Blue Coat Systems Proxy SG User Manual


The correct user manual

Regulations oblige the seller to hand over the user manual for the Blue Coat Systems Proxy SG to the buyer together with the goods. A missing manual, or incorrect information given to the consumer, is grounds for a complaint on the basis that the device does not conform to the contract. The law permits the manual to be supplied in a form other than paper, which has recently been used very often, by providing a graphical or electronic manual for the Blue Coat Systems Proxy SG as well as instructional videos for users. The condition is that its form is legible and understandable.

What is a user manual?

The word comes from the Latin "instructio", i.e. to arrange. Accordingly, the manual for the Blue Coat Systems Proxy SG contains descriptions of the stages of procedures. The purpose of the manual is to instruct, to simplify starting up and using the device, or to explain how to carry out particular tasks. The manual is a collection of information about an object or a service, a guide.

Unfortunately, not many users devote their time to the user manual for the Blue Coat Systems Proxy SG. A good user manual not only lets you get to know a number of additional functions of the purchased device, but also helps you avoid many mistakes.

So what should an ideal user manual contain?

The user manual for the Blue Coat Systems Proxy SG should above all contain:
- Information about the technical specifications of the Blue Coat Systems Proxy SG device
- The name of the manufacturer and the year of manufacture of the Blue Coat Systems Proxy SG device
- Principles of operation, adjustment and maintenance of the Blue Coat Systems Proxy SG device
- Safety marks and certificates confirming compliance with the relevant standards

Why don't we read user manuals?

The reason is lack of time and confidence about the particular functions of the purchased devices. Unfortunately, just connecting and starting the Blue Coat Systems Proxy SG is not enough. A manual contains a series of notes about particular functions, safety principles, types of maintenance (even which products should be used), possible faults of the Blue Coat Systems Proxy SG and ways of solving problems that may arise during use. After all, the manual also contains the contact number for Blue Coat Systems service if the suggested solutions do not work. Currently, manuals in the form of engaging animations or video tutorials are gaining popularity, as they appeal to users more than a brochure. This type of manual guarantees that the user watches the whole video without skipping the specialised and complicated technical descriptions of the Blue Coat Systems Proxy SG, as happens with the paper form.

Why should you read user manuals?

In the user manual we find above all the answers about the construction and capabilities of the Blue Coat Systems Proxy SG device, about the use of particular accessories and a range of information that lets you make use of all its functions and conveniences.

After successfully purchasing the device, you should devote some time to getting to know every part of the manual for the Blue Coat Systems Proxy SG. Currently they are carefully prepared or translated so that they are not only understandable for users but also fulfil their basic help-and-information function.

Inhaltsverzeichnis der Gebrauchsanleitungen

  • Seite 1

    Blue Coat Systems TM Pro xy SG Content P olicy Language Guide Content P olicy Language Guide[...]

  • Seite 2

    Proxy SG Content Policy Language Guide 2 Blue Coat Systems Inc. (408) 220-2200 V oice 650 Almanor A venue (408) 220-2250 F AX Sunnyvale, California 94086 (866) 302-2628 T echnical Support (866) 362-2628 info@bluecoat.com www .bluecoat.com Copyright (c) 2002, 2003 Blue Co at Systems, Inc. All rights reserved worldwide. No part of this document m ay [...]

  • Seite 3

    Copyrights 3 THIRD P ARTY COPYRIGHT NO TICE S Blue Coat Systems, Inc. Security Gateway Operating System (SGO S) version 3 utilizes third party software fr om various sources. Portions of this software ar e copyrighted by their respective owne rs as indicated in the copyright notices below . The following lists the copyright notices for: BPF Copyrig[...]

  • Seite 4

    Proxy SG Content Policy Language Guide 4 Redistribution and use of this software and associated document ation ("Software"), with or without modification, ar e permitted provided that the following conditions are met: 1. Redistributions of so urce code must retain copyright statements and notices, 2. Redistributions in binary form must re[...]

  • Seite 5

    Copyrights 5 A F AILURE OF THE PROGRAM TO OPERA TE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER O R OTHER P ARTY HAS BEEN ADVISED OF THE POSSI BILITY OF SUCH DAMAGES. 2) The 32-bit CRC compensation attack de tector in deattack.c was contributed by CORE SDI S.A. under a BSD-style license. Cryptographic attack detector for ssh - sour ce code Copyrig[...]

  • Seite 6

    Proxy SG Content Policy Language Guide 6 2. Redistributions in binary form must reproduce the above copy right notice, this list of condit ions and the following disclaim er in the documentation and/or other materials provided with the distribution. THIS SOFTW ARE IS PROVIDED BY THE AU THOR ``AS IS'' AND ANY EX PRESS OR IMPLIED W ARRANTIE[...]

  • Seite 7

    Copyrights 7 This produc t includes cryptographic softwar e written by Eric Y o ung (eay@c ryptsoft .com). This pr oduct includes software written by T im Hudson (tjh@cr yptsoft.c om). PCRE Copyright (c) 1997-2001 University of Cambridge University of Cambridge Computing Service, Cambridge, England. Phone: +44 1223 334714. W ritten by: P hilip Haze[...]

  • Seite 8

    Proxy SG Content Policy Language Guide 8 documentation. Moscow Center for SP ARC T e chnology makes no repr esentations about the suitability of this software for any purpos e. It is provided "as is" without express or implied warranty . SmartFilter Copyright (c) 2003 Secure Computing Corporation. All rights reserved. SurfControl Copyrigh[...]

  • Seite 9

    Pref ace: Introducing the Content P o licy Language The Content Policy Language (CPL) is a powerful, flexible language that enables you to specify a variety of W eb-access policies. Proxy SG policy is written in CPL, and ever y W e b request is evaluated based on the installed policy . The language is designed so that policies can be customiz ed to[...]

  • Seite 10

    Proxy SG Content Policy Language Guide x Suppor ted Bro wsers The Proxy SG Management Console supports Micr osoft ® Internet Explorer 5 and 6, and Netscape ® Communicator 4. 78, 6.2, and 7.1. The Management Console uses the Java Runtime En vironment. All br owsers come with a default, built-in JRE, and you should us e this default JRE rather than[...]

  • Seite 11

    Contents Preface: Introducing t he Content Policy Language About the Document Organization ............ .................... .................... ................... .................... ..... ............... ..ix Supported Browsers .................. .................... .................... .................... ................... ............ ..[...]

  • Seite 12

    Proxy SG Content Policy Language Guide xii <Forward> Layers ..................... ................. ................... .................... .................... .............. ........ ............. 39 <Proxy> Layers ...... .................... ................... .................... .................... .................... ........ [...]

  • Seite 13

    Contents xiii http.method= ............ .................... ................... .................... ................. .................... ....... ............ ............. 79 http.request.version= ............. .................... ................... .................... ................. ................. ... .................. 8 0 http.respo[...]

  • Seite 14

    Proxy SG Content Policy Language Guide xiv server_url= .......... .................... .................... ................. ................... .................... .......... ............. ............. 125 socks= .............. ................ .................... .................... .................... ................... ............ .....[...]

  • Seite 15

    Contents xv force_cache( ) ................. .................... .................... .................... ................... ................. .................... ..... 180 force_deny( )................. ................... ................. .................... .................... .................... . ..................... ..... 181 force_e[...]

  • Seite 16

    Proxy SG Content Policy Language Guide xvi trace.request( ) ........................ ................. .................... ................... .................... .......... ....... ................... 223 trace.rules( ) ...................... .................... .................... ................. ................... .............. ... .....[...]

  • Seite 17

    Contents xvii Appendix B: T esting and Troubleshooting Enabling Rule Tracing ................... .................... .................... .................... ................... ........ ............ ..... 275 Enabling Request Tracing ........... ................... .................... .................... .................... ............. ....[...]

  • Seite 18

    Proxy SG Content Policy Language Guide xviii[...]

  • Seite 19

    Chapter 1: Ov er view of Content P olicy Language The Content Policy Language (CPL) is a programming langu age with its own concepts and rules that you must follow . This chapter pr ovides an overview of CPL, including the following topics: • "Concepts" • "CPL Language Basics" • "W riting Policy Using CP L" • &[...]

  • Seite 20

    Proxy SG Content Policy Language Guide 20 This provides the abi lity to test various aspects of a re quest, such as the IP address of the client and the URL used, or the response, such as th e contents of any HTTP headers. • Ensures policy integ rity during processing. The lifetime of a transaction may be rel atively long, especially if a large o[...]

  • Seite 21

    Chapter 1: Overview of Content Policy Language 21 For new Proxy SG appliances, the default is to deny all requests . For Proxy SG appliances being upgraded fr om 4.x, the default is to allo w all requests. In ei ther case, the P roxy SG can be configured for either default. The default setti ng is displayed in policy listing s. The proper appr oach[...]

  • Seite 22

    Proxy SG Content Policy Language Guide 22 W ith a few notable exceptions, trigge rs te st on e as pe c t o f re qu e st, re sponse, or associated state against a boolean expression of values. For the conditions in a rule, each of the triggers is logically anded together . In other words, the condition is only true if each one of the trigger express[...]

  • Seite 23

    Chapter 1: Overview of Content Policy Language 23 • More complex boolean expressions ar e allowed for the pattern_expres sion in the triggers. For example, the second part of the condition in the simple rule shown above could be “the request is made between 9 a.m. and noon or between 1 p.m. and 5 p.m”, expressed as: ... time=(0900..1200 || 13[...]

  • Seite 24

    Proxy SG Content Policy Language Guide 24 La y ers A policy layer is a CPL construct used to evaluate a set of rules and reach one decision. Separating decisions helps contr ol policy complexi ty , and is do ne through writing each decision in a separate layer . Each layer has the form: < layer_type [ label ] > [ layer_condition ][ l ayer_pro[...]

  • Seite 25

    Chapter 1: Overview of Content Policy Language 25 [ section_type [ label ]] [ section_condition ][ sect ion_properties ] section_content where: • The section_type defines the syn tax of the rules used in the se ction, and the evaluation strategy used to evaluate those rules. The square brackets [ ] surrounding the section name (and optional label[...]

  • Seite 26

    Proxy SG Content Policy Language Guide 26 Named Definitions There ar e various types of named definitions. Each defi nition is given a user defined name that is then used in rules to refer to the definition. This sectio n highlights a few of the definition types, as an overview of the topic. Refer to the Definitions refer ence chapter for more deta[...]

  • Seite 27

    Chapter 1: Overview of Content Policy Language 27 policy that does not requir e the realm. Once all outs tanding transactions that r equir ed refer ence to the realm have completed, the realm can be removed fr om configuration. Substitutions The actions used to r ewrite the URL request or to modify HTTP request he aders or HTTP r esponse headers of[...]

  • Seite 28

    Proxy SG Content Policy Language Guide 28 A uthentication and Denial One of the most important timing relationships to be awar e of is the relation between authentication and denial. Denial can be done eithe r before or af ter authentication, and dif f erent or ganizations have diffe rent requir ements. For example, suppose an organization r equire[...]

