Gebruiksaanwijzing /service van het product Proxy SG van de fabrikant Blue Coat Systems
Ga naar pagina of 314
Blue Coat Systems TM Pro xy SG Content P olicy Language Guide Content P olicy Language Guide.
Proxy SG Content Policy Language Guide 2 Blue Coat Systems Inc. (408) 220-2200 V oice 650 Almanor A venue (408) 220-2250 F AX Sunnyvale, California 94086 (866) 302-2628 T echnical Support (866) 362-2628 info@bluecoat.com www .bluecoat.com Copyright (c) 2002, 2003 Blue Co at Systems, Inc.
Copyrights 3 THIRD P ARTY COPYRIGHT NO TICE S Blue Coat Systems, Inc. Security Gateway Operating System (SGO S) version 3 utilizes third party software fr om various sources. Portions of this software ar e copyrighted by their respective owne rs as indicated in the copyright notices below .
Proxy SG Content Policy Language Guide 4 Redistribution and use of this software and associated document ation ("Software"), with or without modification, ar e permitted provided that the following conditions are met: 1. Redistributions of so urce code must retain copyright statements and notices, 2.
Copyrights 5 A F AILURE OF THE PROGRAM TO OPERA TE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER O R OTHER P ARTY HAS BEEN ADVISED OF THE POSSI BILITY OF SUCH DAMAGES. 2) The 32-bit CRC compensation attack de tector in deattack.c was contributed by CORE SDI S.
Proxy SG Content Policy Language Guide 6 2. Redistributions in binary form must reproduce the above copy right notice, this list of condit ions and the following disclaim er in the documentation and/or other materials provided with the distribution.
Copyrights 7 This produc t includes cryptographic softwar e written by Eric Y o ung (eay@c ryptsoft .com). This pr oduct includes software written by T im Hudson (tjh@cr yptsoft.c om). PCRE Copyright (c) 1997-2001 University of Cambridge University of Cambridge Computing Service, Cambridge, England.
Proxy SG Content Policy Language Guide 8 documentation. Moscow Center for SP ARC T e chnology makes no repr esentations about the suitability of this software for any purpos e. It is provided "as is" without express or implied warranty . SmartFilter Copyright (c) 2003 Secure Computing Corporation.
Pref ace: Introducing the Content P o licy Language The Content Policy Language (CPL) is a powerful, flexible language that enables you to specify a variety of W eb-access policies. Proxy SG policy is written in CPL, and ever y W e b request is evaluated based on the installed policy .
Proxy SG Content Policy Language Guide x Suppor ted Bro wsers The Proxy SG Management Console supports Micr osoft ® Internet Explorer 5 and 6, and Netscape ® Communicator 4. 78, 6.2, and 7.1. The Management Console uses the Java Runtime En vironment.
Contents Preface: Introducing t he Content Policy Language About the Document Organization ............ .................... .................... ................... .................... ..... ............... ..ix Supported Browsers ..................
Proxy SG Content Policy Language Guide xii <Forward> Layers ..................... ................. ................... .................... .................... .............. ........ ............. 39 <Proxy> Layers ...... ..............
Contents xiii http.method= ............ .................... ................... .................... ................. .................... ....... ............ ............. 79 http.request.version= ............. .................... ...............
Proxy SG Content Policy Language Guide xiv server_url= .......... .................... .................... ................. ................... .................... .......... ............. ............. 125 socks= .............. ................ ..
Contents xv force_cache( ) ................. .................... .................... .................... ................... ................. .................... ..... 180 force_deny( )................. ................... ................. .....
Proxy SG Content Policy Language Guide xvi trace.request( ) ........................ ................. .................... ................... .................... .......... ....... ................... 223 trace.rules( ) ...................... .....
Contents xvii Appendix B: T esting and Troubleshooting Enabling Rule Tracing ................... .................... .................... .................... ................... ........ ............ ..... 275 Enabling Request Tracing ........... ..
Proxy SG Content Policy Language Guide xviii.
