[HN Gopher] Running your own secure communication service with M...
___________________________________________________________________
Running your own secure communication service with Matrix and Jitsi
Author : jrepinc
Score : 364 points
Date : 2020-04-07 12:46 UTC (10 hours ago)
(HTM) web link (matrix.org)
(TXT) w3m dump (matrix.org)
| teekert wrote:
| So, what are the lines I need to add to my docker-compose.yaml ;)
| Arathorn wrote:
| This was deliberately the Debian package flavoured
| installation. We'll probably do a Docker one too (which will
| likely be a lot faster, but also a lot more mysterious as to
| what's actually going on :)
| smartbit wrote:
| Docker would be nice indeed, an helm chart would be even more
| convenient.
| Arathorn wrote:
| To be clear - Docker & Helm installations of course exist
| for Synapse:
|
| * https://github.com/matrix-
| org/synapse/blob/master/INSTALL.md... is the official
| Docker instructions
|
| * https://github.com/dacruz21/matrix-chart is a Helm one
|
| etc
| ptman wrote:
| And there's https://github.com/spantaleev/matrix-docker-
| ansible-deploy
| johnchristopher wrote:
| It'd be really cool if you could also add how to setup
| federation :).
|
| edit: for docker with synapse living on subdomain.domain.tld
| and addresses like @user:domain.tld, I don't know ^^.
| lousken wrote:
| is there any way to transfer e2e chats from matrix.org homeserver
| account to my own server?
| ta999999171 wrote:
| Add your new user account to your rooms, leave with old user
| acct.
| MayeulC wrote:
| Just join the chats from your server, they will exist on both
| matrix.org and your server. Then you may leave with your old
| matrix.org account.
|
| As for history, you could just import your key backup, if the
| room history is set to visible. Truly decentralized accounts
| will likely come at a later point, especially with all the work
| surrounding p2p matrix, where each p2p client is a server.
| illuminated wrote:
| I have had a matrix instance on one of my servers running but
| integrating Jitsi was a real pain. And even when the integration
| is done correctly the user experience of using it within Matrix
| is at least weird. It appears as an "attachment" in the
| conversation and is very non-intuitive for everyone.
| chme wrote:
| What would the hardware requirements for such a stack be?
|
| Last I read was that synapse requires a lot to memory and I guess
| that managing audio/video streams will be cpu intensive.
| fleetside72 wrote:
| I have an old R710 with 24 cores and 32GB I got on ebay for
| $200 in my dining room with 10mbits upload/100 download and it
| works great. bought my .me domain for $5. It's a wonderful time
| to be alive.
| SaltySolomon wrote:
| For how many users?
| spockz wrote:
| I've run 10-12 users with video and desktop screen sharing
| on a 6 core azure vm with between 20-30% cpu load with
| spikes to 46%. It also depends a bit on the adaptive bit
| rate. Image quality of FaceTime is higher than Jitsi.
| fleetside72 wrote:
| I've run 6 on jitsi.
| cheald wrote:
| I'm running Mattermost and Jitsi for my employer on a $20
| droplet (2 vCPU/4GB RAM) and it works like a champ. Meetings of
| 5-10 are common, but we've run meetings larger than that too.
| As a facilitator of 1:1 adhoc meetings, it's basically zero
| overhead, because the server just coordinates a P2P connection
| then gets out of the way.
| pmlnr wrote:
| > The installer magically detects you have nginx installed and
| adds in an appropriate vhost!
|
| Yes, because those of us who run their own vidconf setup want
| automagically mangled nginx configs.
|
| Other than that, thank you for the guide.
| fleetside72 wrote:
| ...I kinda thought it was neet-o
| warrenm wrote:
| Like a Dorito!
| [deleted]
| KaoruAoiShiho wrote:
| Can Jitsi be used as a streaming server?
|
| A small number of people in a call, 3-5, streaming to thousands.
| Live podcasts etc?
