Deployment Pro on premises refactoring

Author: pabloFuente

docs/openvidu-pro/deployment/on-premises.md

@@ -71,50 +71,34 @@ Once you have your instances ready, be sure to meet the following criteria in th
 
 - **2 CPUs and 8GB of RAM at least**, as well as a generous network bandwidth
 
-- **Opened ports in _OpenVidu Server Pro Node_**
+- **Configure a domain name**: OpenVidu Pro is deployed using HTTPS because it is mandatory to use WebRTC. Then, if you do not have a domain name, an autogenerated SSL certificate will be used and an ugly warning will appear to your users when enter to your site. And of course you can suffer a man-in-the-middle attack. So it is recommended that you configure a domain name pointing to OpenVidu Server Pro Node public IP (Media Nodes do not need a domain name, it is enough for them to have a public IP). A valid SSL certificate can be automatically generated using Let's Encrypt in the installation process. If you already have a valid SSL certificate of your own, it also can be configured.
 
-    - **22 TCP**: to connect using SSH to admin OpenVidu.
-    - **80 TCP**: if you select Let's Encrypt to generate an SSL certificate this port is used by the generation process.
-    - **443 TCP**: OpenVidu Inspector is served in standard https port.
-    - **3478 TCP+UDP**: used by TURN server to resolve clients IPs.
-    - **40000 - 65535 TCP+UDP**: used by TURN server to establish relayed media connections.<br><br>    
+- **Port configuration in _OpenVidu Server Pro Node_**
 
-   Please take care to close ports not mentioned above to block access to some of the internal services of OpenVidu platform (like Redis). For example, you can configure public/private ports in any cloud platform ([OpenStak security groups](https://docs.openstack.org/horizon/latest/user/configure-access-and-security-for-instances.html#), [AWS security groups](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html), etc..) or installing [UFW](https://manpages.ubuntu.com/manpages/bionic/en/man8/ufw.8.html) with the following configuration:
+    - **Open these ports** ([here](#close-ports-in-openvidu-server-pro-node-to-avoid-external-attacks) you have an UFW sample to configure a firewall)
 
-```
-ufw allow ssh
-ufw allow 80/tcp
-ufw allow 443/tcp
-ufw allow 3478/tcp
-ufw allow 3478/udp
-ufw allow 40000:65535/tcp
-ufw allow 40000:65535/udp
-ufw enable
-```
-
-- **Free ports in _OpenVidu Server Pro Node_**: OpenVidu platform services will need the following ports to be available in the machine: 80, 443,  3478, 5442, 5443, 6379. If some of these ports is used by any process, OpenVidu platform won't work correctly. It is a typical error to have an NGINX process in the system before installing OpenVidu. Please uninstall it.
+        - **22 TCP**: to connect using SSH to admin OpenVidu.
+        - **80 TCP**: if you select Let's Encrypt to generate an SSL certificate this port is used by the generation process.
+        - **443 TCP**: OpenVidu Inspector is served by default in standard https port.
+        - **3478 TCP+UDP**: used by TURN server to resolve clients IPs.
+        - **40000 - 65535 TCP+UDP**: used by TURN server to establish relayed media connections.<br><br>
 
-- **Opened ports in _Media Nodes_**
+    - **Close all other ports**: this is VERY important to avoid external attacks to OpenVidu internal services. Check troubleshooting section [Close ports in OpenVidu Server Pro Node to avoid external attacks](#close-ports-in-openvidu-server-pro-node-to-avoid-external-attacks) to learn more about this.
 
-    - **22 TCP**: to connect using SSH to admin OpenVidu.
-    - **40000 - 65535 TCP+UDP**: used by Kurento Media Server to establish media connections.
-    - **8888 TCP**: Kurento Media Server handler listens on port 8888. <strong style="color: #990000">WARNING!!</strong> Port 8888 **must only be accessible for OpenVidu Server Pro instance**. Access trough this port must be restricted from the Internet, or anyone could spy your sessions.<br><br>
+    - **Free ports inside the server**: OpenVidu Server Pro Node services will need the following ports to be available inside the machine: 80, 443,  3478, 5442, 5443, 6379. If some of these ports is used by any process, OpenVidu platform won't work correctly. It is a typical error to have an NGINX process in the system before installing OpenVidu. Please uninstall it.
 
-  If you use [UFW](https://manpages.ubuntu.com/manpages/bionic/en/man8/ufw.8.html) the configuration is:
- 
-```
-ufw allow ssh
-ufw allow 40000:65535/tcp
-ufw allow 40000:65535/udp
-ufw allow 8888/tcp from <OPENVIDU_SERVER_PRO_IP>
-ufw enable
-```
+- **Port configuration in _Media Nodes_**
 
-- **Free ports in _Media Nodes_**: OpenVidu platform services will need the port 8888 to be available in the machine.
+    - **Open these ports** ([here](#close-ports-in-media-nodes-to-avoid-external-attacks) you have an UFW sample to configure a firewall)
 
