Reverse Proxies and Web Firewalls
TASS does not formally support any particular reverse proxy or web firewall services (such as CloudFlare, Squid, HAProxy, Azure AD Application Proxy, etc.). If you wish to use one, we offer the following guidance:
Disable caching. TASS is a complex web application, not a static website, and there is no content that can or should be cached.
Ensure that web requests aren’t subject to timeout restrictions. It is expected that some requests placed to your TASS instance will take a long time to execute, such as API calls and complex reports.
Ensure that the proxy does not attempt to enforce authentication before responding to web requests. This will cause problems with APIs, payment gateways, and modules such as Commercial Debtors Payment Portal, Attendance Self Registration, and Business Directory. The modules that require authentication will manage the session and redirect to identity providers or login screens as required.
Ensure that cookies issued by TASS are not modified. If your proxy needs to add an additional cookie for session tracking, this should be fine; however, the cookies issued by the TASS application cannot be modified, as this will cause authentication issues because the cookies will no longer be considered valid.
Consider whitelisting your API endpoint and other URLs used for external integrations. These include:
/tassweb/api/*
/tassweb/external/*
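The caching, authentication and cookie points above can be checked by comparing a response taken directly from the TASS server with the same request made through the proxy. The following is an added example, not part of TASS or its documentation; the cookie names, the sample responses and the choice of Age, X-Cache and CF-Cache-Status as cache indicators are assumptions made for illustration.

```python
from http.cookies import SimpleCookie

# Integration paths the guidance lists for whitelisting.
INTEGRATION_PREFIXES = ("/tassweb/api/", "/tassweb/external/")
# Statuses that, when TASS itself sent something else, came from the proxy.
PROXY_STATUSES = (301, 302, 303, 307, 401, 403, 407)

# Constructed sample responses (not captured from a real TASS instance).
DIRECT = {"status": 200, "headers": [
    ("Set-Cookie", "EXAMPLESESSION=abc123; Path=/; Secure; HttpOnly"),
    ("Cache-Control", "no-store")]}
PROXIED_BAD = {"status": 200, "headers": [
    ("Set-Cookie", "EXAMPLESESSION=abc123; Path=/tassweb; Secure; HttpOnly"),
    ("Set-Cookie", "proxy_track=1; Path=/"),
    ("X-Cache", "HIT from edge"),
    ("Age", "120")]}

def set_cookies(resp):
    """Map cookie name -> (value, attributes that are set) for all Set-Cookie headers."""
    jar = SimpleCookie()
    for name, value in resp["headers"]:
        if name.lower() == "set-cookie":
            jar.load(value)
    return {n: (m.value, {k: v for k, v in m.items() if v}) for n, m in jar.items()}

def audit(path, direct, proxied):
    """Compare a direct response with the proxied one; return a list of findings."""
    findings = []
    hdrs = {n.lower(): v for n, v in proxied["headers"]}
    # An Age header, or a cache-status header reporting HIT, means a cache replied.
    if "age" in hdrs or any("hit" in hdrs.get(h, "").lower()
                            for h in ("x-cache", "cf-cache-status")):
        findings.append("cached")
    # The proxy answered with a challenge, block or redirect that TASS did not send.
    if proxied["status"] != direct["status"] and proxied["status"] in PROXY_STATUSES:
        blocked = path.startswith(INTEGRATION_PREFIXES)
        findings.append("integration-blocked" if blocked else "proxy-auth")
    # Application cookies must arrive unchanged (a dropped cookie also counts);
    # extra cookies added by the proxy are not reported.
    got = set_cookies(proxied)
    for name, issued in set_cookies(direct).items():
        if got.get(name) != issued:
            findings.append("cookie-changed:" + name)
    return findings

if __name__ == "__main__":
    print(audit("/tassweb/", DIRECT, PROXIED_BAD))
```
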
Product-specific guidance
IIS Web Application Proxy on Windows Server 2019
You may need to disable HTTP/2 to resolve an issue where the request response isn't returned correctly for API requests (thanks to Sebastian Tabulo from Ambrose Treacy College for this tip).
Sophos XG Firewall
You'll need to ensure that HTTP host headers are passed through correctly, otherwise the firewall will rewrite them as an IP address, which will break session validation in TASS v54+. To set this, in the firewall admin interface, go to Protect > Rules and Policies, then edit the WAF rule for the TASS web server. Under Advanced > Additional Options, ensure that "Pass host header" is selected.
TASS Cloud
TASS Cloud customers using a self-managed custom domain should only use the DNS details provided by the TASS Technical Services team.