Blue Coat Systems Proxy SG manual



A good user manual

The law obliges the seller to deliver to the buyer, together with the product, the Blue Coat Systems Proxy SG user manual. The absence of the manual, or providing incorrect information to the consumer, constitutes grounds for a claim that the product does not conform to the contract. According to the law, it is permitted to supply the manual in a form other than paper, which has lately become quite common, and manufacturers provide a graphical manual, an electronic version of the Blue Coat Systems Proxy SG manual, or instructional videos for users. The condition is that it be in a legible and understandable form.

What is a user manual?

The name comes from the Latin word "instructio", meaning to arrange or instruct. A Blue Coat Systems Proxy SG manual therefore contains a description of the steps to follow. The purpose of a manual is to teach, to make it easier to switch on or use a device, or to carry out specific actions. A user manual is also a source of information about an object or a service; it is a guide.

Unfortunately, few users spend time reading Blue Coat Systems Proxy SG manuals; however, a good manual allows us not only to learn about a number of additional features of the purchased device, but also to avoid most failures.

So what should the perfect user manual contain?

Above all, a Blue Coat Systems Proxy SG user manual should contain:
- information about the technical specifications of the Blue Coat Systems Proxy SG device
- the manufacturer's name and the year of manufacture of the Blue Coat Systems Proxy SG device
- conditions of use, configuration and maintenance of the Blue Coat Systems Proxy SG device
- safety marks and certificates confirming compliance with the relevant standards

Why don't we read user manuals?

Usually it is because of a lack of time and of confidence about the specific features of the purchased devices. Unfortunately, connecting and switching on the Blue Coat Systems Proxy SG is not enough. The user manual always contains a series of instructions about specific features, safety rules, maintenance advice (including which products to use), possible failures of the Blue Coat Systems Proxy SG and ways of solving problems that may occur during its use. Finally, a manual contains the contact details of Blue Coat Systems technical support in case the proposed solutions have not worked. Nowadays, user manuals in the form of interesting animations or video manuals are popular, as they reach the user much better than a leaflet. This type of manual helps the user watch the whole video without skipping the complicated specifications and technical descriptions of the Blue Coat Systems Proxy SG, as is often done with a paper version.

Why is it worth reading user manuals?

Above all, it is in them that we find the answers about the construction and capabilities of the Blue Coat Systems Proxy SG device, the use of specific accessories, and a range of information that allows you to take full advantage of its features and conveniences.

After a successful purchase of equipment or a device, it is worth taking a moment to become familiar with every part of the Blue Coat Systems Proxy SG manual. Nowadays they are prepared and translated with care, so that they are not only understandable to users but also fulfil their basic function of information and help.

Index of user manuals

  • Page 1

    Blue Coat Systems™ Proxy SG Content Policy Language Guide Content Policy Language Guide[...]

  • Page 2

    Proxy SG Content Policy Language Guide 2 Blue Coat Systems Inc. (408) 220-2200 Voice 650 Almanor Avenue (408) 220-2250 FAX Sunnyvale, California 94086 (866) 302-2628 Technical Support (866) 362-2628 info@bluecoat.com www.bluecoat.com Copyright (c) 2002, 2003 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may [...]

  • Page 3

    Copyrights 3 THIRD PARTY COPYRIGHT NOTICES Blue Coat Systems, Inc. Security Gateway Operating System (SGOS) version 3 utilizes third party software from various sources. Portions of this software are copyrighted by their respective owners as indicated in the copyright notices below. The following lists the copyright notices for: BPF Copyrig[...]

  • Page 4

    Proxy SG Content Policy Language Guide 4 Redistribution and use of this software and associated documentation ("Software"), with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain copyright statements and notices, 2. Redistributions in binary form must re[...]

  • Page 5

    Copyrights 5 A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 2) The 32-bit CRC compensation attack detector in deattack.c was contributed by CORE SDI S.A. under a BSD-style license. Cryptographic attack detector for ssh - source code Copyrig[...]

  • Page 6

    Proxy SG Content Policy Language Guide 6 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIE[...]

  • Page 7

    Copyrights 7 This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com). PCRE Copyright (c) 1997-2001 University of Cambridge University of Cambridge Computing Service, Cambridge, England. Phone: +44 1223 334714. Written by: Philip Haze[...]

  • Page 8

    Proxy SG Content Policy Language Guide 8 documentation. Moscow Center for SPARC Technology makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty. SmartFilter Copyright (c) 2003 Secure Computing Corporation. All rights reserved. SurfControl Copyrigh[...]

  • Page 9

    Preface: Introducing the Content Policy Language The Content Policy Language (CPL) is a powerful, flexible language that enables you to specify a variety of Web-access policies. Proxy SG policy is written in CPL, and every Web request is evaluated based on the installed policy. The language is designed so that policies can be customized to[...]

  • Page 10

    Proxy SG Content Policy Language Guide x Supported Browsers The Proxy SG Management Console supports Microsoft® Internet Explorer 5 and 6, and Netscape® Communicator 4.78, 6.2, and 7.1. The Management Console uses the Java Runtime Environment. All browsers come with a default, built-in JRE, and you should use this default JRE rather than[...]

  • Page 11

    Contents Preface: Introducing the Content Policy Language About the Document Organization ........ ix Supported Browsers ........[...]

  • Page 12

    Proxy SG Content Policy Language Guide xii <Forward> Layers ........ 39 <Proxy> Layers ........[...]

  • Page 13

    Contents xiii http.method= ........ 79 http.request.version= ........ 80 http.respo[...]

  • Page 14

    Proxy SG Content Policy Language Guide xiv server_url= ........ 125 socks= ........[...]

  • Page 15

    Contents xv force_cache( ) ........ 180 force_deny( ) ........ 181 force_e[...]

  • Page 16

    Proxy SG Content Policy Language Guide xvi trace.request( ) ........ 223 trace.rules( ) ........[...]

  • Page 17

    Contents xvii Appendix B: Testing and Troubleshooting Enabling Rule Tracing ........ 275 Enabling Request Tracing ........[...]

  • Page 18

    Proxy SG Content Policy Language Guide xviii[...]

  • Page 19

    Chapter 1: Overview of Content Policy Language The Content Policy Language (CPL) is a programming language with its own concepts and rules that you must follow. This chapter provides an overview of CPL, including the following topics: • "Concepts" • "CPL Language Basics" • "Writing Policy Using CPL" • [...]

  • Page 20

    Proxy SG Content Policy Language Guide 20 This provides the ability to test various aspects of a request, such as the IP address of the client and the URL used, or the response, such as the contents of any HTTP headers. • Ensures policy integrity during processing. The lifetime of a transaction may be relatively long, especially if a large o[...]

  • Page 21

    Chapter 1: Overview of Content Policy Language 21 For new Proxy SG appliances, the default is to deny all requests. For Proxy SG appliances being upgraded from 4.x, the default is to allow all requests. In either case, the Proxy SG can be configured for either default. The default setting is displayed in policy listings. The proper approach[...]

  • Page 22

    Proxy SG Content Policy Language Guide 22 With a few notable exceptions, triggers test one aspect of request, response, or associated state against a boolean expression of values. For the conditions in a rule, each of the triggers is logically anded together. In other words, the condition is only true if each one of the trigger express[...]

  • Page 23

    Chapter 1: Overview of Content Policy Language 23 • More complex boolean expressions are allowed for the pattern_expression in the triggers. For example, the second part of the condition in the simple rule shown above could be "the request is made between 9 a.m. and noon or between 1 p.m. and 5 p.m", expressed as: ... time=(0900..1200 || 13[...]

  • Page 24

    Proxy SG Content Policy Language Guide 24 Layers A policy layer is a CPL construct used to evaluate a set of rules and reach one decision. Separating decisions helps control policy complexity, and is done through writing each decision in a separate layer. Each layer has the form: <layer_type [label]> [layer_condition][layer_pro[...]

  • Page 25

    Chapter 1: Overview of Content Policy Language 25 [section_type [label]] [section_condition][section_properties] section_content where: • The section_type defines the syntax of the rules used in the section, and the evaluation strategy used to evaluate those rules. The square brackets [ ] surrounding the section name (and optional label[...]

  • Page 26

    Proxy SG Content Policy Language Guide 26 Named Definitions There are various types of named definitions. Each definition is given a user defined name that is then used in rules to refer to the definition. This section highlights a few of the definition types, as an overview of the topic. Refer to the Definitions reference chapter for more deta[...]

  • Page 27

    Chapter 1: Overview of Content Policy Language 27 policy that does not require the realm. Once all outstanding transactions that required reference to the realm have completed, the realm can be removed from configuration. Substitutions The actions used to rewrite the URL request or to modify HTTP request headers or HTTP response headers of[...]

  • Page 28

    Proxy SG Content Policy Language Guide 28 Authentication and Denial One of the most important timing relationships to be aware of is the relation between authentication and denial. Denial can be done either before or after authentication, and different organizations have different requirements. For example, suppose an organization require[...]

  • Page 29

    Chapter 1: Overview of Content Policy Language 29 <Proxy> client.address=!corporate_subnet deny ; filter out strangers socks.authenticate(MyRealm) ; this happens earlier than the category test <Proxy> ; user names be displayed in the access log for the denied requests category=Gambling exception(content_filter_denied) Note that this [...]

  • Page 30

    Proxy SG Content Policy Language Guide 30 Troubleshooting Policy When installed policy does not behave as expected, use policy tracing to understand the behavior of the installed policy. Tracing records additional information about a transaction and re-evaluates the transaction when it is terminated; however, it does not show the timing of [...]

  • Page 31

    Chapter 1: Overview of Content Policy Language 31 Conditional Compilation Occasionally, you might be required to maintain policy that can be applied to appliances running different versions of SGOS and requiring different CPL. CPL provides the following conditional compilation directive that tests the SGOS version (such as 2.1.06): relea[...]

  • Page 32

    Proxy SG Content Policy Language Guide 32[...]

  • Page 33

    Chapter 2: Managing Content Policy Language As discussed in Chapter 1, Content Policy Language policies are composed of transactions that are placed into rules and tested against various conditions. This chapter discusses the following: • "Understanding Transactions and Timing" • "Understanding Layers" • "Understa[...]

  • Page 34

    Proxy SG Content Policy Language Guide 34 Each of the protocol-specific proxy transactions has specific information that can be tested—information that may not be available from or relevant to other protocols. HTTP Headers and Instant Messaging buddy names are two examples of protocol-specific information. Other key differentiators among [...]

  • Page 35

    Chapter 2: Managing Content Policy Language 35 Some conditions cannot be evaluated during the first stage; for example, the user and group information will not be known until stage two. Likewise, the response headers and MIME type are unavailable for testing until stage three. For conditions, this is known as the earliest available time. Policy d[...]

  • Page 36

    Proxy SG Content Policy Language Guide 36 An HTTP cache transaction is examined in two stages: • Before the object is retrieved from the origin server. • After the object is retrieved. Forwarding Transactions A forwarding transaction is created when the Proxy SG needs to evaluate forwarding policy before accessing a remote host and no [...]

  • Page 37

    Chapter 2: Managing Content Policy Language 37 But policy cannot determine the value of the Content-type response header until the response is returned. The Proxy SG cannot contact the server to get the response until policy determines what hosts or gateways to route through to get there. In other words, policy must set the forward() prop[...]

  • Page 38

    Proxy SG Content Policy Language Guide 38 • The optional admin_properties is a list of properties set if any of the rules in the layer match. These act as defaults, and can be overridden by property settings in specific rules in the layer. For more information on using properties, see Chapter 4: "Property Reference". See also the [...]

  • Page 39

    Chapter 2: Managing Content Policy Language 39 <Exception> Layers <Exception> layers are evaluated when a proxy transaction is terminated by an exception. This could be caused by a bad request (for example, the request URL names a non-existent server) or by setting the deny or exception() properties in policy. Policy in an excep[...]

  • Page 40

    Proxy SG Content Policy Language Guide 40 <Proxy> Layers <Proxy> layers define policy for authenticating and authorizing users' requests for service over one of the configured proxy service ports (refer to Chapter 6: "Managing Port Services" in the Proxy SG Configuration and Management Guide.). Proxy layer policy involves [...]

  • Page 41

    Chapter 2: Managing Content Policy Language 41 Timing The "late guards early" timing errors that can occur within a rule can arise across rules in a layer. When a trigger cannot yet be evaluated, policy also has to postpone evaluating all following rules in that layer (since if the trigger turns out to be true and the rule matches, then e[...]

  • Page 42

    Proxy SG Content Policy Language Guide 42 url.domain=nbc.com/athletics deny ; etc, suppose it's a substantial list url.regex="sports|athletics" access_server(no) url.regex=".mail." deny ; etc url=www.bluecoat.com/internal group=!bluecoat_employees deny url=www.bluecoat.com/proteus group=!bluecoat_development deny ; etc[...]

  • Page 43

    Chapter 2: Managing Content Policy Language 43 • Rules in [Rule] sections are evaluated sequentially, top to bottom. The time taken is proportional to the number of rules in the section. • [Rule] sections can be used in any layer. [url] The [url] section type is used to group a number of rules that test the URL. The [url] section restrict[...]

  • Page 44

    Proxy SG Content Policy Language Guide 44 • [server_url.domain] sections are allowed only in <Exception> or <Forward> layers. Section Guards Just as you can with layers, you can improve policy clarity and maintainability by grouping rules into sections and converting the common conditions and properties into guard expressions that [...]

  • Page 45

    Chapter 2: Managing Content Policy Language 45 • Do not mix the CacheOS 4.x filter-file syntax with CPL syntax. Although the Content Policy Language is backward-compatible with the filter-file syntax, avoid using the older syntax with the new. For example, as the filter-file syntax uses a different order of evaluation, mixing the old and ne[...]

  • Page 46

    Proxy SG Content Policy Language Guide 46 The following example is an exception defined within a layer. A company wants access to payroll information limited to Human Resources staff only. The administrator uses membership in the HR_staff group to define the exception for HR staff, followed by the general policy: <Proxy> ; Blue Coat u[...]

  • Page 47

    Chapter 2: Managing Content Policy Language 47 evaluation order as currently configured. Changes to the policy file evaluation order must be managed with great care. Remember that properties maintain any setting unless overridden later in the file, so you could implement general policy in early layers by setting a wide number of properties,[...]

  • Page 48

    Proxy SG Content Policy Language Guide 48 Best Practices • Express separate decisions in separate layers. As policy grows and becomes more complex, maintenance becomes a significant issue. Maintenance will be easier if the logic for each aspect of policy is separate and distinct. Try to make policy decisions as independent as possible, and [...]

  • Page 49

    Chapter 3: Condition Reference A condition is an expression that yields true or false when evaluated. Conditions can appear in: • Policy rules. • Section and layer headers, as guards; for example, [Rule] group=("bankabchr" || "cn=humanresources,ou=groups,o=westernnational") • define condition, define domain condition, and defi[...]

  • Page 50

    Proxy SG Content Policy Language Guide 50 • condition ::= trigger "=" expression • trigger ::= identifier | identifier "." word • expression ::= term | list • list ::= "(" ((pattern ",")* pattern)? ")" • disjunction ::= conjunction | disjunction "||" conjunction • conjunction[...]

  • Page 51

    Chapter 3: Condition Reference 51 Unavailable Triggers Some triggers can be unavailable in some transactions. If a trigger is unavailable, then any condition containing that trigger is false, regardless of the pattern expression. For example, if the current transaction is not authenticated (that is, the authenticate property was set to no)[...]

  • Page 52

    Proxy SG Content Policy Language Guide 52 acl= Deprecated syntax. See "client.address=" on page 60 for more information.[...]

  • Page 53

    Chapter 3: Condition Reference 53 admin.access= Tests the administrative access requested by the current transaction. It evaluates to null if the transaction is not an administrative transaction, which may occur if the test is included in an <Exception> layer. Replaces: method= Syntax admin.access=READ|WRITE Layer and Transaction No[...]

  • Page 54

    Proxy SG Content Policy Language Guide 54 attribute.name= Tests if the current transaction is authenticated in a RADIUS or LDAP realm, and if the authenticated user has the specified attribute with the specified value. This trigger is unavailable if the current transaction is not authenticated (that is, the authenticate property is set to[...]

  • Page 55

    Chapter 3: Condition Reference 55 <proxy> authenticate(RADIUSRealm) ; This rule would restrict non-authorized users. <proxy> deny condition=!ProxyAllowed ; This rule would serve to override a previous denial and grant access to authorized ; users <proxy> allow condition=ProxyAllowed See Also • Conditions: authenticated=, gro[...]

  • Page 56

    Proxy SG Content Policy Language Guide 56 authenticated= True if authentication was requested and the credentials could be verified; otherwise, false. Syntax authenticated=(yes|no) Layer and Transaction Notes • Use in <Admin> and <Proxy> layers. • Applies to proxy and administrator transactions. • This condition cannot be c[...]

  • Page 57

    Chapter 3: Condition Reference 57 bitrate= Tests if a streaming transaction requests bandwidth within the specified range or an exact match. When providing a range, either value can be left empty, implying either no lower or no upper limit on the test. Bitrate can change dynamically during a transaction, so this policy is re-evaluated for e[...]

  • Page 58

    Proxy SG Content Policy Language Guide 58 <Proxy> ; Use this layer to override a deny in a previous layer ; Grant everybody access to streams up to 56K, sales group up to 2M allow bitrate=..56K allow group=sales bitrate=..2M See Also • Conditions: live=, streaming.client=, streaming.content= • Properties: access_server( ), ma[...]

  • Page 59

    Chapter 3: Condition Reference 59 category= Tests the content categories of the requested URL as assigned by policy definitions or an installed content filter database. A URL that is not categorized is assigned the category none. If a content filter provider is selected in configuration, but an error occurs in determining the category, [...]

  • Page 60

    Proxy SG Content Policy Language Guide 60 client.address= Tests the IP address of the client. The expression can include an IP address or subnet or the label of a subnet definition block. Important: If a user is explicitly proxied to the Proxy SG, <Proxy> layer policy applies even if the URL destination is an administrative URL for the P[...]

  • Page 61

    Chapter 3: Condition Reference 61 client.protocol= Tests true if the client transport protocol matches the specification. Replaces: client_protocol= Syntax client.protocol=http|https|ftp|tcp|socks|mms|rtsp|icp|aol-im|msn-im|yahoo-im Note that tcp specifies a tunneled transaction. Layer and Transaction Notes • Use in <Exception>, [...]

  • Page 62

    Proxy SG Content Policy Language Guide 62 condition= Tests if the specified defined condition is true. Syntax condition=condition_label where condition_label is the label of a custom condition as defined in a define condition, define url.domain condition, or define url condition definition block. Layer and Transaction Notes • Use in all [...]

  • Page 63

    Chapter 3: Condition Reference 63 http://www.x.com time=0800..1000 http://www.y.com month=1 http://www.z.com hour=9..10 end <proxy> condition=test deny ; Example of a define domain-suffix (or domain) condition define url.domain condition test com ; Matches all domains ending in .com end <proxy> condition=test deny See Also • Definiti[...]

  • Page 64

    Proxy SG Content Policy Language Guide 64 console_access= Tests if the current request is destined for the <Admin> layer. This test can be used to distinguish access to the management console by administrators who are explicitly proxied to the Proxy SG being administered. The test can be used to guard transforms that should not apply[...]

  • Page 65

    Chapter 3: Condition Reference 65 content_admin= The content_admin= condition has been deprecated. For more information, see "content_management" on page 66.[...]

  • Page 66

    Proxy SG Content Policy Language Guide 66 content_management Tests if the current request is a content management transaction. Replaces: content_admin=yes|no Syntax content_management=yes|no Layer and Transaction Notes • Use in <Cache> and <Forward> layers. • Applies to all transactions. See Also • Conditions: category=, f[...]

  • Page 67

    Chapter 3: Condition Reference 67 date[.utc]= Tests true if the current time is within the startdate..enddate range, inclusive. The comparison is made against local time unless the .utc qualifier is specified. Syntax date[.utc]=YYYYMMDD..YYYYMMDD date[.utc]=MMDD..MMDD Layer and Transaction Notes • Using time-related conditions to control[...]

  • Page 68

    Proxy SG Content Policy Language Guide 68 day= Tests if the day of the month is in the specified range or an exact match. The Proxy SG appliance's configured date and time zone are used to determine the current day of the month. To specify the UTC time zone, use the form day.utc=. Note that the numeric pattern used to test the day conditi[...]

  • Page 69

    Chapter 3: Condition Reference 69 exception.id= Tests whether the exception being returned to the client is the specified exception. It can also be used to determine whether the exception being returned is a built-in or user-defined exception. Built-in exceptions are handled automatically by the Proxy SG but special handling can be defined w[...]

  • Page 70

    Proxy SG Content Policy Language Guide 70 ; thrown by deny or force_deny exception.id=policy_denied action.log_interloper(yes) <Exception> exception.id=user_defined.restricted_content ; any policy required for this user defined exception ... See Also • Properties: deny( ), deny.unauthorized( ), exception( ) • Actions: [...]

  • Page 71

    Chapter 3: Condition Reference 71 ftp.method= Tests FTP request methods against any of a well-known set of FTP methods. A CPL parse error is given if an unrecognized method is specified. • ftp.method= evaluates to true if the request method matches any of the methods specified. • ftp.method= evaluates to NULL if the request is not an FTP[...]

  • Page 72

    Proxy SG Content Policy Language Guide 72 group= Tests if the client is authenticated, and the client belongs to the specified group. If both of these conditions are met, the result is true. In addition, the realm= condition can be used to test whether the user is authenticated in the specified realm. This trigger is unavailable if the current [...]

  • Page 73

    Chapter 3: Condition Reference 73 • Applies to proxy and administrator transactions. • This condition cannot be combined with the authenticate( ), proxy_authentication( ), or socks.authenticate( ) properties. Examples ; Test if user is authenticated in group all_staff and specified realm. realm=corp group=all_staff ; This example shows sam[...]

  • Page 74

    Proxy SG Content Policy Language Guide 74 has_attribute.name= Tests if the current transaction is authenticated in an LDAP realm and if the authenticated user has the specified LDAP attribute. If the attribute specified is not configured in the LDAP schema and yes is used in the expression, the condition always yields false. This trigger i[...]

  • Page 75

    Chapter 3: Condition Reference 75 See Also • Conditions: attribute.name=, authenticated=, group=, http.transparent_authentication=, realm=, user=, user.domain= • Properties: authenticate( ), authenticate.force( ), check_authorization( )[...]

  • Page 76

    Proxy SG Content Policy Language Guide 76 has_client= The has_client= condition is used to test whether or not the current transaction has a client. This can be used to guard triggers that depend on client identity in a <Forward> layer. Syntax has_client=yes|no Layer and Transaction Notes • Use in <Forward> layers. • Applies [...]

  • Page 77

    Chapter 3: Condition Reference 77 hour= Tests if the time of day is in the specified range or an exact match. The current time is determined by the Proxy SG appliance's configured clock and time zone by default, although the UTC time zone can be specified by using the form hour.utc=. The numeric pattern used to test the hour= condition co[...]

  • Página 78

    Proxy SG Content Policy Language Guide 78 <proxy> allow server_url.domain=xyz.com ; intern al site always available allow weekday=6..7 ; unrestricted weekends allow hour=17..8; Inverted range for out side business hours See Also • Conditions: date[.utc]= , day= , minute= , month= , time= , weekday= , year=[...]

  • Página 79

http.method=
Tests HTTP request methods against any of a common set of HTTP methods. A CPL parse error is given if an unrecognized method is specified.
Syntax
http.method=GET|CONNECT|DELETE|HEAD|POST|PUT|TRACE|OPTIONS|TUNNEL|LINK|UNLINK|PATCH|PROPFIND|PROPPATCH|MKCOL|COPY|MOVE|LOCK|UNLOCK|MKDIR|INDEX|RMDIR|[...]

http.request.version=
Tests the version of HTTP used by the client in making the request to the appliance.
Syntax
http.request.version=0.9|1.0|1.1
Layer and Transaction Notes
• Use in <Proxy>, <Cache>, and <Exception> layers.
• Applies to HTTP transactions.
See Also
• Con[...]

http.response.code=
Tests true if the current transaction is an HTTP transaction and the response code received from the origin server is as specified.
Replaces: http.response_code
Syntax
http.response.code=nnn
where nnn is a standard numeric range test with values in the range 100 to 999 inclusive.
Layer[...]

http.response.version=
Tests the version of HTTP used by the origin server to deliver the response to the Proxy SG.
Syntax
http.response.version=0.9|1.0|1.1
Layer and Transaction Notes
• Use in <Proxy>, <Cache>, and <Exception> layers.
• Applies to HTTP transactions.
See [...]

http.transparent_authentication=
This trigger evaluates to true if HTTP uses transparent proxy authentication for this request. The trigger can be used with the authenticate( ) or authenticate.force( ) properties to select an authentication realm.
Syntax
http.transparent_authentication=yes|no
L[...]

http.x_method=
Tests HTTP request methods against any uncommon HTTP methods. A CPL parse warning is given if the method specified is a recognized method (in which case, http.method= is recommended). Uncommon methods are tested using a string comparison, so some performance benefit exists with using [...]

  • Página 85

im.buddy_id=
Tests the buddy_id associated with the instant messaging transaction.
Syntax
im.buddy_id[.case_sensitive]=user_id_string
im.buddy_id.substring[.case_sensitive]=substring
im.buddy_id.regex[.case_sensitive]="expr"
where:
• user_id_string —An exact match of the complete instant messag[...]

im.chat_room.conference=
Tests whether the chat room associated with the instant messaging transaction has the conference attribute set.
Syntax
im.chat_room.conference=yes|no
Layer and Transaction Notes
• Use in <Proxy> and <Exception> layers.
• Applies to instant messaging transac[...]

im.chat_room.id=
Tests the chat room ID associated with the instant messaging transaction.
Syntax
im.chat_room.id[.case_sensitive]=user_id_string
im.chat_room.id.substring[.case_sensitive]=substring
im.chat_room.id.regex[.case_sensitive]="expr"
where:
• user_id_string —An exact match of the compl[...]

im.chat_room.invite_only=
Tests whether the chat room associated with the instant messaging transaction has the invite_only attribute set.
Syntax
im.chat_room.invite_only=yes|no
Layer and Transaction Notes
• Use in <Proxy> and <Exception> layers.
• Applies to instant messaging trans[...]

im.chat_room.type=
Tests whether the chat room associated with the transaction is public or private.
Syntax
im.chat_room.type=public|private
Layer and Transaction Notes
• Use in <Proxy> and <Exception> layers.
• Applies to instant messaging transactions.
See Also
• Actions: append[...]

im.chat_room.member=
Tests whether the chat room associated with the instant messaging transaction has a member matching the specified criterion.
Syntax
im.chat_room.member[.case_sensitive]=buddy_id_string
im.chat_room.member.substring[.case_sensitive]=substring
im.chat_room.member.regex[.case_sensitive]="expr[...]

im.chat_room.voice_enabled=
Tests whether the chat room associated with the instant messaging transaction is voice enabled.
Syntax
im.chat_room.voice_enabled=yes|no
Layer and Transaction Notes
• Use in <Proxy> and <Exception> layers.
• Applies to instant messaging transactions.
See Also [...]

im.file.extension=
Tests the file extension of a file associated with an instant messaging transaction. The leading '.' of the file extension is optional. Only supports an exact match.
Syntax
im.file.extension[.case_sensitive]=[.]filename_extension
Notes
By default the test is case-insensit[...]

im.file.name=
Tests the file name (the last component of the path), including the extension, of a file associated with an instant messaging transaction.
Syntax
im.file.name[.case_sensitive]=string
im.file.name.prefix[.case_sensitive]=prefix_string
im.file.name.substring[.case_sensitive]=substring
im.file.na[...]

im.file.path=
Tests the file path of a file associated with an instant messaging transaction against the specified criterion.
Syntax
im.file.path[.case_sensitive]=string
im.file.path.prefix[.case_sensitive]=prefix_string
im.file.path.substring[.case_sensitive]=substring
im.file.path.regex[.case_sensit[...]

im.file.size=
Performs a signed 64-bit range test of the size of a file associated with an instant messaging transaction.
Syntax
im.file.size=[min]..[max]
The default minimum value is zero (0); there is no default maximum value.
Layer and Transaction Notes
• Use in <Proxy> and <Exception> [...]

im.message.opcode=
Tests the value of an opcode associated with an instant messaging transaction whose im.method is send_unknown or receive_unknown.
Note: Generally, this is used with deny( ) to restrict interactions that are new to one of the supported instant messaging protocols and for which direc[...]

im.message.route=
Tests how the instant messaging message reaches its recipients.
Syntax
im.message.route=service|direct|chat
where:
• service —The message is relayed through the IM service.
• direct —The message is sent directly to the recipient.
• chat —The message is sent to a chat room (includ[...]

im.message.size=
Performs a signed 64-bit range test on the size of the instant messaging message.
Syntax
im.message.size=[min]..[max]
The default minimum value is zero (0); there is no default maximum value.
Layer and Transaction Notes
• Use in <Proxy> and <Exception> layers.
•[...]

im.message.text=
Tests if the message text contains the specified text or pattern.
Note: The .regex version of this test is limited to the first 8K of the message. The .substring version of the test does not have this restriction.
Syntax
im.message.text.substring[.case_sensitive]=substring
im.message.text.reg[...]

im.message.type=
Tests the message type of an instant messaging transaction.
Syntax
im.message.type=text|invite|voice_invite|file|file_list|application
where:
• text —Normal IM text message.
• invite —An invitation to a chat room or to communicate directly.
• voice_invite —Invitation to a vo[...]

im.method=
Tests the method associated with the instant messaging transaction.
Syntax
im.method=open|create|join|join_user|login|logout|notify_join|notify_quit|notify_state|quit|receive|receive_unknown|send|send_unknown|set_state
Layer and Transaction Notes
• Use in <Proxy>, <Cache>, an[...]

im.user_id=
Tests the user_id associated with the instant messaging transaction.
Syntax
im.user_id[.case_sensitive]=user_id_string
im.user_id.substring[.case_sensitive]=substring
im.user_id.regex[.case_sensitive]="expr"
where:
• user_id_string —An exact match of the complete instant mess[...]
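The im.* conditions above are rarely useful on their own; the value is in combining them into one layer. The policy below is an added example written for this page, not taken from the guide. It uses only the instant-messaging conditions documented above together with allow and deny; the 1 MB threshold, the extension list and the codename "Project Bluebird" are hypothetical choices.

```cpl
; Added example (not from the guide). Assumes the <Proxy> layer semantics
; used throughout this chapter: rules are tried top to bottom and the first
; rule whose conditions all match decides the transaction.
<proxy>
    ; Operations the proxy cannot classify cannot be inspected either, so
    ; refuse them outright (the guide itself recommends deny() for these).
    im.method=(send_unknown, receive_unknown) deny

    ; File transfers above 1 MB are refused. im.file.size= is a
    ; [min]..[max] range test; an empty max means "no upper bound".
    im.file.size=1048577.. deny

    ; Executable content is refused at any size. The leading '.' is
    ; optional and the match is case-insensitive by default, so
    ; "Setup.EXE" is caught as well as "setup.exe".
    im.file.extension=(exe, scr, bat, cmd, vbs, js, msi) deny

    ; Voice invitations and application sharing are not permitted.
    im.message.type=(voice_invite, application) deny

    ; Messages carrying an internal codename are refused. The .substring
    ; form scans the whole message; the .regex form only sees the first 8K
    ; and could be evaded by padding the message.
    im.message.text.substring="Project Bluebird" deny

    ; Everything else (text chat, joins, presence changes) is allowed.
    allow
```

Two things to check when deploying a layer like this: the size and extension rules only fire on transactions that actually carry a file (im.message.type=file or file_list), so a text message is never accidentally blocked by them; and the unknown-opcode rule is what keeps new protocol features from passing uninspected, which is why it comes first.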

  • Página 103

live=
Tests if the streaming content is a live stream.
Syntax
live=yes|no
Layer and Transaction Notes
• Use in <Cache> and <Proxy> layers.
• Applies to streaming transactions.
Examples
; The following policy restricts access to live streams during morning hours.
; In this example, we use[...]

method=
Tests the protocol method name associated with the transaction. Appropriate method names depend on the protocol. Also, a warning is issued during policy file compilation if the name is not a recognized method. method= accepts any of the protocol-specific methods accepted by admin.acc[...]

Examples
<proxy>
    http.method=GET response.header.Pragma="no-cache" deny
; This example is applicable to a blacklist model. It denies access to
; transparent FTP by denying the OPEN method on port 21.
<proxy>
    proxy.port=21 deny ftp.method=OPEN
; This example tests method=CONNECT to secure ag[...]

minute=
Tests if the minute of the hour is in the specified range or an exact match. By default, the Proxy SG appliance's clock and time zone are used to determine the current minute. To specify the UTC time zone, use the form minute.utc=. The numeric pattern used to test the minute condition ca[...]

month=
Tests if the month is in the specified range or an exact match. By default, the Proxy SG appliance's date and time zone are used to determine the current month. To specify the UTC time zone, use the form month.utc=. The numeric pattern used to test the month condition can contain no whitespace.
Syn[...]

protocol=
The protocol= condition has been deprecated in favor of url.scheme=. For more information see "url=" on page 137.
See Also
Conditions: client.protocol=[...]

proxy.address=
Tests the destination address of the arriving IP packet. The expression can include an IP address or subnet, or the label of a subnet definition block. If the transaction was explicitly proxied, then proxy.address= tests the IP address the client used to reach the proxy, which is either t[...]

proxy.card=
Tests the ordinal number of the network interface card (NIC) used by a request.
Replaces: proxy_card
Syntax
proxy.card=card_number
where card_number is an integer that reflects the installation order.
Layer and Transaction Notes
• Use in <Admin>, <Proxy>, and <[...]

proxy.port=
Tests if the IP port used by a request is within the specified range or an exact match. The numeric pattern used to test the proxy.port= condition can contain no whitespace. If the transaction was explicitly proxied, then this tests the IP port that the client used to reach the proxy. The patter[...]

realm=
Tests if the client is authenticated and if the client has logged into the specified realm. If both of these conditions are met, the response is true. In addition, the group= condition can be used to test whether the user belongs to the specified group. This trigger is unavailable if the curre[...]

• Properties: authenticate( ), authenticate.force( ), check_authorization( )[...]

  • Página 114

release.id=
Tests the release ID of the Proxy SG software. The release ID of the Proxy SG software currently running is displayed on the main page of the Management Console and in the Management > Maintenance > Upgrade > Systems tab of the Management Console. It also can be displayed through t[...]

release.version=
Tests the release version of the Proxy SG software. The release version of the Proxy SG software currently running is displayed on the main page of the Management Console and in the Management > Maintenance > Upgrade > Systems tab of the Management Console. It also can be displayed t[...]

request.header.header_name=
Tests the specified request header (header_name) against a regular expression. Any recognized HTTP request header can be tested. For custom headers, use request.x_header.header_name= instead. For streaming requests, only the User-Agent header is available. R[...]

request.header.header_name.address=
Tests if the specified request header can be parsed as an IP address; otherwise, false. If parsing succeeds, then the IP address extracted from the header is tested against the specified IP address. The expression can include an IP address or subnet, or the label of a[...]

request.header.Referer.url=
Tests if the URL specified by the Referer header matches the specified criteria. The basic request.header.Referer.url= test attempts to match the complete Referer URL against a specified pattern. The pattern may include the scheme, host, port, path and query components[...]

; Relative URLs, such as docs subdirectories and pages, will match.
deny request.header.Referer.url=http://www.example.com/docs
; Test if the Referer URL host's IP address is a match.
request.header.Referer.url.address=10.1.198.0
; Test whether the Referer URL includes company.com as domain.
request.header.[...]

<proxy>
    request.header.Referer.url.host.regex=mycompany
; request.header.Referer.url.path tests
; The following request.header.Referer.url.path strings would all match the example Referer URL:
; Referer: http://www.example.com/cgi-bin/query.pl?q=test#fragment
request.header.Referer.url.path="/cg[...]

request.x_header.header_name=
Tests the specified request header (header_name) against a regular expression. Any HTTP request header can be tested, including custom headers. To test recognized headers, use request.header.header_name= instead, so that typing errors can be caught at compile time. For s[...]

request.x_header.header_name.address=
Tests if the specified request header can be parsed as an IP address; otherwise, false. If parsing succeeds, then the IP address extracted from the header is tested against the specified IP address. The expression can include an IP address or subnet, or th[...]

response.header.header_name=
Tests the specified response header (header_name) against a regular expression. Any recognized HTTP response header can be tested. For custom headers, use response.x_header.header_name= instead.
Replaces: response_header.header_name=
Syntax
response.header.header_name[...]

response.x_header.header_name=
Tests the specified response header (header_name) against a regular expression. For HTTP requests, any response header can be tested, including custom headers. For recognized HTTP headers, use response.header.header_name= instead so that typing errors can be caught[...]

  • Página 125

server_url=
Tests if a portion of the URL used in server connections matches the specified criteria. The basic server_url= test attempts to match the complete, possibly rewritten, request URL against a specified pattern. The pattern may include the scheme, host, port, path and query components of the URL.[...]

• Applies to all non-administrator transactions.
Examples
; Test if the server URL includes this pattern, and block access.
; Relative URLs, such as docs subdirectories and pages, will match.
server_url=http://www.example.com/docs access_server(no)
; Test if the URL host's IP address is a match.
ser[...]

;request http://1.2.3.4/
;request http://mycompany.com/
; If the reverse DNS fails then the first request is not matched
<forward>
    server_url.host.regex=mycompany
; server_url.path tests
; The following server_url.path strings would all match the example URL:
; http://www.example.com/cgi-bin/query.pl?q=te[...]

socks=
This condition is true whenever the session for the current transaction involves SOCKS to the client. The socks=yes trigger is intended as a way to test whether or not a request arrived via the SOCKS proxy. It will be true both for SOCKS requests that the Proxy SG tunnels and for SOCKS request[...]

socks.accelerated=
Tests whether the SOCKS proxy will hand off this transaction to other protocol agents for acceleration.
Syntax
socks.accelerated={yes|http|aol-im|msn-im|yahoo-im|no}
where:
• yes is true only for SOCKS transactions that will hand off to another protocol-specific p[...]

socks.method=
Tests the SOCKS protocol method name associated with the transaction.
Syntax
socks.method=CONNECT|BIND|UDP_ASSOCIATE
Layer and Transaction Notes
• Use in <Proxy> and <Exception> layers.
• Applies to SOCKS transactions.
See Also
• Conditions: ftp.method=, http.method[...]

socks.version=
Tests whether the version of the SOCKS protocol used to communicate with the client is SOCKS 4/4a or SOCKS 5. SOCKS 5 is more secure and is the recommended version. SOCKS 5 supports authentication and can be used to authenticate transactions that may be accelerated by other protocol service[...]

streaming.client=
Tests the client agent associated with the current transaction.
Syntax
streaming.client=yes|no|windows_media|real_media|quicktime
where:
• yes is true if the user agent is recognized as a Windows Media player, Real Media player or QuickTime player.
• no is true if the user agent [...]

streaming.content=
Tests the content of the current transaction to determine whether or not it is streaming media, and to determine the streaming media type.
Syntax
streaming.content=yes|no|windows_media|real_media|quicktime
where:
• yes is true if the content is recognized as Windows media, Real media, [...]

time=
Tests if the time of day is in the specified range or an exact match. The current time is determined by the Proxy SG appliance's configured clock and time zone by default, although the UTC time zone can be specified by using the form time.utc=. The numeric pattern used to test the time cond[...]

; This example restricts the times during which certain
; stations can log in with administrative privileges.
define subnet restricted_stations
    10.10.10.4/30
    10.10.11.1
end subnet restricted_stations
<admin>
    client.address=restricted_stations allow time=0800..1800 weekday=1..5 admin.access=(READ||WRITE)[...]

tunneled=
Tests if the current transaction represents a tunneled request. A tunneled request is one of:
• TCP tunneled request
• HTTP CONNECT request
• Unaccelerated SOCKS request
Note: HTTPS connections to the management console are not tunneled for the purposes of this test.
Syntax
tunneled=ye[...]
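The method and tunnel conditions documented in this chapter (http.method=, method=, socks=, tunneled=) are the building blocks of a method allowlist, which is the usual way to keep a forward proxy from becoming an open relay for arbitrary TCP. The layer below is an added example written for this page, not taken from the guide. It uses http.method=, tunneled= and url.domain= as documented here; url.port= is assumed to be available as one of the url= component tests. The host name dav.example.com is hypothetical.

```cpl
; Added example (not from the guide). Rules in a layer are tried top to
; bottom; the first rule whose conditions all match decides the transaction.
<proxy>
    ; Ordinary browsing: only the methods a browser needs. TRACE is never
    ; allowed; it echoes the request, cookies included, back to the client.
    http.method=(GET, HEAD, POST, OPTIONS) allow

    ; State-changing and WebDAV methods only toward the internal DAV server.
    http.method=(PUT, DELETE, PATCH, PROPFIND, PROPPATCH, MKCOL, MOVE, COPY) url.domain=dav.example.com allow

    ; CONNECT may open a tunnel only to the TLS port. A CONNECT to 25, 22
    ; or 3389 would otherwise hand the client an opaque pipe through the proxy.
    http.method=CONNECT url.port=443 allow

    ; Anything else that would become an opaque tunnel (TCP tunnel, CONNECT
    ; to another port, unaccelerated SOCKS) is refused, ...
    tunneled=yes deny

    ; ... as is every remaining method (LINK, UNLINK, TUNNEL, TRACE, ...).
    deny
```

Two caveats when reading this layer against the reference text: url.port=443 only constrains where the tunnel goes, not what is spoken inside it, so a client can still carry any protocol over an allowed CONNECT; and, as the note above says, tunneled= deliberately does not cover HTTPS to the management console, so that path has to be protected in an <admin> layer rather than here.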

  • Página 137

url=
Tests if a portion of the requested URL matches the specified criteria. The basic url= test attempts to match the complete request URL against a specified pattern. The pattern may include the scheme, host, port, path and query components of the URL. If any of these is not included in the pattern, then t[...]

//host:port
//host:port/path_query
//host/path_query
host
host:port
host:port/path_query
host/path_query
/path_query
• domain_suffix_pattern —A URL pattern that includes a domain suffix, as a minimum, using the following syntax:
scheme://domain_suffix:port/path
Accepted doma[...]

include a filename extension, such as http://example.com/ and http://example.com/test. To test multiple extensions, use parentheses and a comma separator (see the Example section below).
• regular_expression —A Perl regular expression. The expression must be quoted if it contains whitespace or any of t[...]

• .suffix —Test if the string pattern is a suffix of the URL or component. The suffix need not match on a boundary (such as a domain component or path directory) within a URL component.
Note: .prefix, .regex, .substring, and .suffix are string comparisons that do not require a match on component[...]

slash is always present in the request URL being tested, because the URL is normalized before any comparison is performed. Unless an .exact, .substring, or .regex modifier is used, the pattern specified must include the leading '/' character. In the following URL example, bolding shows the component[...]

If you are testing a large number of URLs using the url.domain= condition, consider the performance benefits of a url.domain definition block or a [url.domain] section (see Chapter 6: "Definition Reference"). Regular expression matches are not anchored. You may want to use either or both of [...]

; http://www.example.com
<proxy>
    url.host.is_numeric=yes
; In the example below we assume that 1.2.3.4 is the IP of the host mycompany
; The condition will match the following two requests if the reverse DNS was
; successful:
;request http://1.2.3.4/
;request http://mycompany.com/
; If the reverse DNS fai[...]

user=
Tests the authenticated username associated with the transaction. This trigger is only available if the transaction was authenticated (that is, the authenticate( ) property was set to something other than no, and the proxy_authentication( ) property was not set to no).
Syntax
user=user_name
wh[...]

See Also
• Conditions: attribute.name=, authenticated=, group=, has_attribute.name=, http.transparent_authentication=, realm=, user.domain=
• Properties: authenticate( ), authenticate.force( ), check_authorization( ), deny.unauthorized( ), socks.authenticate( ), socks.authenticate.f[...]

user.domain=
Tests if the client is authenticated, the logged-into realm is an NTLM realm, and the domain component of the username is the specified domain. If all of these conditions are met, the response will be true. This trigger is unavailable if the current transaction is not authenticated ([...]

user.x509.issuer=
Tests the issuer of the X.509 certificate used in authentication to certificate realms. The user.x509.issuer= condition is primarily useful in constructing explicit certificate revocation lists. This condition will only be true for users authenticated against a certificate realm.
Syntax
use[...]

user.x509.serialNumber=
Tests the serial number of the X.509 certificate used to authenticate the user against a certificate realm. The user.x509.serialNumber= condition is primarily useful in constructing explicit certificate revocation lists. Comparisons are case-insensitive.
Syntax
user.x509.serial[...]

user.x509.subject=
Tests the subject field of the X.509 certificate used to authenticate the user against a certificate realm. The user.x509.subject= condition is primarily useful in constructing explicit certificate revocation lists.
Syntax
user.x509.subject=subject
where subject is an RFC2253 LDAP DN, appr[...]
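All three user.x509.* conditions say they exist "primarily" to build explicit revocation lists, so here is what such a list looks like as policy. This is an added example written for this page, not taken from the guide. It uses authenticate( ), user.x509.issuer=, user.x509.serialNumber= and user.x509.subject= as documented above; the realm name CertRealm, the issuer DN, the serial numbers and the subject DN are hypothetical. The DNs are written in RFC2253 form and quoted because they contain whitespace.

```cpl
; Added example (not from the guide): an explicit certificate revocation
; list expressed in policy.
<proxy>
    ; Authenticate against the certificate realm first; the user.x509.*
    ; conditions are only true for transactions authenticated this way.
    authenticate(CertRealm)

<proxy>
    ; Serial numbers are unique only within one issuer, so a revocation
    ; rule must pair the serial with the issuer. The serial comparison is
    ; case-insensitive, so mixed hex case is deliberately shown here.
    user.x509.issuer="CN=Corp Issuing CA,O=Example Corp,C=US" user.x509.serialNumber=(0A1B2C3D, 4e5f6071) deny

    ; A whole subject can also be revoked, e.g. a departed employee whose
    ; certificate was never returned.
    user.x509.subject="CN=jdoe,OU=Sales,O=Example Corp,C=US" deny
```

The check to make after loading this: a transaction that never reached CertRealm (for example one denied in an earlier layer, or one that authenticated in a different realm) does not match any of these rules, because the conditions are unavailable rather than false. Revocation by policy therefore only protects paths that actually pass through the certificate realm.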

  • Página 150

weekday=
Tests if the day of the week is in the specified range or an exact match. By default, the Proxy SG appliance's date is used to determine the day of the week. To specify the UTC time zone, use the form weekday.utc=. The numeric pattern used to test the weekday= condition can contain no whit[...]

year=
Tests if the year is in the specified range or an exact match. The current year is determined by the date set on the Proxy SG by default. To specify the UTC time zone, use the form year.utc=. Note that the numeric pattern used to test the year= condition can contain no whitespace.
Syntax
year[.utc]=[...]

  • Página 153

Chapter 4: Property Reference

A property is a variable that can be set to a value. At the beginning of a transaction, all properties are set to their default values. As each layer in the policy is evaluated in sequence, it can set a property to a particular value. A property retains the final value setting when evaluation ends, and the tr[...]

access_log( )
Selects the access log used for this transaction. Multiple access logs can be selected to record a single transaction. Individual access logs are referenced by the name given in configuration. Configuration also determines the format of each log. For more information on logging, refe[...]

access_server( )
Determines whether the client can receive streaming content directly from the origin content server or other upstream device. Set to no to serve only cached content.
Note: Since part of a stream can be cached, and another part of the same stream can be uncached, access_server(no) can cause [...]

action( )
Selectively enables or disables a specified define action block. The default value is no.
Note: Several define action blocks may be enabled for a transaction. If more than one selected action rewrites the URL or a specific header, the actions are deemed to conflict and only one will[...]

advertisement( )
Determines whether to treat the objects at a particular URL as banner ads to improve performance. If the content is not specific to a particular user or client, then the hit count on the origin server is maintained while the response time is optimized using the following behavior:
• Always [...]

allow
Allows the transaction to be served. Allow can be overridden by the access_server( ), deny( ), force_deny( ), authenticate( ), exception( ), or force_exception( ) properties or by the redirect( ) action. Allow overrides deny( ) and exception( ) properties.
Note: Caution should be exercised wh[...]

always_verify( )
Determines whether each request for the objects at a particular URL must be verified with the origin server. This property provides a URL-specific alternative to the global caching setting always-verify-source. If there are multiple simultaneous accesses of an object, the requests are r[...]

authenticate( )
Identifies the realm used to authenticate the user associated with the current transaction. Authentication realms are referenced by the name given in configuration. If the transaction has already been authenticated in the same realm by the SOCKS proxy, no new authentication challenge[...]

url.domain=!corporate.com authenticate(OurRealm, "log in for internet access")
The next example illustrates the relation between authentication and denial. All users outside an allowed subnet are denied before authentication. They are not allowed to submit credentials to the authentication server. Users [...]

authenticate.force( )
This property controls the relation between authentication and denial.
Syntax
authenticate.force(yes|no)
The default value is no.
where:
• yes —Makes an authenticate( ) higher priority than deny( ) or exception( ). Use yes to ensure that user IDs are available for a[...]
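The two passages above describe opposite goals: sometimes a request should be denied before the client is ever challenged (so untrusted hosts cannot even present credentials to the realm), and sometimes a denied request should still carry a user name (so the access log attributes the attempt to a person rather than an IP address). The policy below is an added example written for this page, not taken from the guide, showing both in one file. It uses define subnet, client.address=, the ! negation, url.domain=, authenticate( ) and authenticate.force( ) as documented on this page; the subnet, the realm name CorpRealm and the domain gambling.example are hypothetical.

```cpl
; Added example (not from the guide). Later layers override earlier ones,
; so the order of the three layers is what produces the behavior described.
define subnet allowed_clients
    10.0.0.0/8
end subnet allowed_clients

<proxy>
    ; Hosts outside the corporate network are denied before any challenge
    ; is issued: they never get to submit credentials to CorpRealm, which
    ; keeps the realm out of reach of password guessing from untrusted space.
    client.address=!allowed_clients deny

<proxy>
    ; Everyone else must authenticate. authenticate.force(yes) gives the
    ; challenge priority over a later deny, so a request that is denied in
    ; the next layer is still logged with the user's identity.
    authenticate(CorpRealm) authenticate.force(yes)

<proxy>
    ; Denied even for authenticated users, but attributed to them in the
    ; access log rather than appearing as an anonymous client IP.
    url.domain=gambling.example deny
```

With authenticate.force( ) left at its default of no, the last layer's deny would take priority over the challenge, and the denied requests would be logged without a user name; that is the difference the property exists to control.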

  • Página 163

    Chapter 4: Property Reference 163 authenticate .mode( ) Using the authentication.mode( ) property selects a combination of challenge type and surr ogate credentials. Challenge type is what kind of challenge (proxy , origin or origin-redirect) is issued. Surrogate cr edentials are cr edentials accepted in place of the user ’s real cr edentials. Th[...]

• Page 164

• origin-cookie (origin/cookie)—Used in forward proxies to support pass-through authentication more securely than origin-ip if the client understands cookies. Only the HTTP and HTTPS protocols support cookies; other protocols are automatically downgraded to origin-ip. This mode could also be used[...]

• Page 165

authenticate.use_url_cookie( )
This property is used to authenticate users who have third party cookies explicitly disabled.
Note: With a value of yes, if there is a problem loading the page (you get an error page or you cancel an authentication challenge), the cfauth cookie is displayed. You can also see[...]

• Page 166

block_category( )
This property has been deprecated. In current CPL, the use of block_category(category_list) has been replaced by
category=category_list exception(content_filter_denied)
However, block_category() will be overridden by content_filter_override(yes), while this is not the ca[...]

• Page 167

bypass_cache( )
Determines whether the cache is bypassed for a request. If set to yes, the cache is not queried and the response is not stored in the cache. Set to no to specify the default behavior, which is to follow standard caching behavior. While static and dynamic bypass lists allow traffic to bypass [...]

• Page 168

cache( )
Controls HTTP and FTP caching behavior. A number of CPL properties affect caching behavior.
• If bypass_cache(yes) is set, then the cache is not accessed and the value of cache( ) is irrelevant.
• If cache(yes) is set, then the force_cache(all) property setting modifies the definition of[...]

• Page 169

See Also
• Properties: advertisement( ), always_verify( ), bypass_cache( ), cookie_sensitive( ), direct( ), dynamic_bypass, force_cache( ), pipeline( ), refresh( ), ttl( ), ua_sensitive( )[...]

• Page 170

check_authorization( )
In connection with CAD (Caching Authenticated Data) and CPAD (Caching Proxy-Authenticated Data) support, check_authorization( ) is used when you know that the upstream device sometimes (not always or never) requires the user to authenticate and be authorized for this object. S[...]

• Page 171

content_filter_override( )
This property has been deprecated. content_filter_override(yes) has two effects:
• It prevents the request from being sent to the off-box content filter, if off-box content filtering is configured. In this case, it is equivalent to request.filter_service(no).
• It suppresses [...]

• Page 172

cookie_sensitive( )
Used to modify caching behavior by declaring that the object served by the request varies based on cookie values. Set to yes to specify this behavior, or set to no for the default behavior, which caches based on HTTP headers. Using cookie_sensitive(yes) has the same effect as cac[...]

• Page 173

delete_on_abandonment( )
If set to yes, specifies that if all clients who may be simultaneously requesting a particular object close their connections before the object is delivered, the object fetch from the origin server is abandoned, and any prior instance of the object is deleted from the cache.
Syntax [...]

• Page 174

deny( )
Denies service. Denial can be overridden by allow or exception( ). To deny service in a way that cannot be overridden by a subsequent allow, use force_deny( ) or force_exception( ). The relation between authenticate( ) and deny( ) is controlled by the authenticate.force( ) property. By d[...]

• Page 175

deny.unauthorized( )
The deny.unauthorized property instructs the ProxySG to issue a challenge (401 Unauthorized or 407 Proxy authorization required). This indicates to the client that the resource cannot be accessed with their current identity, but might be accessible using a different identity. The brow[...]

• Page 176

direct( )
Used to prevent requests from being forwarded to a parent proxy or SOCKS server, when the ProxySG is configured to forward requests. When set to yes, <Forward> layer policy is not evaluated for the transaction.
Syntax
direct(yes|no)
The default value is no, which allows request fo[...]

• Page 177

dynamic_bypass( )
Used to indicate that a particular transparent request is not to be handled by the proxy, but instead be subjected to ProxySG dynamic bypass methodology. The dynamic_bypass(yes) property takes precedence over authenticate(); however, a committed denial takes precedence over dynamic_by[...]

• Page 178

exception( )
Selects a built-in or user-defined response to be returned to the user. The exception( ) property is overridden by allow or deny( ). To set an exception that cannot be overridden by allow, use force_exception( ). The identity of the exception being returned can be tested in an <Exc[...]

• Page 179

exception.autopad( )
Pad an HTTP exception response by including trailing whitespace in the response body so that Content-Length is at least 513 characters. A setting of yes is used to prevent Internet Explorer from substituting friendly error messages in place of the exception response being returned, when [...]

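The padding behaviour described for exception.autopad( ), as an added stand-alone model rather than ProxySG code: the body is padded with trailing whitespace to at least 513 bytes, and the padding has to be applied before Content-Length is computed so that the declared length and the bytes on the wire agree. The status line, the sample body and the header set are constructed for this example.

```python
"""Added example: build an HTTP exception response with exception.autopad()
semantics. Not ProxySG code; status line, body and headers are constructed."""
MIN_BODY_LENGTH = 513  # the threshold named by exception.autopad()


def autopad(body: bytes, minimum: int = MIN_BODY_LENGTH) -> bytes:
    """Return body padded with trailing spaces to at least `minimum` bytes."""
    if len(body) >= minimum:
        return body
    return body + b" " * (minimum - len(body))


def build_exception_response(status: str, body: bytes, autopad_enabled: bool = True) -> bytes:
    """Serialise a minimal HTTP/1.1 exception response.

    Padding happens before Content-Length is computed; padding afterwards
    would leave the declared length shorter than the body actually sent.
    """
    if autopad_enabled:
        body = autopad(body)
    head = [
        f"HTTP/1.1 {status}",
        "Content-Type: text/html",
        f"Content-Length: {len(body)}",
        "Connection: close",
    ]
    return ("\r\n".join(head) + "\r\n\r\n").encode("ascii") + body


def parse_response(response: bytes):
    """Return (status_line, headers, body) and check Content-Length is honest."""
    head, sep, body = response.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("malformed response: no header terminator")
    lines = head.decode("ascii").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    declared = int(headers["content-length"])
    if declared != len(body):
        raise ValueError(f"Content-Length {declared} != body length {len(body)}")
    return lines[0], headers, body


def body_length(response: bytes) -> int:
    """Length of the body as actually carried by the serialised response."""
    return len(parse_response(response)[2])


# Constructed sample: a short deny page, well under the 513-byte threshold.
SHORT_BODY = b"<html><body><h1>Access denied by policy</h1></body></html>"

if __name__ == "__main__":
    print(body_length(build_exception_response("403 Forbidden", SHORT_BODY)))
```

Run stand-alone it reports 513 for the short body; with autopad disabled the body keeps its original length, and a body already at or above the threshold is passed through untouched.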
• Page 180

force_cache( )
Used to force caching of HTTP responses that would otherwise be considered uncacheable. The default HTTP caching behavior is restored using force_cache(no). The value of the force_cache( ) property is ignored unless all of the following property settings are in effect: bypass_cache[...]

• Page 181

force_deny( )
The force_deny( ) property is similar to deny( ) except that it:
• Cannot be overridden by an allow.
• Overrides any pending termination (that is, if a deny( ) has already been matched, and a force_deny or force_exception is subsequently matched, the latter commits).
• Commits immediately ([...]

• Page 182

force_exception( )
The force_exception( ) property is similar to exception except that it:
• Cannot be overridden by an allow.
• Overrides any pending termination (that is, if a deny( ) has already been matched, and a force_deny( ) or force_exception( ) is subsequently matched, the latter commits[...]

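The precedence rules spread across authenticate.force( ), deny( ), exception( ), force_deny( ) and force_exception( ) above, folded into one small evaluator. This is an added model written for this page, not ProxySG's implementation: settings are applied in the order the matching rules contribute them, deny/allow/exception( ) each override an earlier one of the three, the force_ forms commit and ignore later allow (the model assumes the first forced verdict wins), and a pending deny beats authenticate( ) unless authenticate.force(yes) is set. It also replays the page-161 scenario (users outside an allowed subnet are denied before they can be challenged); the subnet 10.0.0.0/8 and the realm name OurRealm are assumptions.

```python
"""Added example: model of CPL termination precedence (not ProxySG code)."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Sequence, Tuple

Setting = Tuple[str, Optional[str]]  # e.g. ("deny", None), ("authenticate", "OurRealm")


@dataclass
class Transaction:
    client_ip: str
    authenticated: bool = False


@dataclass
class PolicyState:
    pending: Optional[str] = None    # overridable verdict: "deny", "allow", "exception:<id>"
    committed: Optional[str] = None  # forced verdict set by force_deny / force_exception
    realm: Optional[str] = None      # set by authenticate(realm)
    authenticate_force: bool = False


def apply_setting(state: PolicyState, prop: str, value: Optional[str]) -> None:
    """Fold one property setting into the state."""
    if state.committed is not None:
        return  # model assumption: the first forced verdict wins, later settings are ignored
    if prop in ("deny", "allow"):
        state.pending = prop
    elif prop == "exception":
        state.pending = f"exception:{value}"
    elif prop == "force_deny":
        state.committed = "deny"
    elif prop == "force_exception":
        state.committed = f"exception:{value}"
    elif prop == "authenticate":
        state.realm = value
    elif prop == "authenticate.force":
        state.authenticate_force = value == "yes"
    else:
        raise ValueError(f"unsupported property {prop}")


def decide(settings: Sequence[Setting], txn: Transaction) -> str:
    """Return "allow", "deny", "exception:<id>" or "challenge:<realm>"."""
    state = PolicyState()
    for prop, value in settings:
        apply_setting(state, prop, value)
    if state.committed is not None:
        return state.committed  # forced verdicts are final regardless of authentication (assumption)
    verdict = state.pending or "allow"
    needs_challenge = state.realm is not None and not txn.authenticated
    if verdict == "allow":
        return f"challenge:{state.realm}" if needs_challenge else "allow"
    # Pending deny/exception: by default the user is refused without a challenge and
    # never gets to submit credentials; authenticate.force(yes) reverses that order.
    if needs_challenge and state.authenticate_force:
        return f"challenge:{state.realm}"
    return verdict


Rule = Tuple[Callable[[Transaction], bool], List[Setting]]


def evaluate(layers: Sequence[Sequence[Rule]], txn: Transaction) -> str:
    """Within a layer the first matching rule wins; layers contribute in order."""
    applied: List[Setting] = []
    for layer in layers:
        for condition, settings in layer:
            if condition(txn):
                applied.extend(settings)
                break
    return decide(applied, txn)


# Page-161 scenario; the subnet and realm name are constructed for this example.
ALLOWED = ipaddress.ip_network("10.0.0.0/8")
PROXY_LAYER: List[Rule] = [
    (lambda t: ipaddress.ip_address(t.client_ip) not in ALLOWED, [("deny", None)]),
    (lambda t: True, [("authenticate", "OurRealm")]),
]


def page_161_decision(client_ip: str, authenticated: bool = False) -> str:
    return evaluate([PROXY_LAYER], Transaction(client_ip, authenticated))


if __name__ == "__main__":
    print(page_161_decision("192.0.2.9"))       # outside the subnet: denied, no challenge
    print(page_161_decision("10.1.2.3"))        # inside, unauthenticated: challenged
    print(page_161_decision("10.1.2.3", True))  # inside, authenticated: allowed
```

The useful check is the pair of deny-then-authenticate cases: with the default authenticate.force(no) the client never sees a 401/407, so credentials are not exposed to a client you have already decided to refuse; only with authenticate.force(yes) is the challenge issued first so that a user ID reaches the access log.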
• Page 183

force_patience_page( )
This property provides control over the application of the default patience page logic.
Syntax
force_patience_page(yes|no)
force_patience_page(reason)
force_patience_page.reason(yes|no)
force_patience_page[reason, ...](yes|no)
where:
reason —Takes one of the following values, corres[...]

• Page 184

forward( )
Determines forwarding behavior. There is a box-wide configuration setting (config>forwarding>sequence) for the default forwarding failover sequence. The forward( ) property is used to override the default forwarding failover sequence with a specific list of host and/or group alia[...]

• Page 185

forward.fail_open( )
Controls whether the ProxySG terminates or continues to process the request if the specified forwarding host or any designated backup or default cannot be contacted. There is a box-wide configuration setting (config>forwarding>failure-mode) for the default forward failure mode.[...]

• Page 186

ftp.server_connection( )
Determines when the control connection to the server is established. If set to deferred, the proxy defers establishing the control connection to the server.
Syntax
ftp.server_connection(deferred|immediate)
The default value is immediate.
Layer and Transaction Notes
• U[...]

• Page 187

ftp.server_data( )
Determines the type of data connection to be used with this FTP transaction.
Syntax
ftp.server_data(auto|passive|port)
where:
• auto —First attempt a PASV data connection. If this fails, switch to PORT.
• passive —Use a PASV data connection. PASV data connections are not allowed [...]

• Page 188

ftp.transport( )
Determines the upstream transport mechanism. This setting is not definitive. It depends on the capabilities of the selected forwarding host.
Syntax
ftp.transport(auto|ftp|http)
The default value is auto.
where:
• auto —Use the default transport for the upstream connection, as de[...]

• Page 189

http.force_ntlm_for_server_auth( )
Turns on/off NTLM cloaking on a per-request basis. Refer to Appendix A: "NTLM and CAASNT" in the ProxySG Configuration and Management Guide for a discussion of NTLM cloaking.
Syntax
http.force_ntlm_for_server_auth(yes|no)
This property overrides the default specified[...]

• Page 190

http.request.version( )
The http.request.version( ) property sets the version of the HTTP protocol to be used in the request to the origin content server or upstream proxy.
Syntax
http.request.version(1.0|1.1)
The default is taken from the CLI configuration setting http version, which can be set to[...]

• Page 191

http.response.version( )
The http.response.version( ) property sets the version of the HTTP protocol to be used in the response to the client's user agent.
Syntax
http.response.version(1.0|1.1)
The default is taken from the CLI configuration setting http version, which can be set to either 1.0 or 1.1. Cha[...]

• Page 192

icp( )
Determines whether to consult ICP when forwarding requests. Any forwarding host or SOCKS gateway identified as an upstream target takes precedence over consulting ICP.
Syntax
icp(yes|no)
The default is yes if ICP hosts are configured, no otherwise.
where:
• yes —Consult ICP unless for[...]

• Page 193

im.strip_attachments( )
Determines whether attachments are stripped from instant messages. If set to yes, attachments are stripped from instant messages.
Syntax
im.strip_attachments(yes|no)
The default value is no.
Layer and Transaction Notes
• Use in <Proxy> layers.
• Applies to instant messag[...]

• Page 194

integrate_new_hosts( )
Determines whether to add new host addresses to health checks and load balancing.
Syntax
integrate_new_hosts(yes|no)
The default is no. If it is set to yes, any new host addresses encountered during DNS resolution of forwarding hosts are added to health checks and load balan[...]

• Page 195

label( )
This deprecated property is provided for backward compatibility with CacheOS 4.x filter files. For more information, see "action( )" on page 156.[...]

• Page 196

log.rewrite.field-id( )
The log.rewrite.field-id property controls rewrites of a specific log field in one or more access logs. Individual access logs are referenced by the name given in configuration. Configuration also determines the format of each log. For more information on logging, refe[...]

• Page 197

log.suppress.field-id( )
The log.suppress.field-id( ) property controls suppression of the specified field-id in one or more access logs. Individual access logs are referenced by the name given in configuration. Configuration also determines the format of each log. For more information on logging, refe[...]

• Page 198

max_bitrate( )
Enforces upper limits on the instantaneous bandwidth of the current streaming transaction. This policy is enforced during initial connection setup. If the client requests a higher bit rate than allowed by policy, the request is denied.
Note: Under certain network conditions, a client ma[...]

• Page 199

never_refresh_before_expiry( )
The never_refresh_before_expiry( ) property is similar to the CLI command:
SGOS#(config) http strict-expiration refresh
except that it provides per-transaction control to allow overriding the box-wide default set by the command.
Syntax
never_refresh_before_expiry(yes|no)
The [...]

• Page 200

never_serve_after_expiry( )
The never_serve_after_expiry( ) property is similar to the CLI command:
SGOS#(config) http strict-expiration serve
except that it provides per-transaction control to allow overriding the box-wide default set by the command.
Syntax
never_serve_after_expiry(yes|no)
The defau[...]

• Page 201

patience_page( )
Controls whether or not a patience page can be served, and if so, the delay interval before serving. If no patience_page property is explicitly set, the decision about whether to serve a patience page and the delay before a patience page is presented are taken from the ICAP service configurati[...]

• Page 202

pipeline( )
Determines whether an object embedded within an HTML container object is pipelined. Set to yes to force pipelining, or set to no to prevent the embedded object from being pipelined. Note that this property affects processing of the individual URLs embedded within a container object. It [...]

• Page 203

prefetch( )
This deprecated property has been replaced by pipeline( ). For more information, see "pipeline( )" on page 202.[...]

• Page 204

reflect_ip( )
Determines how the client IP address is presented to the origin server for explicitly proxied requests. Replaces:
• reflect_ip(vip) replaces reflect_vip(yes).
• reflect_ip(auto) replaces reflect_vip(no).
Syntax
reflect_ip(auto|no|client|vip|ip_address)
The default value is auto.[...]

• Page 205

reflect_vip( )
This deprecated syntax has been replaced by the reflect_ip( ) property. For more information, see "reflect_ip( )" on page 204.[...]

• Page 206

refresh( )
Controls refreshing of requested objects. Set to no to prevent refreshing of the object if it is cached. Set to yes to allow the cache to behave normally.
Syntax
refresh(yes|no)
The default value is yes.
Layer and Transaction Notes
• Use in <Cache> layers.
• Do not use [...]

• Page 207

remove_IMS_from_GET( )
The remove_IMS_from_GET( ) property is similar to the CLI command:
SGOS#(config) http substitute if-modified-since
except that it provides per-transaction control to allow overriding the box-wide default set by the command.
Syntax
remove_IMS_from_GET(yes|no)
The default value is taken fro[...]

• Page 208

remove_PNC_from_GET( )
The remove_PNC_from_GET property is similar to the CLI command:
SGOS#(config) http substitute pragma-no-cache
except that it provides per-transaction control to allow overriding the box-wide default set by the command.
Syntax
remove_PNC_from_GET(yes|no)
The default value is taken[...]

• Page 209

remove_reload_from_IE_GET( )
The remove_reload_from_IE_GET( ) property is similar to the CLI command:
SGOS#(config) http substitute ie-reload
except that it provides per-transaction control to override the box-wide default set by the command.
Syntax
remove_reload_from_IE_GET(yes|no)
The default value is taken fr[...]

• Page 210

request.filter_service( )
Controls whether the request is processed by an external content filter service. The ProxySG currently supports Websense Enterprise Server external content filtering. Directing the request to an external content filter service does not affect policy based on categories dete[...]

• Page 211

url.address=10.0.0.0/8 ; don't filter internal network
client.address=10.1.2.3 ; don't filter this client
See Also
• The ProxySG Command Line Reference for information on configuring Websense off-box services.[...]

• Page 212

request.icap_service( )
Determines whether a request from a client should be processed by an external ICAP service before going out. Typical applications include content filtering and virus scanning.
Syntax
request.icap_service(servicename [, fail_open | fail_closed])
request.icap_service(no)
The [...]

• Page 213

response.icap_service( )
Determines whether a response to a client request is first sent to an ICAP service before being given to the client. Depending on the ICAP service, the response may be allowed, denied, or altered. Typical applications include virus scanning.
Syntax
res[...]

• Page 214

service( )
This deprecated syntax has been replaced by the allow, deny( ) and exception( ) properties.[...]

• Page 215

socks.accelerate( )
The socks.accelerate property controls the SOCKS proxy handoff to other protocol agents.
Syntax
socks.accelerate(no|auto|http|aol_im|msn_im|yahoo_im)
The default value is auto.
where:
• no —The SOCKS proxy does not hand off the transaction to another proxy agent, but tunnels the SOC[...]

• Page 216

socks.authenticate( )
The same realms can be used for SOCKS proxy authentication as can be used for regular proxy authentication. This form of authentication applies only to SOCKS transactions. The regular authenticate( ) property does not apply to SOCKS transactions. However, if an accelerated SOCK[...]

• Page 217

socks.authenticate.force( )
This property controls the relation between SOCKS authentication and denial.
Syntax
socks.authenticate.force(yes|no)
The default value is no.
where:
• yes —Makes socks.authenticate( ) higher priority than deny( ) or exception( ). Use yes to ensure that userID's are avail[...]

• Page 218

socks_gateway( )
Controls whether or not the request associated with the current transaction is sent through a SOCKS gateway. There is a box-wide configuration setting (config>socks-gateways>sequence) for the default SOCKS gateway failover sequence. The socks_gateway( ) property is used to [...]

• Page 219

socks_gateway.fail_open( )
Controls whether the ProxySG terminates or continues to process the request if the specified SOCKS gateway or any designated backup or default cannot be contacted. There is a box-wide configuration setting (config>socks-gateways>failure-mode) for the default SOCKS gateway[...]

• Page 220

streaming.transport( )
Determines the upstream transport mechanism to be used for this streaming transaction. This setting is not definitive. The ability to use the specified transport mechanism depends on the capabilities of the selected forwarding host.
Syntax
streaming.transport(auto|tcp|http)
wher[...]

• Page 221

terminate_connection( )
The terminate_connection( ) property is used in an <Exception> layer to drop the connection rather than return the exception response. The yes option terminates the connection instead of returning the response. (This property provides backwards compatible support with the TERMIN[...]

• Page 222

trace.destination( )
Used to change the default path to the trace output file. By default, policy evaluation trace output is written to an object in the cache accessible using a console URL of the following form:
http://ProxySG_IP_address:8081/Policy/Trace/path
Syntax
trace.destination(path)
where[...]

• Page 223

trace.request( )
Determines whether detailed trace output is generated for the current request. The default value is no, which produces no output. Trace output is generated at the end of a request, and includes request parameters, property settings, and the effects of all actions taken. Output tracing can[...]

• Page 224

trace.rules( )
Determines whether trace output is generated showing policy rule evaluation for the transaction. By default, trace output is written to an object accessible using the following console URL:
http://ProxySG_IP_address:8081/Policy/Trace/default_trace.html
The trace output location can be c[...]

• Page 225

ttl( )
Sets the time-to-live (TTL) value of an object in the cache, in seconds. Upon expiration, the cached copy is considered stale and will be re-obtained from the origin server when next accessed. However, this property has an effect only if the following HTTP command line option is enabled: Force explicit ex[...]

• Page 226

ua_sensitive( )
Used to modify caching behavior by declaring that the response for a given object is expected to vary based on the user agent used to retrieve the object. Set to yes to specify this behavior. Using ua_sensitive(yes) has the same effect as cache(no).
Note: Remember that any conflict amo[...]

• Page 227

Chapter 5: Action Reference
An action takes arguments and is wrapped in a user-named action definition block. When the action definition is called from a policy rule, any actions it contains operate on their respective arguments. Within a rule, named action definitions are enabled and disabled using the action( ) property. Actions take the f[...]

• Page 228

append( )
Appends a new component to the specified header.
Note: An error results if two header modification actions modify the same header. This results in a compile time error if the conflicting actions are within the same action definition block. A runtime error is recorded in the event log if [...]

• Page 229

delete( )
Deletes all components of the specified header.
Note: An error results if two header modification actions modify the same header. The error is noted at compile time if the conflicting actions are within the same action definition block. A runtime error is recorded in the event log if the conflictin[...]

• Page 230

delete_matching( )
Deletes all components of the specified header that contain a substring matching a regular-expression pattern.
Note: An error results if two header modification actions modify the same header. The error is noted at compile time if the conflicting actions are within the same action[...]

• Page 231

im.alert( )
Deliver a message in-band to the instant messaging user. The text appears in the instant message window. This action is similar to log_message( ), except that it appends entries to a list in the instant messaging transaction that the IM protocol renders in an appropriate way. Multiple alerts can be[...]

• Page 232

log_message( )
Writes the specified string to the ProxySG event log. Events generated by log_message( ) are viewed by selecting the Policy messages event logging level in the Management Console.
Note: This is independent of access logging.
Syntax
log_message(string)
Where string is a quoted string t[...]

• Page 233

notify_email( )
Sends an email notification to the list of recipients specified in the Event Log mail configuration. The sender of the email appears as Primary_ProxySG_IP_address - configured_appliance_hostname>. You can specify multiple notify_email actions, which may result in multiple mail messages for a [...]

• Page 234

notify_snmp( )
Multiple notify_snmp actions may be specified, resulting in multiple SNMP traps for a single transaction. The SNMP trap is sent when the transaction terminates.
Syntax
notify_snmp(message)
where message is a quoted string that can optionally include one or more variable substitutions.[...]

• Page 235

redirect( )
Ends the current HTTP transaction and returns an HTTP redirect response to the client by setting the policy_redirect exception. Use this action to specify an HTTP 3xx response code, optionally set substitution variables based on the request URL, and generate the new Location response-header URL aft[...]

• Page 236

replace( )
This deprecated action has been replaced by rewrite( ). For more information, see "rewrite( )" on page 237.[...]

• Page 237

rewrite( )
Rewrites the request URL, URL host, or components of the specified header if it matches the regular-expression pattern. This action is often used in conjunction with the URL rewrite form of the transform action in a server portal application.
Note: The URL form of the rewrite( ) action does not r[...]

• Page 238

URL is considered complete, and replaces any URL that contains a substring matching the regex_pattern substring. Sub-patterns of the regex_pattern matched can be substituted in replacement_url using the $(n) syntax, where n is an integer from 1 to 32, specifying the matched sub-pattern. For more info[...]

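The URL form of rewrite( ) as just described, modelled in Python as an added example (not ProxySG code): when regex_pattern matches a substring of the URL, the whole URL is replaced by replacement_url with each $(n) expanded to the n-th matched sub-pattern, n in 1..32. The model rejects a $(n) that is out of range or that names a sub-pattern the regex does not define, rather than silently substituting an empty string into a URL that will then be forwarded upstream. The URLs and patterns used are constructed for the example.

```python
"""Added example: the URL form of rewrite(url, regex_pattern, replacement_url)."""
import re

_REFERENCE = re.compile(r"\$\((\d+)\)")  # matches $(n)
MAX_SUBPATTERN = 32


def compile_replacement(replacement_url: str, group_count: int) -> str:
    """Turn CPL $(n) references into a template for re.Match.expand().

    Raises ValueError for $(n) outside 1..32 or beyond the groups the
    regex actually defines, instead of expanding to an empty string.
    """
    def convert(match) -> str:
        n = int(match.group(1))
        if not 1 <= n <= MAX_SUBPATTERN:
            raise ValueError(f"$({n}) is outside 1..{MAX_SUBPATTERN}")
        if n > group_count:
            raise ValueError(f"$({n}) refers to a sub-pattern the regex does not define")
        return f"\\g<{n}>"

    # A literal backslash in the replacement must survive expand() unchanged.
    return _REFERENCE.sub(convert, replacement_url.replace("\\", "\\\\"))


def rewrite_url(url: str, regex_pattern: str, replacement_url: str) -> str:
    """Return the complete rewritten URL, or the original URL when there is no match."""
    pattern = re.compile(regex_pattern)
    match = pattern.search(url)          # a substring match is enough to trigger the rewrite
    if match is None:
        return url
    template = compile_replacement(replacement_url, pattern.groups)
    return match.expand(template)        # the replacement is the whole new URL


if __name__ == "__main__":
    # Constructed server-portal style rewrite: move a CGI path to a portal host.
    print(rewrite_url("http://www.example.com/cgi-bin/page.cgi?id=7",
                      r"^http://www\.example\.com/cgi-bin/(.*)",
                      "http://portal.example.com/$(1)"))
```

Because the replacement is the complete URL, an unanchored pattern such as /old/(\w+) still produces a full replacement URL rather than an in-place edit of the matched substring; anchor the pattern when the intent is to rewrite only requests to a specific host.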
• Page 239

See Also
• Actions: append( ), delete( ), delete_matching( ), redirect( ), set( ), transform
• Conditions: request.header.header_name=, request.header.header_name.address=, request.x_header.header_name=, request.x_header.header_name.address=, response.header.header_name=, response.x_header[...]

• Page 240

set( )
Sets the specified header to the specified string after deleting all components of the header.
Note: An error results if two header modification actions modify the same header. The error is noted at compile time if the conflicting actions are within the same action definition block. A runtime[...]

• Page 241

Discussion
Any change to the server form of the request URL must be respected by policy controlling upstream connections. The server form of the URL is tested by the server_url= conditions, which are the only URL tests allowed in <Forward> layers. All forms of the URL are[...]

• Page 242

transform
Invokes an active content or URL rewrite transformer. The invoked transformer takes effect only if the transform action is used in a define action definition block, and that block is in turn enabled by an action( ) property. See chapters 11 and 13 in the Configuration and Management Guide f[...]

• Page 243

See Also
• Properties: action( )
• Definitions: define action, transform active_content, transform url.rewrite[...]

• Page 244

virus_check( )
This deprecated action sends the requested document to a virus scanning server. For more information, see "response.icap_service( )" on page 213.[...]

• Page 245

Chapter 6: Definition Reference
In policy files, definitions serve to bind a set of conditions, actions, or transformations to a user-defined label. Two types of definitions exist:
• Named definitions—Explicitly referenced by policy.
• Anonymous definitions—Apply to all policy evaluation and are not referenced directly in[...]

• Page 246

define action
Binds a user-defined label to a sequence of action statements. The action( ) property has syntax that allows for individual action definition blocks to be enabled and disabled independently, based on the policy evaluation for the transaction. When an action definition block is enabled, [...]

• Page 247

• Definitions: transform active_content, transform url_rewrite
• Chapter 5: "Action Reference".[...]

• Page 248

define active_content
Defines rules for removing or replacing active content in HTML or ASX documents. This definition takes effect only if it is invoked by a transform action in a define action definition block, and that block is in turn enabled by an action( ) property as a result of policy evaluation[...]

• Page 249

Layer and Transaction Notes
• Applies to proxy transactions.
• Only alphanumeric, underscore, dash, and slash characters can be used with the define action name.
Example
<proxy> url.domain=!my_site.com action.strip_active_content(yes)
define active_content strip_with_indication tag_replace apple[...]

• Page 250

define category
Category definitions are used to extend vendor content categories or to create your own. The category_name definition can be used anywhere a content filter category name would normally be used, including in category= tests. Definitions can include other definitions to create a hierar[...]

• Page 251

sportsworld.com
category=football ; include subcategory
end
define category football
nfl.com
cfl.ca
end
The following policy needs only to refer to the sports category to also test the sub-category football:
<Proxy>
deny category=sports ; includes subcategories
For more information on using category= t[...]

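How a nested category= inclusion resolves, as an added example written for this page rather than ProxySG code: a parser for define category blocks and a membership test that follows included sub-categories transitively, guards against a definition cycle, and matches domain suffixes only on label boundaries (nfl.com matches www.nfl.com but not xnfl.com or nfl.com.example.org). The sports and football bodies are the page's; the `define category sports` header line is reconstructed because the page cuts off before it, so treat that one line as an assumption.

```python
"""Added example: define category parsing and nested category membership."""
import re
from typing import Dict, List, Optional, Set

# Page-251 definitions; the first header line is reconstructed (assumption).
DEFINITIONS = """
define category sports
sportsworld.com
category=football ; include subcategory
end
define category football
nfl.com
cfl.ca
end
"""


def parse_categories(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {name: {"domains": [...], "includes": [...]}}; ';' starts a comment."""
    cats: Dict[str, Dict[str, List[str]]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"define\s+category\s+(\S+)$", line)
        if header:
            current = header.group(1)
            cats[current] = {"domains": [], "includes": []}
        elif line == "end":
            current = None
        elif current is None:
            raise ValueError(f"statement outside a definition: {raw!r}")
        elif line.startswith("category="):
            cats[current]["includes"].append(line[len("category="):].strip())
        else:
            cats[current]["domains"].append(line.lower().rstrip("."))
    if current is not None:
        raise ValueError(f"definition {current} is missing its end")
    return cats


def domain_matches(host: str, suffix: str) -> bool:
    """Domain-suffix match on label boundaries only."""
    host = host.lower().rstrip(".")
    return host == suffix or host.endswith("." + suffix)


def in_category(cats, name: str, host: str, _seen: Optional[Set[str]] = None) -> bool:
    """True if host is in category `name` or in any category it includes, transitively."""
    seen = set() if _seen is None else _seen
    if name in seen:            # a includes b includes a: stop instead of recursing forever
        return False
    seen.add(name)
    if name not in cats:
        raise KeyError(f"category {name} is not defined")
    if any(domain_matches(host, d) for d in cats[name]["domains"]):
        return True
    return any(in_category(cats, sub, host, seen) for sub in cats[name]["includes"])


CATS = parse_categories(DEFINITIONS)


def denied_by_sports_rule(host: str) -> bool:
    """Models the page's `<Proxy> deny category=sports` for a request to host."""
    return in_category(CATS, "sports", host)


if __name__ == "__main__":
    for h in ("www.nfl.com", "sportsworld.com", "xnfl.com"):
        print(h, denied_by_sports_rule(h))
```

The label-boundary check is the part worth keeping when you write your own matcher: a bare endswith("nfl.com") would also deny xnfl.com, while a host like nfl.com.example.org, which an attacker controls, must not be treated as a member of the category.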
• Page 252

define condition
Binds a user-defined label to a set of conditions for use in a condition= expression. For condition definitions, the manner in which the condition expressions are listed is significant. Multiple condition expressions on one line, separated by whitespace, are considered to have a Boolea[...]

• Page 253

define condition extension_low_risk ; file types assumed to be low risk.
url.extension=(asf,asx,gif,jpeg,mov,mp3,ram,rm,smi,smil,swf,txt,wax,wma,wmv,wvx)
end
define condition internal_prescanned ; will be prescanned so we can assume safe
server_url.domain=internal.myco.com server_url.extension=(doc,dot,hlp,ht[...]

• Page 254

define domain
This deprecated syntax has been replaced by the url.domain condition. For more information see "define url.domain condition" on page 263.[...]

• Page 255

define javascript
A javascript definition is used to define a javascript transformer, which adds javascript that you supply to HTML responses.
Syntax
define javascript transformer_id
javascript-statement
[javascript-statement] …
end
where:
• transformer_id —A user-defined identifier for a transforme[...]

• Page 256

See Also
• Actions: transform
• Definitions: define action
• Properties: action( )[...]

• Page 257

define prefix condition
This deprecated syntax has been replaced by the define url condition. For more information see "define url condition" on page 261.[...]

  • Página 258

    Proxy SG Content Policy Language Guide 258 define ser ver_url.domain condition Binds a user-defined label to a set of domain-s uffix patterns for use in a condition= expr ession. Using this definition block allows you to quickl y test a large set of server_url.domain= conditions. Although the define condition definition blo ck could be used in a si[...]

  • Page 259

      affinityclub.example.com
    end
    <Forward>
      condition=!allowed access_server(no)
    See Also
    Condition: condition=, server_url.domain=
    Definitions: define url.domain condition[...]

  • Page 260

    define subnet
    Binds a user-defined label to a set of IP addresses or IP subnet patterns. Use a subnet definition label with any of the conditions that test part of the transaction as an IP address, including: client.address=, proxy.address=, request.header.header_name.address=, request.x_header.he[...]

  • Page 261

    define url condition
    Binds a user-defined label to a set of URL prefix patterns for use in a condition= expression. Using this definition block allows you to quickly test a large set of url= conditions. Although the define condition definition block could be used in a similar way to encapsulate a set of URL [...]

  • Page 262

    timing restrictions for the defined condition will depend on the layer and timing restrictions of the contained expressions. The condition= condition is one of the expressions that can be included in the body of a define url condition definition block, following a URL pattern. In this way, one pref[...]

  • Page 263

    define url.domain condition
    Binds a user-defined label to a set of domain-suffix patterns for use in a condition= expression. Using this definition block allows you to test a large set of server_url.domain= conditions very quickly. Although the define condition definition block could be used in a simil[...]

  • Page 264

    See Also
    • Condition: condition=, server_url.domain=
    • Definitions: define url condition, define server_url.domain condition[...]

  • Page 265

    define url_rewrite
    Defines rules for rewriting URLs embedded in tags within HTML, CSS, JavaScript or ASX documents. This transformer takes effect only if it is also invoked by a transform action in a define action definition block, and that block is in turn called from an action( ) property. For each url fo[...]

  • Page 266

    • server_url_substring — A string that, if found in the server URL, will be replaced by the client_url_substring. The comparison is done against original normalized URLs embedded in the document.
    Note: Both client_url_substring and server_url_substring are literal strings. Wildcard characters and r[...]

  • Page 267

    restrict dns
    This definition restricts DNS lookups and is useful in installations where access to DNS resolution is limited or problematic. The definition has no name because it is not directly referenced by any rules. It is global to policy evaluation and intended to prevent any DNS lookups caused by polic[...]

  • Page 268

    restrict rdns
    This definition restricts reverse DNS lookups and is useful in installations where access to reverse DNS resolution is limited or problematic. The definition has no name. It is global to policy evaluation and is not directly referenced by any rules. If the requested URL specifies the h[...]

  • Page 269

    transform active_content
    This deprecated syntax has been replaced by define active_content. For more information see "define active_content" on page 248.[...]

  • Page 270

    transform url_rewrite
    This deprecated syntax has been replaced by define url_rewrite. For more information see "define url_rewrite" on page 265.[...]

  • Page 271

    Appendix A: Glossary
    actions
    A class of definitions. CPL has two general classes of actions: request or response modifications and notifications. An action takes arguments (such as the portion of the request or response to modify) and is wrapped in a named action definition block. When the action definition is turned on by the policy rules, an[...]

  • Page 272

    Forward Policy File
    A file you create or that might be created during an upgrade from prior SGOS versions, and that you maintain to supplement any policy described in the other three policy files. It is normally used for forwarding policy. The Forward policy file is always last in the evaluation or[...]

  • Page 273

    response transformation
    A modification of the object being returned. This modification can be to either the protocol headers associated with the response sent to the client, or a transformation of the object contents itself, such as the removal of active content from HTML pages.
    rule
    A list of triggers and property s[...]

  • Page 274

    [...]

  • Page 275

    Appendix B: Testing and Troubleshooting
    If you are experiencing problems with your policy files or would like to monitor evaluation for brief periods of time, consider using the policy tracing capabilities of the policy language. Tracing allows you to examine how the Proxy SG policy is applied to a particular request. To configure trac[...]

  • Page 276

    Enabling Request Tracing
    Use the trace.request( ) property to enable request tracing. Request tracing logs a summary of information about the transaction: request parameters, property settings, and the effects of all actions taken. This property uses the following syntax:
    trace.request(yes|no)
    where[...]

  • Page 277

    Here are the relevant policy requirements to be expressed:
    • DNS lookups are restricted except for a site being hosted.
    • There is no access to reverse DNS so that is completely restricted.
    • Any requests not addressed to the hosted site either by name or subnet should be rejected.
    • FTP P[...]

  • Page 278

    1 start transaction ------------------------------
    2 CPL Evaluation Trace:
    3 <Proxy>
    4 MATCH: trace.rules(all) trace.request(yes)
    5 <Proxy>
    6 miss: url.domain=!//my_site.com/
    7 miss: url.address=!my_subnet
    8 <Proxy>
    9 n/a : ftp.method=STOR
    10 <Proxy>
    11 MATCH: url.domain=//my_site.[...]

  • Page 279

    The following is a trace of the same policy, but for a transaction in which the request URL has an IP address instead of a hostname.
    1 start transaction ------------------------------
    2 CPL Evaluation Trace:
    3 <Proxy>
    4 MATCH: trace.rules(all) trace.request(yes)
    5 <Proxy>
    6 miss: url.hos[...]

  • Page 280

    Policy: Action discarded, 'set_header_1' conflicts with an action already committed
    The conflict is reflected in the following trace of a request for //www.my_site.com/home.html :
    1 start transaction ------------------------------
    2 CPL Evaluation Trace:
    3 <Proxy>
    4 MATCH: trace.rules(all[...]

  • Page 281

    Appendix C: Recognized HTTP Headers
    The tables provided in this appendix list all recognized HTTP 1.1 headers and indicate how the Proxy SG is able to interact with them. For each header, columns show whether the header appears in request or response forms, and whether the append( ), delete( ), rewrite( ), or set( ) actions[...]

  • Page 282

    The following table lists custom headers that are recognized by the Proxy SG.
    If-Match  Request  X
    If-Modified-Since  Request
    If-None-Match  Request  X
    If-Range  Request
    If-Unmodified-Since  Request
    Last-Modified  Request/Response
    Location  Response  X  X
    Max-Forwards  Request
    Meter  Request/Response  X  X
    Pragma[...]

  • Page 283

    Appendix D: CPL Substitutions
    This appendix lists all substitution variables available in CPL. To use a variable in CPL, it is expressed as $(<field-id>), such as $(cs-bodylength). For fields that have both ELFF and CPL tokens, either token can be used. For example, $(cs-ip) and $(proxy.address) are equivalent. Note that $(request.x_h[...]

  • Page 284

    sr-bytes  Number of bytes sent from appliance to upstream host.
    sr-headerlength  Number of bytes in the header sent from appliance to upstream host.
    Category: connection
    ELFF  CPL  Description
    cs-ip  proxy.address  IP address of the destination of the client's connection.
    c-connect-type  The type of conne[...]

  • Page 285

    x-bluecoat-transaction-id  transaction.id  Unique per-request identifier generated by the appliance (note: this value is not unique across multiple appliances).
    x-bluecoat-appliance-name  appliance.name  Configured name of the appliance.
    x-bluecoat-appliance-primary-address  appliance.primary_address  Primary IP ad[...]

  • Page 286

    cs-version  request.version  Protocol and version from the client's request; for example, HTTP/1.1.
    x-bluecoat-proxy-via-http-version  proxy.via_http_version  Default HTTP protocol version of the appliance without protocol decoration (e.g. 1.1 for HTTP/1.1).
    x-bluecoat-redirect-location  redirect.loc[...]

  • Page 287

    x-bluecoat-special-esc  esc  Resolves to the escape character (ASCII HEX 1B).
    x-bluecoat-special-gt  gt  The greater-than character.
    x-bluecoat-special-lf  lf  The line feed character.
    x-bluecoat-special-lt  lt  The less-than character.
    x-bluecoat-special-quot  quot  The double quote character.
    x-bluecoat-special-[...]

  • Page 288

    x-bluecoat-surfcontrol-reporter-id  Specialized value for SurfControl reporter.
    x-bluecoat-websense-category-id  The Websense specific content category ID.
    x-bluecoat-websense-keyword  The Websense specific keyword.
    x-bluecoat-websense-reporter-id  The Websense specific reporter category ID.
    x-blueco[...]

  • Page 289

    x-patience-url  patience_url  The url to be requested for more patience information.
    x-virus-id  Identifier of a virus if one was detected.
    Category: streaming
    ELFF  CPL  Description
    x-cs-streaming-client  streaming.client  Type of streaming client in use (windows_media, real_media, or quicktime).
    x-rs-streaming-con[...]

  • Page 290

    x-bluecoat-day  day  Localtime day (as a number) formatted to take up two spaces; for example, 07 for the 7th of the month.
    x-bluecoat-hour  hour  Localtime hour formatted to always take up two spaces; for example, 01 for 1AM.
    x-bluecoat-minute  minute  Localtime minute formatted to always take up two spaces; f[...]

  • Page 291

    cs-uri-hostname  log_url.hostname  Hostname from the 'log' URL. RDNS is used if the URL uses an IP address.
    cs-uri-path  log_url.path  Path from the 'log' URL. Does not include query.
    cs-uri-pathquery  log_url.pathquery  Path and query from the 'log' URL.
    cs-uri-port  log_url.port  Port [...]

  • Page 292

    sr-uri-query  server_url.query  Query from the upstream request URL.
    sr-uri-scheme  server_url.scheme  Scheme from the URL used in the upstream request.
    sr-uri-stem  Path from the upstream request URL
    s-uri  cache_url  The URL used for cache access.
    s-uri-address  cache_url.address  IP address from the URL[...]

  • Page 293

    Category: user
    ELFF  CPL  Description
    cs-auth-group  group  One group that an authenticated client is a member of. The group selected is determined by either a group.log_order definition in policy or the order groups are referenced in policy
    cs-auth-groups  groups  Groups that an authenticated client is a member of. [...]

  • Page 294

    cs(Accept-Language)  request.header.Accept-Language  Request header: Accept-Language
    cs(Accept-Ranges)  request.header.Accept-Ranges  Request header: Accept-Ranges
    cs(Age)  request.header.Age  Request header: Age
    cs(Allow)  request.header.Allow  Request header: Allow
    cs(Authentication-Info)  request.header.[...]

  • Page 295

    cs(If-Unmodified-Since)  request.header.If-Unmodified-Since  Request header: If-Unmodified-Since
    cs(Last-Modified)  request.header.Last-Modified  Request header: Last-Modified
    cs(Location)  request.header.Location  Request header: Location
    cs(Max-Forwards)  request.header.Max-Forwards  Request header: Max-Forwards
    cs[...]

  • Page 296

    cs(X-Forwarded-For)  request.header.X-Forwarded-For  Request header: X-Forwarded-For
    Category: si_response_header
    ELFF  CPL  Description
    rs(Accept)  response.header.Accept  Response header: Accept
    rs(Accept-Charset)  response.header.Accept-Charset  Response header: Accept-Charset
    rs(Accept-Encoding)  response.h[...]

  • Page 297

    rs(From)  response.header.From  Response header: From
    rs(Front-End-HTTPS)  response.header.Front-End-HTTPS  Response header: Front-End-HTTPS
    rs(Host)  response.header.Host  Response header: Host
    rs(If-Match)  response.header.If-Match  Response header: If-Match
    rs(If-Modified-Since)  response.header.If-Modified-Since  R[...]

  • Page 298

    rs(Vary)  response.header.Vary  Response header: Vary
    rs(Via)  response.header.Via  Response header: Via
    rs(WWW-Authenticate)  response.header.WWW-Authenticate  Response header: WWW-Authenticate
    rs(Warning)  response.header.Warning  Response header: Warning
    rs(X-BlueCoat-Error)  response.header.X-BlueCoat-Er[...]

  • Page 299

    Appendix E: Filter File Syntax
    This appendix provides a summary of the syntax and evaluation order used in CacheOS version 4.x filter files. While it is recommended that you convert any filter file to take advantage of the policy features of Proxy SG, it is possible to use a CacheOS 4.x filter file in the place of a policy file, and have it [...]

  • Page 300

    Filter-Part Components
    The filter part of a filter file can contain the following:
    • Filters that are not part of a section
    • Sections
    • ALL statements
    • default_filter_properties statements
    • Access-control list (ACL) definitions
    Filters that are not part of a section must occur bef[...]

  • Page 301

    • The only condition available in filter lines is the acl= condition, which is a synonym for the CPL condition client.address=.
    • The only way to specify case-sensitivity is with case_insensitive={yes|no}.
    The following are requirements for filter lines:
    • A line break is considered to be a new filter [...]

  • Page 302

    ALL Statements
    An ALL statement is a line beginning with the keyword ALL, followed by zero or more conditions and property settings. There are two conditions available in an ALL statement: acl= and protocol=. The ALL statement acts as a match of first resort, before any filters a[...]

  • Page 303

    • protocol=value — An optional protocol= condition expression. Available values are http, https, ftp, mms, rtsp, tcp, aol-im, msn-im, or yahoo-im. For details, see "url=" on page 137.
    • property=value — An optional property setting. For a list of properties available in filter files[...]

  • Page 304

    While prefix-pattern filters are commonly used outside of any section, the Prefix section is provided to help differentiate these types of filters when domain-suffix and regular-expression filters are also used. The filters in a prefix section follow the pattern used in a CPL url= condition. For mo[...]

  • Page 305

    • The domain-suffix filter http://company.com/ denies service to all URLs where company.com is a proper super-domain and any path relative to the matched domain, including the null path. For example, service is denied to the URL http://www.intranet.company.com/, but not http://mycompany.com/ since mycompan[...]

  • Page 306

    Evaluation Order
    CacheOS 4.x filter files have a different order of evaluation than CPL files. A compiled filter file behaves as if it had a single [Prefix] section, a single [Domain-Suffix] section, and a single [Regular-Expression] section. The filter file is rewritten during file compilation, as fo[...]

  • Page 307

    Appendix F: Upgrading from CacheOS
    When upgrading from CacheOS version 4.x to the Proxy SG, the default policy files are created as follows:
    • The CacheOS 4.x central filter file is copied to the Proxy SG central policy file with no changes.
    • The CacheOS 4.x local filter file is copied to the Proxy SG local policy file with no changes.[...]

  • Page 308

    For the CPL compiler, the correct filter will be selected at run time based on the ACL if the filters are distinguished by having different ACL conditions.
    Converting Filter-Style Files to CPL Syntax
    When converting your filter-style files, do not insert snippets of CPL syntax to take advantage o[...]

  • Page 309

    Index
    A
    <Admin> layers, understanding 37; access_log( ) property 154; access_server() property 155; action definition block 246; action part, filter file 305; action.action_label( ) property 156; actions: append() 228, argument syntax in 227, conflicting 47, delete() 229, delete_matching() 230, log_message() 232, notify_email 233, 234, redirect() 235, re[...]

  • Page 310

    Proxy SG Configuration and Management Guide 310
    D
    date= condition 67; day= condition 68; define acl definition block, filter file 303; define action definition block 246; define category definition 250; define condition definition block 252; define prefix condition definition block 257, 261; define server_url.domain condition name definition 258; define[...]

  • Page 311

    H
    has_attribute.name= condition 74; has_client= condition 76; hour= condition 77; HTTP cache transactions 36; http.method= condition 79; http.request.version( ) property 190; http.request.version= condition 80; http.response.code= condition 81; http.response.version( ) property 191; http.response.version= condition 82; http.transparent_authentication=[...]

  • Page 312

    rules, conflicting 47; statistics, example 276; testing 275; tips on writing 44; troubleshooting 275; whitelists 45; policy ix; authentication/denial, setting 28; installing, overview 29; troubleshooting, overview 30; writing, overview 27; policy model, understanding 20; policy rules order 45; policy tracing enabl[...]

  • Page 313

    Q
    quoting, understanding 22
    R
    realm= condition 112; redirect() action 235; references: related Blue Coat documentation x; referential integrity, understanding 26; reflect_ip( ) property 204; reflect_vip( ) property. See reflect_ip( ) property; refresh property, filter file 302; refresh transactions 35; refresh( ) property 206; regular-expression [...]

  • Page 314

    T
    time= condition 134; timing: in layers, understanding 41, understanding 36; trace.destination( ) 276; trace.destination( ) property 222; trace.request( ) property 223; trace.rules: enabling 275, trace.rules() property 224, trace.rules, enabling 275; transactions: administrator 33, cache 33, 35, 271, forwardin[...]