DISCLAIMER: this is not legal nor technical advice. It is just a WIP proposal, open to discussion, on how a Jitsi-Meet server can be quickly (and legally) deployed in order to host one’s own private videomeetings, based on authors’ practical experiences.

Server requirements

  • Server: should work on 1 core, 1GB RAM - suggested (at least) 2 core, 2GB RAM (scale at your needs)
  • OS: debian 10 minimal (just sshd and base system utilities) - ubuntu 18.04
  • hostname: (change it to the actual domain you are using)
  • create DNS A records for

NOTE: you do not need to create a DNS record for It is just an internal domain used by jicofo to connect to prosody.

Basic system configuration


→ first of all, create a new user, add it to sudoers group and logout as root:

apt install -y sudo
usermod -a -G sudo USER_NAME_OF_YOUR_CHOICE

login as the newly created user and add your public SSH key(s):

mkdir ~/.ssh
nano ~/.ssh/authorized_keys

save and exit (alternatively, you may use ssh-copy-id on your client machine).

→ disable SSH Password login and SSH root login:

sudo nano /etc/ssh/sshd_config

changing PasswordAuthentication and PermitRootLogin values to no (uncomment if necessary), save and exit, then restart sshd to apply changes (your ssh connection will not be interrupted):

sudo service sshd restart

Update your system (mantain local config files if asked) and reboot:

sudo apt update
sudo apt dist-upgrade -y && sudo reboot

→ install fail2ban:

sudo apt install -y fail2ban

Later on you will configure Fail2Ban to work with Prosody (see “Fail2Ban for Prosody” in authentication how-to).

→ set and enable firewall (UFW):

sudo apt install -y ufw
sudo ufw allow OpenSSH
sudo ufw allow http
sudo ufw allow https
sudo ufw allow in 10000:20000/udp
sudo ufw allow 5222/tcp
sudo ufw allow 5269/tcp
sudo ufw enable

Setup hostname and FQDN

Set hostname and FQDN values (change meet and to the actual domain you are using):

sudo hostnamectl set-hostname meet
sudo sed -i 's/^*$/ meet/g' /etc/hosts

then check hostname, it should look like this:

user@meet:~$ hostname
user@meet:~$ hostname -f

IMPORTANT Remember to create a DNS A record for

Install prerequisites

You should install nginx before jitsi-meet, so that you won’t need to manually configure the webserver:
(this is actually needed only on Ubuntu, but since someone reported having issues also with Debian, you have better to do it anyway)

sudo apt install -y nginx
sudo systemctl start nginx.service
sudo systemctl enable nginx.service

Jitsi is reported not to work with OpenJDK 10: many recommend using OpenJDK 8, but OpenJDK 11 appears to be OK.
You should check which Java version is automatically installed along with jitsi-meet while installing it.

If you want to stick to OpenJDK 8, do it before installing jitsi-meet:

sudo apt install -y openjdk-8-jre-headless

Install Jitsi-meet

Add Jitsi repository and install jitsi-meet (remember to check OpenJDK version - do not add -y to apt command):

wget -qO - | sudo apt-key add -
sudo sh -c "echo 'deb stable/' > /etc/apt/sources.list.d/jitsi-stable.list"
sudo apt update -y
sudo apt install jitsi-meet

when requested, enter your as FQDN and choose to generate a self signed certificate.

Install Let’s Encrypt Certificates

Run auto-install script:

sudo /usr/share/jitsi-meet/scripts/

when requested, enter your email (to receive certificate renewal notifications – IMPORTANT: put an email address that you actually use, such notifications are important!) and wait for the process to be successfully completed (in case of failure, relaunch the script above).

Now you have a jitsi-meet server up and running at (without any authentication: anyone can enter, create rooms and invite people).

IMPORTANT: Certificates renewal

There is an open issue on github about letsencrypt certificates renewal problems ( However, it does not appear to apply to the standard debian/ubuntu installation described here. In any case, if there are problems with certificates renewal, you will be notified by email; in such case, just run again the command above.

NOTE*: The command above does not create the certificate for Prosody (required to allow password change through external XMPP clients), so you have to import it manually (see the how-to page on authentication).