  • Seite 29

    Chapter 1: Overview of Content Policy Language 29 <Proxy> client.address=!corporate_subnet deny ; filter out strangers socks.authenticate(MyRealm) ; this happe ns earlier than the category test <Proxy> ; user names be displayed in the access log for the denied requests category=Gambling exception(content_filt er_denied) Note that t his [...]

  • Seite 30

    Proxy SG Content Policy Language Guide 30 T roub leshooting P olicy When installed policy does not behave as expected, use policy tracing to understand the behavior of the installed policy . T racing r ecords additional information about a transa ction and re-evaluates the transaction when it is terminated; however , it does not show the timing of [...]

  • Seite 31

    Chapter 1: Overview of Content Policy Language 31 Conditional Compilation Occasionally , y ou might be requir ed to maintain poli cy that can be applied to appliances running diffe rent versions of SGOS and requiring dif ferent CPL . CPL provides the foll owing conditional compilation dir ective that tes ts the SGOS version (suc h as 2.1.06): relea[...]

  • Seite 32

    Proxy SG Content Policy Language Guide 32[...]

  • Seite 33

    Chapter 2: Managing Content P olicy Language As discussed in Chapter 1, Content Policy Language policies are composed of transactions that are placed into rules and tested against various conditions. This chapter discusses the followi ng: • "Understanding T ransactions and T iming" • "Understanding Layers" • "Understa[...]

  • Seite 34

    Proxy SG Content Policy Language Guide 34 Each of the protocol-specific pr oxy transact ions has specific information that can be tested—informati on that may not be available fr om or relevant to othe r protocols. HTTP Headers and Instant Messaging buddy names ar e two exam ples of protocol-specific information. Other key differ entiators among [...]

  • Seite 35

    Chapter 2: Managing Content Policy Language 35 Some conditions cannot be evaluated during th e first stage; for example, the user and group information will not be known until stage two. Likewise, the response headers and MIME type are unavailable for testing until stage three. For conditions, this is known as the earliest available time . Policy d[...]

  • Seite 36

    Proxy SG Content Policy Language Guide 36 An HTTP cache transaction is examined in two stages: • Before the object is retrieved from the origin s erver . • After the object is retrieved. F orwarding T r ansactions A forwar ding transaction is cr eated when th e Proxy SG needs to evaluate forwarding policy befor e accessing a remote host and no [...]

  • Seite 37

    Chapter 2: Managing Content Policy Language 37 But policy cannot determine th e value of the Conten t-type re sponse header until the response is returned. The Pr oxy SG ca nnot contact the server to get the response until pol icy determines what hosts or gateways to route thr ough to get th ere. In othe r words, policy must s et the forward() prop[...]

  • Seite 38

    Proxy SG Content Policy Language Guide 38 • The optional admin_properties is a list of properties set if an y of the rules in the layer match. These act as defaults, and can be overridden by prop erty settings in specific rules in the layer . For more informatio n on using properties, see Chapter 4: " Property Refer ence". See also the [...]

  • Seite 39

    Chapter 2: Managing Content Policy Language 39 <Exception> La y ers <Exception> layers ar e evaluated when a proxy transaction is terminated by an exception. This could be caused by a bad r equest (for example, the r equ est URL names a non-existent server) or by setting the deny or exception() pr operties in policy . Policy in an excep[...]

  • Seite 40

    Proxy SG Content Policy Language Guide 40 <Pro xy> La y ers <Proxy> layers define policy for authenticating and auth orizing users’ requests for service over one of the configur ed proxy service ports (r efer to Chapter 6:”Managing Port Services” in the Pr oxy SG Configuration and Management Guide .). Proxy layer policy inv olves [...]

  • Seite 41

    Chapter 2: Managing Content Policy Language 41 Timing The “late guards early” timing errors that can occu r wi thin a rule can ar ise across r ules in a layer . When a trigger cannot yet be evaluated, policy also has to postpone evaluating all following r ules in that layer (since if the trigger turns out to be true and the rule matches, then e[...]

  • Seite 42

    Proxy SG Content Policy Language Guide 42 url.domain=nbc.com/athletics deny ; etc, suppose it's a substantial list url.regex="sports|athletics" access_serv er(no) url.regex=".mail." deny ; etc url=www.bluecoat.com/internal group=!blu ecoat_employees deny url=www.bluecoat.com/proteus group=!blue coat_development deny ; etc[...]

  • Seite 43

    Chapter 2: Managing Content Policy Language 43 • Rules in [Rule] s ections are evaluated sequentially , top to bottom. The time taken is pr oportional to the number of rules in the sec tion. • [Rule] sections can be used in any la yer . [url] The [url] section type is used to group a number of rules that test the URL. The [url] section restrict[...]

  • Seite 44

    Proxy SG Content Policy Language Guide 44 • [server_url.domain] sections ar e allowed only in <Exception> or <Forward> layers. Section Guards Just as you can with layers, you can impr ove policy clarity and maintainability by gr ouping rules into sections and converting the common conditions and properties into guard expressions that [...]

  • Seite 45

    Chapter 2: Managing Content Policy Language 45 • Do not mix the CacheOS 4. x filter-file syntax with CPL syntax. Although the Content Polic y Language is backwa rd-compatible with the filter -file syntax, avoid using the older syntax with the new . For example, as the filter-file syntax uses a differ ent order of evaluation, mixing the old and ne[...]

  • Seite 46

    Proxy SG Content Policy Language Guide 46 The following example is an exception defined wi thin a layer . A company wants access to payroll information limited to Human Resou rces staf f on ly . The administrator uses membership in the HR_staff gr oup to define the exception for HR staff, foll owed by the general policy: <Proxy> ; Blue Coat u[...]

  • Seite 47

    Chapter 2: Managing Content Policy Language 47 evaluation or der as currently configur ed. Changes to the policy file evaluation order must be managed with great car e. Remember that pr operties maintain any setting unless overridden later in th e file, so you could implement general poli cy in early layers by setting a wi de number of propertie s,[...]

  • Seite 48

    Proxy SG Content Policy Language Guide 48 Best Practices • Express s eparate decisions in separate layer s. As policy gr ows and becomes more complex, mainten ance becomes a significant issue. Maintenance will be easier if the logic for each aspect of policy is separate and distinct. T ry to make policy decisions as independent as po ssible, and [...]

  • Seite 49

    Chapter 3: Condition Ref erence A condition is an express ion that yields true or fals e when evaluated. Conditions can appear in: • Policy r ules. • Section and layer headers, as guards; for example, [Rule] group=(“bankabchr” || “cn=hu manresources,ou=groups,o=westernnational”) • define condition , define domain condition , and defi[...]

  • Seite 50

    Proxy SG Content Policy Language Guide 50 • condition ::= trigger "=" expression • trigger ::= identifier | identifier "." word • expression ::= term | list • list ::= "(" ((pattern ",")* pattern)? " )" • disjunction ::= conjunction | disjunctio n "||" conjunction • conjunction[...]

  • Seite 51

    Chapter 3: Con dition Reference 51 Una v ailable T riggers Some triggers can be unavailable in some transactions. If a trigger is unavai lable, then any condition containing that tr igger is false, regardless of the pattern expression. For example, if the current transaction is not authenticated (that is , the authenticate pr operty was set to no )[...]

  • Seite 52

    Proxy SG Content Policy Language Guide 52 acl= Deprecated syntax. See "client.addr ess=" on page 60 for mor e information.[...]

  • Seite 53

    Chapter 3: Con dition Reference 53 admin.access= T ests the administrative access requ ested by the current transaction. It evaluates to null if the transaction is not an admi nistrative transaction, whic h may occur if the test is included in an <Exception> layer . Replac es: method= Syntax admin.access=READ|WRITE Lay er and T ransa ction No[...]

  • Seite 54

    Proxy SG Content Policy Language Guide 54 attribute . name = T ests if the curr ent transaction is authenticated in a RADIUS or LDAP realm, and if the authenticated user has the specified attribute with the specified value. This trigger is unavai lable if the curr ent transaction i s not authenticated ( that is, the authenticate pr operty is set to[...]

  • Seite 55

    Chapter 3: Con dition Reference 55 <proxy> authenticate(RADIUSRealm) ; This rule would restrict non-authorize d users. <proxy> deny condition=!ProxyAllowed ; This rule would serve to override a previous denial and gr ant access to authorized ; users <proxy> allow condition=ProxyAllowed See Also • Conditions: authenticated= , gro[...]

  • Seite 56

    Proxy SG Content Policy Language Guide 56 authenticated= T rue if authentication was requested and the cr edentials could be verified; otherwise, false. Syntax authenticated=(yes|no) Lay er and T ransa ction Notes •U s e i n <Admin> and <Proxy> layers. • Applies to proxy and administrator transactions. • This condition cannot be c[...]

  • Seite 57

    Chapter 3: Con dition Reference 57 bitrate= T ests if a streaming tr ansaction re quests bandwidth within the specif ied range or an exact match. When providing a range, either value can be left empt y , implying either no lower or no upper limit on the test. Bitrate can change dynamically during a transaction, so this poli cy is re-evaluated for e[...]

  • Seite 58

    Proxy SG Content Policy Language Guide 58 <Proxy> ; Use this layer to override a d eny in a previous layer ; Grant everybody access to streams up to 56K, sales group up to 2M allow bitrate=..56K allow group=sales bitrate=..2M See Also • Conditions: live= , streaming.client= , streaming.content= •P r o p e r t i e s : access_server( ) , ma[...]

  • Seite 59

    Chapter 3: Con dition Reference 59 categor y= T ests the content categor ies of the requested URL as assigned by policy def i nitions or an installed content filter database. A URL that is not categori zed is assigned the cate gory none . If a content filter provid er is selected in configuration, but an error occurs in determini ng the category , [...]

  • Seite 60

    Proxy SG Content Policy Language Guide 60 client.address= T ests the IP address of the client. The expr ession can include an IP address or subnet or the label of a subnet definit ion block. Important: If a user is explicitly proxied to the Proxy SG , <Proxy > layer policy applies even if the URL destination is an administrative URL for the P[...]

  • Seite 61

    Chapter 3: Con dition Reference 61 client.protocol= T ests true if the client transport protocol matches the specification. Replaces: client_protocol= syntax client.protocol=http|https|ftp|tcp|socks |mms|rtsp|icp|aol-im|msn-im|yahoo-im Note that tcp specifies a tunneled t ransaction. Lay er and T ransa ction Notes •U s e i n <Exception> , &[...]

  • Seite 62

    Proxy SG Content Policy Language Guide 62 condition= T ests if the specified defined condition is true. Syntax condition= condition_label where conditi on_label is the label of a custom condition as defined in a define condition , define url.domain conditi on , or define url condition definition block. Lay er and T ransa ction Notes • Use in all [...]

  • Seite 63

    Chapter 3: Con dition Reference 63 http://www.x.com time=0800..1000 http://www.y.com month=1 http://www.z.com hour=9..10 end <proxy> condition=test deny ; Example of a define domain-suffix (or domain) condition define url.domain condition test com ; Matches all domains ending in .com end <proxy> condition=test deny See Also • Definiti[...]