Chapter 1: Ov er view of Content P olicy Language The Content Policy Language (CPL) is a programming langu age with its own concepts and rules that you must follow .
Proxy SG Content Policy Language Guide 20 This provides the abi lity to test various aspects of a re quest, such as the IP address of the client and the URL used, or the response, such as th e contents of any HTTP headers. • Ensures policy integ rity during processing.
Chapter 1: Overview of Content Policy Language 21 For new Proxy SG appliances, the default is to deny all requests . For Proxy SG appliances being upgraded fr om 4.x, the default is to allo w all requests. In ei ther case, the P roxy SG can be configured for either default.
Proxy SG Content Policy Language Guide 22 W ith a few notable exceptions, trigge rs te st on e as pe c t o f re qu e st, re sponse, or associated state against a boolean expression of values. For the conditions in a rule, each of the triggers is logically anded together .
Chapter 1: Overview of Content Policy Language 23 • More complex boolean expressions ar e allowed for the pattern_expres sion in the triggers. For example, the second part of the condition in the simple rule shown above could be “the request is made between 9 a.
Proxy SG Content Policy Language Guide 24 La y ers A policy layer is a CPL construct used to evaluate a set of rules and reach one decision. Separating decisions helps contr ol policy complexi ty , and is do ne through writing each decision in a separate layer .
Chapter 1: Overview of Content Policy Language 25 [ section_type [ label ]] [ section_condition ][ sect ion_properties ] section_content where: • The section_type defines the syn tax of the rules used in the se ction, and the evaluation strategy used to evaluate those rules.
Proxy SG Content Policy Language Guide 26 Named Definitions There ar e various types of named definitions. Each defi nition is given a user defined name that is then used in rules to refer to the definition. This sectio n highlights a few of the definition types, as an overview of the topic.
Chapter 1: Overview of Content Policy Language 27 policy that does not requir e the realm. Once all outs tanding transactions that r equir ed refer ence to the realm have completed, the realm can be removed fr om configuration.
Proxy SG Content Policy Language Guide 28 A uthentication and Denial One of the most important timing relationships to be awar e of is the relation between authentication and denial. Denial can be done eithe r before or af ter authentication, and dif f erent or ganizations have diffe rent requir ements.
Chapter 1: Overview of Content Policy Language 29 <Proxy> client.address=!corporate_subnet deny ; filter out strangers socks.authenticate(MyRealm) ; this happe ns earlier than the category test .
Proxy SG Content Policy Language Guide 30 T roub leshooting P olicy When installed policy does not behave as expected, use policy tracing to understand the behavior of the installed policy .
Chapter 1: Overview of Content Policy Language 31 Conditional Compilation Occasionally , y ou might be requir ed to maintain poli cy that can be applied to appliances running diffe rent versions of SGOS and requiring dif ferent CPL . CPL provides the foll owing conditional compilation dir ective that tes ts the SGOS version (suc h as 2.
Proxy SG Content Policy Language Guide 32.
Chapter 2: Managing Content P olicy Language As discussed in Chapter 1, Content Policy Language policies are composed of transactions that are placed into rules and tested against various conditions.
Proxy SG Content Policy Language Guide 34 Each of the protocol-specific pr oxy transact ions has specific information that can be tested—informati on that may not be available fr om or relevant to othe r protocols. HTTP Headers and Instant Messaging buddy names ar e two exam ples of protocol-specific information.
Chapter 2: Managing Content Policy Language 35 Some conditions cannot be evaluated during th e first stage; for example, the user and group information will not be known until stage two. Likewise, the response headers and MIME type are unavailable for testing until stage three.
Proxy SG Content Policy Language Guide 36 An HTTP cache transaction is examined in two stages: • Before the object is retrieved from the origin s erver .
Chapter 2: Managing Content Policy Language 37 But policy cannot determine th e value of the Conten t-type re sponse header until the response is returned. The Pr oxy SG ca nnot contact the server to get the response until pol icy determines what hosts or gateways to route thr ough to get th ere.
