Commit dbdb597

Deployment CE on premises refactoring
1 parent cc2bc02 commit dbdb597

1 file changed

+33
-23
lines changed


docs/deployment/deploying-on-premises.md

@@ -35,33 +35,22 @@ This procedure installs the following services:
3535

3636
- **[Install Docker Compose](https://docs.docker.com/compose/install/){:target="_blank"}**. NOTE: install docker-compose from the link (official Docker site) as minimum version `1.24` is required.
3737

38-
- **Opened ports in the server**
38+
- **Configure a domain name**: OpenVidu is deployed using HTTPS because it is mandatory to use WebRTC. Then, if you do not have a domain name, an autogenerated SSL certificate will be used and an ugly warning will appear to your users when enter to your site. And of course you can suffer a man-in-the-middle attack. So it is recommended that you configure a domain name pointing to your machine's public IP. A valid SSL certificate can be automatically generated using Let's Encrypt in the installation process. If you already have a valid SSL certificate of your own, it also can be configured.
3939

40-
- **22 TCP**: to connect using SSH to admin OpenVidu.
41-
- **80 TCP**: if you select Let's Encrypt to generate an SSL certificate this port is used by the generation process.
42-
- **443 TCP**: OpenVidu server and application are published in standard https port.
43-
- **3478 TCP+UDP**: used by TURN server to resolve clients IPs.
44-
- **40000 - 57000 TCP+UDP**: used by Kurento Media Server to establish media connections.
45-
- **57001 - 65535 TCP+UDP**: used by TURN server to establish relayed media connections.<br><br>
40+
- **Port configuration in the server**
4641

47-
Please take care to close ports not mentioned above to block access to some of the internal services of OpenVidu platform (like Redis). For example, you can configure public/private ports in any cloud platform ([OpenStak security groups](https://docs.openstack.org/horizon/latest/user/configure-access-and-security-for-instances.html#), [AWS security groups](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html), etc..) or installing [UFW](https://manpages.ubuntu.com/manpages/bionic/en/man8/ufw.8.html) with the following configuration:
42+
- **Open these ports** (in section [Close ports to avoid external attacks](#close-ports-to-avoid-external-attacks) you have an UFW sample to configure a firewall)
4843

49-
```
50-
ufw allow ssh
51-
ufw allow 80/tcp
52-
ufw allow 443/tcp
53-
ufw allow 3478/tcp
54-
ufw allow 3478/udp
55-
ufw allow 40000:57000/tcp
56-
ufw allow 40000:57000/udp
57-
ufw allow 57001:65535/tcp
58-
ufw allow 57001:65535/udp
59-
ufw enable
60-
```
44+
- **22 TCP**: to connect using SSH to admin OpenVidu.
45+
- **80 TCP**: if you select Let's Encrypt to generate an SSL certificate this port is used by the generation process.
46+
- **443 TCP**: OpenVidu server and application are published by default in standard https port.
47+
- **3478 TCP+UDP**: used by TURN server to resolve clients IPs.
48+
- **40000 - 57000 TCP+UDP**: used by Kurento Media Server to establish media connections.
49+
- **57001 - 65535 TCP+UDP**: used by TURN server to establish relayed media connections.<br><br>
6150

62-
- **Configure a domain name**: OpenVidu is deployed using HTTPS because it is mandatory to use WebRTC. Then, if you do not have a domain name, an autogenerated SSL certificate will be used and an ugly warning will appear to your users when enter to your site. And of course you can suffer a man-in-the-middle attack. So it is recommeded that you configure a domain name pointing to your machine's public IP. A valid SSL certificate can be automatically generated using Let's Encrypt in the installation process. If you already have a valid SSL certificate of your own, it also can be configured.
51+
- **Close all other ports**: this is VERY important to avoid external attacks to OpenVidu internal services. Check troubleshooting section [Close ports to avoid external attacks](#close-ports-to-avoid-external-attacks) to learn more about this.
6352

64-
- **Free ports**: OpenVidu platform services will need the following ports to be available in the machine: 80, 443, 3478, 5442, 5443, 6379 and 8888. If some of these ports is used by any process, OpenVidu platform won't work correctly. It is a typical error to have an NGINX process in the system before installing OpenVidu. Please uninstall it.
53+
- **Free ports inside the server**: OpenVidu platform services will need the following ports to be available in the machine: 80, 443, 3478, 5442, 5443, 6379 and 8888. If some of these ports is used by any process, OpenVidu platform won't work correctly. It is a typical error to have an NGINX process in the system before installing OpenVidu. Please uninstall it.
6554

6655
<br>
6756

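Review bot: the new "Close all other ports" bullet (new line 51) loses the one concrete example the removed paragraph (old line 47) gave of what is being protected, namely Redis, and the "Free ports inside the server" bullet right after it (new line 53) lists 5442, 5443, 6379 and 8888 without saying whether those should be reachable from outside; a reader can easily take "free" as "open". Suggest stating in the "Close all other ports" bullet that 5442, 5443, 6379 (Redis) and 8888 are internal-only and must be reachable from the host itself only, so that the list of "ports to open" and the list of "ports that must be free" cannot be confused. The "Open these ports" bullet (new line 42) and the "Close all other ports" bullet (new line 51) both link to the same `#close-ports-to-avoid-external-attacks` anchor; one link is enough. Minor: "to resolve clients IPs" (new line 47) should be "clients' IPs".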
@@ -160,7 +149,7 @@ [email protected]
160149
By default, the [OpenVidu Call](demos/openvidu-call/){:target="_blank"} application is deployed alongside OpenVidu Platform. It is accessible in the URL:
161150

162151
```console
163-
https://openvidu_domain_or_public_ip/
152+
https://OPENVIDU_DOMAIN_OR_PUBLIC_IP/
164153
```
165154

166155
This application is defined in file `docker-compose.override.yml`. To disable OpenVidu Call application, you can delete the file `docker-compose.override.yml` (or just rename it in case you want to enable it again in the future).
@@ -353,6 +342,27 @@ To change the level of Kurento Media Server logs (***kms*** docker service) chan
353342

354343
OpenVidu and Kurento Media Server evolve at a different pace. Sometimes, it is possible that a new KMS is released but OpenVidu is not still updated. In that case, if you hit a bug that might be solved in the last KMS version, you can test if just updating KMS fixes your issue. `KMS_IMAGE` property allows you to specify the new KMS image in configuration file `.env`.
355344

345+
### Close ports to avoid external attacks
346+
347+
Closing all non-necessary ports in your server is very important to avoid external attacks. Some administrators using OpenVidu have reported attacks because their ports weren't properly closed. Of course, all of the opened ports stated in [Prerequisites](#1-prerequisites) section must be accessible from the exterior, but the rest must be closed to grant proper protection.
348+
349+
Typically, cloud providers initiate their machines with all ports closed by default, so usually it is only necessary to open the required ones. For example, you can configure public/private ports in in OpenStack with [OpenStack security groups](https://docs.openstack.org/horizon/latest/user/configure-access-and-security-for-instances.html#){:target="_blank"}, in AWS with [AWS security groups](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html){:target="_blank"}, etc...
350+
351+
If your only choice is to manually configure a firewall, you can for example install in any GNU/LInux system the great [UFW (Uncomplicated Firewall)](https://manpages.ubuntu.com/manpages/bionic/en/man8/ufw.8.html){:target="_blank"} (`sudo apt install ufw`) with the following configuration to only allow the required ports:
352+
353+
```
354+
ufw allow ssh
355+
ufw allow 80/tcp
356+
ufw allow 443/tcp
357+
ufw allow 3478/tcp
358+
ufw allow 3478/udp
359+
ufw allow 40000:57000/tcp
360+
ufw allow 40000:57000/udp
361+
ufw allow 57001:65535/tcp
362+
ufw allow 57001:65535/udp
363+
ufw enable
364+
```
365+
356366
<br>
357367

358368
<script src="js/copy-btn.js"></script>
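Review bot: the UFW sample at new lines 353-364 needs a caveat before it can be presented as the mechanism that closes "all non-necessary ports" in this deployment: the platform runs under docker-compose (see the Docker Compose prerequisite at line 36 and the "kms docker service" wording at new line 342), and Docker publishes container ports through its own iptables chains, which are evaluated before UFW's rules, so any port a container publishes on the host stays reachable even when UFW has no allow rule for it. Suggest saying that the sample only governs host-level listeners, that readers should verify from an external host (for example `nc -vz <public-ip> 6379`, placeholder address) that 5442, 5443, 6379 and 8888 are not reachable, and that the cloud security groups mentioned in the paragraph above are the preferred control where they exist. Two further changes to the sample itself: `ufw allow ssh` exposes SSH to every source, so recommend `ufw allow from <admin-ip> to any port 22 proto tcp` (placeholder address) instead, and add an explicit `ufw default deny incoming` before `ufw enable` so the deny policy is stated rather than assumed. Style: "GNU/LInux" at new line 351 should be "GNU/Linux", "in in OpenStack" at new line 349 has a duplicated word, and the code fence at new line 353 is untagged while the other fences in this file use ```console.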
