Audio and Video chat setup
Code With Me uses Jitsi as a main framework for audio/video group calls. Jitsi is an open source solution, and seems to be an industry standard for those who seek such a framework. It is actively developed and improved by the community and used by various large corporations.
The Jitsi client has a web-based user interface, so its UI is integrated with JCEF technology. It is not anticipated that Code With Me users will require video so often - it’s more likely one would need to just have a voice communication during a session, so call management is wrapped with simple toolbar actions.
Server side is more interesting. Jitsi needs to create a virtual call room - this part of logic perfectly aligns with the Code With Me lobby server which generates a link. However, lobby-server has nothing to do with Jitsi services, instead it gets the username, generates the room’s name, determines the geo-region for a video bridge service, signs it with a private key and sends this back to the host. Received data can now be used from the host’s machine to enter the Jitsi’s virtual room.
Prosody, Jicofo and Web Frontend form the “Core” package, while Videobridge is a standalone scalable unit.
Free public Jitsi
You can use https://meet.jit.si. It's free, but it has some limitations. There are no guarantees that all Code With Me features will work with this type of distribution as well as there will be no guarantees that your meetings are safe because they are not protected by security JWT token.
Enable free public Jitsi
On-premise Audio/Video calls
Jitsi backend is represented with four main components:
Prosody: xmpp server for communication between components and clients
Jicofo: component for conference management
Web frontend: which serves Jitsi client web application and allows clients to communicate to prosody and other components
Videobridge: component which represents scalable and performant SFU implementation
Self-hosted Jitsi instance
Jitsi can be hosted in one of the following ways:
- Everything hosted on a single machine: you can use Jitsi Quick Setup
Some AWS hints and stats can be found here.
Single "Core" package + multiple Videobridges
- Multiple "Core" packages + Videobridges
This setup does not cover this case. Also, you can have problems with integrating this distribution to lobby due to only one link limitation in
JITSI_URLparameter. This can be supported in the future.
Once you have your Jitsi instance - put its URL into
JITSI_URL environment variable.
From now on you should have audio/video calls during the Code With Me sessions, but it is highly recommended to add some security to your meetings. Read about Secure setup.
To guarantee a secure video chat experience each client provides a JWT token signed by the lobby server that allows them to join a particular room in the system. JWT credentials are also time limited to prevent repetition attacks.
To make a signed JWT token Lobby server requires a private key.
To check validity of JWT token Jitsi requires associated public key.
Generate RSA256 for JWT tokens
To generate private and public key you can use these commands:ssh-keygen -t rsa -b 4096 -m PEM -f jwtRS256.key # Don't add passphrase openssl rsa -in jwtRS256.key -pubout -outform PEM -out jwtRS256.key.pub
Configure lobby Jitsi certificate
- Set the lobby server
JITSI_RSA_JWT_KEY_FILEENV variable file path of the
From now on lobby will generate links with jwt tokens.
Next, we must configure jitsi to accept tokens forged by Lobby server.
- The configuration is based on this guide.
To make prosody capable of working with jwt tokens install jitsi-meet-tokens package:apt-get install jitsi-meet-tokens
- Now we have to tweak some parameters manually. Prosody config is located at /etc/prosody/prosody.cfg.lua.
Make sure that /etc/prosody/prosody.cfg.lua contains the line below:Include "conf.d/*.cfg.lua"
- Also, make sure that client to server encryption is not enforced.
Otherwise, token authentication won't work:c2s_require_encryption=false
For cases where JWT tokens signed by certificate, prosody provides
asap_key_serveris a server which serves public part of JWT token certificate.
asap_key_servershould serve our certificate for path containing sha256 of kid claim of incoming JWT token.
kid claim of our JWT token equals
app_idsetting of your VirtualHost in prosody config should equal to
Check the following code example:... c2s_require_encryption = false ... VirtualHost "jitmeet.example.com" authentication = "token"; app_id = "CodeWithMe"; asap_key_server = "https://keyserver.example.com/asap"; allow_empty_token = false; ...
asap_key_server nginx configuration (could also be the one, which serves Jitsi frontend):