  • Seite 64

    Proxy SG Content Policy Language Guide 64 console_access= T ests if the cur rent request is destined for the <Admin> layer . This test can be used to distinguish access to the management console by admininstrators who are explicitly pr oxied to the Proxy SG being admininstered. The te st can be used to guard tran sfor ms that should not apply[...]

  • Seite 65

    Chapter 3: Con dition Reference 65 content_admin= The content_admin= condition has bee n deprecated. For mor e information, see "content_management" on page 66.[...]

  • Seite 66

    Proxy SG Content Policy Language Guide 66 content_management T ests if the curr ent request is a content management transaction. Replaces: content_admin=yes|no Syntax content_management=yes|no Lay er and T ransa ction Notes •U s e i n <Cache> and <Forward> layers. • Applies to all transactions. See Also • Conditions: category= , f[...]

  • Seite 67

    Chapter 3: Con dition Reference 67 date[.utc]= T ests true if the curr ent time is within the startdate..enddate range, inclusive. The co mparison is made against local time unless the .utc qualifier is sp ecified. syntax date[.utc]=YYYYMMDD..YYYYMMDD date[.utc]=MMDD..MMDD Lay er and T ransa ction Notes • Using time-related con ditions to control[...]

  • Seite 68

    Proxy SG Content Policy Language Guide 68 da y= T ests if the day of the month is in the spe cified range or an exact match. The Pr oxy SG appliance’s configured date and time zone ar e used to determine the curr ent day of the month. T o specify the UTC time zone, use the form day.utc= . Note that the numeric pattern used to test the day conditi[...]

  • Seite 69

    Chapter 3: Con dition Reference 69 e xception.id= T ests whether the exception being r eturned to the client is the specified exception. It can also be used to determine whether the exception be ing returned is a built-in or user -defined exception. Built-in exceptions are handled automatically by the Pr oxy SG but special handling can be defined w[...]

  • Seite 70

    Proxy SG Content Policy Language Guide 70 ; thrown by deny or force_deny exception.id=policy_denied action.log_in terloper(yes) <Exception> exception.id=user_defined.re stricted_content ; any policy required for this user defi ned exception ... See Also •P r o p e r t i e s : deny( ) , deny.unauthorized( ) , exception( ) •A c t i o n s : [...]

  • Seite 71

    Chapter 3: Con dition Reference 71 ftp .method= T ests FTP r equest methods against any of a well-k nown set of FTP methods. A CPL parse erro r is given if an unrecognized method is specified. • ftp.method= evaluates to true if the r equest method matches any of the methods specified. • ftp.method= evaluates to NULL if the request is not an FTP[...]

  • Seite 72

    Proxy SG Content Policy Language Guide 72 group= T ests if the client is authenticated, and the client belongs to the specified gr oup. If both of these conditions are met, the r esult is true. In addition, the realm= condition can be used to test whether the user is authenticated in the specified r ealm. This trigger is unavailable if the current [...]

  • Seite 73

    Chapter 3: Con dition Reference 73 • Applies to proxy and administrator transactions. • This condition cannot be combined with the authe nticate( ) , proxy_authentication( ) , or socks.authenticate( ) pr operties. Examples ; Test if user is authenticated in group all_staff and specified realm. realm=corp group=all_staff ; This example shows sam[...]

  • Seite 74

    Proxy SG Content Policy Language Guide 74 has_attribute . name = T ests if the current transaction is authenticated in an LDAP realm and if the authenticated user has the specified LDAP attribute. If the at tribute specif ied is not configur ed in the LDAP schema and yes is used in the expr ession, the condition always yields fal se. This trigger i[...]

  • Seite 75

    Chapter 3: Con dition Reference 75 See Also • Conditions: attribute. name = , authenticated= , group=, http.transparent_authentication= , re alm= , user= , user.domain= •P r o p e r t i e s : authenticate( ) , authenticate.force ( ) , check_authorization( )[...]

  • Seite 76

    Proxy SG Content Policy Language Guide 76 has_client= The has_cl ient= condition is used to test whether or not the current transaction has a client. This can be used to guard triggers that depend on client identity in a <Forward> layer . Syntax has_client=yes|no Lay er and T ransa ction Notes •U s e i n <Forward> layers. • Applies [...]

  • Seite 77

    Chapter 3: Con dition Reference 77 hour= T ests if the time of day is in the specif ied range or an exact match. The curren t time is determin ed by the Pr oxy SG appliance’s configured clock and time zone by default, although the UTC time zone can be specified by us ing the form hour.utc= . The numeric pattern used to test the hour= condition co[...]

  • Seite 78

    Proxy SG Content Policy Language Guide 78 <proxy> allow server_url.domain=xyz.com ; intern al site always available allow weekday=6..7 ; unrestricted weekends allow hour=17..8; Inverted range for out side business hours See Also • Conditions: date[.utc]= , day= , minute= , month= , time= , weekday= , year=[...]

  • Page 79

    http.method= Tests HTTP request methods against any of a common set of HTTP methods. A CPL parse error is given if an unrecognized method is specified. Syntax http.method=GET|CONNECT|DELETE|HEAD|POST|PUT|TRACE|OPTIONS|TUNNEL|LINK|UNLINK|PATCH|PROPFIND|PROPPATCH|MKCOL|COPY|MOVE|LOCK|UNLOCK|MKDIR|INDEX|RMDIR|[...]

  • Page 80

    http.request.version= Tests the version of HTTP used by the client in making the request to the appliance. Syntax http.request.version=0.9|1.0|1.1 Layer and Transaction Notes • Use in <Proxy>, <Cache>, and <Exception> layers. • Applies to HTTP transactions. See Also • Con[...]

  • Page 81

    http.response.code= Tests true if the current transaction is an HTTP transaction and the response code received from the origin server is as specified. Replaces: http.response_code Syntax http.response.code=nnn where nnn is a standard numeric range test with values in the range 100 to 999 inclusive. Layer[...]

  • Page 82

    http.response.version= Tests the version of HTTP used by the origin server to deliver the response to the Proxy SG. Syntax http.response.version=0.9|1.0|1.1 Layer and Transaction Notes • Use in <Proxy>, <Cache>, and <Exception> layers. • Applies to HTTP transactions. See [...]

  • Page 83

    http.transparent_authentication= This trigger evaluates to true if HTTP uses transparent proxy authentication for this request. The trigger can be used with the authenticate( ) or authenticate.force( ) properties to select an authentication realm. Syntax http.transparent_authentication=yes|no L[...]

  • Page 84

    http.x_method= Tests HTTP request methods against any uncommon HTTP methods. A CPL parse warning is given if the method specified is a recognized method (in which case, http.method= is recommended). Uncommon methods are tested using a string comparison, so some performance benefit exists with using [...]

  • Page 85

    im.buddy_id= Tests the buddy_id associated with the instant messaging transaction. Syntax im.buddy_id[.case_sensitive]=user_id_string im.buddy_id.substring[.case_sensitive]=substring im.buddy_id.regex[.case_sensitive]=“expr” where: • user_id_string —An exact match of the complete instant messag[...]

  • Page 86

    im.chat_room.conference= Tests whether the chat room associated with the instant messaging transaction has the conference attribute set. Syntax im.chat_room.conference=yes|no Layer and Transaction Notes • Use in <Proxy> and <Exception> layers. • Applies to instant messaging transac[...]

  • Page 87

    im.chat_room.id= Tests the chat room ID associated with the instant messaging transaction. Syntax im.chat_room.id[.case_sensitive]=user_id_string im.chat_room.id.substring[.case_sensitive]=substring im.chat_room.id.regex[.case_sensitive]=“expr” where: • user_id_string —An exact match of the compl[...]

  • Page 88

    im.chat_room.invite_only= Tests whether the chat room associated with the instant messaging transaction has the invite_only attribute set. Syntax im.chat_room.invite_only=yes|no Layer and Transaction Notes • Use in <Proxy> and <Exception> layers. • Applies to instant messaging trans[...]

  • Page 89

    im.chat_room.type= Tests whether the chat room associated with the transaction is public or private. Syntax im.chat_room.type=public|private Layer and Transaction Notes • Use in <Proxy> and <Exception> layers. • Applies to instant messaging transactions. See Also • Actions: append[...]

  • Page 90

    im.chat_room.member= Tests whether the chat room associated with the instant messaging transaction has a member matching the specified criterion. Syntax im.chat_room.id[.case_sensitive]=buddy_id_string im.chat_room.id.substring[.case_sensitive]=substring im.chat_room.id.regex[.case_sensitive]=“expr[...]

  • Page 91

    im.chat_room.voice_enabled= Tests whether the chat room associated with the instant messaging transaction is voice enabled. Syntax im.chat_room.voice_enabled=yes|no Layer and Transaction Notes • Use in <Proxy> and <Exception> layers. • Applies to instant messaging transactions. See Also [...]

  • Page 92

    im.file.extension= Tests the file extension of a file associated with an instant messaging transaction. The leading '.' of the file extension is optional. Only supports an exact match. Syntax im.file.extension[.case-sensitive]=[.]filename_extension Notes By default the test is case-insensit[...]

  • Page 93

    im.file.name= Tests the file name (the last component of the path), including the extension, of a file associated with an instant messaging transaction. Syntax im.file.name[.case_sensitive]=string im.file.name.prefix[.case_sensitive]=prefix_string im.file.name.substring[.case_sensitive]=substring im.file.na[...]

  • Page 94

    im.file.path= Tests the file path of a file associated with an instant messaging transaction against the specified criterion. Syntax im.file.path[.case_sensitive]=string im.file.path.prefix[.case_sensitive]=prefix_string im.file.path.substring[.case_sensitive]=substring im.file.path.regex[.case_sensit[...]

  • Page 95

    im.file.size= Performs a signed 64-bit range test of the size of a file associated with an instant messaging transaction. Syntax im.file.size=[min]..[max] The default minimum value is zero (0); there is no default maximum value. Layer and Transaction Notes • Use in <Proxy> and <Exception> [...]

  • Page 96

    im.message.opcode= Tests the value of an opcode associated with an instant messaging transaction whose im.method is send_unknown or receive_unknown. Note: Generally, this is used with deny( ) to restrict interactions that are new to one of the supported instant messaging protocols and for which direc[...]

  • Page 97

    im.message.route= Tests how the instant messaging message reaches its recipients. Syntax im.message.route=service|direct|chat where: • service —The message is relayed through the IM service. • direct —The message is sent directly to the recipient. • chat —The message is sent to a chat room (includ[...]

  • Page 98

    im.message.size= Performs a signed 64-bit range test on the size of the instant messaging message. Syntax im.message.size=[min]..[max] The default minimum value is zero (0); there is no default maximum value. Layer and Transaction Notes • Use in <Proxy> and <Exception> layers. •[...]

  • Page 99

    im.message.text= Tests if the message text contains the specified text or pattern. Note: The .regex version of this test is limited to the first 8K of the message. The .substring version of the test does not have this restriction. Syntax im.message.text.substring[.case_sensitive]=substring im.message.text.reg[...]