Proxy SG Content Policy Language Guide 38 • The optional admin_properties is a list of properties set if an y of the rules in the layer match. These act as defaults, and can be overridden by prop erty settings in specific rules in the layer . For more informatio n on using properties, see Chapter 4: " Property Refer ence".
Chapter 2: Managing Content Policy Language 39 <Exception> La y ers <Exception> layers ar e evaluated when a proxy transaction is terminated by an exception. This could be caused by a bad r equest (for example, the r equ est URL names a non-existent server) or by setting the deny or exception() pr operties in policy .
Proxy SG Content Policy Language Guide 40 <Pro xy> La y ers <Proxy> layers define policy for authenticating and auth orizing users’ requests for service over one of the configur ed proxy service ports (r efer to Chapter 6:”Managing Port Services” in the Pr oxy SG Configuration and Management Guide .
Chapter 2: Managing Content Policy Language 41 Timing The “late guards early” timing errors that can occu r wi thin a rule can ar ise across r ules in a layer .
Proxy SG Content Policy Language Guide 42 url.domain=nbc.com/athletics deny ; etc, suppose it's a substantial list url.regex="sports|athletics" access_serv er(no) url.regex=".mail." deny ; etc url=www.bluecoat.com/internal group=!blu ecoat_employees deny url=www.
Chapter 2: Managing Content Policy Language 43 • Rules in [Rule] s ections are evaluated sequentially , top to bottom. The time taken is pr oportional to the number of rules in the sec tion. • [Rule] sections can be used in any la yer . [url] The [url] section type is used to group a number of rules that test the URL.
Proxy SG Content Policy Language Guide 44 • [server_url.domain] sections ar e allowed only in <Exception> or <Forward> layers. Section Guards Just as you can with layers, you can impr ov.
Chapter 2: Managing Content Policy Language 45 • Do not mix the CacheOS 4. x filter-file syntax with CPL syntax. Although the Content Polic y Language is backwa rd-compatible with the filter -file syntax, avoid using the older syntax with the new .
Proxy SG Content Policy Language Guide 46 The following example is an exception defined wi thin a layer . A company wants access to payroll information limited to Human Resou rces staf f on ly .
Chapter 2: Managing Content Policy Language 47 evaluation or der as currently configur ed. Changes to the policy file evaluation order must be managed with great car e.
Proxy SG Content Policy Language Guide 48 Best Practices • Express s eparate decisions in separate layer s. As policy gr ows and becomes more complex, mainten ance becomes a significant issue. Maintenance will be easier if the logic for each aspect of policy is separate and distinct.
Chapter 3: Condition Ref erence A condition is an express ion that yields true or fals e when evaluated. Conditions can appear in: • Policy r ules. • Section and layer headers, as guards; for exam.
Proxy SG Content Policy Language Guide 50 • condition ::= trigger "=" expression • trigger ::= identifier | identifier "." word • expression ::= term | list • list ::= &quo.
Chapter 3: Con dition Reference 51 Una v ailable T riggers Some triggers can be unavailable in some transactions. If a trigger is unavai lable, then any condition containing that tr igger is false, regardless of the pattern expression.
Proxy SG Content Policy Language Guide 52 acl= Deprecated syntax. See "client.addr ess=" on page 60 for mor e information..
Chapter 3: Con dition Reference 53 admin.access= T ests the administrative access requ ested by the current transaction. It evaluates to null if the transaction is not an admi nistrative transaction, whic h may occur if the test is included in an <Exception> layer .
Proxy SG Content Policy Language Guide 54 attribute . name = T ests if the curr ent transaction is authenticated in a RADIUS or LDAP realm, and if the authenticated user has the specified attribute with the specified value.
Chapter 3: Con dition Reference 55 <proxy> authenticate(RADIUSRealm) ; This rule would restrict non-authorize d users. <proxy> deny condition=!ProxyAllowed ; This rule would serve to overr.
Proxy SG Content Policy Language Guide 56 authenticated= T rue if authentication was requested and the cr edentials could be verified; otherwise, false. Syntax authenticated=(yes|no) Lay er and T ransa ction Notes •U s e i n <Admin> and <Proxy> layers.
