Jitsi Meet is an open-source video conferencing server. I've wanted to run Jitsi behind zrok and someone asked about it today in the forum and we got it working! Here's how I conveniently self-host Jitsi with zrok.
Why zrok?
zrok.io makes it easy to self-host web applications while obscuring your real public IP and protecting your private network. Your visitors will see a trusted certificate with the name *.share.zrok.io provided by zrok.io as a service when they visit your Jitsi Meet instance's public URL.
Jitsi Meet requires a trusted certificate for WebRTC, so zrok.io also spares you the chore of issuing, renewing, and configuring a TLS server certificate for Jitsi.
Orientation
You only need Docker to follow this tutorial. There's nothing else to install. You can use this guide with a free account from zrok.io or a self-hosted zrok instance.
Jitsi Meet's Docker Compose project is pre-configured to publish the container ports to the Docker Host's external interfaces. Typically, that is necessary so they are reachable by clients.
zrok works differently and does not need the ports to be published externally. Instead, zrok runs inside the Compose project on the meet.jitsi bridge network. zrok will proxy the traffic securely to the containers' internal ports, so we'll override the forwarded, published ports, exposing them only inside the Compose project.
The Steps
Follow Jitsi's Docker Quickstart, but hold off on running docker compose up.
In your terminal, change to the directory where you have created these Jitsi quickstart files: .env and docker-compose.yml.
Download the zrok public share compose example and save it as the filename docker-compose.zrok.yml in the same directory.
Save the following YAML as the filename docker-compose.override.yml in the same directory.

    services:
      web:
        ports: !override []
      jicofo:
        ports: !override []
      jvb:
        ports: !override []
      zrok-share:
        networks:
          meet.jitsi:

Think of a name for your self-hosted Jitsi Meet instance. You will use it in the next step to define the unique name of the zrok share which is part of the public URL. The name must be 4-32 lowercase letters or numbers.
Save the following variable assignments as the filename .env.zrok in the same directory.

    PUBLIC_URL="https://myjitsi.share.zrok.io"  # subdomain must match ZROK_UNIQUE_NAME
    ZROK_UNIQUE_NAME="myjitsi"  # must match PUBLIC_URL subdomain
    ZROK_ENABLE_TOKEN="ix9XrvQt13Rf"  # zrok account token from console
    ZROK_ENVIRONMENT_NAME="jitsi-zrok-compose"  # name for the environment in the console graph
    ZROK_API_ENDPOINT="https://api.zrok.io"  # must be set to the zrok API you're using
    ZROK_TARGET="https://web:443"  # this is correct for the web container's internal port
    ZROK_INSECURE="--insecure"  # let zrok skip cert verification for the internal web:443 target

Optionally, turn on OAuth for this Jitsi Meet instance with zrok. Add the following to the .env.zrok file (the Docker public share guide has more info).

    ZROK_OAUTH_PROVIDER="google"  # google, github
    # space-separated list of email patterns verified by the provider
    ZROK_OAUTH_EMAILS="alice.example@gmail.com *@acme.example.com"

Save the following script as the filename compose.bash in the same directory. This script configures the compose project and environment files.

    export COMPOSE_FILE="docker-compose.yml:docker-compose.zrok.yml:docker-compose.override.yml"
    export COMPOSE_ENV_FILES=".env,.env.zrok"
    docker compose "${@}"

Ensure you have all the necessary files.
docker-compose.yml
docker-compose.zrok.yml
docker-compose.override.yml
.env
.env.zrok
compose.bash
Run Jitsi and zrok.

    bash ./compose.bash up

Open Jitsi in a web browser at the address from the PUBLIC_URL environment variable, e.g., https://myjitsi.share.zrok.io.
If you need to change the name, authentication, etc. you can delete the environment in the zrok web console and delete the Docker volumes like this to start over. It's also possible to make surgical changes if you don't want to start over. Ask for help in Discourse.

    bash ./compose.bash down --volumes

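The point of docker-compose.override.yml is that no service publishes a port on the Docker Host, so it is worth checking the merged configuration before you rely on it. The following is an added example, not part of the original tutorial or the zrok project: it assumes the JSON produced by docker compose config --format json, and the script name check_ports.py, the function published_ports, and both sample documents are constructed for illustration.

```python
"""Added example: list host ports published by the merged Compose config.

Usage (assumed): bash ./compose.bash config --format json | python3 check_ports.py
"""
import json
import sys

# Constructed sample: merged config WITHOUT docker-compose.override.yml.
SAMPLE_WITHOUT_OVERRIDE = json.dumps({"services": {
    "web": {"ports": [
        {"mode": "ingress", "target": 80, "published": "8000", "protocol": "tcp"},
        {"mode": "ingress", "target": 443, "published": "8443", "protocol": "tcp"},
    ]},
    "jvb": {"ports": [
        {"mode": "ingress", "target": 10000, "published": "10000", "protocol": "udp"},
    ]},
    "zrok-share": {"networks": {"meet.jitsi": None}},
}})

# Constructed sample: same project with `ports: !override []` applied.
SAMPLE_WITH_OVERRIDE = json.dumps({"services": {
    "web": {"ports": []},
    "jvb": {},
    "zrok-share": {"networks": {"meet.jitsi": None}},
}})


def published_ports(config_json):
    """Return sorted (service, host_ip, published, target, protocol) tuples."""
    services = json.loads(config_json).get("services") or {}
    found = []
    for name, svc in services.items():
        for port in (svc or {}).get("ports") or []:
            found.append((
                name,
                port.get("host_ip", "0.0.0.0"),  # no host_ip means all interfaces
                str(port.get("published", "ephemeral")),  # unset: random host port
                port["target"],
                port.get("protocol", "tcp"),
            ))
    return sorted(found)


if __name__ == "__main__":
    piped = not sys.stdin.isatty()
    leaks = published_ports(sys.stdin.read() if piped else SAMPLE_WITHOUT_OVERRIDE)
    for svc, host_ip, published, target, proto in leaks:
        print(f"PUBLISHED {svc}: {host_ip}:{published} -> {target}/{proto}")
    sys.exit(1 if leaks else 0)
```

An exit status of 0 means the override took effect for every service; any PUBLISHED line names a service that is still reachable on a host interface.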
zrok frontdoor
This tutorial for Jitsi Meet is a great example of zrok frontdoor. zrok frontdoor brings many advantages for self-hosters and is always enabled when using zrok.io as a service with a production-ready service like this zrok public share in Docker. zrok.io users enjoy additional shielding for their Jitsi Meet public URL.
Relatedly
zrok is built with OpenZiti. Here's another post about running an Asterisk PBX without published ports, just as your Jitsi Meet instance has no open ports on the Docker Host's outward-facing interfaces.
Share the Project
If you find this interesting, please consider starring us on GitHub. It helps. Let us know if you found a good use for this or have an improvement or question in mind on X (Twitter), in /r/openziti, or on the Discourse forum. We upload and stream on YouTube too. We'd love to hear from you!