  • Page 100

    im.message.type= Tests the message type of an instant messaging transaction. Syntax im.message.type=text|invite|voice_invite|file|file_list|application where: • text —Normal IM text message. • invite —An invitation to a chat room or to communicate directly. • voice_invite —Invitation to a vo[...]

  • Page 101

    im.method= Tests the method associated with the instant messaging transaction. Syntax im.method=open|create|join|join_user|login|logout|notify_join|notify_quit|notify_state|quit|receive|receive_unknown|send|send_unknown|set_state Layer and Transaction Notes • Use in <Proxy>, <Cache>, an[...]

  • Page 102

    im.user_id= Tests the user_id associated with the instant messaging transaction. Syntax im.user_id[.case_sensitive]=user_id_string im.user_id.substring[.case_sensitive]=substring im.user_id.regex[.case_sensitive]=“expr” where: • user_id_string —An exact match of the complete instant mess[...]

  • Page 103

    live= Tests if the streaming content is a live stream. Syntax live=yes|no Layer and Transaction Notes • Use in <Cache> and <Proxy> layers. • Applies to streaming transactions. Examples ; The following policy restricts access to live streams during morning hours. ; In this example, we use[...]

  • Page 104

    method= Tests the protocol method name associated with the transaction. Appropriate method names depend on the protocol. Also, a warning is issued during policy file compilation if the name is not a recognized method. method= accepts any of the protocol specific methods accepted by admin.acc[...]

  • Page 105

    Examples <proxy> http.method=GET response.header.Pragma="no-cache" deny ; This example is applicable to a blacklist model. It denies access to ; transparent FTP by denying the OPEN method on port 21. <proxy> proxy.port=21 deny ftp.method=OPEN ; This example tests method=CONNECT to secure ag[...]

  • Page 106

    minute= Tests if the minute of the hour is in the specified range or an exact match. By default, the Proxy SG appliance’s clock and time zone are used to determine the current minute. To specify the UTC time zone, use the form minute.utc=. The numeric pattern used to test the minute condition ca[...]

  • Page 107

    month= Tests if the month is in the specified range or an exact match. By default, the Proxy SG appliance’s date and time zone are used to determine the current month. To specify the UTC time zone, use the form month.utc=. The numeric pattern used to test the month condition can contain no whitespace. Syn[...]

  • Page 108

    protocol= The protocol= condition has been deprecated in favor of url.scheme=. For more information see "url=" on page 137. See Also Conditions: client.protocol=[...]

  • Page 109

    proxy.address= Tests the destination address of the arriving IP packet. The expression can include an IP address or subnet, or the label of a subnet definition block. If the transaction was explicitly proxied, then proxy.address= tests the IP address the client used to reach the proxy, which is either t[...]

  • Page 110

    proxy.card= Tests the ordinal number of the network interface card (NIC) used by a request. Replaces: proxy_card Syntax proxy.card=card_number where card_number is an integer that reflects the installation order. Layer and Transaction Notes • Use in <Admin>, <Proxy>, and <[...]

  • Page 111

    proxy.port= Tests if the IP port used by a request is within the specified range or an exact match. The numeric pattern used to test the proxy.port= condition can contain no whitespace. If the transaction was explicitly proxied, then this tests the IP port that the client used to reach the proxy. The patter[...]

  • Page 112

    realm= Tests if the client is authenticated and if the client has logged into the specified realm. If both of these conditions are met, the response is true. In addition, the group= condition can be used to test whether the user belongs to the specified group. This trigger is unavailable if the curre[...]

  • Page 113

    • Properties: authenticate( ), authenticate.force( ), check_authorization( )[...]

  • Page 114

    release.id= Tests the release ID of the Proxy SG software. The release ID of the Proxy SG software currently running is displayed on the main page of the Management Console and in the Management>Maintenance>Upgrade>Systems tab of the Management Console. It also can be displayed through t[...]

  • Page 115

    release.version= Tests the release version of the Proxy SG software. The release version of the Proxy SG software currently running is displayed on the main page of the Management Console and in the Management>Maintenance>Upgrade>Systems tab of the Management Console. It also can be displayed t[...]

  • Page 116

    request.header.header_name= Tests the specified request header (header_name) against a regular expression. Any recognized HTTP request header can be tested. For custom headers, use request.x_header.header_name= instead. For streaming requests, only the User-Agent header is available. R[...]

  • Page 117

    request.header.header_name.address= Tests if the specified request header can be parsed as an IP address; otherwise, false. If parsing succeeds, then the IP address extracted from the header is tested against the specified IP address. The expression can include an IP address or subnet, or the label of a[...]

  • Page 118

    request.header.Referer.url= Tests if the URL specified by the Referer header matches the specified criteria. The basic request.header.Referer.url= test attempts to match the complete Referer URL against a specified pattern. The pattern may include the scheme, host, port, path and query components[...]

  • Page 119

    ; Relative URLs, such as docs subdirectories and pages, will match. deny request.header.Referer.url=http://www.example.com/docs ; Test if the Referer URL host’s IP address is a match. request.header.Referer.url.address=10.1.198.0 ; Test whether the Referer URL includes company.com as domain. request.header.[...]

  • Page 120

    <proxy> request.header.Referer.url.host.regex=mycompany ; request.header.Referer.url.path tests ; The following request.header.Referer.url.path strings would all match the example Referer URL: ; Referer: http://www.example.com/cgi-bin/query.pl?q=test#fragment request.header.Referer.url.path="/cg[...]

  • Page 121

    request.x_header.header_name= Tests the specified request header (header_name) against a regular expression. Any HTTP request header can be tested, including custom headers. To test recognized headers, use request.header.header_name= instead, so that typing errors can be caught at compile time. For s[...]

  • Page 122

    request.x_header.header_name.address= Tests if the specified request header can be parsed as an IP address; otherwise, false. If parsing succeeds, then the IP address extracted from the header is tested against the specified IP address. The expression can include an IP address or subnet, or th[...]

  • Page 123

    response.header.header_name= Tests the specified response header (header_name) against a regular expression. Any recognized HTTP response header can be tested. For custom headers, use response.x_header.header_name= instead. Replaces: response_header.header_name= Syntax response.header.header_name[...]

  • Page 124

    response.x_header.header_name= Tests the specified response header (header_name) against a regular expression. For HTTP requests, any response header can be tested, including custom headers. For recognized HTTP headers, use response.header.header_name= instead so that typing errors can be caught[...]

  • Page 125

    server_url= Tests if a portion of the URL used in server connections matches the specified criteria. The basic server_url= test attempts to match the complete possibly-rewritten request URL against a specified pattern. The pattern may include the scheme, host, port, path and query components of the URL.[...]

  • Page 126

    • Applies to all non-administrator transactions. Examples ; Test if the server URL includes this pattern, and block access. ; Relative URLs, such as docs subdirectories and pages, will match. server_url=http://www.example.com/docs access_server(no) ; Test if the URL host’s IP address is a match. ser[...]

  • Page 127

    ;request http://1.2.3.4/ ;request http://mycompany.com/ ; If the reverse DNS fails then the first request is not matched <forward> server_url.host.regex=mycompany ; server_url.path tests ; The following server_url.path strings would all match the example URL: ; http://www.example.com/cgi-bin/query.pl?q=te[...]

  • Page 128

    socks= This condition is true whenever the session for the current transaction involves SOCKS to the client. The SOCKS=yes trigger is intended as a way to test whether or not a request arrived via the SOCKS proxy. It will be true for both SOCKS requests that the Proxy SG tunnels and for SOCKS request[...]

  • Page 129

    socks.accelerated= Tests whether the SOCKS proxy will hand off this transaction to other protocol agents for acceleration. Syntax socks.accelerated={yes|http|aol-im|msn-im|yahoo-im|no} where: • yes is true only for SOCKS transactions that will hand off to another protocol-specific p[...]

  • Page 130

    socks.method= Tests the SOCKS protocol method name associated with the transaction. Syntax socks.method=CONNECT|BIND|UDP_ASSOCIATE Layer and Transaction Notes • Use in <Proxy> and <Exception> layers. • Applies to SOCKS transactions. See Also • Conditions: ftp.method=, http.method[...]

  • Page 131

    socks.version= Tests whether the version of the SOCKS protocol used to communicate to the client is SOCKS 4/4a or SOCKS 5. SOCKS 5 has more security and is more highly recommended. SOCKS 5 supports authentication and can be used to authenticate transactions that may be accelerated by other protocol service[...]

  • Page 132

    streaming.client= Tests the client agent associated with the current transaction. Syntax streaming.client=yes|no|windows_media|real_media|quicktime where: • yes is true if the user agent is recognized as a windows media player, real media player or quicktime player. • no is true if the user agent [...]

  • Page 133

    streaming.content= Tests the content of the current transaction to determine whether or not it is streaming media, and to determine the streaming media type. Syntax streaming.content=yes|no|windows_media|real_media|quicktime where: • yes is true if the content is recognized as Windows media, Real media, [...]

  • Page 134

    time= Tests if the time of day is in the specified range or an exact match. The current time is determined by the Proxy SG appliance’s configured clock and time zone by default, although the UTC time zone can be specified by using the form time.utc=. The numeric pattern used to test the time cond[...]

  • Page 135

    ; This example restricts the times during which certain ; stations can log in with administrative privileges. define subnet restricted_stations 10.10.10.4/30 10.10.11.1 end subnet restricted_stations <admin> client.address=restricted_stations allow time=0800..1800 weekday=1..5 admin.access=(READ||WRITE)[...]

  • Page 136

    tunneled= Tests if the current transaction represents a tunneled request. A tunneled request is one of: • TCP tunneled request • HTTP CONNECT request • Unaccelerated SOCKS request Note: HTTPS connections to the management console are not tunneled for the purposes of this test. Syntax tunneled=ye[...]

  • Page 137

    url= Tests if a portion of the requested URL matches the specified criteria. The basic url= test attempts to match the complete request URL against a specified pattern. The pattern may include the scheme, host, port, path and query components of the URL. If any of these is not included in the pattern, then t[...]

  • Page 138

    // host : port // host : port / path_query // host / path_query host host : port host : port / path_query host / path_query / path_query • domain_suffix_pattern —A URL pattern that includes a domain suffix, as a minimum, using the following syntax: scheme :// domain_suffix : port / path Accepted doma[...]

  • Page 139

    include a filename extension, such as http://example.com/ and http://example.com/test. To test multiple extensions, use parentheses and a comma separator (see the Example section below). • regular_expression —A Perl regular expression. The expression must be quoted if it contains whitespace or any of t[...]

  • Page 140

    • .suffix —Test if the string pattern is a suffix of the URL or component. The suffix need not match on a boundary (such as a domain component or path directory) within a URL component. Note: .prefix, .regex, .substring, and .suffix are string comparisons that do not require a match on component[...]

  • Page 141

    slash is always present in the request URL being tested, because the URL is normalized before any comparison is performed. Unless an .exact, .substring, or .regex modifier is used, the pattern specified must include the leading ‘/’ character. In the following URL example, bolding shows the component[...]

  • Page 142

    If you are testing a large number of URLs using the url.domain= condition, consider the performance benefits of a url.domain definition block or a [url.domain] section (see Chapter 6: "Definition Reference"). Regular expression matches are not anchored. You may want to use either or both of [...]

