
Running your own secure communication service with Matrix and Jitsi - jrepinc
https://matrix.org/blog/2020/04/06/running-your-own-secure-communication-service-with-matrix-and-jitsi
======
smartbit
Extinction Rebellion switched to Jitsi, Matrix etc. From the slide at t=2078:

    
    
                      *.organise.earth
                     *.rebellion.global
    
                          OWN3D           OWNED (self hosted)
                          
      Team Chat           Slack           Mattermost (Team Edition)
      Cloud Storage       Google Drive    Nextcloud (2 instances)
      Collaborative docs  Google docs     Only Office Etherpad-Lite
      Surveys             Google Forms    LimeSurvey
      Video Conferencing  Zoom            Jitsi-Meet
      Webmail             Gmail, etc      Rainloop (Postfix, Dovecot)
      Collaborative Dev   Github          gitlab
      Mailinglist manager Mail Chimp      Mailtrain
      Actions/Operations  WhatsApp, Skype Signal, Wire
      Social              Twitter         Mastodon
      Video               Youtube         Peertube
      Site                                Jekyll
      Admin Gender        Bros            Any
    

[https://media.ccc.de/v/36c3-11008-server_infrastructure_for_...](https://media.ccc.de/v/36c3-11008-server_infrastructure_for_global_rebellion#t=2078)

> _In this talk Julian will outline his work as sysadmin, systems and security
> architect for the climate and environmental defense movement Extinction
> Rebellion. Responsible for 30 server deployments in 11 months, including a
> community hub spanning dozens of national teams (some of which operate in
> extremely hostile conditions), he will show why community-owned free and
> open source infrastructure is mission-critical for the growth, success and
> safety of global civil disobedience movements._

~~~
sneak
I am on board with this stack 100% and have been recommending Mattermost
myself. Imagine my disappointment when I found out that Mattermost, even the
self-hosted one, is spyware.

They call it "Diagnostics" to hide its true purpose, but really it's
phone-home. Silently and with _no_ notification, on f/oss self-hosted software;
it's really a letdown.

To disable it, you must use the following entirely undocumented environment
variables:

    
    
        MM_LOGSETTINGS_ENABLEDIAGNOSTICS=false
        MM_SERVICESETTINGS_ENABLESECURITYFIXALERT=false
    

I go the further step of using a small Dockerfile that contains the following
to patch the binary itself:

    
    
        FROM mattermost/mattermost-team-edition:latest
        # Rewrite the phone-home hostnames inside the binary to dummy example.com
        # names (keep each replacement the same length as the original string so
        # the binary's string layout is not disturbed).
        RUN sed -i 's#api.segment.io#xx.example.com#gI' /mattermost/bin/mattermost
        RUN sed -i 's#securityupdatecheck.mattermost.com#xxxxxxxxxxxxxxxxxxxxxx.example.com#gI' /mattermost/bin/mattermost

~~~
Arathorn
You might want to consider Matrix, where admittedly we do have phone-home
stats, but you have to explicitly opt in to them during installation if you
want to participate.
([https://youtu.be/dDddKmdLEdg?t=605](https://youtu.be/dDddKmdLEdg?t=605) in
the video in the original post here)

~~~
giggles_giggles
If you use the Matrix identity server, which is required to have federation,
the 3rd party identity server operated by the Matrix organization retains a
list of your usernames. They don't tell you up front about this, either, and I
think silently leaking a username list is pretty bad. You have to really pay
attention during setup to realize that the federation technology relies on a
bastion operated by matrix.org.

The identity server is optional and you can use your own, but you will lose
the federation that Matrix is so proud of, and the instructions to set up the
reference home server don't make it clear that this is necessary in order to
avoid a leak of your users' identities.

[https://vector.im/identity-server-privacy-notice](https://vector.im/identity-server-privacy-notice)

~~~
Arathorn
Fwiw, this is pretty much entirely untrue.

> Matrix identity server, which is required to have federation,

The identity server is _not_ required to have federation to work. All it
does is let you _optionally_ discover users on Matrix by their email address
or phone number.

> 3rd party identity server operated by the Matrix organization retains a list
> of your usernames.

Not sure what this means, but the identity service does not retain a "list of
your usernames". All it does is keep track of email->matrix ID mappings for
users who have published them. When you look up an email address (or phone
number), a hashed representation is sent to the service, and even then,
they're not retained.

> They don't tell you up front about this

We do; to use the identity service you have to click through a very explicit
GDPR terms of use which explains precisely how it works. You only get prompted
with this when you actually use the identity service though (i.e. when
inviting someone by email address) which might be why you've never seen it,
however.

> You have to really pay attention during setup to realize that the federation
> technology relies on a bastion operated by matrix.org.

Again, Matrix federation does not depend on identity servers (and I kinda wish
we'd never even implemented the feature, given how confused and upset people
get about them).

[https://matrix.org/blog/2019/09/27/privacy-improvements-in-s...](https://matrix.org/blog/2019/09/27/privacy-improvements-in-synapse-1-4-and-riot-1-4)
goes into this all in much more detail.

~~~
giggles_giggles
I'm sorry if I was unclear, but

> All it does is keep track of email->matrix ID mappings for users who have
> published them

This is what I mean by "it leaks the userlist." Matrix (the organization)
stores the email addresses of my users, along with some mapping that could
allow Matrix the organization to correlate email addresses with my server. To
me, as a server operator, this is a deal-breaker, even if it was just email
addresses with no mapping. I see this as a privacy violation against my users
who trust me to hold their information privately and securely. My
understanding is that you cannot join another Matrix homeserver server with an
identity established on a homeserver disconnected from the vector.im identity
server, which effectively forces the homeserver operator to use the vector.im
centralized identity server if you want, as an end user, to actually take
advantage of federation. I do not know how a user is supposed to take their
login from one homeserver to log into another one if the first homeserver is
not connected to vector.im.

Please correct me if the above is wrong.

Additionally, when I set up Synapse I was not presented with any kind of GDPR
info, and it wouldn't make sense that I would be, because the GDPR is for end
users, not site operators. Maybe this is presented to new users who connect to
the public reference Synapse instance using Riot.im or something, but I'm not
talking about this issue from the perspective of an end user, I'm talking
about it from the perspective of a homeserver operator. I got about halfway
through the homeserver setup before I realized that vector.im was necessary
for identity lookup and I realized it only by carefully following the docs.
This was long before the 9/27/2019 blog post was published, so I guess maybe
this has been addressed somewhat. I have been following Matrix now for the
better part of a decade.

If federation is possible without identity mapping done on a central server,
then I too wish that identity mapping was never implemented.

~~~
Arathorn
> Please correct me if the above is wrong.

Yup, this is still wrong, sorry.

> My understanding is that you cannot join another Matrix homeserver server
> with an identity established on a homeserver disconnected from the vector.im
> identity server

This is not true. The identity server is an _optional_ feature, which users
can use if they want to try to discover a user's matrix ID based on their
email address. Matrix itself operates using matrix IDs to federate and
establish conversations.

A good analogy is using LDAP as an address book in an email client. LDAP
addressbook lookups are very clearly optional, not relevant to all people, and
don't stop email itself working.

> Additionally, when I set up Synapse I was not presented with any kind of
> GDPR info, and it wouldn't make sense that I would be, because the GDPR is
> for end users, not site operators.

Because the identity server is an optional feature for _users_ (just like a
_user_, not a sysadmin, would configure LDAP lookups in Thunderbird), the
GDPR terms of use are shown to users if they try to use an identity server to
make sure they understand what they're doing.

~~~
giggles_giggles
Well then I'm glad that the blog post linked above was written, because
obviously this situation was confusing when I set up Synapse a couple years
back. I might not be a genius but I'm not stupid, either, and I'm obsessed
with chat systems (I trialed every available self-hostable chat server at the
time), so I guarantee if this confused me, it confused plenty of perfectly
intelligent individuals.

I hope the team has clarified this in the documentation.

------
solinent
Here are some text instructions:
[https://github.com/jitsi/jitsi-meet/blob/master/doc/manual-i...](https://github.com/jitsi/jitsi-meet/blob/master/doc/manual-install.md)

Instead of generating the certs with prosody (there was some issue since my
system uses p11-kit), I found it easier to just generate them all with
certbot. update-ca-trust doesn't seem to correctly add them to the Java
keystore and then you'll encounter problems. Certbot does. If you're on a
debian based distro you shouldn't have to worry, however.

All you really have to do is copy/paste configs and then also change the url
in the config.

Here's the process for adding the certs using p11-kit:
[https://github.com/jitsi/jitsi-meet/issues/2842#issuecomment...](https://github.com/jitsi/jitsi-meet/issues/2842#issuecomment-385284622)
and the comment below.

------
mgbmtl
Any suggestions on simple auth methods to avoid running an open Jitsi server?

Last time I tested it, it seemed to be very open by default, letting anyone
create meetings. I got lost when digging deeper.

If I install-and-forget, I want to avoid situations where strangers are using
my Jitsi server and overloading the system, or pretending to be our company.
Last I checked, it was not possible to have simple auth, or monitor/list
calls.

I also run an Asterisk VoIP server with a WebRTC bridge (because most Linux
SIP clients have terrible usability). That can make one pretty paranoid :)

~~~
plett
Yes, I installed Jitsi Meet over the weekend and enabled auth so you need
credentials to start a new conference, but anyone with the link (and
optionally password too) can join unauthenticated.

I followed these instructions to add the auth:
[https://github.com/jitsi/jicofo#secure-domain](https://github.com/jitsi/jicofo#secure-domain)

------
ThinkingGuy
I think I may have found a typo in the instructions. Under the section for
setting up the Matrix .well-known info, shouldn't the line:

    
    
      cat '{ "m.server": "matrix.dangerousdemos.net:443" }' > server

be echo '{ "m.server": "matrix.dangerousdemos.net:443" }' > server instead?

~~~
Arathorn
oops, my bad - thanks!
[https://github.com/matrix-org/matrix.org/commit/42e8a90932ae...](https://github.com/matrix-org/matrix.org/commit/42e8a90932ae8f455221dea652e18ecd19b1692d).
CI will pick up the fix in a few minutes.

~~~
KingFelix
I'm following the instructions and getting all 404 pages after I install
Synapse. Nginx and SSL are all good; am I missing something?

I assume it's my server block, but I have made many changes / adjustments and
I'm still getting a 404 on all my pages??

~~~
Arathorn
you might have forgotten to set the proxy_pass on the synapse vhost, or create
directories for the riot vhost?

~~~
KingFelix
I followed the video on the link and finally sorted it all out. I was doing a
few things wrong!

------
deepersprout
Does someone have experience running Jitsi with 4+ users? Like in conferences
with maybe up to 12 people? Can it handle it?

~~~
Arathorn
We regularly run it with 40-50 users, and it's fine... as long as you limit
the number of displayed video streams to 12-15 or fewer. This tends to happen
organically with people muting video, or otherwise you can configure Jitsi to
limit it to show video for the last 12 people who spoke.

Otherwise you risk overloading people on devices which can't render >12
simultaneous video streams without melting. You can push the limit higher if
you know everyone is on a fast machine however.

One thing worth noting is that if one or more users connect via Firefox then
quality degrades for everyone - but fixes for this look to be in flight over
at [https://github.com/jitsi/jitsi-meet/issues/4758](https://github.com/jitsi/jitsi-meet/issues/4758)

~~~
gnufx
What server resources do you need for those 40-50 users with Jitsi/Matrix? I
haven't seen estimates of required resources when I've looked, but I assume
there's some doc somewhere. (Thanks for the good work.)

~~~
Arathorn
Roughly speaking we're seeing Jitsi serve around 1000 concurrent streams (i.e.
25x 50-user conferences) on a typical 4 core box with 8GB of RAM. However,
it's worth noting that Jitsi is pretty low resource - all it's doing is
forwarding streams of data around the place. All the heavy lifting is done by
the clients when displaying all the concurrent videos, so it's the clients
which tend to be the bottleneck.

------
AnonC
Tangentially, I wanted to run Jitsi Meet for some meetings and created an
account on Digital Ocean, only for the account to be promptly locked with no
access to a human for support...just automated replies rehashing the same text
again and again for tickets saying that I could provide more information if I
believed that was in error (with no responses after providing additional
information). Now I'm looking at trying Linode. Any other provider
recommendations are welcome.

~~~
phaer
I am using a hetzner.cloud box for €5.88/month for a personal Jitsi instance
without problems. Their servers are in Europe though, so if you are somewhere
else on the globe, it might be a better idea to look for a provider which is
geographically closer to you.

~~~
martin_a
Thinking about doing the same. Any experience with how much load those cloud
instances can take?

~~~
phaer
Depends on the instance I guess, but a few dozen users on a cx21 seem to be no
trouble at all. As someone else already mentioned in this thread, Jitsi does
no transcoding server-side and is pretty low on resources.

~~~
martin_a
Thanks for the feedback. Estimating resource use for these kinds of service
seems to be really hard.

Thought about running it semi-public for my hometown/area to support
businesses, but how many of the 350k people will join? Or be concurrent users?

Quite a few question marks for me...

~~~
toomuchtodo
Start small. Failure is cheap. Worst case, you seek out local sponsors for a
dedicated server in donated colo somewhere nearby. Even if it doesn’t take
off, you’ll have learned from the experience.

~~~
phaer
That's a good suggestion as well. If the plan is to run this instance as a
non-profit for local users, it might also be possible to ask local ISPs to
sponsor a box. That could help keeping traffic local and latencies low.

------
xrd
What does matrix add to jitsi? Jitsi is already easy to run over https. Does
this make it so you can't randomly enter rooms if you know the name and there
is no password set?

~~~
Arathorn
Matrix adds featureful decentralised e2e-encrypted chat alongside the
voice/video conferencing, and makes it possible to coordinate the location of
a given conference for a given room. It doesn't impose additional auth
currently to the conferences (but it could). It also maintains your
displaynames & avatars for you inside the Jitsi :)

~~~
Teever
Are the e2e-encrypted chats enabled by default?

------
chme
What would the hardware requirements for such a stack be?

Last I read was that synapse requires a lot to memory and I guess that
managing audio/video streams will be cpu intensive.

~~~
fleetside72
I have an old R710 with 24 cores and 32GB I got on ebay for $200 in my dining
room with 10mbits upload/100 download and it works great. Bought my .me domain
for $5. It's a wonderful time to be alive.

~~~
SaltySolomon
For how many users?

~~~
spockz
I’ve run 10-12 users with video and desktop screen sharing on a 6 core azure
vm with between 20-30% cpu load with spikes to 46%. It also depends a bit on
the adaptive bit rate. Image quality of FaceTime is higher than Jitsi.

------
JoeAltmaier
I hope those things are much better than they used to be. Last I looked, they
were a bunch of APIs glued together to look like a media server. No hard
features; no guarantees. Almost a mockup of what a media switching server
should look like on the outside; nothing inside.

------
pmlnr
> The installer magically detects you have nginx installed and adds in an
> appropriate vhost!

Yes, because those of us who run their own vidconf setup want automagically
mangled nginx configs.

Other than that, thank you for the guide.

~~~
fleetside72
...I kinda thought it was neet-o

~~~
warrenm
Like a Dorito!

------
sschueller
I operate a matrix server but I recently found Jami which supposedly is p2p
encrypted. Does anyone use it? Downsides?

[https://jami.net/](https://jami.net/)

~~~
t0astbread
I tried it a while ago and message delivery took minutes between me and a
friend. It also won't do well on Android versions that kill background tasks
and effectively force you to use Firebase Cloud Messaging for push (although
you can't really blame it for that).

------
teekert
So, what are the lines I need to add to my docker-compose.yaml ;)

~~~
Arathorn
This was deliberately the Debian package flavoured installation. We'll
probably do a Docker one too (which will likely be a lot faster, but also a
lot more mysterious as to what's actually going on :)

~~~
johnchristopher
It'd be really cool if you could also add how to setup federation :).

edit: for docker with synapse living on subdomain.domain.tld and addresses
like @user:domain.tld, I don't know ^^.

~~~
lub
What you want is named delegation and there is a document about it in the
synapse repository:

[https://github.com/matrix-org/synapse/blob/master/docs/deleg...](https://github.com/matrix-org/synapse/blob/master/docs/delegate.md)

Just in case you weren't already aware of it :)
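As an added example (not from the matrix.org guide, the Synapse delegate.md document, or any commenter here), the POSIX shell functions below do the two things the delegation thread above and the earlier echo-vs-cat typo thread both turn on: write the `.well-known/matrix/server` file with echo, and check that what will be served has the `host[:port]` shape a federating peer expects. The webroot path and hostnames are placeholders.

```shell
# Added example, not from the matrix.org guide or the Synapse delegate.md doc.
# Writes and checks the .well-known/matrix/server file used for server-name
# delegation (user IDs stay @user:domain.tld while Synapse lives on another
# host). Paths and hostnames below are placeholders.

# write_matrix_server_wellknown WEBROOT TARGET
# Create WEBROOT/.well-known/matrix/server holding {"m.server": "TARGET"}.
# TARGET is the host[:port] that federation peers should actually connect to.
write_matrix_server_wellknown() {
    webroot="$1"
    target="$2"
    mkdir -p "$webroot/.well-known/matrix"
    # echo, not cat: cat would treat the JSON string as a filename to read.
    echo "{ \"m.server\": \"$target\" }" > "$webroot/.well-known/matrix/server"
}

# read_matrix_server_wellknown FILE
# Print the m.server value found in FILE; print nothing if the key is absent.
read_matrix_server_wellknown() {
    sed -n 's/.*"m\.server"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# check_matrix_server_wellknown FILE
# Succeed only if FILE exists and its m.server value looks like host[:port],
# which is the only form the delegation response may carry (no scheme, no path).
check_matrix_server_wellknown() {
    [ -f "$1" ] || return 1
    value=$(read_matrix_server_wellknown "$1")
    [ -n "$value" ] || return 1
    printf '%s\n' "$value" | grep -Eq '^[A-Za-z0-9.-]+(:[0-9]{1,5})?$'
}

# Usage (placeholder values): if https://domain.tld serves /var/www/html, then
# https://domain.tld/.well-known/matrix/server points peers at the real host.
#   write_matrix_server_wellknown /var/www/html matrix.domain.tld:443
#   check_matrix_server_wellknown /var/www/html/.well-known/matrix/server && echo ok
```

The check is deliberately strict: a value with a scheme or a trailing path (for example a full `https://...` URL) is rejected, since peers resolve the value as a bare hostname plus optional port.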

------
Uehreka
Has anyone done a recent comparison of Jitsi and Janus? The only benchmark I
can find is from 2018 and seemed a bit shallow. I’d be interested in seeing
which one could deliver the best performance while running on a really cheap
EC2 box. My guess would be Janus, since it’s C and Jitsi is Java, but maybe
Jitsi has something about its architecture that gives it an edge.

------
shmerl
Why is Jitsi needed exactly, or it's handling server side video multiplexing?
Matrix itself doesn't support it?

------
daagma
Hi guys and thanks for this tutorial. As I'm new to docker and synapse, I
would like to set up the same thing using docker but I'm not finding a clean
step by step tutorial on how to do this.

My goal is to set it up in a way I could use docker swarm in future. Any
advice or links? thanks in advance

------
illuminated
I have had a matrix instance on one of my servers running but integrating
Jitsi was a real pain. And even when the integration is done correctly the
user experience of using it within Matrix is at least weird. It appears as an
"attachment" in the conversation and is very non-intuitive for everyone.

~~~
xf86alsa
Jitsi is much easier to add in the latest Riot-web version. No longer do you
need to set up your own integration manager. You just add the jitsi URL to
Riot's config.json and you're done.

------
joshuaellinger
I just set up my own Jitsi server at Digital Ocean. It was easy and it works
well.

My only tip is that you really have to get the DNS name right. There is no
easy way to change it post install. I had a typo on the first pass.

Next step is securing the launch screen. Since it sits behind NGINX, do the
configuration there.

------
KaoruAoiShiho
Can Jitsi be used as a streaming server?

A small number of people in a call, 3-5, streaming to thousands. Live podcasts
etc?

~~~
neilalexander
There is a document on how to live-stream to YouTube:
[https://jitsi.org/live-streaming-and-recording-a-jitsi-confe...](https://jitsi.org/live-streaming-and-recording-a-jitsi-conference/)

~~~
KaoruAoiShiho
Okay so jitsi can't be the "youtube" itself?

~~~
tsukurimashou
youtube and other streaming platforms use a lot of servers to handle the load,
so no jitsi can't be youtube itself unless you have a beast of a connection
and even then you'd cap your connection after a hundred users. CDNs like
cloudflare do the same but for websites.

~~~
KaoruAoiShiho
I already have a lot of servers. I was asking if jitsi is server side software
that can handle the encoding / delivery to users. The answer is no. Jitsi is
apparently completely unscalable.

~~~
kitd
_Jitsi is apparently completely unscalable._

Is this intended as a criticism? You wanted it to do a job it was never
designed to do.

~~~
KaoruAoiShiho
It's not a criticism, just a clarification on what its job is.

------
j45
For self hosting .. is there some sort of a guide available that helps
understand the resourcing needs relative to concurrent active users?

I'd like to hop on this, and think it will work great, but would like to make
sure there's a way to right size a particular installation.

~~~
tsukurimashou
see comment below
[https://news.ycombinator.com/item?id=22804464](https://news.ycombinator.com/item?id=22804464)
and other comments talk about it too

------
diafygi
Is there a way to integrate a phone call-in number to Jitsi? Maybe via Twilio
or something?

~~~
ThinkingGuy
I haven't tried it myself but according to the FAQ:

"Jitsi offers a telephony interface that allows users to dial into a
conference or for placing dial-out reminder calls. You can try this for free
on meet.jit.si. Self-installed Jitsi Meet deployments will need to setup and
configure Jigasi with a SIP provider to connect to the phone network. "

[https://jitsi.org/user-faq/](https://jitsi.org/user-faq/)

------
drcross
Can anyone comment on if this will run successfully on a raspberry pi 3 for a
small number of users (<10)?

~~~
neiljohnson
Many people do just that, but it really depends on what you use it for.

Synapse resource usage is dependent on the complexity of the rooms that it
participates in, not the number of users.

So if you intend to use it just to talk to a few friends, you'll have no
problems at all. If you want to join rooms with 1000s of other servers
participating then it will be hungrier.

------
3fe9a03ccd14ca5
It’s still a ways to go for non technical users. We tried Jitsi to mixed
success. Some people had it work flawless the first time, others had to switch
browsers, still others couldn’t use it at all, probably because of some
privacy or cookie blocking extension.

Open source software needs to be as easy to use and configure as the
alternative if they really hope to gain wide adoption.

~~~
shostack
Are there any good guides on self-hosting this for private family group chats
on a home machine or something similar?

~~~
gmixer
I've done this recently - follow the vultr guide
[https://www.vultr.com/docs/how-to-install-jitsi-meet-on-ubun...](https://www.vultr.com/docs/how-to-install-jitsi-meet-on-ubuntu-18-04-lts)
then the jitsi docs to secure your meetings as required
[https://github.com/jitsi/jicofo#secure-domain](https://github.com/jitsi/jicofo#secure-domain).
Then you can use basic Auth in nginx
[https://docs.nginx.com/nginx/admin-guide/security-controls/c...](https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/)
to secure the site.

------
lousken
is there any way to transfer e2e chats from matrix.org homeserver account to
my own server?

~~~
MayeulC
Just join the chats from your server, they will exist on both matrix.org and
your server. Then you may leave with your old matrix.org account.

As for history, you could just import your key backup, if the room history is
set to visible. Truly decentralized accounts will likely come at a later
point, especially with all the work surrounding p2p matrix, where each p2p
client is a server.

~~~
lousken
I've tested this with a couple of test accounts. By default the e2e rooms
history are set like this:

Who can read history?

Members only (since the point in time of selecting this option)

but this option doesn't seem to work for me. The history didn't synchronize
when i added my own homeserver account and verified it with other accounts -
do i need to import the keys from the old account first for it to show up or
am i misunderstanding how this option works?

~~~
xf86alsa
As of recent Riot/web versions old messages that can't be decrypted in rooms
will not be shown (saves the user from being blasted with Unable to Decrypt
errors).

So the messages are likely there, but you won't see them until you import your
e2e keys.

~~~
lousken
Some messages got reordered but other than that it works! Thank you

------
villgax
Jitsi despite its frequent re-occurrence here is a nightmare to configure with
so many bells & whistles to setup just one basic functionality. Try setting it
up with word-to-word instructions for setup & later SSL certs to work on your
own iOS app of Jitsi meet without ripping your hair out.

~~~
oxidising
This hasn't been my experience at all. Setting it up on a VM using their
installation instructions
([https://github.com/jitsi/jitsi-meet/blob/master/doc/quick-in...](https://github.com/jitsi/jitsi-meet/blob/master/doc/quick-install.md))
was very easy.

~~~
xrd
Super easy for me. I followed the instructions to setup on Ubuntu and it was
ten minutes with zero confusion. Just copy the steps from the guide. Even the
let's encrypt script installed certbot and configured whatever was needed with
the existing web server.

Then I just hit the url and it worked perfectly.

The biggest surprise was when I tried to access that same page from an Android
phone. It prompted me to install the jitsi app. After I installed it, it
directed me to my jitsi server.

For me it was flawless and even better than I expected. It's a strong
competitor to zoom because of the fact that it works right inside the browser
really well.

~~~
villgax
Android isn't the problem, I mentioned iOS. I know WebRTC works and all
starting iOS 11, but the problem remains with the way Jitsi configures SSL in
the nginx conf. iOS Safari is simply unable to establish a secure connection
despite the server having a valid Let's Encrypt cert.

~~~
saghul
Hey there, saghul from Jitsi here. Have you reported that to us? I have
deployed several self-hosted instances with Let's Encrypt and haven't seen
this, but there might be a bug lurking somewhere.

~~~
leesalminen
There was a version of nginx that broke TLS for Safari when HTTP/2 is enabled.
This was a number of years ago now and I’m sure isn’t happening on new
versions.

~~~
villgax
[https://github.com/jitsi/jitsi-meet/issues/5649](https://github.com/jitsi/jitsi-meet/issues/5649)

------
eof
any recommendations on a sufficient instance size for 4-5 people to use it
for comms?

~~~
d_runs_far
I've been running it on a 4 core, 8GB ram droplet at DigitalOcean with no
problems. We typically have 3-6 people in multiple sessions at the same time.
In the test install, I did it with a $10 droplet, and it stuttered with 30
people in one conference, but didn't drop anyone.

------
macawfish
There's also rocket chat! I love matrix, don't get me wrong...

------
daagma
h