Chapter 3: Con dition Reference 57 bitrate= T ests if a streaming tr ansaction re quests bandwidth within the specif ied range or an exact match. When providing a range, either value can be left empt y , implying either no lower or no upper limit on the test.
Proxy SG Content Policy Language Guide 58 <Proxy> ; Use this layer to override a d eny in a previous layer ; Grant everybody access to streams up to 56K, sales group up to 2M allow bitrate=..56K allow group=sales bitrate=..2M See Also • Conditions: live= , streaming.
Chapter 3: Con dition Reference 59 categor y= T ests the content categor ies of the requested URL as assigned by policy def i nitions or an installed content filter database.
Proxy SG Content Policy Language Guide 60 client.address= T ests the IP address of the client. The expr ession can include an IP address or subnet or the label of a subnet definit ion block.
Chapter 3: Con dition Reference 61 client.protocol= T ests true if the client transport protocol matches the specification. Replaces: client_protocol= syntax client.protocol=http|https|ftp|tcp|socks |mms|rtsp|icp|aol-im|msn-im|yahoo-im Note that tcp specifies a tunneled t ransaction.
Proxy SG Content Policy Language Guide 62 condition= T ests if the specified defined condition is true. Syntax condition= condition_label where conditi on_label is the label of a custom condition as defined in a define condition , define url.domain conditi on , or define url condition definition block.
Chapter 3: Con dition Reference 63 http://www.x.com time=0800..1000 http://www.y.com month=1 http://www.z.com hour=9..10 end <proxy> condition=test deny ; Example of a define domain-suffix (or domain) condition define url.domain condition test com ; Matches all domains ending in .
Proxy SG Content Policy Language Guide 64 console_access= T ests if the cur rent request is destined for the <Admin> layer . This test can be used to distinguish access to the management console by admininstrators who are explicitly pr oxied to the Proxy SG being admininstered.
Chapter 3: Con dition Reference 65 content_admin= The content_admin= condition has bee n deprecated. For mor e information, see "content_management" on page 66.
Proxy SG Content Policy Language Guide 66 content_management T ests if the curr ent request is a content management transaction. Replaces: content_admin=yes|no Syntax content_management=yes|no Lay er and T ransa ction Notes •U s e i n <Cache> and <Forward> layers.
Chapter 3: Con dition Reference 67 date[.utc]= T ests true if the curr ent time is within the startdate..enddate range, inclusive. The co mparison is made against local time unless the .utc qualifier is sp ecified. syntax date[.utc]=YYYYMMDD..YYYYMMDD date[.
Proxy SG Content Policy Language Guide 68 da y= T ests if the day of the month is in the spe cified range or an exact match. The Pr oxy SG appliance’s configured date and time zone ar e used to determine the curr ent day of the month. T o specify the UTC time zone, use the form day.
Chapter 3: Con dition Reference 69 e xception.id= T ests whether the exception being r eturned to the client is the specified exception. It can also be used to determine whether the exception be ing returned is a built-in or user -defined exception.
Proxy SG Content Policy Language Guide 70 ; thrown by deny or force_deny exception.id=policy_denied action.log_in terloper(yes) <Exception> exception.id=user_defined.re stricted_content ; any policy required for this user defi ned exception ... See Also •P r o p e r t i e s : deny( ) , deny.
Chapter 3: Con dition Reference 71 ftp .method= T ests FTP r equest methods against any of a well-k nown set of FTP methods. A CPL parse erro r is given if an unrecognized method is specified. • ftp.method= evaluates to true if the r equest method matches any of the methods specified.
Proxy SG Content Policy Language Guide 72 group= T ests if the client is authenticated, and the client belongs to the specified gr oup. If both of these conditions are met, the r esult is true. In addition, the realm= condition can be used to test whether the user is authenticated in the specified r ealm.
Chapter 3: Con dition Reference 73 • Applies to proxy and administrator transactions. • This condition cannot be combined with the authe nticate( ) , proxy_authentication( ) , or socks.authenticate( ) pr operties. Examples ; Test if user is authenticated in group all_staff and specified realm.