  • Page 143

    ; http://www.example.com <proxy> url.host.is_numeric=yes; ; In the example below we assume that 1.2.3.4 is the IP of the host mycompany ; The condition will match the following two requests if the reverse DNS was ; successful: ;request http://1.2.3.4/ ;request http://mycompany.com/ ; If the reverse DNS fai[...]

  • Page 144

    user= Tests the authenticated username associated with the transaction. This trigger is only available if the transaction was authenticated (that is, the authenticate( ) property was set to something other than no, and the proxy_authentication( ) property was not set to no). Syntax user=user_name wh[...]

  • Page 145

    See Also • Conditions: attribute.name=, authenticated=, group=, has_attribute.name=, http.transparent_authentication=, realm=, user.domain= • Properties: authenticate( ), authenticate.force( ), check_authorization( ), deny.unauthorized( ), socks.authenticate( ), socks.authenticate.f[...]

  • Page 146

    user.domain= Tests if the client is authenticated, the logged-into realm is an NTLM realm, and the domain component of the username is the specified domain. If all of these conditions are met, the response will be true. This trigger is unavailable if the current transaction is not authenticated ([...]

  • Page 147

    user.x509.issuer= Tests the issuer of the x509 certificate used in authentication to certificate realms. The user.x509.issuer= condition is primarily useful in constructing explicit certificate revocation lists. This condition will only be true for users authenticated against a certificate realm. Syntax use[...]

  • Page 148

    user.x509.serialNumber= Tests the serial number of the x509 certificate used to authenticate the user against a certificate realm. The user.x509.serialNumber= condition is primarily useful in constructing explicit certificate revocation lists. Comparisons are case-insensitive. Syntax user.x509.serial[...]

  • Page 149

    user.x509.subject= Tests the subject field of the x509 certificate used to authenticate the user against a certificate realm. The user.x509.subject= condition is primarily useful in constructing explicit certificate revocation lists. Syntax user.x509.subject=subject where subject is an RFC2253 LDAP DN, appr[...]

  • Page 150

    weekday= Tests if the day of the week is in the specified range or an exact match. By default, the Proxy SG appliance’s date is used to determine the day of the week. To specify the UTC time zone, use the form weekday.utc=. The numeric pattern used to test the weekday= condition can contain no whit[...]

  • Page 151

    year= Tests if the year is in the specified range or an exact match. The current year is determined by the date set on the Proxy SG by default. To specify the UTC time zone, use the form year.utc=. Note that the numeric pattern used to test the year= condition can contain no whitespace. Syntax year[.utc]=[...]


  • Page 153

    Chapter 4: Property Reference A property is a variable that can be set to a value. At the beginning of a transaction, all properties are set to their default values. As each layer in the policy is evaluated in sequence, it can set a property to a particular value. A property retains the final value setting when evaluation ends, and the tr[...]

  • Page 154

    access_log( ) Selects the access log used for this transaction. Multiple access logs can be selected to record a single transaction. Individual access logs are referenced by the name given in configuration. Configuration also determines the format of each log. For more information on logging, refe[...]

  • Page 155

    access_server( ) Determines whether the client can receive streaming content directly from the origin content server or other upstream device. Set to no to serve only cached content. Note: Since part of a stream can be cached, and another part of the same stream can be uncached, access_server(no) can cause [...]

  • Page 156

    action( ) Selectively enables or disables a specified define action block. The default value is no. Note: Several define action blocks may be enabled for a transaction. If more than one action selected rewrites the URL or a specific header, the actions are deemed to conflict and only one will[...]

  • Page 157

    advertisement( ) Determines whether to treat the objects at a particular URL as banner ads to improve performance. If the content is not specific to a particular user or client, then the hit count on the origin server is maintained while the response time is optimized using the following behavior: • Always [...]

  • Page 158

    allow Allows the transaction to be served. Allow can be overridden by the access_server( ), deny( ), force_deny( ), authenticate( ), exception( ), or force_exception( ) properties or by the redirect( ) action. Allow overrides deny( ) and exception( ) properties. Note: Caution should be exercised wh[...]

  • Page 159

    always_verify( ) Determines whether each request for the objects at a particular URL must be verified with the origin server. This property provides a URL-specific alternative to the global caching setting always-verify-source. If there are multiple simultaneous accesses of an object, the requests are r[...]

  • Page 160

    authenticate( ) Identifies the realm used to authenticate the user associated with the current transaction. Authentication realms are referenced by the name given in configuration. If the transaction has already been authenticated in the same realm by the SOCKS proxy, no new authentication challenge[...]

  • Page 161

    url.domain=!corporate.com authenticate(OurRealm, “log in for internet access”) The next example illustrates the relation between authentication and denial. All users outside an allowed subnet are denied before authentication. They are not allowed to submit credentials to the authentication server. Users [...]

  • Page 162

    authenticate.force( ) This property controls the relation between authentication and denial. Syntax authenticate.force(yes|no) The default value is no. where: • yes —Makes an authenticate( ) higher priority than deny( ) or exception( ). Use yes to ensure that userIDs are available for a [...]

  • Page 163

    authenticate.mode( ) Using the authenticate.mode( ) property selects a combination of challenge type and surrogate credentials. Challenge type is what kind of challenge (proxy, origin or origin-redirect) is issued. Surrogate credentials are credentials accepted in place of the user’s real credentials. Th[...]

  • Page 164

    • origin-cookie (origin/cookie)—Used in forward proxies to support pass-through authentication more securely than origin-ip if the client understands cookies. Only the HTTP and HTTPS protocols support cookies; other protocols are automatically downgraded to origin-ip. This mode could also be used[...]

  • Page 165

    authenticate.use_url_cookie( ) This property is used to authenticate users who have third party cookies explicitly disabled. Note: With a value of yes, if there is a problem loading the page (you get an error page or you cancel an authentication challenge), the cfauth cookie is displayed. You can also see[...]

  • Page 166

    block_category( ) This property has been deprecated. In current CPL, the use of block_category(category_list) has been replaced by category=category_list exception(content_filter_denied) However, block_category() will be overridden by content_filter_override(yes), while this is not the ca[...]

  • Seite 167

    Chapter 4: Property Reference 167 b ypass_cache( ) Determines whether the cache is bypassed for a request. If set to yes , the cache is not queried and the response is not stored in the cache. Set to no t o specify the defaul t behavior , which is to follow standar d caching behavior . While static and dynamic bypass lists allow traf fic to bypass [...]

  • Page 168

    cache() Controls HTTP and FTP caching behavior. A number of CPL properties affect caching behavior. • If bypass_cache(yes) is set, then the cache is not accessed and the value of cache() is irrelevant. • If cache(yes) is set, then the force_cache(all) property setting modifies the definition of[...]

  • Page 169

    See Also • Properties: advertisement(), always_verify(), bypass_cache(), cookie_sensitive(), direct(), dynamic_bypass, force_cache(), pipeline(), refresh(), ttl(), ua_sensitive()[...]

  • Page 170

    check_authorization() In connection with CAD (Caching Authenticated Data) and CPAD (Caching Proxy-Authenticated Data) support, check_authorization() is used when you know that the upstream device sometimes (not always or never) requires the user to authenticate and be authorized for this object. S[...]

  • Page 171

    content_filter_override() This property has been deprecated. content_filter_override(yes) has two effects: • It prevents the request from being sent to the off-box content filter, if off-box content filtering is configured. In this case, it is equivalent to request.filter_service(no). • It suppresses [...]

  • Page 172

    cookie_sensitive() Used to modify caching behavior by declaring that the object served by the request varies based on cookie values. Set to yes to specify this behavior, or set to no for the default behavior, which caches based on HTTP headers. Using cookie_sensitive(yes) has the same effect as cac[...]

  • Page 173

    delete_on_abandonment() If set to yes, specifies that if all clients who may be simultaneously requesting a particular object close their connections before the object is delivered, the object fetch from the origin server is abandoned, and any prior instance of the object is deleted from the cache. Syntax [...]

  • Page 174

    deny() Denies service. Denial can be overridden by allow or exception(). To deny service in a way that cannot be overridden by a subsequent allow, use force_deny() or force_exception(). The relation between authenticate() and deny() is controlled by the authenticate.force() property. By d[...]

  • Page 175

    deny.unauthorized() The deny.unauthorized property instructs the Proxy SG to issue a challenge (401 Unauthorized or 407 Proxy Authorization Required). This indicates to the client that the resource cannot be accessed with their current identity, but might be accessible using a different identity. The brow[...]

  • Page 176

    direct() Used to prevent requests from being forwarded to a parent proxy or SOCKS server when the Proxy SG is configured to forward requests. When set to yes, <Forward> layer policy is not evaluated for the transaction. Syntax: direct(yes|no). The default value is no, which allows request fo[...]

  • Page 177

    dynamic_bypass() Used to indicate that a particular transparent request is not to be handled by the proxy, but instead be subjected to the Proxy SG dynamic bypass methodology. The dynamic_bypass(yes) property takes precedence over authenticate(); however, a committed denial takes precedence over dynamic_by[...]

  • Page 178

    exception() Selects a built-in or user-defined response to be returned to the user. The exception() property is overridden by allow or deny(). To set an exception that cannot be overridden by allow, use force_exception(). The identity of the exception being returned can be tested in an <Exc[...]

  • Page 179

    exception.autopad() Pads an HTTP exception response by including trailing whitespace in the response body so that Content-Length is at least 513 characters. A setting of yes is used to prevent Internet Explorer from substituting friendly error messages in place of the exception response being returned, when [...]

  • Page 180

    force_cache() Used to force caching of HTTP responses that would otherwise be considered uncacheable. The default HTTP caching behavior is restored using force_cache(no). The value of the force_cache() property is ignored unless all of the following property settings are in effect: bypass_cache[...]

  • Page 181

    force_deny() The force_deny() property is similar to deny() except that it: • Cannot be overridden by an allow. • Overrides any pending termination (that is, if a deny() has already been matched, and a force_deny or force_exception is subsequently matched, the latter commits). • Commits immediately ([...]

  • Page 182

    force_exception() The force_exception() property is similar to exception except that it: • Cannot be overridden by an allow. • Overrides any pending termination (that is, if a deny() has already been matched, and a force_deny() or force_exception() is subsequently matched, the latter commits[...]

  • Page 183

    force_patience_page() This property provides control over the application of the default patience page logic. Syntax: force_patience_page(yes|no); force_patience_page(reason); force_patience_page.reason(yes|no); force_patience_page[reason, ...](yes|no). where: reason —Takes one of the following values, corres[...]

  • Page 184

    forward() Determines forwarding behavior. There is a box-wide configuration setting (config>forwarding>sequence) for the default forwarding failover sequence. The forward() property is used to override the default forwarding failover sequence with a specific list of host and/or group alia[...]

  • Page 185

    forward.fail_open() Controls whether the Proxy SG terminates or continues to process the request if the specified forwarding host or any designated backup or default cannot be contacted. There is a box-wide configuration setting (config>forwarding>failure-mode) for the default forward failure mode.[...]

