These guidelines aimed to define Deliverect's preferred way of integrating with partners taking into consideration their size and infrastructure topology.
Glossary
Term | Definition | Notes |
ISP | Internet Service Provider | Example: Proximus, Telenet, Comcast, Vodafone, ... |
FQDN | Fully Qualified Domain Name | Example: deliverect.com |
DNS | Domain Name Server | Some DNS registrars are: Google, Namecheap, No-IP, Dyn, GoDaddy |
DUC | Dynamic DNS Update Client | No-IP tool to automatic update IP |
Dyn's Update Client | Dynamic DNS Update Client | Dyn tool to automatic update IP |
Reverse proxy | A reverse proxy is a type ofproxy server that retrieves resources on behalf of aclient from one or moreservers. These resources are then returned to the client, appearing as if they originated from the proxy server itself. | |
POS | Point of Sale |
|
Problem
Deliverect provides seamless integration between the delivery channel and the POS.
To provide this integration, Deliverect services need a connection to the POS. This document addresses the issue that not all POS is accessible from the internet, and how can this issue be solved in a way that is secure and demands the least maintenance effort on both parts.
In this article, we propose multiple solutions to solve the problem described above from small business integrations to enterprise customers.
General Information
Deliverect IPs and API documentation
All Deliverect services are hosted in a distributed cloud environment and, are currently running on Google Cloud Platform.
At the moment, the document that holds the official Deliverect API documentation and the public IPs associated with it can be found here.
Solutions
1. Direct connection to the POS
(Deliverect preferred solution)
Description
Deliverect suggests using this solution as it allows Deliverect services to access the POS directly from the internet through an exposed port on the firewall.
Installation steps
Step 1. As a best practice, an FQDN (Fully Qualified Domain Name) should be configured and associated with the IP. This simplifies the management of this approach. If the client doesn't have one, buying one is the best option but it's also possible to request one for free, but it might require manual interaction every month as approval to keep using that domain (such as receiving an email every month and click to confirm the usage of it).
Step 2. There are two scenarios for this setup. A static public IP (which we recommend) and a dynamic one:
Static IP: If the IP is static it only needs to be added to the DNS list.
Dynamic IP (not recommended): If the IP is dynamic some tools can give a static web address. There are some limitations to this kind of solution which might bring downtime if the IP changes. Also, if this IP update tool is down, there will be no update which may cause problems that are harder to diagnose.
Step 3. Once the IP has been set up, the firewall should be updated to give access to the required port to the POS host.
Step 4. Make sure the POS service is running.
Step 5. Validate the public access to that specific port.
Step 6. To improve security, whitelist Deliverect outgoing IP’s present here. Even though these should not change, they might change and any change will be communicated with a reasonable time in advance.
Notes
POS Host internal IP
When setting up the firewall to open the port for the POS Host, make sure that the firewall always points to the same host. This configuration might be different per firewall and might allow different configurations (example: to a MAC address or to an IP address). If the configuration requires an IP address, make sure that the POS host has an internal fixed IP in the network.
2. Reverse-proxy inside of the client's network
Description
For the setup, it's necessary to set the reverse proxy, its authentication, and the ports that need to be configured on the firewall to expose it. (This should be discussed ahead before the implementation).
If the client has a centralized way to access the network where different POS is, then configuring one reverse proxy is enough to reach all of them. Here, the stakeholders should agree on how one reverse proxy will allow connecting to different POS (e.g., different subdomains or URI paths).
If this is not the case, one reverse proxy needs to be set up per network.
After the setup, the Deliverect services will send the request to the reverse proxy and according to its rules, the request gets redirected to the target POS.
Installation steps
Step 1. Arrange an agreement between the stakeholders for:
The reverse proxy to use (e.g., Nginx, Apache)
Authentication (e.g., basic auth, self-signed certificates)
Ports to expose (using unconventional ports might help to improve the security)
Step 2. As a best practice, an FQDN should be configured that points to the reverse proxy IP address.
Step 3. Set up the reverse proxy with instructions provided by Deliverect (a list will be provided with the required features)
Step 4. Guarantee access from the reverse proxy to the POS (this requires to take a look at the client's infrastructure topology)
Step 5. Configure the firewall to expose the port to the reverse proxy.
Step 6. At this point, share with your Deliverect account manager the different subdomains or URIs to be able to reach the POS
3. TCP tunnel to the client’s network
(Not suggested for large-scale roll-outs)
Description
The first two cases are advised when the firewall configuration to expose ports is an option (with security rules or not, like IP whitelisting). When this is not the case, we allow using a TCP tunnel between the client and Deliverect.
Installation steps
Before starting the installation, if any instance of the tunnel was previously installed please uninstall it. (Instructions can be found in the "Notes" section)
Windows
Step 1. Download the installer (choose one of the following: link)
Step 2. Run the installer with the following parameters:
Token: This should be requested to Deliverect
Port: The port in which the POS service is running
Step 3. Follow the installer redirect (access the following link on the browser https://localhost:4040) to confirm it is working and see the tunnel domain.
Step 4. Ask your account manager (in Deliverect) to update your channel-link and add the new POS URL: https://DOMAIN-SHOWN-ABOVE.tunnel.deliverect.com (provide the https URL)
Step 5. Send an order to confirm the setup is working.
Notes
Security
Only services inside of the Deliverect's network will be able to send requests through TCP tunnel server (POS proxied services).
This solution has not been tested in large live environments and is not advised for production systems.
Uninstall
Uninstall by browsing to the installation folder (for Windows, it can probably be found in "Program Files (x86)/deliverect-tunnel") and run the uninstall file (unis000.exe).
Extra Details
Identify if the ISP gives a static or dynamic public IP. This needs to be identified per ISP or maybe per country.
Note: In most cases, there's always the possibility of requesting/buying the static IP on the ISP services.
Check open port
If you need to check a port you can use several tools (e.g., Nmap).
If the exposed port is not publicly open, Nmap can be used (Nmap example TBD).
On the other hand, if the port is a publicly open one, one tool to check if the expected port is open in the firewall is canyouseeme.org.
If the port is open and the service is running on that port, you should see a successful connection port attempt (example below).