Purchase Order Customisation
Send Purchase Orders
Capturing Return Reasons
Capturing Courier Tags
Creating Agency Stores
Using QR Codes
Custom User Interfaces
Securing your Systems
Barcode Scanners Customer Displays Public Product List Scales
Email Accounts Websites
Pre Install Planning Creating a Franchise
Enabling HTTPS / SSL in the browser
Modern browsers restrict access to certain resources that are classified as secure resources. Cameras and GeoLocation are the most common, but there are many. In order to use these resources, the web server must be running HTTPS protocol, which requires an externally purchased "SSL Certificate".
In order to get a SSL certificate, your web server needs to be accessible to the internet, or you need DNS control ability of the domain. You cannot obtain an SSL certificate for a dotted IP address (such as 10.50.2.101)
This server needs an SSL certifcate for myfieldpine.example
This in turn requires a way to cross the red firewalled off area
Browser tries to use https://myfieldpine.example/...
- Browser validates SSL certificate by calling out to internet servers
Browser tries to use http://10.50.2.101/...
- This will work, but cannot access any secure resources such as cameras
Option 1 - Use Cloudflare with your own domain
This the recommended approach for most retailers.
- If you have your own domain and DNS is managed by Cloudflare, skip to #
- If you have your own domain is DNS is managed elsewhere, then either register a new domain, or move DNS to Cloudflare
- If you do not yet have a domain, or want a seperate domain to your primary business name, then register and new domain and configure Cloudflare to manage the DNS entries
- You can now configure a Cloudflare tunnel, see Network security - Cloudflare Tunnels
- Once operational, devices within your store network can use https://your-domain to use Fieldpine.
Option 2 - Use Lets Encrypt
Lets Encrypt is free service providing SSL certificates. However, you still need to have your own domain and be able to prove control over it
Option 3 - Use Fieldpine randomly allocated domain
If you are unable to allocate your own domain for some reason, then Fieldpine may be able to allocate a random sub-domain from our pool. These are all on domains other than primary Fieldpine Domains. For example you might be allocated the domain name greyelephant.smowezzh.xyz Allocated domains will not include your store or business name. The costs of setting up a random Fieldpine domain is generally higher than registering your own domain and using Cloudflare.
Option 4 - Self trusted root certificates
There are other options for technically capable installations. You can install a self signed certificate and add this to the trusted certificate store. This opens a whole other series of concerns, so if you are considering this then you will already be aware of the implications. Keep in mind that if you are using a mix of devices (Android, Windows, Apple) you may have different requirements per device.
Notes for IT Professionals
- Fieldpine applications are integrated with Cloudflare and change their internal trust model based on whether requests come via Cloudflare or not. If you are opening to the internet using alternative providers (eg directly opening ports, using Lets Encrypt, etc) Fieldpine may apply lower/tighter security thresholds. This does not mean you must use Cloudflare, simply that we cannot prove overall security you implement.
- Fieldpine Servers installed "in house" do not generally have HTTPS/SSL directly built in - this is because that requires administrator level accesss to open/read the certificate stores. We use and recommend stunnel as a secure SSL shim. Install stunnel on the same host/server as Fieldpine, requests from stunnel must have source IP of localhost
- There many constraints around obtaining SSL certificates, and other options not highlighted above will exist.
- All Fieldpine need is:
- An Installed SSL certificate that can be verified by a browser on a device as an iPad
- An SSL convertor (eg stunnel) to translate HTTPS traffic to HTTP on the final Fieldpine host. (nb, security wise, anyone who can see/snop unencrypted HTTP traffic within a single server must have already broken into the server)
- You may implement whatever TCP routing rules you wish. These are invisible to Fieldpine