  • Page 186

    ftp.server_connection() Determines when the control connection to the server is established. If set to deferred, the proxy defers establishing the control connection to the server. Syntax: ftp.server_connection(deferred|immediate). The default value is immediate. Layer and Transaction Notes • U[...]

  • Page 187

    ftp.server_data() Determines the type of data connection to be used with this FTP transaction. Syntax: ftp.server_data(auto|passive|port). where: • auto —First attempt a PASV data connection. If this fails, switch to PORT. • passive —Use a PASV data connection. PASV data connections are not allowed [...]

  • Page 188

    ftp.transport() Determines the upstream transport mechanism. This setting is not definitive; it depends on the capabilities of the selected forwarding host. Syntax: ftp.transport(auto|ftp|http). The default value is auto. where: • auto —Use the default transport for the upstream connection, as de[...]

  • Page 189

    http.force_ntlm_for_server_auth() Turns NTLM cloaking on or off on a per-request basis. Refer to Appendix A: "NTLM and CAASNT" in the Proxy SG Configuration and Management Guide for a discussion of NTLM cloaking. Syntax: http.force_ntlm_for_server_auth(yes|no). This property overrides the default specified[...]

  • Page 190

    http.request.version() The http.request.version() property sets the version of the HTTP protocol to be used in the request to the origin content server or upstream proxy. Syntax: http.request.version(1.0|1.1). The default is taken from the CLI configuration setting http version, which can be set to[...]

  • Page 191

    http.response.version() The http.response.version() property sets the version of the HTTP protocol to be used in the response to the client's user agent. Syntax: http.response.version(1.0|1.1). The default is taken from the CLI configuration setting http version, which can be set to either 1.0 or 1.1. Cha[...]

  • Page 192

    icp() Determines whether to consult ICP when forwarding requests. Any forwarding host or SOCKS gateway identified as an upstream target takes precedence over consulting ICP. Syntax: icp(yes|no). The default is yes if ICP hosts are configured, no otherwise. where: • yes —Consult ICP unless for[...]

  • Page 193

    im.strip_attachments() Determines whether attachments are stripped from instant messages. If set to yes, attachments are stripped from instant messages. Syntax: im.strip_attachments(yes|no). The default value is no. Layer and Transaction Notes • Use in <Proxy> layers. • Applies to instant messag[...]

  • Page 194

    integrate_new_hosts() Determines whether to add new host addresses to health checks and load balancing. Syntax: integrate_new_hosts(yes|no). The default is no. If it is set to yes, any new host addresses encountered during DNS resolution of forwarding hosts are added to health checks and load balan[...]

  • Page 195

    label() This deprecated property is provided for backward compatibility with CacheOS 4.x filter files. For more information, see "action()" on page 156.[...]

  • Page 196

    log.rewrite.field-id() The log.rewrite.field-id property controls rewrites of a specific log field in one or more access logs. Individual access logs are referenced by the name given in configuration. Configuration also determines the format of each log. For more information on logging, refe[...]

  • Page 197

    log.suppress.field-id() The log.suppress.field-id() property controls suppression of the specified field-id in one or more access logs. Individual access logs are referenced by the name given in configuration. Configuration also determines the format of each log. For more information on logging, refe[...]

  • Page 198

    max_bitrate() Enforces upper limits on the instantaneous bandwidth of the current streaming transaction. This policy is enforced during initial connection setup. If the client requests a higher bit rate than allowed by policy, the request is denied. Note: Under certain network conditions, a client ma[...]

  • Page 199

    never_refresh_before_expiry() The never_refresh_before_expiry() property is similar to the CLI command SGOS#(config) http strict-expiration refresh, except that it provides per-transaction control to allow overriding the box-wide default set by the command. Syntax: never_refresh_before_expiry(yes|no). The [...]

  • Page 200

    never_serve_after_expiry() The never_serve_after_expiry() property is similar to the CLI command SGOS#(config) http strict-expiration serve, except that it provides per-transaction control to allow overriding the box-wide default set by the command. Syntax: never_serve_after_expiry(yes|no). The defau[...]

  • Page 201

    patience_page() Controls whether or not a patience page can be served, and if so, the delay interval before serving. If no patience_page property is explicitly set, the decision about whether to serve a patience page and the delay before a patience page is presented are taken from the ICAP service configurati[...]

  • Page 202

    pipeline() Determines whether an object embedded within an HTML container object is pipelined. Set to yes to force pipelining, or set to no to prevent the embedded object from being pipelined. Note that this property affects processing of the individual URLs embedded within a container object. It [...]

  • Page 203

    prefetch() This deprecated property has been replaced by pipeline(). For more information, see "pipeline()" on page 202.[...]

  • Page 204

    reflect_ip() Determines how the client IP address is presented to the origin server for explicitly proxied requests. Replaces: • reflect_ip(vip) replaces reflect_vip(yes). • reflect_ip(auto) replaces reflect_vip(no). Syntax: reflect_ip(auto|no|client|vip|ip_address). The default value is auto.[...]

  • Page 205

    reflect_vip() This deprecated syntax has been replaced by the reflect_ip() property. For more information, see "reflect_ip()" on page 204.[...]

  • Page 206

    refresh() Controls refreshing of requested objects. Set to no to prevent refreshing of the object if it is cached. Set to yes to allow the cache to behave normally. Syntax: refresh(yes|no). The default value is yes. Layer and Transaction Notes • Use in <Cache> layers. • Do not use [...]

  • Page 207

    remove_IMS_from_GET() The remove_IMS_from_GET() property is similar to the CLI command SGOS#(config) http substitute if-modified-since, except that it provides per-transaction control to allow overriding the box-wide default set by the command. Syntax: remove_IMS_from_GET(yes|no). The default value is taken fro[...]

  • Page 208

    remove_PNC_from_GET() The remove_PNC_from_GET property is similar to the CLI command SGOS#(config) http substitute pragma-no-cache, except that it provides per-transaction control to allow overriding the box-wide default set by the command. Syntax: remove_PNC_from_GET(yes|no). The default value is taken[...]

  • Page 209

    remove_reload_from_IE_GET() The remove_reload_from_IE_GET() property is similar to the CLI command SGOS#(config) http substitute ie-reload, except that it provides per-transaction control to override the box-wide default set by the command. Syntax: remove_reload_from_IE_GET(yes|no). The default value is taken fr[...]

  • Page 210

    request.filter_service() Controls whether the request is processed by an external content filter service. The Proxy SG currently supports Websense Enterprise Server external content filtering. Directing the request to an external content filter service does not affect policy based on categories dete[...]

  • Page 211

    url.address=10.0.0.0/8 ; don't filter internal network
    client.address=10.1.2.3 ; don't filter this client
    See Also • The Proxy SG Command Line Reference for information on configuring Websense off-box services.[...]

  • Page 212

    request.icap_service() Determines whether a request from a client should be processed by an external ICAP service before going out. Typical applications include content filtering and virus scanning. Syntax: request.icap_service(servicename [, fail_open | fail_closed]); request.icap_service(no). The [...]

  • Page 213

    response.icap_service() Determines whether a response to a client request is first sent to an ICAP service before being given to the client. Depending on the ICAP service, the response may be allowed, denied, or altered. Typical applications include virus scanning. Syntax: res[...]

  • Page 214

    service() This deprecated syntax has been replaced by the allow, deny() and exception() properties.[...]

  • Page 215

    socks.accelerate() The socks.accelerate property controls the SOCKS proxy handoff to other protocol agents. Syntax: socks.accelerate(no|auto|http|aol_im|msn_im|yahoo_im). The default value is auto. where: • no —The SOCKS proxy does not hand off the transaction to another proxy agent, but tunnels the SOC[...]

  • Page 216

    socks.authenticate() The same realms can be used for SOCKS proxy authentication as can be used for regular proxy authentication. This form of authentication applies only to SOCKS transactions. The regular authenticate() property does not apply to SOCKS transactions. However, if an accelerated SOCK[...]

  • Page 217

    socks.authenticate.force() This property controls the relation between SOCKS authentication and denial. Syntax: socks.authenticate.force(yes|no). The default value is no. where: • yes —Makes socks.authenticate() higher priority than deny() or exception(). Use yes to ensure that user IDs are avail[...]

  • Page 218

    socks_gateway() Controls whether or not the request associated with the current transaction is sent through a SOCKS gateway. There is a box-wide configuration setting (config>socks-gateways>sequence) for the default SOCKS gateway failover sequence. The socks_gateway() property is used to [...]

  • Page 219

    socks_gateway.fail_open() Controls whether the Proxy SG terminates or continues to process the request if the specified SOCKS gateway or any designated backup or default cannot be contacted. There is a box-wide configuration setting (config>socks-gateways>failure-mode) for the default SOCKS gateway[...]

  • Page 220

    streaming.transport() Determines the upstream transport mechanism to be used for this streaming transaction. This setting is not definitive: the ability to use the specified transport mechanism depends on the capabilities of the selected forwarding host. Syntax: streaming.transport(auto|tcp|http). wher[...]

  • Page 221

    terminate_connection() The terminate_connection() property is used in an <Exception> layer to drop the connection rather than return the exception response. The yes option terminates the connection instead of returning the response. (This property provides backwards-compatible support with the TERMIN[...]

  • Page 222

    trace.destination() Used to change the default path to the trace output file. By default, policy evaluation trace output is written to an object in the cache accessible using a console URL of the following form: http://ProxySG_IP_address:8081/Policy/Trace/path. Syntax: trace.destination(path). where[...]

  • Page 223

    trace.request() Determines whether detailed trace output is generated for the current request. The default value is no, which produces no output. Trace output is generated at the end of a request, and includes request parameters, property settings, and the effects of all actions taken. Output tracing can[...]

  • Page 224

    trace.rules() Determines whether trace output is generated showing policy rule evaluation for the transaction. By default, trace output is written to an object accessible using the following console URL: http://ProxySG_IP_address:8081/Policy/Trace/default_trace.html. The trace output location can be c[...]

  • Page 225

    ttl() Sets the time-to-live (TTL) value of an object in the cache, in seconds. Upon expiration, the cached copy is considered stale and will be re-obtained from the origin server when next accessed. However, this property has an effect only if the following HTTP command line option is enabled: Force explicit ex[...]

  • Page 226

    ua_sensitive() Used to modify caching behavior by declaring that the response for a given object is expected to vary based on the user agent used to retrieve the object. Set to yes to specify this behavior. Using ua_sensitive(yes) has the same effect as cache(no). Note: Remember that any conflict amo[...]

  • Page 227

    Chapter 5: Action Reference An action takes arguments and is wrapped in a user-named action definition block. When the action definition is called from a policy rule, any actions it contains operate on their respective arguments. Within a rule, named action definitions are enabled and disabled using the action() property. Actions take the f[...]

  • Page 228

    append() Appends a new component to the specified header. Note: An error results if two header modification actions modify the same header. This results in a compile-time error if the conflicting actions are within the same action definition block. A runtime error is recorded in the event log if [...]

  • Page 229

    delete() Deletes all components of the specified header. Note: An error results if two header modification actions modify the same header. The error is noted at compile time if the conflicting actions are within the same action definition block. A runtime error is recorded in the event log if the conflictin[...]