| neilalexander wrote:
| There is a document on how to live-stream to YouTube:
| https://jitsi.org/live-streaming-and-recording-a-jitsi-confe...
| KaoruAoiShiho wrote:
| Okay so jitsi can't be the "youtube" itself?
| tsukurimashou wrote:
| youtube and other steaming platforms use a lot of servers
| to handle the load, so no jitsi can't be youtube itself
| unless you have a beast of a connection and even then you'd
| cap your connection after a hundred users. CDNs like
| cloudflare does the same but for websites.
| KaoruAoiShiho wrote:
| I already have a lot of servers. I was asking if jitsi is
| server side software that can handle the encoding /
| delivery to users. The answer is no. Jitsi is apparently
| completely unscalable.
| kitd wrote:
| _Jitsi is apparently completely unscalable._
|
| Is this intended as a criticism? You wanted it to do a
| job it was never designed to do.
| KaoruAoiShiho wrote:
| It's not a criticism, just a clarification on what its
| job is.
| joshuaellinger wrote:
| I just setup my own Jitsi server at Digital Ocean. It was easy
| and it works well.
|
| My only tip is that you really have to get the DNS name right.
| There is no easy way to change it post install. I had a typo on
| the first pass.
|
| Next step is securing the launch screen. Since it sits behind
| NGINX, do the configuration there.
| mgbmtl wrote:
| Any suggestions on simple auth methods to avoid running an open
| Jitsi server?
|
| Last time I tested it, it seemed to be very open by default,
| letting anyone create meetings. I got lost when digging deeper.
|
| If I install-and-forget, I want to avoid situations where
| strangers are using my Jitsi server and overloading the system,
| or pretending to be our company. Last I checked, it was not
| possible to have simple auth, or monitor/list calls.
|
| I also run an Asterisk VoIP server with a WebRTC bridge (because
| most Linux SIP clients have terrible usability). That can make
| one pretty paranoid :)
| jvanveen wrote:
| I've been experimenting with Asterisk WebRTC (video & audio)
| and developing a SIP + P2P webphone for some time now. Quite
| close to something that's useable imho. See
| https://github.com/garage11/ca11 in case you're interested
| fock wrote:
| my university' setup has something asking for "host
| credentials" before starting the session, so I think it's
| possible. If it's just for internal use, one could just put
| basic HTTP(s)-auth in front?
| johnmaguire2013 wrote:
| You could use something like the Duo Network Gateway or
| Cloudflare Access to protect it.
| plett wrote:
| Yes, I installed Jitsi Meet over the weekend and enabled auth
| so you need credentials to start a new conference, but anyone
| with the link (and optionally password too) can join
| unauthenticated.
|
| I followed these instructions to add the auth
| https://github.com/jitsi/jicofo#secure-domain
| eof wrote:
| any recommendations on an sufficient instance size for 4-5 people
| to use it for comms?
| d_runs_far wrote:
| I've been running it on a 4 core, 8GB ram droplet at
| DigitalOcean with no problems. We typically have 3-6 people in
| multiple sessions at the same time. In the test install, I did
| it with a $10 droplet, and it stuttered with 30 people in one
| conference, but didn't drop anyone.
| JoeAltmaier wrote:
| I hope those things are much better than they used to be. Last I
| looked, they were a bunch of APIs glued together to look like a
| media server. No hard features; no guarantees. Almost a mockup of
| what a media switching server should look like on the outside;
| nothing inside.
| diafygi wrote:
| Is there a way to integrate a phone call-in number to Jitsi?
| Maybe via Twilio or something?
| saghul wrote:
| Yes, you can deploy Jigasi (https://github.com/jitsi/jigasi) to
| VoIP access to Jitsi Meet.
| dangerboysteve wrote:
| if you go to the jitsi.org site and start a meeting, there is a
| share box that can be popped up and it shows a dial-in number
| for your conf. So it must have sip integration.
