antipaucity

fighting the lack of good ideas

basic dockerized jitsi deployment with an apache reverse proxy on centos

After a friend of mine told me he wanted to deploy Jitsi on my main webserver, and me saying “sure”, I decided I wanted to get it up and running on a new server both so I knew how to do it, and to avoid the latency issues of videoconferencing from central North America to Germany and back.

Before I go into how I got it working, let me say that the official Quick Start guide is good – but it doesn’t cover anything but itself.

Here’s the basic setup:

What To Do:

Once you have your new CentOS instance up and running (I used Vultr), here’s everything you need to install:

yum -y install epel-release && yum -y upgrade && yum -y install httpd docker docker-compose screen bind-utils certbot git haveged net-tools mod_ssl

I also installed a few other things, but that’s because I’m multi-purposing this server for Squid, and other things, too.

Enable Apache, firewalld, & Docker:

systemctl enable httpd && systemctl enable docker && systemctl enable firewalld

Now get your swap space setup:

fallocate -l 4G /swapfile && chmod 0600 /swapfile && mkswap /swapfile && swapon /swapfile

Add the following line to the bottom of your /etc/fstab:

/swapfile swap swap default 0 0

Restart your VPS:

shutdown -r now

Get your cert from Let’s Encrypt (make sure you’ve already setup appropriate CAA & A records for your domain and any subdomains you want to use):

certbot -t -n --agree-tos --keep --expand --standalone certonly --must-staple --rsa-key-size 4096 --preferred-challenges dns-01,http-01 -m <user>@<domain.tld> -d <jitsi.yourdomain.tld>

Create a root crontab entry to run certbot frequently (I do @weekly ~/renew-le.sh)

Go to the home directory of whatever user you plan to run Jitsi as:

su - <jitsi-user>

Begin the Quick Start directions:

  • git clone https://github.com/jitsi/docker-jitsi-meet && cd docker-jitsi-meet
  • mv env.example .env
  • Change the timezone in .env from Europe/Amsterdam if you want it to show up in a sane timezone (like Etc/UTC)
  • mkdir -p ~/.jitsi-meet-cfg/{web/letsencrypt,transcripts,prosody,jicofo,jvb}
  • docker-compose up -d

Now configure Apache for SSL. Start with this reference I posted.

But in the [sub]domain-specific conf file z-[sub]domain-tld.conf, add proxy and authentication lines (so that only people you allow to use your video conference can actually use it):

ProxyPreserveHost on
ProxyPass / http://localhost:8000/ nocanon
ProxyPassReverse / http://localhost:8000/
ProxyRequests       off
ServerAdmin warren@warrenmyers.com
AllowEncodedSlashes NoDecode
<Proxy http://localhost:8000/*>
    Order deny,allow
    Allow from all
    Authtype Basic
    Authname "Password Required"
    AuthUserFile /etc/httpd/.htpasswd
    Require valid-user
</Proxy>
RewriteEngine       on
RewriteRule        ^/meetwith/(.*)$ http://%{HTTP_HOST}/$1 [P]
ProxyPassReverseCookiePath /meetwith /

Reload your configs, and make sure they’re happy, fixing any errors that may exist:

apachectl graceful

Setup at least one user who’ll be able to access the site:

htpasswd -B -c /etc/httpd/.htpasswd <user>

You should also configure firewalld to allow only what you want (http, https, ssh):

firewall-cmd --zone=public --add-service=http && firewall-cmd --zone=public --add-service=https && firewall-cmd --zone=public --add-service=ssh

With any luck, when you now navigate to https://[sub.]domain.tld in your web browser, and enter your username and password you created with htpasswd, you’ll get the Jitsi welcome page!

Other Resources:

do you leak?

It would seem I have configured OpenVPN, Squid proxy, and, to a lesser extent, Pi-hole well – none of the major sites that report IP, DNS, and other connection-related security issues find anything out of the ordinary when I’m either running “just” proxied, or VPN, or VPN+proxy.

You should check yourself hereon:

  1. https://ipleak.net
  2. http://ip-check.info/?lang=en (ironic this site isn’t serving itself over https)
  3. https://doileak.com
  4. https://whatismyip.com
  5. https://browserleaks.com/ip

And, of course, if you just want to see what your pubic IP address is, go hit my service – IPv4.cf

manning is doing something similar to my bucket proposal

Manning Publishers has a liveBook offering.

And it allows for the type of mini transactions (through their self-hosted “token” system) that I proposed when writing about how I’d dumped Pi-hole last year.

Quoting from their recent announcement email

Book publishers follow a simple rule: put your content behind a solid paywall. At Manning, we believe you should be able to see before you buy. liveBook search and Manning Tokens make the paywall porous. Our new new timed unlock feature moves the whole wall further back!

That’s pretty dang cool, Manning.

simple ip address check – ipv4.cf

I’ve published another super-simple tool.

A la whatismyip.com, but with no extra cruft (and no queer formatting of the IP address under the hood), welcome IPv4.cf to the world with me!

new service – free, secure password generation

Today, I am formally announcing a brand-new service / website for secure password generation.

Go visit password.cf

Get yourself random passwords of commonly-required lengths and complexities*.

Password Varieties:

  • 4 of 4
  • upper & lower alphanumeric
  • lower alphanumeric

Lengths generated: 12, 16, & 24 characters

Visit the GitHub project page ..

.. if you want to run the site on your own server.

You can view the source “live” ..

.. if you’d like to see how it works without visiting GitHub – and verify nothing is saved anywhere by the code: it’s just a script with no filesystem / database access.

It’s fast ..

.. load times tend to be under 0.15 seconds!

It will always be linked from my Projects page, and from the ‘External’ links menu on this blog.


*Also findable at password.ga – same server, same code

above the cloud storage

Who wants to go into business with me?

I’ve got a super-cool storage company idea.

Load up a metric buttload of cubesats with radiation-hardened SSD storage, solar power, and [relatively] simple communicaton stacks (secured by SSH or SSL, of course), and launch them into orbit.

You think cloud storage is cool? What about above-the-cloud storage?

Pros:

  • avoid national jurisdictional rules, since the data will never be housed “in” a specific country
  • very hard to attack physically
  • great reason to use IPv6 addressing

Cons:

  • expensive to get the initial devices into orbit
  • software maintenance on the system could be annoying
  • need to continually plop more cubesats into orbit to handle both expanded data needs and loss of existing devices due to orbital degradation

Who’s with me?

haiku appliance

I have been a fan of Haiku for years – and BeOS since way back in the 90s. I run a Haiku mirror, and try to pay attention to the project’s updates.

Today I am making available a Haiku-OS r1 alpha 4.1 virtual appliance!

Download it from me here (created in VirtualBox, but in .ova format, so should work “anywhere”). Download links for current editions (for new releases of Haiku-OS) will be maintained on my Projects page.

Specs:

  • 1G RAM (could’ve easily gotten away with 512M or even 256M, but given everyone should have 1G free (especially if running VirtualBox), went with this size)
  • 20G storage (dynamically allocated, of course), formatted BFS (because it’s better than NTFS – and doesn’t “actually” format the disk (it does, but only kinda – it’s akin to lazy zeroing in VMware)) in VMDK format (if you care)
  • 2 CPUs
  • 32M video memory
  • network: NAT’d

Appliance [download] size :: ~250M.