[HN Gopher] Running your own secure communication service with M... ___________________________________________________________________ Running your own secure communication service with Matrix and Jitsi Author : jrepinc Score : 364 points Date : 2020-04-07 12:46 UTC (10 hours ago) (HTM) web link (matrix.org) (TXT) w3m dump (matrix.org) | teekert wrote: | So, what are the lines I need to add to my docker-compose.yaml ;) | Arathorn wrote: | This was deliberately the Debian package flavoured | installation. We'll probably do a Docker one too (which will | likely be a lot faster, but also a lot more mysterious as to | what's actually going on :) | smartbit wrote: | Docker would be nice indeed, a Helm chart would be even more | convenient. | Arathorn wrote: | To be clear - Docker & Helm installations of course exist | for Synapse: | | * https://github.com/matrix-org/synapse/blob/master/INSTALL.md... are the official | Docker instructions | | * https://github.com/dacruz21/matrix-chart is a Helm one | | etc | ptman wrote: | And there's https://github.com/spantaleev/matrix-docker-ansible-deploy | johnchristopher wrote: | It'd be really cool if you could also add how to set up | federation :). | | edit: for docker with synapse living on subdomain.domain.tld | and addresses like @user:domain.tld, I don't know ^^. | lousken wrote: | is there any way to transfer e2e chats from matrix.org homeserver | account to my own server? | ta999999171 wrote: | Add your new user account to your rooms, leave with old user | acct. | MayeulC wrote: | Just join the chats from your server, they will exist on both | matrix.org and your server. Then you may leave with your old | matrix.org account. | | As for history, you could just import your key backup, if the | room history is set to visible. Truly decentralized accounts | will likely come at a later point, especially with all the work | surrounding p2p matrix, where each p2p client is a server.
| illuminated wrote: | I have had a matrix instance on one of my servers running but | integrating Jitsi was a real pain. And even when the integration | is done correctly the user experience of using it within Matrix | is at least weird. It appears as an "attachment" in the | conversation and is very non-intuitive for everyone. | chme wrote: | What would the hardware requirements for such a stack be? | | Last I read was that synapse requires a lot of memory and I guess | that managing audio/video streams will be cpu intensive. | fleetside72 wrote: | I have an old R710 with 24 cores and 32GB I got on ebay for | $200 in my dining room with 10mbits upload/100 download and it | works great. Bought my .me domain for $5. It's a wonderful time | to be alive. | SaltySolomon wrote: | For how many users? | spockz wrote: | I've run 10-12 users with video and desktop screen sharing | on a 6 core azure vm with between 20-30% cpu load with | spikes to 46%. It also depends a bit on the adaptive bit | rate. Image quality of FaceTime is higher than Jitsi. | fleetside72 wrote: | I've run 6 on jitsi. | cheald wrote: | I'm running Mattermost and Jitsi for my employer on a $20 | droplet (2 vCPU/4GB RAM) and it works like a champ. Meetings of | 5-10 are common, but we've run meetings larger than that too. | As a facilitator of 1:1 ad hoc meetings, it's basically zero | overhead, because the server just coordinates a P2P connection | then gets out of the way. | pmlnr wrote: | > The installer magically detects you have nginx installed and | adds in an appropriate vhost! | | Yes, because those of us who run their own vidconf setup want | automagically mangled nginx configs. | | Other than that, thank you for the guide. | fleetside72 wrote: | ...I kinda thought it was neat-o | warrenm wrote: | Like a Dorito! | [deleted] | KaoruAoiShiho wrote: | Can Jitsi be used as a streaming server? | | A small number of people in a call, 3-5, streaming to thousands. | Live podcasts etc?
| neilalexander wrote: | There is a document on how to live-stream to YouTube: | https://jitsi.org/live-streaming-and-recording-a-jitsi-confe... | KaoruAoiShiho wrote: | Okay so jitsi can't be the "youtube" itself? | tsukurimashou wrote: | youtube and other streaming platforms use a lot of servers | to handle the load, so no jitsi can't be youtube itself | unless you have a beast of a connection and even then you'd | cap your connection after a hundred users. CDNs like | cloudflare do the same but for websites. | KaoruAoiShiho wrote: | I already have a lot of servers. I was asking if jitsi is | server side software that can handle the encoding / | delivery to users. The answer is no. Jitsi is apparently | completely unscalable. | kitd wrote: | _Jitsi is apparently completely unscalable._ | | Is this intended as a criticism? You wanted it to do a | job it was never designed to do. | KaoruAoiShiho wrote: | It's not a criticism, just a clarification on what its | job is. | joshuaellinger wrote: | I just set up my own Jitsi server at Digital Ocean. It was easy | and it works well. | | My only tip is that you really have to get the DNS name right. | There is no easy way to change it post install. I had a typo on | the first pass. | | Next step is securing the launch screen. Since it sits behind | NGINX, do the configuration there. | mgbmtl wrote: | Any suggestions on simple auth methods to avoid running an open | Jitsi server? | | Last time I tested it, it seemed to be very open by default, | letting anyone create meetings. I got lost when digging deeper. | | If I install-and-forget, I want to avoid situations where | strangers are using my Jitsi server and overloading the system, | or pretending to be our company. Last I checked, it was not | possible to have simple auth, or monitor/list calls. | | I also run an Asterisk VoIP server with a WebRTC bridge (because | most Linux SIP clients have terrible usability).
That can make | one pretty paranoid :) | jvanveen wrote: | I've been experimenting with Asterisk WebRTC (video & audio) | and developing a SIP + P2P webphone for some time now. Quite | close to something that's usable imho. See | https://github.com/garage11/ca11 in case you're interested | fock wrote: | my university's setup has something asking for "host | credentials" before starting the session, so I think it's | possible. If it's just for internal use, one could just put | basic HTTP(s)-auth in front? | johnmaguire2013 wrote: | You could use something like the Duo Network Gateway or | Cloudflare Access to protect it. | plett wrote: | Yes, I installed Jitsi Meet over the weekend and enabled auth | so you need credentials to start a new conference, but anyone | with the link (and optionally password too) can join | unauthenticated. | | I followed these instructions to add the auth | https://github.com/jitsi/jicofo#secure-domain | eof wrote: | any recommendations on a sufficient instance size for 4-5 people | to use it for comms? | d_runs_far wrote: | I've been running it on a 4 core, 8GB ram droplet at | DigitalOcean with no problems. We typically have 3-6 people in | multiple sessions at the same time. In the test install, I did | it with a $10 droplet, and it stuttered with 30 people in one | conference, but didn't drop anyone. | JoeAltmaier wrote: | I hope those things are much better than they used to be. Last I | looked, they were a bunch of APIs glued together to look like a | media server. No hard features; no guarantees. Almost a mockup of | what a media switching server should look like on the outside; | nothing inside. | diafygi wrote: | Is there a way to integrate a phone call-in number to Jitsi? | Maybe via Twilio or something? | saghul wrote: | Yes, you can deploy Jigasi (https://github.com/jitsi/jigasi) to | add VoIP access to Jitsi Meet.
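The secure-domain setup plett links to is the practical answer to mgbmtl's question above: a login is required to create a room, while guests still join anonymously through a second XMPP domain. The script below is an added example for this thread, not the Jitsi project's own tooling; it follows the steps in https://github.com/jitsi/jicofo#secure-domain for a Debian package install. The file paths are those the jitsi-meet Debian packages write, and `meet.example.com` and `moderator` are placeholders. It assumes the first `authentication = "anonymous"` line in the Prosody config belongs to the main VirtualHost (which is how the package generates it), and it appends settings rather than editing inside the generated files.

```shell
# Added example for this thread, not the Jitsi project's own tooling: turn an
# open Jitsi Meet install into a "secure domain" one, following
# https://github.com/jitsi/jicofo#secure-domain.  File paths are those of the
# jitsi-meet Debian packages; the hostname and user name are placeholders.
set -eu

# 1. Prosody: make the main VirtualHost require a login and add a second,
#    anonymous VirtualHost that guests connect through.
#    $1 = /etc/prosody/conf.avail/<host>.cfg.lua, $2 = Jitsi hostname
prosody_secure_domain() {
  cfg=$1; host=$2
  tmp=$(mktemp)
  # Assumption: the first 'authentication = "anonymous"' is the main
  # VirtualHost (the package writes it that way); auth.<host> keeps internal_plain.
  awk 'done == 0 && /authentication = "anonymous"/ {
         sub(/"anonymous"/, "\"internal_hashed\""); done = 1 }
       { print }' "$cfg" > "$tmp"
  cat >> "$tmp" <<EOF

VirtualHost "guest.$host"
    authentication = "anonymous"
    c2s_require_encryption = false
EOF
  cat "$tmp" > "$cfg"     # keeps the original file's owner and mode
  rm -f "$tmp"
}

# 2. Web client: point unauthenticated guests at the anonymous domain.  The
#    property is appended after 'var config = {...};' so the generated object
#    is not edited in place.
#    $1 = /etc/jitsi/meet/<host>-config.js, $2 = hostname
meet_anonymousdomain() {
  printf "\nconfig.anonymousdomain = 'guest.%s';\n" "$2" >> "$1"
}

# 3. Jicofo: only an authenticated user on the main domain may create a room.
#    $1 = /etc/jitsi/jicofo/sip-communicator.properties, $2 = hostname
jicofo_auth_url() {
  printf 'org.jitsi.jicofo.auth.URL=XMPP:%s\n' "$2" >> "$1"
}

# Check before restarting: prints how many of the four settings are missing.
# $1 = prosody cfg, $2 = meet config.js, $3 = jicofo properties, $4 = hostname
secure_domain_missing() {
  missing=0
  grep -q 'authentication = "internal_hashed"' "$1"    || missing=$((missing + 1))
  grep -q "VirtualHost \"guest.$4\"" "$1"              || missing=$((missing + 1))
  grep -q "anonymousdomain = 'guest.$4'" "$2"          || missing=$((missing + 1))
  grep -q "org.jitsi.jicofo.auth.URL=XMPP:$4" "$3"     || missing=$((missing + 1))
  echo "$missing"
}

# Real run (as root):  sh secure-domain.sh meet.example.com moderator
if [ "$#" -ge 2 ]; then
  host=$1; moderator=$2
  prosody_cfg=/etc/prosody/conf.avail/$host.cfg.lua
  meet_cfg=/etc/jitsi/meet/$host-config.js
  jicofo_props=/etc/jitsi/jicofo/sip-communicator.properties
  prosody_secure_domain "$prosody_cfg" "$host"
  meet_anonymousdomain "$meet_cfg" "$host"
  jicofo_auth_url "$jicofo_props" "$host"
  [ "$(secure_domain_missing "$prosody_cfg" "$meet_cfg" "$jicofo_props" "$host")" = 0 ]
  prosodyctl adduser "$moderator@$host"   # prompts for the password: keeps it out of history and ps
  systemctl restart prosody jicofo jitsi-videobridge2
fi
```

Run it as root with the hostname and the moderator's user name. `prosodyctl adduser` prompts for the password instead of taking it on the command line, which is why it is used here rather than `prosodyctl register user host password`. Be clear about what this does and does not restrict: a login is needed to create a room, but, as plett notes, anyone holding the link can still join an existing one, so pair it with room passwords where that matters. The guest VirtualHost mirrors the README's, including `c2s_require_encryption = false`.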
| dangerboysteve wrote: | if you go to the jitsi.org site and start a meeting, there is a | share box that can be popped up and it shows a dial-in number | for your conf. So it must have sip integration. | ThinkingGuy wrote: | I haven't tried it myself but according to the FAQ: | | "Jitsi offers a telephony interface that allows users to dial | into a conference or for placing dial-out reminder calls. You | can try this for free on meet.jit.si. Self-installed Jitsi Meet | deployments will need to setup and configure Jigasi with a SIP | provider to connect to the phone network. " | | https://jitsi.org/user-faq/ | solinent wrote: | Here are some text instructions: https://github.com/jitsi/jitsi-meet/blob/master/doc/manual-i... | | Instead of generating the certs with prosody (there was some | issue since my system uses p11-kit), I found it easier to just | generate them all with certbot. update-ca-trust doesn't seem to | correctly add them to the Java keystore and then you'll encounter | problems. Certbot does. If you're on a debian based distro you | shouldn't have to worry, however. | | All you really have to do is copy/paste configs and then also | change the url in the config. | | Here's the process for adding the certs using p11-kit. | https://github.com/jitsi/jitsi-meet/issues/2842#issuecomment... | and the comment below. | ThinkingGuy wrote: | I think I may have found a typo in the instructions. Under the | section for setting up the Matrix .well-known info, shouldn't the | line:
|
|     cat '{ "m.server": "matrix.dangerousdemos.net:443" }' > server
|
| be
|
|     echo '{ "m.server": "matrix.dangerousdemos.net:443" }' > server
|
| instead?
| Arathorn wrote: | oops, my bad - thanks! https://github.com/matrix-org/matrix.org/commit/42e8a90932ae.... CI will pick up the fix | in a few minutes. | KingFelix wrote: | I'm following the instructions and getting all 404 pages after | I install Synapse, nginx and ssl are all good, am I missing | something?
| | I assume it's my server block, but I have made many changes / | adjustments and still getting a 404 on all my pages?? | Arathorn wrote: | you might have forgotten to set the proxy_pass on the | synapse vhost, or create directories for the riot vhost? | macawfish wrote: | There's also rocket chat! I love matrix, don't get me wrong... | j45 wrote: | For self hosting .. is there some sort of a guide available that | helps understand the resourcing needs relative to concurrent | active users? | | I'd like to hop on this, and think it will work great, but would | like to make sure there's a way to right size a particular | installation. | tsukurimashou wrote: | see comment below | https://news.ycombinator.com/item?id=22804464 and other | comments talk about it too | AnonC wrote: | Tangentially, I wanted to run Jitsi Meet for some meetings and | created an account on Digital Ocean, only for the account to be | promptly locked with no access to a human for support...just | automated replies rehashing the same text again and again for | tickets saying that I could provide more information if I | believed that was in error (with no responses after providing | additional information). Now I'm looking at trying Linode. Any | other provider recommendations are welcome. | KingFelix wrote: | I use DO, and VULTR too, they have had some pretty cheap cloud | servers ~2.5 sometimes | dade_ wrote: | Thanks for the warning, I was thinking about doing the same | thing last weekend, but only had time to get Synapse up and | running, not Jitsi. | phaer wrote: | I am using a hetzner.cloud box for EUR5.88/month for a personal | Jitsi instance without problems. Their servers are in Europe | though, so if you are somewhere else on the globe, it might be a | better idea to look for a provider which is geographically | closer to you | martin_a wrote: | Thinking about doing the same. Any experience with how much | load those cloud instances can take?
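Coming back to the .well-known fix in ThinkingGuy's and Arathorn's exchange above: the typo matters because `cat '{ ... }' > server` fails with "No such file or directory" after the redirection has already created an empty `server` file, and an empty or malformed body is ignored by federating servers, which then fall back to port 8448 on the bare domain. The script below is an added example for this thread, not part of the matrix.org guide, that checks a delegation end to end: it fetches `/.well-known/matrix/server`, validates the `m.server` value, then confirms that the delegated host's `/_matrix/key/v2/server` answer claims the original `server_name`. It assumes `curl` is installed; the domains are placeholders, and a bare hostname without a port is treated as port 8448 here (the spec also consults an SRV record in that case, which this check skips).

```shell
# Added example for this thread, not part of the matrix.org guide: verify that
# a Matrix .well-known delegation points federation at the right Synapse.
# Assumes curl is installed; domain names are placeholders.
set -eu

# Pull "m.server" out of a /.well-known/matrix/server body and validate it as
# hostname[:port].  Prints "host:port" and returns 0, or prints nothing and
# returns 1 for an empty body, a URL, a bad port, or anything else.
parse_m_server() {
  body=$1
  server=$(printf '%s' "$body" |
    sed -n 's/.*"m\.server"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1)
  [ -n "$server" ] || return 1
  hostpart=${server%%:*}
  case $server in
    *:*) port=${server##*:} ;;
    *)   port=8448 ;;   # no port: the spec checks an SRV record, then falls back to 8448
  esac
  # Hostname labels only: a scheme, a path or an IP literal does not belong here.
  printf '%s' "$hostpart" |
    grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$' || return 1
  printf '%s' "$port" | grep -Eq '^[0-9]{1,5}$' || return 1
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
  printf '%s:%s\n' "$hostpart" "$port"
}

# Pull "server_name" out of a /_matrix/key/v2/server body.
parse_server_name() {
  printf '%s' "$1" |
    sed -n 's/.*"server_name"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# End-to-end check for one domain.  curl verifies TLS by default (no -k):
# the delegated host must present a certificate valid for its own name,
# which is exactly what other homeservers check when federating.
check_delegation() {
  domain=$1
  body=$(curl -fsS --max-time 10 "https://$domain/.well-known/matrix/server") ||
    { echo "FAIL: no /.well-known/matrix/server served for $domain"; return 1; }
  server=$(parse_m_server "$body") ||
    { echo "FAIL: malformed m.server in body: $body"; return 1; }
  keys=$(curl -fsS --max-time 10 "https://$server/_matrix/key/v2/server") ||
    { echo "FAIL: key endpoint unreachable on $server"; return 1; }
  claimed=$(parse_server_name "$keys")
  [ "$claimed" = "$domain" ] ||
    { echo "FAIL: $server reports server_name '$claimed', expected '$domain'"; return 1; }
  echo "OK: $domain federates via $server"
}

# Usage on a real deployment:  sh check-delegation.sh example.com
if [ "$#" -ge 1 ]; then
  check_delegation "$1"
fi
```

A `server_name` mismatch at the last step usually means Synapse was configured with the delegated hostname (matrix.example.com) rather than the bare domain (example.com) as `server_name` in homeserver.yaml, which gives every user ID the wrong domain and cannot be changed afterwards without starting over.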
| phaer wrote: | Depends on the instance I guess, but a few dozen users on a | cx21 seem to be no trouble at all. As someone else already | mentioned in this thread, Jitsi does no transcoding server-side and is pretty low on resources. | martin_a wrote: | Thanks for the feedback. Estimating resource use for | these kinds of services seems to be really hard. | | Thought about running it semi-public for my | hometown/area to support businesses, but how many of the | 350k people will join? Or be concurrent users? | | Quite a few question marks for me... | _ink_ wrote: | I am quite happy with the Hetzner Cloud services. | illuminated wrote: | I've been using SoYouStart [0] for the last several years. It's | an OVH company and they have really great servers for a great | price. | | [0] https://www.soyoustart.com/ | xrd wrote: | What does matrix add to jitsi? Jitsi is already easy to run over | https. Does this make it so you can't randomly enter rooms if you | know the name and there is no password set? | dade_ wrote: | It's the Slack for your Zoom. | SparkyMcUnicorn wrote: | Chat/Messaging and any other real-time data you want. | Arathorn wrote: | Matrix adds featureful decentralised e2e-encrypted chat | alongside the voice/video conferencing, and makes it possible | to coordinate the location of a given conference for a given | room. It doesn't impose additional auth currently to the | conferences (but it could). It also maintains your displaynames | & avatars for you inside the Jitsi :) | villgax wrote: | Jitsi despite its frequent recurrence here is a nightmare to | configure with so many bells & whistles to set up just one basic | functionality. Try setting it up with word-to-word instructions | for setup & later SSL certs to work on your own iOS app of Jitsi | meet without ripping your hair out. | eeZah7Ux wrote: | I'd rather use Janus | xenonite wrote: | could you elaborate a bit?
| SparkyMcUnicorn wrote: | This is the case if you're doing a completely custom | configuration. Their quick install took me about 5 or 10 | minutes to set up. | | https://github.com/jitsi/jitsi-meet/blob/master/doc/quick-in... | fleetside72 wrote: | It's not my experience at all. In fact it was the easiest install | I have ever done. It knew I was using nginx as a reverse proxy | and inserted itself correctly as a subdomain. The only issue I | had was webmin was running on port 10000 which created a | conflict because it also wanted to bind to 10000. | polote wrote: | After reading your message, I tried installing it on | archlinux, and here we are 3 hours later and I still didn't | figure out how to make it work, so I'm sadly giving up | fleetside72 wrote: | what kind of issues are you running into? hit me up. | paul@hptrow.me | oxidising wrote: | This hasn't been my experience at all. Setting it up on a VM | using their installation instructions | (https://github.com/jitsi/jitsi-meet/blob/master/doc/quick-in...) was very easy. | EvanAnderson wrote: | Same experience here. I had a VM up and running in about 30 | minutes. (Having said that, I never got test meetings to work | reliably. My clients, both on the LAN and on the Internet, | would repeatedly "disconnect" and "reconnect" every few | seconds. I didn't spend too much time on it because the | company ended up making a "let's standardize on WebEx" | decision the next day.) | xrd wrote: | Super easy for me. I followed the instructions to set it up on | Ubuntu and it was ten minutes with zero confusion. Just copy | the steps from the guide. Even the let's encrypt script | installed certbot and configured whatever was needed with the | existing web server. | | Then I just hit the url and it worked perfectly. | | The biggest surprise was when I tried to access that same | page from an Android phone. It prompted me to install the | jitsi app. After I installed it, it directed me to my jitsi | server.
| | For me it was flawless and even better than I expected. It's | a strong competitor to zoom because of the fact that it works | right inside the browser really well. | villgax wrote: | Android isn't the problem, I mentioned iOS. I know WebRTC | works and all starting iOS 11, but the problem remains with | the way Jitsi configures SSL in the nginx conf. iOS Safari | is simply unable to establish a secure connection despite | the server having a valid Let's Encrypt cert. | saghul wrote: | Hey there, saghul from Jitsi here. Have you reported that | to us? I have deployed several self-hosted instances with | Let's Encrypt and haven't seen this, but there might be a | bug lurking somewhere. | leesalminen wrote: | There was a version of nginx that broke TLS for Safari | when HTTP/2 is enabled. This was a number of years ago | now and I'm sure isn't happening on new versions. | smartbit wrote: | Extinction Rebellion switched to Jitsi, Matrix etc. From the | slide at t=2078:
|
|                          *.organise.earth      *.rebellion.global
|                          OWN3D                 OWNED (self hosted)
|     Team Chat            Slack                 Mattermost (Team Edition)
|     Cloud Storage        Google Drive          Nextcloud (2 instances)
|     Collaborative docs   Google docs           Only Office, Etherpad-Lite
|     Surveys              Google Forms          LimeSurvey
|     Video Conferencing   Zoom                  Jitsi-Meet
|     Webmail              Gmail, etc            Rainloop (Postfix, Dovecot)
|     Collaborative Dev    Github                gitlab
|     Mailinglist manager  Mail Chimp            Mailtrain
|     Actions/Operations   WhatsApp, Skype       Signal, Wire
|     Social               Twitter               Mastodon
|     Video                Youtube               Peertube
|     Site                                       Jekyll
|     Admin                Gender Bros           Any
|
| https://media.ccc.de/v/36c3-11008-server_infrastructure_for_... | | > _In this talk Julian will outline his work as sysadmin, systems | and security architect for the climate and environmental defense | movement Extinction Rebellion.
Responsible for 30 server | deployments in 11 months, including a community hub spanning | dozens of national teams (some of which operate in extremely | hostile conditions), he will show why community-owned free and | open source infrastructure is mission-critical for the growth, | success and safety of global civil disobedience movements._ | sneak wrote: | I am on board with this 100% and have been recommending | Mattermost myself. Imagine my disappointment when I found out | that Mattermost, even the self-hosted one, is spyware. | | They call it "Diagnostics" to hide its true purpose, but really | it's phone-home. Silently and with _no_ notification, on f/oss | self-hosted software; it's really a letdown. | | To disable it, you must use the following entirely undocumented | environment variables:
|
|     MM_LOGSETTINGS_ENABLEDIAGNOSTICS=false
|     MM_SERVICESETTINGS_ENABLESECURITYFIXALERT=false
|
| I go the further step of using a Dockerfile that contains the | following to patch the binary itself:
|
|     FROM mattermost/mattermost-team-edition:latest
|     RUN sed -i 's#api.segment.io#xx.example.com#gI' /mattermost/bin/mattermost
|     RUN sed -i 's#securityupdatecheck.mattermost.com#xxxxxxxxxxxxxxxxxxxxxx.example.com#gI' /mattermost/bin/mattermost
|
| edhelas wrote: | Nope, it's actually written in your own post, XR is using | Mattermost for the chat. Not Matrix :) | trynewideas wrote: | Video Conferencing Zoom Jitsi-Meet | 3fe9a03ccd14ca5 wrote: | "Admin Gender"? | martin_a wrote: | I think it's more of a joke with the "we changed from second | column to third column"-thing that's going on in that list. | smartbit wrote: | It's a copy from the screen for your convenience. Click on | the link to see for yourselves. I've updated the list to remove | the misunderstanding | | Extinction Rebellion is fostering _Inclusion_ & _Diversity_ , | I think is what he is trying to say. | | If you don't like what _Julian_ wrote, please contact him.
| sschueller wrote: | I operate a matrix server but I recently found Jami which | supposedly is p2p encrypted. Does anyone use it? Downsides? | | https://jami.net/ | evandrofisico wrote: | tried the mobile version, because of the p2p aspect it sucks | your battery dry. | drcross wrote: | Can anyone comment on if this will run successfully on a | raspberry pi 3 for a small number of users (<10)? | treve wrote: | No experience with the Pi, but I ran it on a free EC2 instance | and synapse loves RAM, so I have doubts. | neiljohnson wrote: | Many people do just that, but it really depends on what you use | it for. | | Synapse resource usage is dependent on the complexity of the | rooms that it participates in, not the number of users. | | So if you intend to use it just to talk to a few friends, | you'll have no problems at all. If you want to join rooms with | 1000s of other servers participating then it will be hungrier. | deepersprout wrote: | Does someone have experience running Jitsi with 4+ users? Like in | conferences with maybe up to 12 people? Can it handle it? | Arathorn wrote: | We regularly run it with 40-50 users, and it's fine... as long | as you limit the number of displayed video streams to 12-15 or | fewer. This tends to happen organically with people muting | video, or otherwise you can configure Jitsi to limit it to show | video for the last 12 people who spoke. | | Otherwise you risk overloading people on devices which can't | render >12 simultaneous video streams without melting. You can | push the limit higher if you know everyone is on a fast machine | however. | | One thing worth noting is that if one or more users connect | via Firefox then quality degrades for everyone - but fixes for | this look to be in flight over at | https://github.com/jitsi/jitsi-meet/issues/4758 | gnufx wrote: | What server resources do you need for those 40-50 users with | Jitsi/Matrix?
I haven't seen estimates of required resources | when I've looked, but I assume there's some doc somewhere. | (Thanks for the good work.) | Arathorn wrote: | Roughly speaking we're seeing Jitsi serve around 1000 | concurrent streams (i.e. 25x 50-user conferences) on a | typical 4 core box with 8GB of RAM. However, it's worth | noting that Jitsi is pretty low resource - all it's doing | is forwarding streams of data around the place. All the | heavy lifting is done by the clients when displaying all | the concurrent videos, so it's the clients which tend to be | the bottleneck. | fleetside72 wrote: | I run this at the house with 10mbits upload connection. Have | had 6 users, it was fine. | SparkyMcUnicorn wrote: | Jitsi uses about 5.5Mbps per connected Chrome user. This math | doesn't line up, but if Jitsi isn't transporting the 720p | video 10Mbps might work for 6 users. | | 1:1 video uses P2P and doesn't require video going through | the Jitsi bridge. | Arathorn wrote: | Tbf, the bitrate depends entirely on the res constraints | you've specified. We see 1Mbps when requesting 854x480, | which seems to be quite a reasonable resolution when on a | multiway conference. | SparkyMcUnicorn wrote: | Good to know! | | Is this configurable on the client-side via | configOverwrite.constraints when using the external API? | 3fe9a03ccd14ca5 wrote: | It still has a ways to go for non technical users. We tried Jitsi | to mixed success. Some people had it work flawlessly the first | time, others had to switch browsers, still others couldn't use it | at all, probably because of some privacy or cookie blocking | extension. | | Open source software needs to be as easy to use and configure as | the alternative if they really hope to gain wide adoption.
| pbhjpbhj wrote: | That's interesting, my brother and I have both worked in IT (he | still does) and came independently to the same conclusion, that | for domestic offerings meet.jit.si was the least friction - you | literally just go to the website and so far it just works. | | Yesterday my kids used it for a 4hr call, no interruptions | though audio quality dropped on occasion - I think it was the | remote iPad's multiplexing that was struggling but couldn't be | sure. | tsukurimashou wrote: | "Open source software needs" | | Open source software doesn't owe you anything and you can use | the alternative if that doesn't satisfy you. | | People want self hosted, free software with privacy BUT also | all other features that big companies add to their software. | I'm sorry but you have to make compromises. Most people decide | to compromise their freedom and privacy. | | If you really want the software to improve the best way is to | contribute (or donate if that's an option), complaining things | could be better on the other hand doesn't help much. | shostack wrote: | Are there any good guides on self-hosting this for private | family group chats on a home machine or something similar? | Huijaaja42 wrote: | Sadly many schools etc. probs won't use this since most schools | lack proper IT staff. ___________________________________________________________________ (page generated 2020-04-07 23:00 UTC)