| ThinkingGuy wrote:
| I haven't tried it myself but according to the FAQ:
|
| "Jitsi offers a telephony interface that allows users to dial
| into a conference or for placing dial-out reminder calls. You
| can try this for free on meet.jit.si. Self-installed Jitsi Meet
| deployments will need to setup and configure Jigasi with a SIP
| provider to connect to the phone network. "
|
| https://jitsi.org/user-faq/
| solinent wrote:
| Here are some text instructions: https://github.com/jitsi/jitsi-
| meet/blob/master/doc/manual-i...
|
| Instead of generating the certs with prosody (there was some
| issue since my system uses p11-kit), I found it easier to just
| generate them all with certbot. update-ca-trust doesn't seem to
| correctly add them to the Java keystore and then you'll encounter
| problems. Certbot does. If you're on a debian based distro you
| shouldn't have to worry, however.
|
| All you really have to do is copy/paste configs and then also
| change the url in the config.
|
| Here's the process for adding the certs using p11-kit.
| https://github.com/jitsi/jitsi-meet/issues/2842#issuecomment...
| and the comment below.
| ThinkingGuy wrote:
| I think I may have found a typo in the instructions. Under the
| section for setting up the Matrix .well-known info, shouldn't the
| line: cat '{ "m.server":
| "matrix.dangerousdemos.net:443" }' > server
|
| be echo '{ "m.server": "matrix.dangerousdemos.net:443" }' >
| server instead?
| Arathorn wrote:
| oops, my bad - thanks! https://github.com/matrix-
| org/matrix.org/commit/42e8a90932ae.... CI will pick up the fix
| in a few minutes.
| KingFelix wrote:
| Im following the instructions and getting all 404 pages after
| I install Synapse, nginx and ssl are all good, I am missing
| something?
|
| I assume its my server block, but I have made many changes /
| adjustments and still getting a 404 on all my pages??
| Arathorn wrote:
| you might have forgotten to set the proxy_pass on the
| synapse vhost, or create directories for the riot vhost?
| macawfish wrote:
| There's also rocket chat! I love matrix, don't get me wrong...
| j45 wrote:
| For self hosting .. is there some sort of a guide available that
| helps understand the resourcing needs relative to concurrent
| active users?
|
| I'd like to hop on this, and think it will work great, but would
| like to make sure there's a way to right size a particular
| installation.
| tsukurimashou wrote:
| see comment bellow
| https://news.ycombinator.com/item?id=22804464 and other
| comments talk about it too
| AnonC wrote:
| Tangentially, I wanted to run Jitsi Meet for some meetings and
| created an account on Digital Ocean, only for the account to be
| promptly locked with no access to a human for support...just
| automated replies rehashing the same text again and again for
| tickets saying that I could provide more information if I
| believed that was in error (with no responses after providing
| additional information). Now I'm looking at trying Linode. Any
| other provider recommendations are welcome.
| KingFelix wrote:
| I use DO, and VULTR too, they have had some pretty cheap cloud
| servers ~2.5 sometimes
| dade_ wrote:
| Thanks for the warning, I was thinking about doing the same
| thing last weekend, but only had time to get Synapse up and
| running, not Jitsi.
| phaer wrote:
| I am using a hetzner.cloud box for EUR5.88/month for a personal
| Jitsi instance without problems. There servers are in Europe
| though, so if you are somewhere else on the globe, it might be
| better idea to look for a provider which is geographically
| closer to you
| martin_a wrote:
| Thinking about doing the same. Any experience with how much
| load those cloud instances can take?
| phaer wrote:
| Depends on the instance I guess, but a few dozen users on a
| cx21 seem to be no trouble at all. As someone else already
| mentioned in this thread, Jitsi does no transcoding server-
| side and is pretty low on resources.
| martin_a wrote:
| Thanks for the feedback. Estimating resource use for
| these kinds of service seems to be really hard.
|
| Thought about running it semi-public for my
| homewtown/area to support businesses, but how many of the
| 350k people will join? Or be concurrent users?
|
| Quite a few question marks for me...
