Network Level Security
Information on this page only applies to retailers with their own in-house servers. If you are using Fieldpine Online, you cannot change these options.
A Store Server or Head Office Server is a special type of web server called an application server. It behaves a lot like a normal web server but is designed specifically for retail operations, not general purpose web serving. The default configuration is to allow all connections from local LAN addresses and block any internet connections. If you wish to allow realtime integration, or access from mobile staff, at home, etc., then you may want to allow access from the internet.
Enabling Internet Access
As your server is situated inside your network it does not normally have inbound access from the internet. The main reasons you may want to enable internet access to your Fieldpine server are:
- To provide selected access to information to outside applications and users
- So you can manage and review your store from home or while mobile
- In order to use HTTPS / SSL on web pages inside your network, allowing your tablets to use secure resources such as cameras and geolocation. (More on using HTTPS)
Before you start, first enable a password so that the server is protected immediately. Instructions to set a password are further down this page. After that you need to enable internet access. There are two main ways this can be done:
| Option | Pros | Cons |
| --- | --- | --- |
| Cloudflare Tunnel | | |
| Opening Firewall (on your router) | | |
Cloudflare Tunnels
By using a Cloudflare Tunnel you install a special program on your server that connects out to the Cloudflare network and makes Fieldpine available without having to open firewalls or expose your origin IP address (the internet address you have).
Step 1. Register for a free, pro or business Cloudflare account and move your DNS server to them. If you do not have a custom DNS name like "mystore.com" you might like to purchase one of these. Search for "domain registrars".
Step 2. Install the Cloudflare tunnel application. Cloudflare's instructions for this are available here, or a quick list is:
- Download and install Cloudflared. These instructions will assume you place this in the \fieldpine\Cloudflared folder
- Register Cloudflared as per standard instructions
- Create a tunnel with cloudflared tunnel create XXX
  Where XXX is a name you wish to call the tunnel, such as 'GDS'. This name is not used by the general public; it is only for admin purposes.
- If you are using one machine to create tunnels but are deploying to a different machine, repeat the first two items of this list (install and register, but not the tunnel creation) on the target machine, and perform all the following instructions on the target machine
- Copy the tunnel definition file created when the tunnel was created to the folder containing the cloudflared program on the target machine (\fieldpine\cloudflared). The tunnel definition file will have a name that looks something like F1CB-ED8173737-585839858T-3847EA.json
- Create the folder \windows\system32\config\systemprofile\.cloudflared and then create a text file called config.yml in that folder. Note there is a "." (dot) in that path name between systemprofile and cloudflared. Insert the following content, changing as required:

```yaml
url: http://localhost:8310
tunnel: F1CB-ED8173737-585839858T-3847EA
credentials-file: /fieldpine/cloudflared/F1CB-ED8173737-585839858T-3847EA.json
```

- Open a command prompt with administrator rights, change to the cloudflared folder and issue the command cloudflared service install
- Open regedit and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cloudflared and add "tunnel run" to the ImagePath value, for example C:\Fieldpine\Cloudflared\cloudflared.exe tunnel run
- Start the service.
- Login to your Cloudflare account and configure a DNS record pointing to your tunnel. Instructions for this are on the Cloudflare website
- You should now be able to browse to https://YOUR-DOMAIN/report/pos/sshome.htm and it should prompt for a password, assuming you enabled a password as recommended.
Opening a Router/Firewall port
When you open your firewall/router, then any connections to your IP address/port will forward to your Fieldpine Server.
To open a port, login to your internet router and add something variously called "Virtual server", "Port forwarding", "Pinhole routing" or "Remote applications" on different routers. You may need to consult your router documentation to complete this step. In general terms, the following needs to be completed. These steps are the normal steps required for proxying ports, except # which may be Fieldpine specific
- Need a fixed IP from your ISP
- Define your internet domain to point to that IP
- Allocate a fixed IP on the server computer instore (some routers can access by MAC)
- Configure router/firewall to pass ports 80 + 443 to your reverse proxy/stunnel
- Install/configure whatever SSL gateway/reverse proxy you want (most use stunnel, or Meraki, but alternatives exist)
- Obtain SSL certificates and automate renewal (LetsEncrypt, or purchase annual certs if you prefer)
- Point the SSL gateway/proxy output to port 8310 on the computer running Fieldpine
- If required, whitelist in Gds.ctl all IP addresses that the reverse proxy comes from (eg Azure/AWS host address list if running there)
- Make sure the SSL gateway etc sends a valid PROXY header. Essentially Fieldpine requires the original source IP in the X-Forwarded-For headers. We will work without the original source IP address, but you lose tracking and the ability to filter by IP address. You must check that access from outside the store (ie from the internet) is detected as INTERNET by Gds, otherwise we will apply the security policy for LAN. Technically, we look at the source IP and determine security based on that. When using a proxy, the source IP is obviously the proxy IP address, not the original caller. If a PROXY header is present, we use the information in that. If not, then we check for X-Forwarded-For HTTP headers to determine the source IP address.
- Tip. Make sure your router(s) and/or ISP handle hairpinning, otherwise you cannot connect to https://mystore.xyz from within the store, which can be a pain and limit instore operations.
Tip, if you aren't sure what this is all about, hire a local IT technician to make these changes, it will take them an hour or two. Fieldpine support cannot help with configuring routers as there are numerous models and they all vary.
Technical. Fieldpine Store Server runs an HTTP based server, typically on port 8310. SSL connections are provided using external applications (such as stunnel) as these arguably have some security advantages. In order to access Fieldpine from the internet you open the router/firewall (whatever port you want) and forward that to an SSL gateway/proxy, which then connects to Fieldpine on port 8310.
Changing Security
Your retail server applies security at 3 levels:
- The interface port at socket level. When a connection is opened, this is the first area it connects to. When a connection arrives, Fieldpine performs the following:
  - Determine the remote IP address of the socket and classify it as an internet or private IP address range
  - If that address type is not enabled, close the socket
  - If accept/deny lists of IP addresses are present, apply those rules
  - Read the HTTP headers and look for the header X-Forwarded-For indicating a proxy is in use. Validate all those X-Forwarded-For addresses and verify they also meet the above restrictions
  - If the source claims to be via Cloudflare, perform additional checks to verify that claim
- Next, any host requested in the HTTP headers is located, and then broadly speaking the same rules as above are applied
- Finally, the retail environment (essentially your database) is located and checked with similar rules.
Requiring a username/password
The minimum security we recommend is to apply a username/password for internet connections. Edit the file \fieldpine\gds\gds.ctl using notepad, and add the filter-internet=require-password line shown in the interface section below:

```
interface
port=8310
filter-internet=require-password(mySecretUserName:mySecretPassword)
type=debug,normal,internet,private,ipv6,trace
```
You may insert multiple filter-internet=require-password options if you wish, so that you can have a couple of different logins. But do not create a login/password for each user here, there are better ways to manage bulk authorisations.
Tip. The username/password does not need to be friendly, most browsers or password managers will offer to remember the password so you only need to enter it rarely
Allowing or Blocking Specific IP addresses
If you wish to permit or deny specific IP addresses, these can be hardcoded into Gds.ctl. This can be used in a multistore environment where external stores have static IP addresses: add them and they are granted access. This is not needed if your stores are running a VPN, as with a VPN remote stores will have IP addresses in the private IP address range.

```
interface
port=8310
filter-internet=allow(202.123.45.67)
filter-internet=block(199.*.*.*)
```
IP addresses allowed do not need to provide any password. Blocked IP addresses are blocked, even if they supply the correct name/password.
Allowing/blocking an address, step by step guide
- Locate the file \fieldpine\gds\gds.ctl. It might be in a different folder such as \Fieldpine\gds2
- Right click this file, and select "open with" and then notepad. You must edit this file using a simple text editor, not word or similar.
- Search for the keyword "interface". This typically only appears once. But if present multiple times there will be a line "port=NNN" below it. Find the interface section for the port you require
- Add the line filter-internet=allow(23.24.25.26) where 23.24.25.26 is the IPv4 address you wish to add. (Tip, if the address you are adding starts with 192. or 10. you probably have the internal IP address and not the public IP address, so it will not work)
- If you are blocking an address, change the word "allow" to "block": filter-internet=block(23.24.25.26)
- Save the file changes
- Restart Gds. Either by using Services to restart Gds or reboot windows if easier.
Permitting Specific API Keys
A common requirement is to permit external eCommerce websites to access the APIs. If you list the valid API-keys, then those keys are permitted access and also do not need to provide the access username/password.
```
interface
port=8310
filter-internet=apikey(Gkfjhvh3k50v83h5hvivh2kj5hgiuvwjBDhvdiBVFvh4hv)
filter-internet=apikey(i82ghvghwjenvG4f5gBGbgdXDDJSORJV89245jv9himum9uadjdj3vkpejjvakaGDD)
```
An alternative strategy would be to list the valid source IP addresses of the eCommerce site, however this may be tricky especially if the website is hosted on common platforms such as Azure or AWS.
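As an added illustration (not Fieldpine code; the real gds.ctl parser may differ), the following Python models the socket-level check order described under Changing Security together with the allow, block, require-password and apikey directives from the sections above: forwarded addresses are validated as well as the peer, a block wins even with correct credentials, and listed addresses or API keys bypass the password. The sample gds.ctl text, addresses and API key are constructed placeholders.

```python
import hmac
import ipaddress
from fnmatch import fnmatchcase

# Constructed gds.ctl interface section (not Fieldpine's own file); the
# directives mirror those described on this page and the key is a placeholder.
SAMPLE_GDS_CTL = """interface
port=8310
filter-internet=require-password(mySecretUserName:mySecretPassword)
filter-internet=allow(202.123.45.67)
filter-internet=block(199.*.*.*)
filter-internet=apikey(EXAMPLE-API-KEY-PLACEHOLDER)
"""


def parse_filters(text):
    """Collect filter-internet=<kind>(<arg>) directives in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("filter-internet="):
            kind, _, arg = line[len("filter-internet="):].partition("(")
            rules.append((kind, arg.rstrip(")")))
    return rules


def decide(rules, socket_ip, forwarded_for=(), password=None, apikey=None):
    """Return 'lan', 'allowed', 'blocked' or 'password-required'.
    chain = socket peer + X-Forwarded-For hops; all must parse and clear the
    block list. First hop (or peer) picks LAN vs internet policy. password=(user, pass)."""
    chain = [socket_ip, *forwarded_for]
    try:
        parsed = [ipaddress.ip_address(ip) for ip in chain]
    except ValueError:
        return "blocked"  # a malformed forwarded address is not trusted
    blocks = [arg for kind, arg in rules if kind == "block"]
    if any(fnmatchcase(ip, pat) for ip in chain for pat in blocks):
        return "blocked"  # block wins even with correct credentials
    caller = parsed[1] if forwarded_for else parsed[0]
    if caller.is_private:
        return "lan"  # LAN policy applies; internet filters are not consulted
    for kind, arg in rules:
        if kind == "allow" and fnmatchcase(str(caller), arg):
            return "allowed"  # listed addresses need no password
        if kind == "apikey" and apikey is not None and hmac.compare_digest(apikey, arg):
            return "allowed"  # listed API keys need no password either
        if kind == "require-password" and password is not None \
                and hmac.compare_digest(":".join(password), arg):
            return "allowed"
    return "password-required"
```

Run it against a proxy scenario (LAN proxy address plus an internet X-Forwarded-For hop) to confirm the caller is classified as INTERNET, the situation the PROXY header tip above warns about.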