-- **Configure a domain name**: OpenVidu Pro is deployed using HTTPS because it is mandatory to use WebRTC. Then, if you do not have a domain name, an autogenerated SSL certificate will be used and an ugly warning will appear to your users when enter to your site. And of course you can suffer a man-in-the-middle attack. So it is recommeded that you configure a domain name pointing to **OpenVidu Server Pro Node** public IP. A valid SSL certificate can be automatically generated using Let's Encrypt in the installation process. If you already have a valid SSL certificate of your own, it also can be configured.
+        - **22 TCP**: to connect using SSH to admin OpenVidu.
+        - **80 TCP**: to allow OpenVidu Server Pro Node downloading recording files.
+        - **40000 - 65535 TCP+UDP**: used by Kurento Media Server to establish media connections.
+        - **8888 TCP**: Kurento Media Server handler listens on port 8888. <strong style="color: #990000">WARNING!!</strong> Port 8888 **must only be accessible for OpenVidu Server Pro instance**. Access trough this port must be restricted from the Internet, or anyone could spy your sessions.<br><br>
 
+    - **Close all other ports**: this is VERY important to avoid external attacks to OpenVidu internal services. Check troubleshooting section [Close ports in Media Nodes to avoid external attacks](#close-ports-in-media-nodes-to-avoid-external-attacks) to learn more about this.
 
+    - **Free ports inside the server**: Media Node services will need the port 8888 to be available inside the machine.
 
 <br>
 
@@ -219,7 +203,7 @@ [email protected]
 By default, the [OpenVidu Call](demos/openvidu-call/){:target="_blank"} application is deployed alongside OpenVidu Platform. It is accessible in the URL:
 
 ```console
-https://openvidu_domain_or_public_ip/
+https://OPENVIDU_DOMAIN_OR_PUBLIC_IP/
 ```
 
 This application is defined in file `docker-compose.override.yml`. To disable OpenVidu Call application, you can delete the file `docker-compose.override.yml` (or just rename it in case you want to enable it again in the future).
@@ -610,6 +594,25 @@ Configuration properties
 
 To change the level of _openvidu-server_ logs change the property `OV_CE_DEBUG_LEVEL` in configuration file `.env`.
 
+#### Close ports in OpenVidu Server Pro Node to avoid external attacks
+
+Closing all non-necessary ports in your OpenVidu Server Pro Node machine is very important to avoid external attacks. Some administrators using OpenVidu have reported attacks because their ports weren't properly closed. Of course, all of the opened ports stated in [Prerequisites](#1-prerequisites) section must be accessible from the exterior, but the rest must be closed to grant proper protection.
+
+Typically, cloud providers initiate their machines with all ports closed by default, so usually it is only necessary to open the required ones. For example, you can configure public/private ports in in OpenStack with [OpenStack security groups](https://docs.openstack.org/horizon/latest/user/configure-access-and-security-for-instances.html#){:target="_blank"}, in AWS with [AWS security groups](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html){:target="_blank"}, etc...
+
+If your only choice is to manually configure a firewall, you can for example install in any GNU/LInux system the great [UFW (Uncomplicated Firewall)](https://manpages.ubuntu.com/manpages/bionic/en/man8/ufw.8.html){:target="_blank"} (`sudo apt install ufw`) with the following configuration to only allow the required ports necessary in your OpenVidu Server Pro Node:
+
+```
+ufw allow ssh
+ufw allow 80/tcp
+ufw allow 443/tcp
+ufw allow 3478/tcp
+ufw allow 3478/udp
+ufw allow 40000:65535/tcp
+ufw allow 40000:65535/udp
+ufw enable
+```
+
 ---
 
 ### Troubleshooting Media Nodes
@@ -657,6 +660,23 @@ To change the level of Kurento Media Server _kms_ logs change the property `KMS_
 
 OpenVidu and Kurento Media Server evolve at a different pace. Sometimes, it is possible that a new KMS is released but OpenVidu is not still updated. In that case, if you hit a bug that might be solved in the last KMS version, you can test if just updating KMS fixes your issue. `KMS_IMAGE` property allows you to specify the new KMS image in configuration file `.env`.
 
+#### Close ports in Media Nodes to avoid external attacks
+
+Closing all non-necessary ports in your Media Node machines is very important to avoid external attacks. Some administrators using OpenVidu have reported attacks because their ports weren't properly closed. Of course, all of the opened ports stated in [Prerequisites](#1-prerequisites) section must be accessible from the exterior, but the rest must be closed to grant proper protection.
+
+Typically, cloud providers initiate their machines with all ports closed by default, so usually it is only necessary to open the required ones. For example, you can configure public/private ports in in OpenStack with [OpenStack security groups](https://docs.openstack.org/horizon/latest/user/configure-access-and-security-for-instances.html#){:target="_blank"}, in AWS with [AWS security groups](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html){:target="_blank"}, etc...
+
+If your only choice is to manually configure a firewall, you can for example install in any GNU/LInux system the great [UFW (Uncomplicated Firewall)](https://manpages.ubuntu.com/manpages/bionic/en/man8/ufw.8.html){:target="_blank"} (`sudo apt install ufw`) with the following configuration to only allow the required ports necessary in your Media Nodes:
+
+```
+ufw allow ssh
+ufw allow 80/tcp
+ufw allow 40000:65535/tcp
+ufw allow 40000:65535/udp
+ufw allow 8888/tcp from <OPENVIDU_SERVER_PRO_IP>
+ufw enable
+```
+
 <br>
 
 <script src="js/copy-btn.js"></script>