| _ink_ wrote:
| I am quite happy with the Hetzner Cloud services.
| illuminated wrote:
| I've been using SoYouStart [0] for the last several years. It's
| an OVH company and they have really great servers for a great
| price.
|
| [0] https://www.soyoustart.com/
| xrd wrote:
| What does matrix add to jitsi? Jitsi is already easy to run over
| https. Does this make it so you can't randomly enter rooms if you
| know the name and there is no password set?
| dade_ wrote:
| It's the Slack for your Zoom.
| SparkyMcUnicorn wrote:
| Chat/Messaging and any other real-time data you want.
| Arathorn wrote:
| Matrix adds featureful decentralised e2e-encrypted chat
| alongside the voice/video conferencing, and makes it possible
| to coordinate the location of a given conference for a given
| room. It doesn't impose additional auth currently to the
| conferences (but it could). It also maintains your displaynames
| & avatars for you inside the Jitsi :)
| villgax wrote:
| Jitsi despite its frequent re-occurence here is a nightmare to
| configure with so many bells & whistle to setup just one basic
| functionality. Try setting it up with word-to-word instructions
| for setup & later SSL certs to work on your own iOS app of Jitsi
| meet without ripping your hair out.
| eeZah7Ux wrote:
| I'd rather use Janus
| xenonite wrote:
| could you elaborate a bit?
| SparkyMcUnicorn wrote:
| This is the case if you're doing a completely custom
| configuration. Their quick install took me about 5 or 10
| minutes to set up.
|
| https://github.com/jitsi/jitsi-meet/blob/master/doc/quick-in...
| fleetside72 wrote:
| It not my experience at all. In fact it was the easiest install
| I have ever done. It knew I was using nginx as a reverse proxy
| and inserted itself correctly as a subdomain. The only issue I
| had was webmin was running on port 10000 which created a
| conflict because it also wanted to bind to 10000.
| polote wrote:
| After reading your message, I tried installing it on
| archlinux, and here we are 3 hours later and I still didnt
| figure out to make it work, so I'm sadly giving up
| fleetside72 wrote:
| what kind of issues you running into? hit me up.
| paul@hptrow.me
| oxidising wrote:
| This hasn't been my experience at all. Setting it up on a VM
| using their installation instructions
| (https://github.com/jitsi/jitsi-meet/blob/master/doc/quick-
| in...) was very easy.
| EvanAnderson wrote:
| Same experience here. I had a VM up and running in about 30
| minutes. (Having said that, I never got test meetings to work
| reliably. My clients, both on the LAN and on the Internet,
| would repeatedly "disconnect" and "reconnect" every few
| seconds. I didn't spend too much time on it because the
| company ended up making a "let's standardize on WebEx"
| decision the next day.)
| xrd wrote:
| Super easy for me. I followed the instructions to setup on
| Ubuntu and it was ten minutes with zero confusion. Just copy
| the steps from the guide. Even the let's encrypt script
| installed certbot and configured whatever was needed with the
| existing web server.
|
| Then I just hit the url and it worked perfectly.
|
| The biggest surprise was when I tried to access that same
| page from an Android phone. It prompted me to install the
| jitsi app. After I installed it, it directed me to my jitsi
| server.
|
| For me it was flawless and even better that I expected. It's
| a strong competitor to zoom because of the fact that it works
| right inside the browser really well.
| villgax wrote:
| Android isn't the problem, I mentioned iOS. I know WebRTC
| works and all starting iOS 11, but the problem remains with
| the way Jitsi configures SSL in the nginx conf. iOS Safari
| is simply unable to establish a secure connection despite
| the server having a valid LetEncrypt cert.
| saghul wrote:
| Hey there, saghul from Jitsi here. Have you reported that
| to us? I have deployed several self-hosste instances with
| Lets Enccrypt and haven't seen this, but there might a
| bug lurking somewhere.
| leesalminen wrote:
| There was a version of nginx that broke TLS for Safari
| when HTTP/2 is enabled. This was a number of years ago
| now and I'm sure isn't happening on new versions.
