
    //     // If set to true the 'Grant moderator' button will be disabled.
    //     disableGrantModerator: true
    // },

    // If set to true all muting operations of remote participants will be disabled.
    // disableRemoteMute: true,

    // Enables support for lip-sync for this client (if the browser supports it).
    enableLipSync: false,

    /**
     External API url used to receive branding specific information.
     If there is no url set or there are missing fields, the defaults are applied.
     The config file should be in JSON.
     None of the fields are mandatory and the response must have the shape:
     {
         // The domain url to apply (will replace the domain in the sharing conference link/embed section)
         inviteDomain: 'example-company.org',
         // The hex value for the colour used as background
         backgroundColor: '#fff',
         // The url for the image used as background
         backgroundImageUrl: 'https://example.com/background-img.png',
         // The anchor url used when clicking the logo image
         logoClickUrl: 'https://example-company.org',
         // The url used for the image used as logo
         logoImageUrl: 'https://example.com/logo-img.png'
     }
    */
    // dynamicBrandingUrl: '',

    // Sets the background transparency level. '0' is fully transparent, '1' is opaque.
    // backgroundAlpha: 1,

    // The URL of the moderated rooms microservice, if available. If it
    // is present, a link to the service will be rendered on the welcome page,
    // otherwise the app doesn't render it.
    // moderatedRoomServiceUrl: 'https://moderated.www.wexstream.com',

    // If true, tile view will not be enabled automatically when the participants count threshold is reached.
    // disableTileView: true,

    // Hides the conference subject
    // hideConferenceSubject: true,

    // Hides the recording label
    // hideRecordingLabel: false,

    // Hides the conference timer.
    // hideConferenceTimer: true,

    // Hides the participants stats
    // hideParticipantsStats: true,

    // Sets the conference subject
    // subject: 'Conference Subject',

    // This property is related to the use case when jitsi-meet is used via the IFrame API. When the property is true
    // jitsi-meet will use the local storage of the host page instead of its own. This option is useful if the browser
    // is not persisting the local storage inside the iframe.
    // useHostPageLocalStorage: true,

    // etherpad ("shared document") integration.
    //

    // If set, add a "Open shared document" link to the bottom right menu that
    // will open an etherpad document.
    // etherpad_base: 'https://your-etherpad-installati.on/p/',

    // If etherpad_base is set, and useRoomAsSharedDocumentName is set to true,
    // open a pad with the name of the room (lowercased) instead of a pad with a
    // random UUID.
    // useRoomAsSharedDocumentName: true,

    // List of undocumented settings used in jitsi-meet
    /**
     _immediateReloadThreshold
     debug
     debugAudioLevels
     deploymentInfo
     dialInConfCodeUrl
     dialInNumbersUrl
     dialOutAuthUrl
     dialOutCodesUrl
     disableRemoteControl
     displayJids
     externalConnectUrl
     firefox_fake_device
     googleApiApplicationClientID
     iAmRecorder
     iAmSipGateway
     microsoftApiApplicationClientID
     peopleSearchQueryTypes
     peopleSearchUrl
     requireDisplayName
     tokenAuthUrl
     */

    /**
     * This property can be used to alter the generated meeting invite links (in combination with a branding domain
     * which is retrieved internally by jitsi meet) (e.g. https://meet.jit.si/someMeeting
     * can become https://brandedDomain/roomAlias)
     */
    // brandingRoomAlias: null,

    // List of undocumented settings used in lib-jitsi-meet
    /**
     _peerConnStatusOutOfLastNTimeout
     _peerConnStatusRtcMuteTimeout
     abTesting
     avgRtpStatsN
     callStatsConfIDNamespace
     callStatsCustomScriptUrl
     desktopSharingSources
     disableAEC
     disableAGC
     disableAP
     disableHPF
     disableNS
     enableTalkWhileMuted
     forceJVB121Ratio
     forceTurnRelay
     hiddenDomain
     ignoreStartMuted
     websocketKeepAlive
     websocketKeepAliveUrl
     */

    /**
     * Default interval (milliseconds) for triggering mouseMoved iframe API event
     */
    mouseMoveCallbackInterval: 1000,

    /**
        Use this array to configure which notifications will be shown to the user
        The items correspond to the title or description key of that notification
        Some of these notifications also depend on some other internal logic to be displayed or not,
        so adding them here will not ensure they will always be displayed

        A falsy value for this prop will result in having all notifications enabled (e.g null, undefined, false)
    */
    // notifications: [
    //     'connection.CONNFAIL', // shown when the connection fails,
    //     'dialog.cameraNotSendingData', // shown when there's no feed from user's camera
    //     'dialog.kickTitle', // shown when user has been kicked
    //     'dialog.liveStreaming', // livestreaming notifications (pending, on, off, limits)
    //     'dialog.lockTitle', // shown when setting conference password fails
    //     'dialog.maxUsersLimitReached', // shown when maximum users limit has been reached
    //     'dialog.micNotSendingData', // shown when user's mic is not sending any audio
    //     'dialog.passwordNotSupportedTitle', // shown when setting conference password fails due to password format
    //     'dialog.recording', // recording notifications (pending, on, off, limits)
    //     'dialog.remoteControlTitle', // remote control notifications (allowed, denied, start, stop, error)
    //     'dialog.reservationError',
    //     'dialog.serviceUnavailable', // shown when server is not reachable
    //     'dialog.sessTerminated', // shown when there is a failed conference session
    //     'dialog.sessionRestarted', // show when a client reload is initiated because of bridge migration
    //     'dialog.tokenAuthFailed', // show when an invalid jwt is used
    //     'dialog.transcribing', // transcribing notifications (pending, off)
    //     'dialOut.statusMessage', // shown when dial out status is updated.
    //     'liveStreaming.busy', // shown when livestreaming service is busy
    //     'liveStreaming.failedToStart', // shown when livestreaming fails to start
    //     'liveStreaming.unavailableTitle', // shown when livestreaming service is not reachable
    //     'lobby.joinRejectedMessage', // shown when while in a lobby, user's request to join is rejected
    //     'lobby.notificationTitle', // shown when lobby is toggled and when join requests are allowed / denied
    //     'localRecording.localRecording', // shown when a local recording is started
    //     'notify.disconnected', // shown when a participant has left
    //     'notify.grantedTo', // shown when moderator rights were granted to a participant
    //     'notify.invitedOneMember', // shown when 1 participant has been invited
    //     'notify.invitedThreePlusMembers', // shown when 3+ participants have been invited
    //     'notify.invitedTwoMembers', // shown when 2 participants have been invited
    //     'notify.kickParticipant', // shown when a participant is kicked
    //     'notify.mutedRemotelyTitle', // shown when user is muted by a remote party
    //     'notify.mutedTitle', // shown when user has been muted upon joining,
    //     'notify.newDeviceAudioTitle', // prompts the user to use a newly detected audio device
    //     'notify.newDeviceCameraTitle', // prompts the user to use a newly detected camera
    //     'notify.passwordRemovedRemotely', // shown when a password has been removed remotely
    //     'notify.passwordSetRemotely', // shown when a password has been set remotely
    //     'notify.raisedHand', // shown when a participant used raise hand,
    //     'notify.startSilentTitle', // shown when user joined with no audio
    //     'prejoin.errorDialOut',
    //     'prejoin.errorDialOutDisconnected',
    //     'prejoin.errorDialOutFailed',
    //     'prejoin.errorDialOutStatus',
    //     'prejoin.errorStatusCode',
    //     'prejoin.errorValidation',
    //     'recording.busy', // shown when recording service is busy
    //     'recording.failedToStart', // shown when recording fails to start
    //     'recording.unavailableTitle', // shown when recording service is not reachable
    //     'toolbar.noAudioSignalTitle', // shown when a broken mic is detected
    //     'toolbar.noisyAudioInputTitle', // shown when noise is detected for the current microphone
    //     'toolbar.talkWhileMutedPopup', // shown when user tries to speak while muted
    //     'transcribing.failedToStart' // shown when transcribing fails to start
    // ],

    // Prevent the filmstrip from autohiding when screen width is under a certain threshold
    // disableFilmstripAutohiding: false,

    // Allow all above example options to include a trailing comma and
    // prevent fear when commenting out the last value.
    makeJsonParserHappy: 'even if last key had a trailing comma'

    // no configuration value should follow this line.
};

/* eslint-enable no-unused-vars, no-var */

Here is our nginx config:

server {
    listen 444 ssl http2;
    listen [::]:444 ssl http2;
    server_name www.wexstream.com;

    # Mozilla Guideline v5.4, nginx 1.17.7, OpenSSL 1.1.1d, intermediate configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;  # about 40000 sessions
    ssl_session_tickets off;

    add_header Strict-Transport-Security "max-age=63072000" always;
    set $prefix "";

    ssl_certificate /etc/ssl/www.wexstream.com.bundle.crt;
    ssl_certificate_key /etc/ssl/www.wexstream.com.key;

    root /usr/share/jitsi-meet;

    # ssi on with javascript for multidomain variables in config.js
    ssi on;
    ssi_types application/x-javascript application/javascript;

    index index.html index.htm;
    error_page 404 /static/404.html;

    gzip on;
    gzip_types text/plain text/css application/javascript application/json image/x-icon application/octet-stream application/wasm;
    gzip_vary on;
    gzip_proxied no-cache no-store private expired auth;
    gzip_min_length 512;

    location = /xmpp-websocket
    {
        proxy_pass http://localhost:5280/xmpp-websocket;
       
        #shard & region that matches config.deploymentInfo.shard/region -  See [note 1] below
        add_header 'x-jitsi-shard' 'shard';
        add_header 'x-jitsi-region' 'us-east-2a';
        add_header 'Access-Control-Expose-Headers' 'X-Jitsi-Shard, X-Jitsi-Region';

        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $http_host;

        proxy_http_version 1.1;
        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size  256k;
        proxy_set_header Connection "upgrade";
        tcp_nodelay on;
    }

    location = /config.js {
        alias /etc/jitsi/meet/www.wexstream.com-config.js;
    }

    location = /external_api.js {
        alias /usr/share/jitsi-meet/libs/external_api.min.js;
    }

    location = /external_api.min.map {
        alias /usr/share/jitsi-meet/libs/external_api.min.map;
    }

    # ensure all static content can always be found first
    location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)$
    {
        add_header 'Access-Control-Allow-Origin' '*';
        alias /usr/share/jitsi-meet/$1/$2;

        # cache all versioned files
        if ($arg_v) {
            expires 1y;
        }
    }

    # BOSH
    location = /http-bind {
        proxy_pass http://127.0.0.1:5280/http-bind?prefix=$prefix&$args;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $http_host;
    }

    # xmpp websockets
    #location = /xmpp-websocket {
    #    proxy_pass http://127.0.0.1:5280/xmpp-websocket?prefix=$prefix&$args;
    #    proxy_http_version 1.1;
    #    proxy_set_header Upgrade $http_upgrade;
    #    proxy_set_header Connection "upgrade";
    #    proxy_set_header Host $http_host;
    #    tcp_nodelay on;
    #}

    # colibri (JVB) websockets for jvb1
    location ~ ^/colibri-ws/default-id/(.*) {
        proxy_pass http://127.0.0.1:9090/colibri-ws/default-id/$1$is_args$args;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        tcp_nodelay on;
    }

    # load test minimal client, uncomment when used
    #location ~ ^/_load-test/([^/?&:'"]+)$ {
    #    rewrite ^/_load-test/(.*)$ /load-test/index.html break;
    #}
    #location ~ ^/_load-test/libs/(.*)$ {
    #    add_header 'Access-Control-Allow-Origin' '*';
    #    alias /usr/share/jitsi-meet/load-test/libs/$1;
    #}

    location ~ ^/([^/?&:'"]+)$ {
        try_files $uri @root_path;
    }

    location @root_path {
        rewrite ^/(.*)$ / break;
    }

    location ~ ^/([^/?&:'"]+)/config.js$
    {
        set $subdomain "$1.";
        set $subdir "$1/";

        alias /etc/jitsi/meet/www.wexstream.com-config.js;
    }

    # BOSH for subdomains
    location ~ ^/([^/?&:'"]+)/http-bind {
        set $subdomain "$1.";
        set $subdir "$1/";
        set $prefix "$1";

        rewrite ^/(.*)$ /http-bind;
    }

    # websockets for subdomains
    location ~ ^/([^/?&:'"]+)/xmpp-websocket {
        set $subdomain "$1.";
        set $subdir "$1/";
        set $prefix "$1";

        rewrite ^/(.*)$ /xmpp-websocket;
    }

    # Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
    location ~ ^/([^/?&:'"]+)/(.*)$ {
        set $subdomain "$1.";
        set $subdir "$1/";
        rewrite ^/([^/?&:'"]+)/(.*)$ /$2;
    }
}

Here is our prosody.cfg.lua:

-- Prosody Example Configuration File
--
-- Information on configuring Prosody can be found on our
-- website at https://prosody.im/doc/configure
--
-- Tip: You can check that the syntax of this file is correct
-- when you have finished by running this command:
--     prosodyctl check config
-- If there are any errors, it will let you know what and where
-- they are, otherwise it will keep quiet.
--
-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
-- blanks. Good luck, and happy Jabbering!


---------- Server-wide settings ----------
-- Settings in this section apply to the whole server and are the default settings
-- for any virtual hosts

-- This is a (by default, empty) list of accounts that are admins
-- for the server. Note that you must create the accounts separately
-- (see https://prosody.im/doc/creating_accounts for info)
-- Example: admins = { "user1@example.com", "user2@example.net" }
admins = { }

-- Enable use of libevent for better performance under high load
-- For more information see: https://prosody.im/doc/libevent
--use_libevent = true

-- Prosody will always look in its source directory for modules, but
-- this option allows you to specify additional locations where Prosody
-- will look for modules first. For community modules, see https://modules.prosody.im/
-- For a local administrator it's common to place local modifications
-- under /usr/local/ hierarchy:
plugin_paths = { "/usr/local/lib/prosody/modules" }

-- This is the list of modules Prosody will load on startup.
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
modules_enabled = {

	-- Generally required
		"roster"; -- Allow users to have a roster. Recommended ;)
		"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
		"tls"; -- Add support for secure TLS on c2s/s2s connections
		"dialback"; -- s2s dialback support
		"disco"; -- Service discovery

	-- Not essential, but recommended
		"carbons"; -- Keep multiple clients in sync
		"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
		"private"; -- Private XML storage (for room bookmarks, etc.)
		"blocklist"; -- Allow users to block communications with other users
		"vcard4"; -- User profiles (stored in PEP)
		"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard

	-- Nice to have
		"version"; -- Replies to server version requests
		"uptime"; -- Report how long server has been running
		"time"; -- Let others know the time here on this server
		"ping"; -- Replies to XMPP pings with pongs
		"register"; -- Allow users to register on this server using a client and change passwords
		--"mam"; -- Store messages in an archive and allow users to access it
		--"csi_simple"; -- Simple Mobile optimizations

	-- Admin interfaces
		"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
		--"admin_telnet"; -- Opens telnet console interface on localhost port 5582

	-- HTTP modules
		"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
		"websocket"; -- XMPP over WebSockets
		--"http_files"; -- Serve static files from a directory over HTTP

	-- Other specific functionality
		"posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
		--"limits"; -- Enable bandwidth limiting for XMPP connections
		--"groups"; -- Shared roster support
		--"server_contact_info"; -- Publish contact information for this service
		--"announce"; -- Send announcement to all online users
		--"welcome"; -- Welcome users who register accounts
		--"watchregistrations"; -- Alert admins of registrations
		--"motd"; -- Send a message to users when they log in
		--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
		--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
}

smacks_max_unacked_stanzas = 5;
smacks_hibernation_time = 60; 
smacks_max_hibernated_sessions = 1;
smacks_max_old_sessions = 1;

-- These modules are auto-loaded, but should you want
-- to disable them then uncomment them here:
modules_disabled = {
	-- "offline"; -- Store offline messages
	-- "c2s"; -- Handle client connections
	-- "s2s"; -- Handle server-to-server connections
}

-- Disable account creation by default, for security
-- For more information see https://prosody.im/doc/creating_accounts
allow_registration = false

-- Debian:
--   Do not send the server to background, either systemd or start-stop-daemon take care of that.
--
daemonize = false;

-- Debian:
--   Please, don't change this option since /run/prosody/
--   is one of the few directories Prosody is allowed to write to
--
pidfile = "/run/prosody/prosody.pid";

-- Force clients to use encrypted connections? This option will
-- prevent clients from authenticating unless they are using encryption.

c2s_require_encryption = false

-- Force servers to use encrypted connections? This option will
-- prevent servers from authenticating unless they are using encryption.

s2s_require_encryption = true

-- Force certificate authentication for server-to-server connections?

s2s_secure_auth = false

-- Some servers have invalid or self-signed certificates. You can list
-- remote domains here that will not be required to authenticate using
-- certificates. They will be authenticated using DNS instead, even
-- when s2s_secure_auth is enabled.

--s2s_insecure_domains = { "insecure.example" }

-- Even if you disable s2s_secure_auth, you can still require valid
-- certificates for some domains by specifying a list here.

--s2s_secure_domains = { "jabber.org" }

-- Select the authentication backend to use. The 'internal' providers
-- use Prosody's configured data storage to store the authentication data.

authentication = "internal_hashed"

-- Select the storage backend to use. By default Prosody uses flat files
-- in its configured data directory, but it also supports more backends
-- through modules. An "sql" backend is included by default, but requires
-- additional dependencies. See https://prosody.im/doc/storage for more info.

--storage = "sql" -- Default is "internal" (Debian: "sql" requires one of the
-- lua-dbi-sqlite3, lua-dbi-mysql or lua-dbi-postgresql packages to work)

-- For the "sql" backend, you can uncomment *one* of the below to configure:
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }


-- Archiving configuration
-- If mod_mam is enabled, Prosody will store a copy of every message. This
-- is used to synchronize conversations between multiple clients, even if
-- they are offline. This setting controls how long Prosody will keep
-- messages in the archive before removing them.

archive_expires_after = "1w" -- Remove archived messages after 1 week

-- You can also configure messages to be stored in-memory only. For more
-- archiving options, see https://prosody.im/doc/modules/mod_mam

-- Logging configuration
-- For advanced logging see https://prosody.im/doc/logging
--
-- Debian:
--  Logs info and higher to /var/log
--  Logs errors to syslog also
log = {
	-- Log files (change 'info' to 'debug' for debug logs):
	info = "/var/log/prosody/prosody.log";
	error = "/var/log/prosody/prosody.err";
	-- Syslog:
	{ levels = { "error" }; to = "syslog";  };
}

-- Uncomment to enable statistics
-- For more info see https://prosody.im/doc/statistics
-- statistics = "internal"

-- Certificates
-- Every virtual host and component needs a certificate so that clients and
-- servers can securely verify its identity. Prosody will automatically load
-- certificates/keys from the directory specified here.
-- For more information, including how to use 'prosodyctl' to auto-import certificates
-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates

-- Location of directory to find certificates in (relative to main config file):
certificates = "certs"

-- HTTPS currently only supports a single certificate, specify it here:
--https_certificate = "/etc/prosody/certs/localhost.crt"

----------- Virtual hosts -----------
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
-- Settings under each VirtualHost entry apply *only* to that host.
-- It's customary to maintain VirtualHost entries in separate config files
-- under /etc/prosody/conf.d/ directory. Examples of such config files can
-- be found in /etc/prosody/conf.avail/ directory.

------ Additional config files ------
-- For organizational purposes you may prefer to add VirtualHost and
-- Component definitions in their own config files. This line includes
-- all config files in /etc/prosody/conf.d/

VirtualHost "localhost"

--VirtualHost "example.com"
--	certificate = "/path/to/example.crt"

------ Components ------
-- You can specify components to add hosts that provide special services,
-- like multi-user conferences, and transports.
-- For more information on components, see https://prosody.im/doc/components

---Set up a MUC (multi-user chat) room server on conference.example.com:
--Component "conference.example.com" "muc"
--- Store MUC messages in an archive and allow users to access it
--modules_enabled = { "muc_mam" }

---Set up an external component (default component port is 5347)
--
-- External components allow adding various services, such as gateways/
-- transports to other networks like ICQ, MSN and Yahoo. For more info
-- see: https://prosody.im/doc/components#adding_an_external_component
--
--Component "gateway.example.com"
--	component_secret = "password"
Include "conf.d/*.cfg.lua"

Here is our www.wexstream.com.cfg.lua:

plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }

-- domain mapper options, must at least have domain base set to use the mapper
muc_mapper_domain_base = "www.wexstream.com";

external_service_secret = "XXXX";
external_services = {
     { type = "stun", host = "www.wexstream.com", port = 3478 },
     { type = "turn", host = "www.wexstream.com", port = 3478, transport = "udp", secret = true, ttl = 86400, algorithm = "turn" },
     { type = "turns", host = "www.wexstream.com", port = 5349, transport = "tcp", secret = true, ttl = 86400, algorithm = "turn" }
};

cross_domain_bosh = true;
consider_bosh_secure = true;

cross_domain_websocket = true;
consider_websocket_secure = true;

https_ports = { }; -- Remove this line to prevent listening on port 5284

-- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
ssl = {
    protocol = "tlsv1_2+";
    ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
}

unlimited_jids = {
    "focus@auth.www.wexstream.com",
    "jvb@auth.www.wexstream.com"
}

VirtualHost "www.wexstream.com"
    -- enabled = false -- Remove this line to enable this host
    authentication = "token"
    -- Properties below are modified by jitsi-meet-tokens package config
    -- and authentication above is switched to "token"
    app_id="wexstream"
    app_secret="XXXX"
    -- Assign this host a certificate for TLS, otherwise it would use the one
    -- set in the global section (if any).
    -- Note that old-style SSL on port 5223 only supports one certificate, and will always
    -- use the global one.
    ssl = {
        key = "/etc/prosody/certs/www.wexstream.com.key";
        certificate = "/etc/prosody/certs/www.wexstream.com.crt";
    }
    av_moderation_component = "avmoderation.www.wexstream.com"
    speakerstats_component = "speakerstats.www.wexstream.com"
    conference_duration_component = "conferenceduration.www.wexstream.com"
    -- we need bosh
    modules_enabled = {
        "bosh";
        "pubsub";
        "ping"; -- Enable mod_ping
        "speakerstats";
        "external_services";
        "conference_duration";
        "muc_lobby_rooms";
        "av_moderation";
        "websocket";
        "smacks";
    }

   smacks_max_unacked_stanzas = 5;
   smacks_hibernation_time = 60; 
   smacks_max_hibernated_sessions = 1;
   smacks_max_old_sessions = 1;

    c2s_require_encryption = false
    lobby_muc = "lobby.www.wexstream.com"
    main_muc = "conference.www.wexstream.com"
    -- muc_lobby_whitelist = { "recorder.www.wexstream.com" } -- Here we can whitelist jibri to enter lobby enabled rooms

Component "conference.www.wexstream.com" "muc"
    restrict_room_creation = true
    storage = "memory"
    modules_enabled = {
        "muc_meeting_id";
        "muc_domain_mapper";
        "token_verification";
    }
    admins = { "focus@auth.www.wexstream.com" }
    muc_room_locking = false
    muc_room_default_public_jids = true

-- internal muc component
Component "internal.auth.www.wexstream.com" "muc"
    storage = "memory"
    modules_enabled = {
        "ping";
    }
    admins = { "focus@auth.www.wexstream.com", "jvb@auth.www.wexstream.com" }
    muc_room_locking = false
    muc_room_default_public_jids = true

VirtualHost "auth.www.wexstream.com"
    ssl = {
        key = "/etc/prosody/certs/auth.www.wexstream.com.key";
        certificate = "/etc/prosody/certs/auth.www.wexstream.com.crt";
    }
    modules_enabled = {
        "limits_exception";
    }
    authentication = "internal_hashed"

-- Proxy to jicofo's user JID, so that it doesn't have to register as a component.
Component "focus.www.wexstream.com" "client_proxy"
    target_address = "focus@auth.www.wexstream.com"

Component "speakerstats.www.wexstream.com" "speakerstats_component"
    muc_component = "conference.www.wexstream.com"

Component "conferenceduration.www.wexstream.com" "conference_duration_component"
    muc_component = "conference.www.wexstream.com"

Component "avmoderation.www.wexstream.com" "av_moderation_component"
    muc_component = "conference.www.wexstream.com"

Component "lobby.www.wexstream.com" "muc"
    storage = "memory"
    restrict_room_creation = true
    muc_room_locking = false
    muc_room_default_public_jids = true

Here is our turnserver.conf:

# jitsi-meet coturn config. Do not modify this line
use-auth-secret
keep-address-family
static-auth-secret=XXXX
realm=www.wexstream.com
cert=/etc/ssl/www.wexstream.com.bundle.crt
pkey=/etc/ssl/www.wexstream.com.key
no-multicast-peers
no-cli
no-loopback-peers
no-tcp-relay
no-tcp
listening-ip=0.0.0.0
external-ip=160.178.14.207
listening-port=3478
tls-listening-port=5349
no-tlsv1
no-tlsv1_1
# https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
cipher-list=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
# jitsi-meet coturn relay disable config. Do not modify this line
#denied-peer-ip=0.0.0.0-0.255.255.255
#denied-peer-ip=10.0.0.0-10.255.255.255
#denied-peer-ip=100.64.0.0-100.127.255.255
#denied-peer-ip=127.0.0.0-127.255.255.255
#denied-peer-ip=169.254.0.0-169.254.255.255
#denied-peer-ip=127.0.0.0-127.255.255.255
#denied-peer-ip=172.16.0.0-172.31.255.255
#denied-peer-ip=192.0.0.0-192.0.0.255
#denied-peer-ip=192.0.2.0-192.0.2.255
#denied-peer-ip=192.88.99.0-192.88.99.255
#denied-peer-ip=192.168.0.0-192.168.255.255
#denied-peer-ip=198.18.0.0-198.19.255.255
#denied-peer-ip=198.51.100.0-198.51.100.255
#denied-peer-ip=203.0.113.0-203.0.113.255
#denied-peer-ip=240.0.0.0-255.255.255.255
syslog

We update external-ip setting using a bash script running as a cron job since our public IP is dynamic.

Websockets are working fine, turn/stun server is working fine, and we’ve been monitoring jvb.log and jicofo.log but there are no errors and no warnings in there. We’ve been trying to solve this issue for weeks but no luck. We don’t know how to troubleshoot and fix this issue and we don’t know why jvb gives us very poor video quality. We think that this issue is maybe related to Jitsi configuration.

Can you please help us to troubleshoot and fix this issue?

Kind regards,

I have the same problem since the last jitsi update. Video and desktop sharing quality are very poor after the update. If I roll back to the previous state, everything is good again.

Please help.

Kind regards

We removed these lines from sip-communicator.properties:

org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=192.168.1.107
org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=160.178.14.207

and these lines from turnserver.conf:

listening-ip=192.168.1.107
external-ip=160.178.14.207/192.168.1.107

We noticed an improvement in video quality between two users, and we are now getting these logs in jvb.log:

JVB 2021-09-11 12:35:57.058 INFOS: [66] [confId=aea2e88d4c102075 gid=13403 stats_id=Felton-Lbe conf_name=613c937d6bd5865f3309d5c4@conference.www.wexstream.com ufrag=41vug1ffaa1c23 epId=73471200 local_ufrag=41vug1ffaa1c23] ConnectivityCheckClient.processTimeout#860: timeout for pair: 192.168.1.107:10000/udp/host -> 192.168.1.107:59490/udp/relay (stream-73471200.RTP), failing.
JVB 2021-09-11 12:35:57.289 INFOS: [66] [confId=aea2e88d4c102075 gid=13403 stats_id=Elmore-vmo conf_name=613c937d6bd5865f3309d5c4@conference.www.wexstream.com ufrag=dg7qh1ffaa1dsp epId=b3f90025 local_ufrag=dg7qh1ffaa1dsp] ConnectivityCheckClient.processTimeout#860: timeout for pair: 192.168.1.107:10000/udp/host -> 192.168.1.107:53009/udp/prflx (stream-b3f90025.RTP), failing.

192.168.1.107 is the local IP of our Jitsi server.

Port 10000/udp is open in the firewall and forwarded in our router.

Ports 49152:65535/udp are open in the firewall and forwarded in our router.

We also noticed that as soon as a third user joins the conference, video quality becomes poor, then video is lost.

Do you have websocket errors in your browser console?

No, we don’t have websocket errors in the browser console, but we are getting these warnings in jvb.log:

JVB 2021-09-11 12:32:02.153 WARNING: [64] [confId=aea2e88d4c102075 epId=73471200 gid=13403 stats_id=Felton-Lbe conf_name=613c937d6bd5865f3309d5c4@conference.www.wexstream.com] SendSideBandwidthEstimation.getRttMs#598: RTT suspiciously high (1280ms), capping to 1000ms.
JVB 2021-09-11 12:32:02.593 WARNING: [64] [confId=aea2e88d4c102075 epId=73471200 gid=13403 stats_id=Felton-Lbe conf_name=613c937d6bd5865f3309d5c4@conference.www.wexstream.com] SendSideBandwidthEstimation.getRttMs#598: RTT suspiciously high (1266ms), capping to 1000ms.
JVB 2021-09-11 12:32:03.012 WARNING: [65] [confId=aea2e88d4c102075 epId=73471200 gid=13403 stats_id=Felton-Lbe conf_name=613c937d6bd5865f3309d5c4@conference.www.wexstream.com] SendSideBandwidthEstimation.getRttMs#598: RTT suspiciously high (1282ms), capping to 1000ms.

You may try to remove any customizations you did. The default config works better in most cases.

This is disabling videobridge.

We rolled back to default config and installed the new update (jitsi 2.0.6293) but we are still experiencing poor video quality.

Below jvb.log:

JVB 2021-09-11 14:24:20.448 INFOS: [71] [confId=f911d79caadf8edc gid=27472 stats_id=Justen-TtV conf_name=613cad546bd5865f3309d9a9@conference.www.wexstream.com ufrag=stef1ffagarcf epId=d4b5bc20 local_ufrag=stef1ffagarcf] ConnectivityCheckClient.processTimeout#874: timeout for pair: 192.168.1.107:10000/udp/host -> 192.168.1.107:63077/udp/prflx (stream-d4b5bc20.RTP), failing.
JVB 2021-09-11 14:24:23.449 INFOS: [71] [confId=f911d79caadf8edc gid=27472 stats_id=Justen-TtV conf_name=613cad546bd5865f3309d9a9@conference.www.wexstream.com ufrag=stef1ffagarcf epId=d4b5bc20 local_ufrag=stef1ffagarcf] ConnectivityCheckClient.processTimeout#874: timeout for pair: 192.168.1.107:10000/udp/host -> 192.168.1.107:63077/udp/prflx (stream-d4b5bc20.RTP), failing.
JVB 2021-09-11 14:24:29.045 WARNING: [69] [confId=f911d79caadf8edc epId=a2f1a0db gid=27472 stats_id=Felton-Lbe conf_name=613cad546bd5865f3309d9a9@conference.www.wexstream.com] SendSideBandwidthEstimation.getRttMs#598: RTT suspiciously high (1169ms), capping to 1000ms.
JVB 2021-09-11 14:24:29.345 WARNING: [69] [confId=f911d79caadf8edc epId=a2f1a0db gid=27472 stats_id=Felton-Lbe conf_name=613cad546bd5865f3309d9a9@conference.www.wexstream.com] SendSideBandwidthEstimation.getRttMs#598: RTT suspiciously high (1177ms), capping to 1000ms.

Do we have to set these settings in sip-communicator.properties (we noticed that they are missing in default config)?

org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=192.168.1.107
org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=160.178.14.207

You need HARVESTER lines if there are internal participants who are in the same network with Jitsi. AFAIK you don’t need these lines anymore on the new installation.

Ok thanks. Do you know why jvb would give poor video quality?

This may be a client-side issue too. Check the same client on meet.jit.si.

Quality is excellent on meet.jit.si. We have almost the same config.js. The only difference is that we are behind a NAT and we have a dynamic public IP.

  • Can you share your jvb.conf?

  • Are you sure there is no websocket issue?

Here is jvb.conf:

videobridge {
    http-servers {
        public {
            port = 9090
        }
    }
    websockets {
        enabled = true
        domain = "www.wexstream.com:444"
        tls = true
    }
    cc {
        trust-bwe = false
    }
    health {
      interval = 86400000
    }
}

No, we didn’t see any websocket error in the browser console.

Try without trust-bwe.

We tried without trust-bwe. Now, video quality between two clients is very good. But as soon as a third client joins the conference, video quality becomes poor again and we noticed a lot of logs in jvb.log like these ones:

JVB 2021-09-11 19:28:28.689 INFOS: [68] [confId=d02877d6f092f25c epId=26f6bbf8 gid=29543 stats_id=Elmore-vmo conf_name=613cf4246bd5865f3309dbfb@conference.www.wexstream.com] BandwidthAllocator.allocate#329: Endpoints were suspended due to insufficient bandwidth (bwe=30000 bps): 5ca5a077,f513be37
JVB 2021-09-11 19:28:29.129 INFOS: [67] [confId=d02877d6f092f25c epId=5ca5a077 gid=29543 stats_id=Justen-TtV conf_name=613cf4246bd5865f3309dbfb@conference.www.wexstream.com] BandwidthAllocator.allocate#329: Endpoints were suspended due to insufficient bandwidth (bwe=30000 bps): f513be37
JVB 2021-09-11 19:28:30.027 INFOS: [68] [confId=d02877d6f092f25c epId=26f6bbf8 gid=29543 stats_id=Elmore-vmo conf_name=613cf4246bd5865f3309dbfb@conference.www.wexstream.com] BandwidthAllocator.allocate#329: Endpoints were suspended due to insufficient bandwidth (bwe=149627 bps): f513be37

Then there may be a bandwidth issue between the client and the server.

We made a test with 4 clients all connected through WiFi. Video quality is very good now. But as soon as a fifth client joins the meeting, we get “Video is turned off to save bandwidth” and the following logs:

JVB 2021-09-11 19:52:24.346 INFOS: [232] [confId=e139abd354421413 gid=8729 stats_id=Layne-iOx conf_name=613cf81e6bd5865f3309dc86@conference.www.wexstream.com ufrag=7ebj61ffb30o5b epId=5c960100 local_ufrag=7ebj61ffb30o5b] ConnectivityCheckClient.processTimeout#874: timeout for pair: 192.168.1.107:10000/udp/host -> 192.168.1.101:35390/udp/prflx (stream-5c960100.RTP), failing.
JVB 2021-09-11 19:52:26.462 INFOS: [68] [confId=e139abd354421413 epId=2594068c gid=8729 stats_id=Justen-TtV conf_name=613cf81e6bd5865f3309dc86@conference.www.wexstream.com] BandwidthAllocator.allocate#329: Endpoints were suspended due to insufficient bandwidth (bwe=55222 bps): 6bd5c2c1,9055d3d1,e06af3ff
JVB 2021-09-11 19:52:26.481 INFOS: [68] [confId=e139abd354421413 epId=e06af3ff gid=8729 stats_id=Felton-Lbe conf_name=613cf81e6bd5865f3309dc86@conference.www.wexstream.com] BandwidthAllocator.allocate#329: Endpoints were suspended due to insufficient bandwidth (bwe=154154 bps): 2594068c,9055d3d1
JVB 2021-09-11 19:52:26.546 INFOS: [68] [confId=e139abd354421413 epId=6bd5c2c1 gid=8729 stats_id=Elmore-vmo conf_name=613cf81e6bd5865f3309dc86@conference.www.wexstream.com] BandwidthAllocator.allocate#329: Endpoints were suspended due to insufficient bandwidth (bwe=97711 bps): 2594068c,9055d3d1,e06af3ff

We also made a test with 2 clients connected through mobile data. Video quality is good now but as soon as a third client joins the meeting we get poor video quality and these logs:

JVB 2021-09-11 19:28:28.689 INFOS: [68] [confId=d02877d6f092f25c epId=26f6bbf8 gid=29543 stats_id=Elmore-vmo conf_name=613cf4246bd5865f3309dbfb@conference.www.wexstream.com] BandwidthAllocator.allocate#329: Endpoints were suspended due to insufficient bandwidth (bwe=30000 bps): 5ca5a077,f513be37
JVB 2021-09-11 19:28:29.129 INFOS: [67] [confId=d02877d6f092f25c epId=5ca5a077 gid=29543 stats_id=Justen-TtV conf_name=613cf4246bd5865f3309dbfb@conference.www.wexstream.com] BandwidthAllocator.allocate#329: Endpoints were suspended due to insufficient bandwidth (bwe=30000 bps): f513be37
JVB 2021-09-11 19:28:30.027 INFOS: [68] [confId=d02877d6f092f25c epId=26f6bbf8 gid=29543 stats_id=Elmore-vmo conf_name=613cf4246bd5865f3309dbfb@conference.www.wexstream.com] BandwidthAllocator.allocate#329: Endpoints were suspended due to insufficient bandwidth (bwe=149627 bps): f513be37

How can we solve these issues please?
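An added example, not part of the original posts and not Jitsi project code: a Python script that groups the three kinds of jvb.log lines quoted in this thread (bandwidth suspensions, high-RTT warnings, ICE pair timeouts) by the epId in each line's log context, so the affected endpoints stand out. The function names are made up for this example, and the sample lines are copied from the excerpts posted above.

```python
import re
from collections import defaultdict

# Lines copied from the jvb.log excerpts posted in this thread.
SAMPLE_LOG = """\
JVB 2021-09-11 19:52:24.346 INFOS: [232] [confId=e139abd354421413 gid=8729 stats_id=Layne-iOx conf_name=613cf81e6bd5865f3309dc86@conference.www.wexstream.com ufrag=7ebj61ffb30o5b epId=5c960100 local_ufrag=7ebj61ffb30o5b] ConnectivityCheckClient.processTimeout#874: timeout for pair: 192.168.1.107:10000/udp/host -> 192.168.1.101:35390/udp/prflx (stream-5c960100.RTP), failing.
JVB 2021-09-11 19:52:26.462 INFOS: [68] [confId=e139abd354421413 epId=2594068c gid=8729 stats_id=Justen-TtV conf_name=613cf81e6bd5865f3309dc86@conference.www.wexstream.com] BandwidthAllocator.allocate#329: Endpoints were suspended due to insufficient bandwidth (bwe=55222 bps): 6bd5c2c1,9055d3d1,e06af3ff
JVB 2021-09-11 19:52:26.481 INFOS: [68] [confId=e139abd354421413 epId=e06af3ff gid=8729 stats_id=Felton-Lbe conf_name=613cf81e6bd5865f3309dc86@conference.www.wexstream.com] BandwidthAllocator.allocate#329: Endpoints were suspended due to insufficient bandwidth (bwe=154154 bps): 2594068c,9055d3d1
JVB 2021-09-11 14:24:29.045 WARNING: [69] [confId=f911d79caadf8edc epId=a2f1a0db gid=27472 stats_id=Felton-Lbe conf_name=613cad546bd5865f3309d9a9@conference.www.wexstream.com] SendSideBandwidthEstimation.getRttMs#598: RTT suspiciously high (1169ms), capping to 1000ms.
JVB 2021-09-11 14:24:29.345 WARNING: [69] [confId=f911d79caadf8edc epId=a2f1a0db gid=27472 stats_id=Felton-Lbe conf_name=613cad546bd5865f3309d9a9@conference.www.wexstream.com] SendSideBandwidthEstimation.getRttMs#598: RTT suspiciously high (1177ms), capping to 1000ms.
"""

# Patterns match the message text only, so a localized level name ("INFOS") is irrelevant.
EP_ID = re.compile(r"\bepId=([0-9a-f]+)")
BWE = re.compile(r"insufficient bandwidth \(bwe=(\d+) bps\): ([0-9a-f,]+)")
RTT = re.compile(r"RTT suspiciously high \((\d+)ms\)")
PAIR = re.compile(r"timeout for pair: (\S+) -> (\S+)")


def summarize(log_text):
    """Group bandwidth, RTT and ICE-timeout lines by the epId in the log context."""
    stats = defaultdict(lambda: {"bwe_bps": [], "suspended": set(),
                                 "rtt_ms": [], "failed_pairs": []})
    for line in log_text.splitlines():
        ep = EP_ID.search(line)
        if ep is None:
            continue  # not an endpoint-scoped line
        entry = stats[ep.group(1)]
        if m := BWE.search(line):
            entry["bwe_bps"].append(int(m.group(1)))
            entry["suspended"].update(m.group(2).split(","))
        elif m := RTT.search(line):
            entry["rtt_ms"].append(int(m.group(1)))
        elif m := PAIR.search(line):
            entry["failed_pairs"].append((m.group(1), m.group(2)))
    return dict(stats)


def report(stats):
    """One line per endpoint: lowest estimate, worst RTT, failed ICE pairs."""
    out = []
    for ep, s in sorted(stats.items()):
        bwe = f"{min(s['bwe_bps'])} bps" if s["bwe_bps"] else "n/a"
        rtt = f"{max(s['rtt_ms'])} ms" if s["rtt_ms"] else "n/a"
        out.append(f"{ep}: min bwe {bwe}, {len(s['suspended'])} endpoints suspended, "
                   f"max RTT {rtt}, {len(s['failed_pairs'])} ICE pairs timed out")
    return out


if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE_LOG))))
```

To run it on a full log, pass the file contents to `summarize()` in place of `SAMPLE_LOG`.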

What’s your server bandwidth?

Here are the results of speedtest-cli:

Download: 8.02 Mbit/s
Upload: 0.97 Mbit/s

Which corresponds to:

Download: 802 KB/s
Upload: 97 KB/s