  • Page 230

    delete_matching() Deletes all components of the specified header that contain a substring matching a regular-expression pattern. Note: An error results if two header modification actions modify the same header. The error is noted at compile time if the conflicting actions are within the same action[...]

  • Page 231

    im.alert() Delivers a message in-band to the instant messaging user. The text appears in the instant message window. This action is similar to log_message(), except that it appends entries to a list in the instant messaging transaction that the IM protocol renders in an appropriate way. Multiple alerts can be[...]

  • Page 232

    log_message() Writes the specified string to the Proxy SG event log. Events generated by log_message() are viewed by selecting the Policy messages event logging level in the Management Console. Note: This is independent of access logging. Syntax: log_message(string), where string is a quoted string t[...]

  • Page 233

    notify_email() Sends an email notification to the list of recipients specified in the Event Log mail configuration. The sender of the email appears as Primary_ProxySG_IP_address - configured_appliance_hostname>. You can specify multiple notify_email actions, which may result in multiple mail messages for a [...]

  • Page 234

    notify_snmp() Multiple notify_snmp actions may be specified, resulting in multiple SNMP traps for a single transaction. The SNMP trap is sent when the transaction terminates. Syntax: notify_snmp(message), where message is a quoted string that can optionally include one or more variable substitutions.[...]

  • Page 235

    redirect() Ends the current HTTP transaction and returns an HTTP redirect response to the client by setting the policy_redirect exception. Use this action to specify an HTTP 3xx response code, optionally set substitution variables based on the request URL, and generate the new Location response-header URL aft[...]

  • Page 236

    replace() This deprecated action has been replaced by rewrite(). For more information, see "rewrite()" on page 237.[...]

  • Page 237

    rewrite() Rewrites the request URL, URL host, or components of the specified header if it matches the regular-expression pattern. This action is often used in conjunction with the URL rewrite form of the transform action in a server portal application. Note: The URL form of the rewrite() action does not r[...]

  • Page 238

    URL is considered complete, and replaces any URL that contains a substring matching the regex_pattern substring. Sub-patterns of the matched regex_pattern can be substituted in replacement_url using the $(n) syntax, where n is an integer from 1 to 32 specifying the matched sub-pattern. For more info[...]

  • Page 239

    See Also • Actions: append(), delete(), delete_matching(), redirect(), set(), transform • Conditions: request.header.header_name=, request.header.header_name.address=, request.x_header.header_name=, request.x_header.header_name.address=, response.header.header_name=, response.x_header[...]

  • Page 240

    set() Sets the specified header to the specified string after deleting all components of the header. Note: An error results if two header modification actions modify the same header. The error is noted at compile time if the conflicting actions are within the same action definition block. A runtime[...]

  • Page 241

    Discussion Any change to the server form of the request URL must be respected by policy controlling upstream connections. The server form of the URL is tested by the server_url= conditions, which are the only URL tests allowed in <Forward> layers. All forms of the URL are[...]

  • Page 242

    transform Invokes an active content or URL rewrite transformer. The invoked transformer takes effect only if the transform action is used in a define action definition block, and that block is in turn enabled by an action() property. See chapters 11 and 13 in the Configuration and Management Guide f[...]

  • Page 243

    See Also • Properties: action() • Definitions: define action, transform active_content, transform url.rewrite[...]

  • Page 244

    virus_check() This deprecated action sends the requested document to a virus scanning server. For more information, see "response.icap_service()" on page 213.[...]

  • Page 245

    Chapter 6: Definition Reference In policy files, definitions serve to bind a set of conditions, actions, or transformations to a user-defined label. Two types of definitions exist: • Named definitions—Explicitly referenced by policy. • Anonymous definitions—Apply to all policy evaluation and are not referenced directly in[...]

  • Page 246

    define action Binds a user-defined label to a sequence of action statements. The action() property has syntax that allows individual action definition blocks to be enabled and disabled independently, based on the policy evaluation for the transaction. When an action definition block is enabled, [...]

  • Page 247

    • Definitions: transform active_content, transform url_rewrite • Chapter 5: "Action Reference".[...]

  • Page 248

    define active_content Defines rules for removing or replacing active content in HTML or ASX documents. This definition takes effect only if it is invoked by a transform action in a define action definition block, and that block is in turn enabled by an action() property as a result of policy evaluation[...]

  • Page 249

    Layer and Transaction Notes • Applies to proxy transactions. • Only alphanumeric, underscore, dash, and slash characters can be used with the define action name. Example:
    <proxy>
    url.domain=!my_site.com action.strip_active_content(yes)
    define active_content strip_with_indication
    tag_replace apple[...]

  • Page 250

    define category Category definitions are used to extend vendor content categories or to create your own. The category_name definition can be used anywhere a content filter category name would normally be used, including in category= tests. Definitions can include other definitions to create a hierar[...]

  • Page 251

    sportsworld.com
    category=football ; include subcategory
    end
    define category football
    nfl.com
    cfl.ca
    end
    The following policy needs only to refer to the sports category to also test the sub-category football:
    <Proxy>
    deny category=sports ; includes subcategories
    For more information on using category= t[...]

  • Page 252

    define condition Binds a user-defined label to a set of conditions for use in a condition= expression. For condition definitions, the manner in which the condition expressions are listed is significant. Multiple condition expressions on one line, separated by whitespace, are considered to have a Boolea[...]

  • Page 253

    define condition extension_low_risk
    ; file types assumed to be low risk.
    url.extension=(asf,asx,gif,jpeg,mov,mp3,ram,rm,smi,smil,swf,txt,wax,wma,wmv,wvx)
    end
    define condition internal_prescanned
    ; will be prescanned so we can assume safe
    server_url.domain=internal.myco.com server_url.extension=(doc,dot,hlp,ht[...]

  • Page 254

    define domain This deprecated syntax has been replaced by the url.domain condition. For more information see "define url.domain condition" on page 263.[...]

  • Page 255

    define javascript A javascript definition is used to define a javascript transformer, which adds javascript that you supply to HTML responses. Syntax: define javascript transformer_id javascript-statement [javascript-statement] … end. where: • transformer_id —A user-defined identifier for a transforme[...]

  • Page 256

    See Also • Actions: transform • Definitions: define action • Properties: action()[...]

  • Page 257

    define prefix condition This deprecated syntax has been replaced by the define url condition. For more information see "define url condition" on page 261.[...]

  • Seite 258

    Proxy SG Content Policy Language Guide 258 define ser ver_url.domain condition Binds a user-defined label to a set of domain-s uffix patterns for use in a condition= expr ession. Using this definition block allows you to quickl y test a large set of server_url.domain= conditions. Although the define condition definition blo ck could be used in a si[...]

  • Seite 259

    Chapter 6: Definition Reference 259 affinityclub.example.com end <Forward> condition=!allowed access_server(no) See Also Condition: condition= , server_url.domain= Definitions: define url.domain condition[...]

  • Page 260

    define subnet Binds a user-defined label to a set of IP addresses or IP subnet patterns. Use a subnet definition label with any of the conditions that test part of the transaction as an IP address, including: client.address= , proxy.address= , request.header.header_name.address= , request.x_header.he[...]

  • Page 261

    define url condition Binds a user-defined label to a set of URL prefix patterns for use in a condition= expression. Using this definition block allows you to quickly test a large set of url= conditions. Although the define condition definition block could be used in a similar way to encapsulate a set of URL [...]

  • Page 262

    timing restrictions for the defined condition will depend on the layer and timing restrictions of the contained expressions. The condition= condition is one of the expressions that can be included in the body of a define url condition definition block, following a URL pattern. In this way, one pref[...]

  • Page 263

    define url.domain condition Binds a user-defined label to a set of domain-suffix patterns for use in a condition= expression. Using this definition block allows you to test a large set of server_url.domain= conditions very quickly. Although the define condition definition block could be used in a simil[...]

  • Page 264

    See Also • Condition: condition= , server_url.domain= • Definitions: define url condition , define server_url.domain condition[...]

  • Page 265

    define url_rewrite Defines rules for rewriting URLs embedded in tags within HTML, CSS, JavaScript or ASX documents. This transformer takes effect only if it is also invoked by a transform action in a define action definition block, and that block is in turn called from an action( ) property. For each url fo[...]

  • Page 266

    • server_url_substring —A string that, if found in the server URL, will be replaced by the client_url_substring. The comparison is done against original normalized URLs embedded in the document. Note: Both client_url_substring and server_url_substring are literal strings. Wildcard characters and r[...]

  • Page 267

    restrict dns This definition restricts DNS lookups and is useful in installations where access to DNS resolution is limited or problematic. The definition has no name because it is not directly referenced by any rules. It is global to policy evaluation and intended to prevent any DNS lookups caused by polic[...]

  • Page 268

    restrict rdns This definition restricts reverse DNS lookups and is useful in installations where access to reverse DNS resolution is limited or problematic. The definition has no name. It is global to policy evaluation and is not directly referenced by any rules. If the requested URL specifies the h[...]

  • Page 269

    transform active_content This deprecated syntax has been replaced by define active_content. For more information see "define active_content" on page 248.[...]

  • Page 270

    transform url_rewrite This deprecated syntax has been replaced by define url_rewrite. For more information see "define url_rewrite" on page 265.[...]

  • Page 271

    Appendix A: Glossary actions A class of definitions. CPL has two general classes of actions: request or response modifications and notifications. An action takes arguments (such as the portion of the request or response to modify) and is wrapped in a named action definition block. When the action definition is turned on by the policy rules, an[...]

  • Page 272

    Forward Policy File A file you create or that might be created during an upgrade from prior SGOS versions, and that you maintain to supplement any policy described in the other three policy files. It is normally used for forwarding policy. The Forward policy file is always last in the evaluation or[...]

  • Page 273

    response transformation a modification of the object being returned. This modification can be to either the protocol headers associated with the response sent to the client, or a transformation of the object contents itself, such as the removal of active content from HTML pages. rule A list of triggers and property s[...]

  • Page 274

  • Page 275

    Appendix B: Testing and Troubleshooting If you are experiencing problems with your policy files or would like to monitor evaluation for brief periods of time, consider using the policy tracing capabilities of the policy language. Tracing allows you to examine how the Proxy SG policy is applied to a particular request. To configure trac[...]

  • Page 276

    Enabling Request Tracing Use the trace.request( ) property to enable request tracing. Request tracing logs a summary of information about the transaction: request parameters, property settings, and the effects of all actions taken. This property uses the following syntax: trace.request(yes|no) where[...]

  • Page 277

    Here are the relevant policy requirements to be expressed: • DNS lookups are restricted except for a site being hosted. • There is no access to reverse DNS so that is completely restricted. • Any requests not addressed to the hosted site either by name or subnet should be rejected. • FTP P[...]

  • Page 278

    1 start transaction ------------------------------ 2 CPL Evaluation Trace: 3 <Proxy> 4 MATCH: trace.rules(all) trace.request(yes) 5 <Proxy> 6 miss: url.domain=!//my_site.com/ 7 miss: url.address=!my_subnet 8 <Proxy> 9 n/a : ftp.method=STOR 10 <Proxy> 11 MATCH: url.domain=//my_site.[...]

