If you are using `ufw` or another firewall software, you need to add an exception to the TCP ports 443 and 4443 and the
UDP port 10000:
```bash
sudo ufw allow 443/tcp # this is probably already allowed if you are runnning a webserver
sudo ufw allow 4443/tcp
sudo ufw allow 10000/udp
```
## Prepare the Let's Encrypt certificate
The easiest way to set up HTTPS is by creating the SSL certificates beforehand. If you are using `certbot` you can do
this by running e.g.
```bash
sudo certbot certonly -d jitsi.yourdomain.example
```
## Run the installer
At this point you can start the jitsi setup. At this point either Nginx or Apache have to be set up for the installer to
configure everything correctly.
```bash
apt-get -y install jitsi-meet
```
In the first step, the installer will ask for the domain where you want to install Jitsi: `jitsi.yourdomain.example`.
In the next step select that you want to use your existing certificate which you
created [in the previous step](/books/how-to-install-jitsi-meet-on-debian-or-ubuntu/page/prepare-the-lets-encrypt-certificate)
. Assuming you are using certbot, you can find the private key
at `/etc/letsencrypt/live/jitsi.yourdomain.example/privkey.pem` and the certificate
at `/etc/letsencrypt/live/jitsi.yourdomain.example/fullchain.pem`.
If all goes well you should already be able to access Jitsi at `https://jitsi.yourdomain.example`. Nevertheless, there
are a few more steps to make sure everything is configured ideally.
{{<alerttype="danger">}}
Everyone who can access the website is able to create a meeting room. If you want to
restrict this, follow the instructions [below](#adding-authentification-to-room-creation).
{{</alert>}}
## Some more things...
### Nginx
If you are using Nginx, you can take a look at the generated `/etc/nginx/sites-available/jitsi.yourdomain.example.conf` and edit it to align with the configs of your other sites. You might want to adapt the ssl config or enable `http2`.
### NAT
If your server is not directly connected to the internet, you have to specify its local IP in `/etc/jitsi/videobridge/sip-communicator.properties`:
(thanks to [kuketz-blog.de](https://www.kuketz-blog.de/kurzanleitung-jitsi-meet-videokonferenz-per-browser-oder-app/) for the idea)
By default Jitsi uses the STUN server by Google to set up a connection.
If you don't want this, you can replace the list of STUN servers in the `/etc/jitsi/meet/jitsi.yourdomain.example-config.js`:
```javascript
stunServers: [
{ urls: 'stun:stun.t-online.de:3478' },
{ urls: 'stun:stun.1und1.de:3478' },
{ urls: 'stun:stun.easybell.de:3478' },],
```
### Screensharing and Firefox 74+
**Update: This change is included in the latest version of the Debian package and is therefore not needed anymore.**
Screensharing in Firefox 74+ doesn't work. Thankfully there is a [patch available](https://github.com/jitsi/jitsi-meet/pull/5180) and it is simple enough that one can apply it to the installed Jitsi instance.
Edit the `/usr/share/jitsi-meet/libs/external_api.min.js`. It is minified and quite unreadable, but one only has to search for `camera; microphone;` in it and then replace the string `this._frame.allow="camera; microphone"` with `this._frame.allow="camera; microphone; display-capture"`.
A save and reload of the page later everything should be working fine.
## Adding authentification to room creation
You probably want to restrict the creation of new rooms to some users, but still allow everyone with the link to join a room.
For this we can configure [`jicofo`](https://github.com/jitsi/jicofo/blob/master/README.md#secure-domain):
{{<alerttype="danger">}}
You might also want to take a look at [the official docs](https://jitsi.github.io/handbook/docs/devops-guide/secure-domain) on this topic.
{{</alert>}}
First edit the `/etc/prosody/conf.avail/jitsi.yourdomain.example.cfg.lua`.
In the main `VirtualHost`, replace `anonymous` authentication with `internal_plain`. Next up create a new `VirtualHost` below for e.g. `guest.jitsi.yourdomain.example` with `anonymous` authentication.
Afterwards the file should look similar to this:
```lua
VirtualHost "jitsi.yourdomain.example"
-- enabled = false -- Remove this line to enable this host
authentication = "internal_plain"
-- Properties below are modified by jitsi-meet-tokens package config
-- and authentication above is switched to "token"
--app_id="example_app_id"
--app_secret="example_app_secret"
-- Assign this host a certificate for TLS, otherwise it would use the one
-- set in the global section (if any).
-- Note that old-style SSL on port 5223 only supports one certificate, and will always
Now when you create a new room, you can click on `I am the host` and enter the username/passwort. Every following user will be able to join directly.
{{<imagesrc="waiting-for-host.png"title="Screenshot of confirmation window">}}
### Using existing user databases
As jitsi is using Prosody for this, you can use e.g. [IMAP](https://modules.prosody.im/mod_auth_imap.html), [LDAP](https://modules.prosody.im/mod_auth_ldap.html), [Wordpress](https://modules.prosody.im/mod_auth_wordpress.html) and [many more](https://modules.prosody.im/type_auth.html) for authentication.
But if you just want to limit the instance to the people you know, a single shared user account as set up above might be enough.