| smartbit wrote:
| Extinction Rebellion switched to Jitsi, Matrix etc. From the
| slide at t=2078: *.organise.earth
| *.rebellion.global OWN3D
| OWNED (self hosted) Team Chat
| Slack Mattermost (Team Edition) Cloud Storage
| Google Drive Nextcloud (2 instances) Collaborative docs
| Google docs Only Office Etherpad-Lite Surveys
| Google Forms LimeSurvey Video Conferencing Zoom
| Jitsi-Meet Webmail Gmail, etc Rainloop
| (Postfix, Dovecot) Collaborative Dev Github
| gitlab Mailinglist manager Mail Chimp Mailtrain
| Actions/Operations WhatsApp, Skype Signal, Wire Social
| Twitter Mastodon Video Youtube
| Peertube Site Jekyll
| Admin Gender Bros Any
|
| https://media.ccc.de/v/36c3-11008-server_infrastructure_for_...
|
| > _In this talk Julian will outline his work as sysadmin, systems
| and security architect for the climate and environmental defense
| movement Extinction Rebellion. Responsible for 30 server
| deployments in 11 months, including a community hub spanning
| dozens of national teams (some of which operate in extremely
| hostile conditions), he will show why community-owned free and
| open source infrastructure is mission-critical for the growth,
| success and safety of global civil disobedience movements._
| sneak wrote:
| I am on board with this 100% and have been recommending
| Mattermost myself. Imagine my disappointment when I found out
| that Mattermost, even the self-hosted one, is spyware.
|
| They call it "Diagnostics" to hide its true purpose, but really
| it's phone-home. Silently and with _no_ notification, on f /oss
| self-hosted software; it's really a letdown.
|
| To disable it, you must use the following entirely undocumented
| environment variables:
| MM_LOGSETTINGS_ENABLEDIAGNOSTICS=false
| MM_SERVICESETTINGS_ENABLESECURITYFIXALERT=false
|
| I go the further step of using a Dockerfile that contains the
| following to patch the binary itself: FROM
| mattermost/mattermost-team-edition:latest RUN sed -i
| 's#api.segment.io#xx.example.com#gI' /mattermost/bin/mattermost
| RUN sed -i 's#securityupdatecheck.mattermost.com#xxxxxxxxxxxxxx
| xxxxxxxx.example.com#gI' /mattermost/bin/mattermost
| edhelas wrote:
| Nope, it's actually written in your own post, XR is using
| Mattermost for the chat. Not Matrix :)
| trynewideas wrote:
| Video Conferencing Zoom Jitsi-Meet
| 3fe9a03ccd14ca5 wrote:
| "Admin Gender"?
| martin_a wrote:
| I think it's more of a joke with the "we changed from second
| column to third column"-thing that's going on in that list.
| smartbit wrote:
| It's a copy from the screen for your convenience. Click on
| the link to see yourselves. I've updated the list to remove
| the misunderstanding
|
| Extinction Rebellion is fostering _Inclusion_ & _Diversity_ ,
| I think is what he is trying to say.
|
| If you don't like what _Julian_ wrote, please contact him.
| sschueller wrote:
| I operate a matrix server but I recently found Jami which
| supposedly is p2p encrypted. Does anyone use it? Downsides?
|
| https://jami.net/
| evandrofisico wrote:
| tried the mobile version, because of the p2p aspect it sucks
| your battery dry.
| drcross wrote:
| Can anyone comment on if this will run successfully on a
| raspberry pi 3 for a small number of users (<10)?
| treve wrote:
| No experience with the Pi, but I ran it on a free EC2 instance
| and synapse loves RAM, so I have doubt.
| neiljohnson wrote:
| Many people do just that, but it really depends on what you use
| it for.
|
| Synapse resource usage is dependent on the complexity of the
| rooms that it participates in, not the number of users.