  • Page 279

    The following is a trace of the same policy, but for a transaction in which the request URL has an IP address instead of a hostname. 1 start transaction ------------------------------ 2 CPL Evaluation Trace: 3 <Proxy> 4 MATCH: trace.rules(all) trace.request(yes) 5 <Proxy> 6 miss: url.hos[...]

  • Page 280

    Policy: Action discarded, 'set_header_1' conflicts with an action already committed The conflict is reflected in the following trace of a request for //www.my_site.com/home.html : 1 start transaction ------------------------------ 2 CPL Evaluation Trace: 3 <Proxy> 4 MATCH: trace.rules(all[...]

  • Page 281

    Appendix C: Recognized HTTP Headers The tables provided in this appendix list all recognized HTTP 1.1 headers and indicate how the Proxy SG is able to interact with them. For each header, columns show whether the header appears in request or response forms, and whether the append( ) , delete( ) , rewrite( ) , or set( ) actions[...]

  • Page 282

    The following table lists custom headers that are recognized by the Proxy SG. If-Match Request X If-Modified-Since Request If-None-Match Request X If-Range Request If-Unmodified-Since Request Last-Modified Request/Response Location Response X X Max-Forwards Request Meter Request/Response X X Pragma[...]

  • Page 283

    Appendix D: CPL Substitutions This appendix lists all substitution variables available in CPL. To use a variable in CPL, it is expressed as: $(<field-id>) , such as $(cs-bodylength). For fields that have both ELFF and CPL tokens, either token can be used. For example, $(cs-ip) and $(proxy.address) are equivalent. Note that $(request.x_h[...]

  • Page 284

    sr-bytes Number of bytes sent from appliance to upstream host. sr-headerlength Number of bytes in the header sent from appliance to upstream host. Category: connection ELFF CPL Description cs-ip proxy.address IP address of the destination of the client's connection. c-connect-type The type of conne[...]

  • Page 285

    x-bluecoat-transaction-id transaction.id Unique per-request identifier generated by the appliance (note: this value is not unique across multiple appliances). x-bluecoat-appliance-name appliance.name Configured name of the appliance. x-bluecoat-appliance-primary-address appliance.primary_address Primary IP ad[...]

  • Page 286

    cs-version request.version Protocol and version from the client's request; for example, HTTP/1.1. x-bluecoat-proxy-via-http-version proxy.via_http_version Default HTTP protocol version of the appliance without protocol decoration (e.g. 1.1 for HTTP/1.1). x-bluecoat-redirect-location redirect.loc[...]

  • Page 287

    x-bluecoat-special-esc esc Resolves to the escape character (ASCII HEX 1B). x-bluecoat-special-gt gt The greater-than character. x-bluecoat-special-lf lf The line feed character. x-bluecoat-special-lt lt The less-than character. x-bluecoat-special-quot quot The double quote character. x-bluecoat-special-[...]

  • Page 288

    x-bluecoat-surfcontrol-reporter-id Specialized value for SurfControl reporter. x-bluecoat-websense-category-id The Websense specific content category ID. x-bluecoat-websense-keyword The Websense specific keyword. x-bluecoat-websense-reporter-id The Websense specific reporter category ID. x-blueco[...]

  • Page 289

    x-patience-url patience_url The url to be requested for more patience information. x-virus-id Identifier of a virus if one was detected. Category: streaming ELFF CPL Description x-cs-streaming-client streaming.client Type of streaming client in use (windows_media, real_media, or quicktime). x-rs-streaming-con[...]

  • Page 290

    x-bluecoat-day day Localtime day (as a number) formatted to take up two spaces; for example, 07 for the 7th of the month. x-bluecoat-hour hour Localtime hour formatted to always take up two spaces; for example, 01 for 1AM. x-bluecoat-minute minute Localtime minute formatted to always take up two spaces; f[...]

  • Page 291

    cs-uri-hostname log_url.hostname Hostname from the 'log' URL. RDNS is used if the URL uses an IP address. cs-uri-path log_url.path Path from the 'log' URL. Does not include query. cs-uri-pathquery log_url.pathquery Path and query from the 'log' URL. cs-uri-port log_url.port Port [...]

  • Page 292

    sr-uri-query server_url.query Query from the upstream request URL. sr-uri-scheme server_url.scheme Scheme from the URL used in the upstream request. sr-uri-stem Path from the upstream request URL s-uri cache_url The URL used for cache access. s-uri-address cache_url.address IP address from the URL[...]

  • Page 293

    Category: user ELFF CPL Description cs-auth-group group One group that an authenticated client is a member of. The group selected is determined by either a group.log_order definition in policy or the order groups are referenced in policy cs-auth-groups groups Groups that an authenticated client is a member of. [...]

  • Page 294

    cs(Accept-Language) request.header.Accept-Language Request header: Accept-Language cs(Accept-Ranges) request.header.Accept-Ranges Request header: Accept-Ranges cs(Age) request.header.Age Request header: Age cs(Allow) request.header.Allow Request header: Allow cs(Authentication-Info) request.header.[...]

  • Page 295

    cs(If-Unmodified-Since) request.header.If-Unmodified-Since Request header: If-Unmodified-Since cs(Last-Modified) request.header.Last-Modified Request header: Last-Modified cs(Location) request.header.Location Request header: Location cs(Max-Forwards) request.header.Max-Forwards Request header: Max-Forwards cs[...]

  • Page 296

    cs(X-Forwarded-For) request.header.X-Forwarded-For Request header: X-Forwarded-For Category: si_response_header ELFF CPL Description rs(Accept) response.header.Accept Response header: Accept rs(Accept-Charset) response.header.Accept-Charset Response header: Accept-Charset rs(Accept-Encoding) response.h[...]

  • Page 297

    rs(From) response.header.From Response header: From rs(Front-End-HTTPS) response.header.Front-End-HTTPS Response header: Front-End-HTTPS rs(Host) response.header.Host Response header: Host rs(If-Match) response.header.If-Match Response header: If-Match rs(If-Modified-Since) response.header.If-Modified-Since R[...]

  • Page 298

    rs(Vary) response.header.Vary Response header: Vary rs(Via) response.header.Via Response header: Via rs(WWW-Authenticate) response.header.WWW-Authenticate Response header: WWW-Authenticate rs(Warning) response.header.Warning Response header: Warning rs(X-BlueCoat-Error) response.header.X-BlueCoat-Er[...]

  • Page 299

    Appendix E: Filter File Syntax This appendix provides a summary of the syntax and evaluation order used in CacheOS version 4.x filter files. While it is recommended that you convert any filter file to take advantage of the policy features of Proxy SG, it is possible to use a CacheOS 4.x filter file in the place of a policy file, and have it [...]

  • Page 300

    Filter-Part Components The filter part of a filter file can contain the following: • Filters that are not part of a section • Sections • ALL statements • default_filter_properties statements • Access-control list (ACL) definitions Filters that are not part of a section must occur bef[...]

  • Page 301

    • The only condition available in filter lines is the acl= condition, which is a synonym for the CPL condition client.address= . • The only way to specify case-sensitivity is with case_insensitive={yes|no}. The following are requirements for filter lines: • A line break is considered to be a new filter [...]

  • Page 302

    ALL Statements An ALL statement is a line beginning with the keyword ALL, followed by zero or more conditions and property settings. There are two conditions available in an ALL statement: acl= and protocol=. The ALL statement acts as a match of first resort, before any filters a[...]

  • Page 303

    • protocol= value — An optional protocol= condition expression. Available values are http, https, ftp, mms, rtsp, tcp, aol-im, msn-im, or yahoo-im. For details, see "url=" on page 137. • property=value — An optional property setting. For a list of properties available in filter files[...]

  • Page 304

    While prefix-pattern filters are commonly used outside of any section, the Prefix section is provided to help differentiate these types of filters when domain-suffix and regular-expression filters are also used. The filters in a prefix section follow the pattern used in a CPL url= condition. For mo[...]

  • Page 305

    • The domain-suffix filter http://company.com/ denies service to all URLs where company.com is a proper super-domain and any path relative to the matched domain, including the null path. For example, service is denied to the URL http://www.intranet.company.com/ , but not http://mycompany.com/ since mycompan[...]

  • Page 306

    Evaluation Order CacheOS 4.x filter files have a different order of evaluation than CPL files. A compiled filter file behaves as if it had a single [Prefix] section, a single [Domain-Suffix] section, and a single [Regular-Expression] section. The filter file is rewritten during file compilation, as fo[...]

  • Page 307

    Appendix F: Upgrading from CacheOS When upgrading from CacheOS version 4.x to the Proxy SG, the default policy files are created as follows: • The CacheOS 4.x central filter file is copied to the Proxy SG central policy file with no changes. • The CacheOS 4.x local filter file is copied to the Proxy SG local policy file with no changes.[...]

  • Page 308

    For the CPL compiler, the correct filter will be selected at run time based on the ACL if the filters are distinguished by having different ACL conditions. Converting Filter-Style Files to CPL Syntax When converting your filter-style files, do not insert snippets of CPL syntax to take advantage o[...]

  • Page 309

    Index A <Admin> layers, understanding 37 access_log( ) property 154 access_server() property 155 action definition block 246 action part, filter file 305 action.action_label( ) property 156 actions append() 228 argument syntax in 227 conflicting 47 delete() 229 delete_matching() 230 log_message() 232 notify_email 233 , 234 redirect() 235 re[...]

  • Page 310

    Proxy SG Configuration and Management Guide 310 D date= condition 67 day= condition 68 define acl definition block, filter file 303 define action definition block 246 define category definition 250 define condition definition block 252 define prefix condition definition block 257 , 261 define server_url.domain condition name definition 258 define[...]

  • Page 311

    H has_attribute.name= condition 74 has_client= condition 76 hour= condition 77 HTTP cache transactions 36 http.method= condition 79 http.request.version( ) property 190 http.request.version=condition 80 http.response.code=condition 81 http.response.version( ) property 191 http.response.version=condition 82 http.transparent_authentication=[...]

  • Page 312

    rules, conflicting 47 statistics, example 276 testing 275 tips on writing 44 troubleshooting 275 whitelists 45 policy ix authentication/denial, setting 28 installing, overview 29 troubleshooting, overview 30 writing, overview 27 policy model, understanding 20 policy rules order 45 policy tracing enabl[...]

  • Page 313

    Q quoting, understanding 22 R realm= condition 112 redirect() action 235 references related Blue Coat documentation x referential integrity, understanding 26 reflect_ip( ) property 204 reflect_vip( ) property. See reflect_ip( ) property refresh property, filter file 302 refresh transactions 35 refresh( ) property 206 regular-expression [...]

  • Page 314

    T time= condition 134 timing in layers, understanding 41 understanding 36 trace.destination( ) 276 trace.destination( ) property 222 trace.request( ) property 223 trace.rules enabling 275 trace.rules() property 224 trace.rules, enabling. 275 transactions administrator 33 cache 33 , 35 , 271 forwardin[...]