|
| So if you intend to use it just to talk to a few friends,
| you'll have no problems at all. If you want to join rooms with
| 1000s of other servers participating then it will be hungrier.
| deepersprout wrote:
| Does someone have experience running Jitsi with 4+ users? Like in
| conferences with maybe up to 12 people? Can it handle it?
| Arathorn wrote:
| We regularly run it with 40-50 users, and it's fine... as long
| as you limit the number of displayed video streams to 12-15 or
| fewer. This tends to happen organically with people muting
| video, or otherwise you can configure Jitsi to limit it to show
| video for the last 12 people who spoke.
|
| Otherwise you risk overloading people on devices which can't
| render >12 simultaneous video streams without melting. You can
| push the limit higher if you know everyone is on a fast machine
| however.
|
| One thing worth noting is that if a one or more user connects
| via Firefox then quality degrades for everyone - but fixes for
| this look to be in flight over at
| https://github.com/jitsi/jitsi-meet/issues/4758
| gnufx wrote:
| What server resources to you need for those 40-50 users with
| Jitsi/Matrix? I haven't seen estimates of required resources
| when I've looked, but I assume there's some doc somewhere.
| (Thanks for the good work.)
| Arathorn wrote:
| Roughly speaking we're seeing Jitsi serve around 1000
| concurrent streams (i.e. 25x 50-user conferences) on a
| typical 4 core box with 8GB of RAM. However, it's worth
| noting that Jitsi is pretty low resource - all it's doing
| is forwarding streams of data around the place. All the
| heavy lifting is done by the clients when displaying all
| the concurrent videos, so it's the clients which tend to be
| the bottleneck.
| fleetside72 wrote:
| I run this at the house with 10mbits upload connection. have
| had 6 users, it was fine.
| SparkyMcUnicorn wrote:
| Jitsi uses about 5.5Mbps per connected Chrome user. This math
| doesn't line up, but if Jitsi isn't transporting the 720p
| video 10Mbps might work for 6 users.
|
| 1:1 video uses P2P and doesn't require video going through
| the Jitsi bridge.
| Arathorn wrote:
| Tbf, the bitrate depends entirely on the res constraints
| you've specified. We see 1Mbps when requesting 854x480,
| which seems to be quite a reasonable resolution when on a
| multiway conference.
| SparkyMcUnicorn wrote:
| Good to know!
|
| Is this configurable on the client-side via
| configOverwrite.constraints when using the external API?
| 3fe9a03ccd14ca5 wrote:
| It's still a ways to go for non technical users. We tried Jitsi
| to mixed success. Some people had it work flawless the first
| time, others had to switch browsers, still others couldn't use it
| at all, probably because of some privacy or cookie blocking
| extension.
|
| Open source software needs to be as easy to use and configure as
| the alternative if they really hope to gain wise adoption.
| pbhjpbhj wrote:
| That's interesting by brother and I have both worked in IT (he
| still does) and came independently to the same conclusion, that
| for domestic offerings meet.jit.si was the least friction - you
| literally just go the website and so far it just works.
|
| Yesterday my kids used it for a 4hr call, no interruptions
| though audio quality dropped on occasions - I think it was the
| remote iPad's multiplexing that was struggling but couldn't be
| sure.
| tsukurimashou wrote:
| "Open source software needs"
|
| Open source software doesn't owe you anything and you can use
| the alternative if that doesn't satisfy you.
|
| People want self hosted, free software with privacy BUT also
| all other features that big companies add to their software.
| I'm sorry but you have to make compromises. Most people decide
| to compromise their freedom and privacy.
|
| If you really want the software to improve the best way is to
| contribute (or donate if that's an option), complaining things
| could be better on the other hand don't help much.
| shostack wrote:
| Are there any good guides on self-hosting this for private
| family group chats on a home machine or something similar?
| Huijaaja42 wrote:
| Sadly many schools etc probs won't use this since most schools
| lack proper it-staff.
___________________________________________________________________
(page generated 2020-04-07 23:00 UTC)