Proxy SG Content Policy Language Guide 74 has_attribute . name = T ests if the current transaction is authenticated in an LDAP realm and if the authenticated user has the specified LDAP attribute. If the at tribute specif ied is not configur ed in the LDAP schema and yes is used in the expr ession, the condition always yields fal se.
Chapter 3: Con dition Reference 75 See Also • Conditions: attribute. name = , authenticated= , group=, http.transparent_authentication= , re alm= , user= , user.
Proxy SG Content Policy Language Guide 76 has_client= The has_cl ient= condition is used to test whether or not the current transaction has a client. This can be used to guard triggers that depend on client identity in a <Forward> layer . Syntax has_client=yes|no Lay er and T ransa ction Notes •U s e i n <Forward> layers.
Chapter 3: Con dition Reference 77 hour= T ests if the time of day is in the specif ied range or an exact match. The curren t time is determin ed by the Pr oxy SG appliance’s configured clock and time zone by default, although the UTC time zone can be specified by us ing the form hour.
Proxy SG Content Policy Language Guide 78 <proxy> allow server_url.domain=xyz.com ; intern al site always available allow weekday=6..7 ; unrestricted weekends allow hour=17..8; Inverted range for out side business hours See Also • Conditions: date[.
Chapter 3: Con dition Reference 79 http .method= T ests HTTP r equest methods agains t any of a common set of HTTP methods. A CPL parse error is given if an unrecognized method is specified.
Proxy SG Content Policy Language Guide 80 http .request.version= T ests the vers ion of HTTP used by the client in making the re quest to the appliance. syntax http.request.version=0.9|1.0|1.1 Lay er and T ransa ction Notes •U s e i n <Proxy> , <Cache> , and <Exception> layers.
Chapter 3: Con dition Reference 81 http .response.code= T ests true if the curr ent transaction is an HTTP tr ansaction and the response code r eceived from the origin server is as sp ecified. Replac es: http.response_code syntax http.response.code= nnn where nnn is a standard numeric range test with values in the range 100 to 999 inclusive.
Proxy SG Content Policy Language Guide 82 http .response.v ersion= T ests the vers ion of HTTP used by the origin server to deliver the response to the Pr oxy SG . Syntax http.response.version=0.9|1.0|1.1 Lay er and T ransa ction Notes •U s e i n <Proxy> , <Cache> , and <Exception> layers.
Chapter 3: Con dition Reference 83 http .transparent_authentication= This trigger evaluates to true if HTTP uses tr ansparent proxy authentication for this r equest. The trigger can be used with the authenticate( ) or authentica te.force( ) p r o p e r t i e s t o s e l e c t a n authentication realm.
Proxy SG Content Policy Language Guide 84 http .x_method= T ests HTTP request me thods against any unc ommon HTTP methods . A CPL parse warning is given if the method specified is a recognized method (in which case, http.
Chapter 3: Con dition Reference 85 im.b uddy_id= Te s t s t h e buddy_id associated with the inst ant messaging transaction. Syntax im.buddy_id[.case_sensitive]= user_id_str ing im.
Proxy SG Content Policy Language Guide 86 im.chat_room.conf erence= T ests whether the chat r oom associated with the instant messaging transaction has the confer ence attribute set. Syntax im.chat_room.conference=yes|no Lay er and T ransa ction Notes •U s e i n <Proxy> and <Exception> layers.
Chapter 3: Con dition Reference 87 im.chat_room.id= T ests the chat r oom ID associated wi th the instant messagi ng transaction. Syntax im.chat_room.id[.case_sensitive]= user_id _string im.chat_room.id.substring[.case_sensitiv e]= substring im.chat_room.
Proxy SG Content Policy Language Guide 88 im.chat_room.in vite_only= T ests whether the chat r oom associated with the instant messaging transaction has the invite_only attribute set. Syntax im.chat_room.invite_only=yes|no Lay er and T ransa ction Notes •U s e i n <Proxy> and <Exception> layers.
Chapter 3: Con dition Reference 89 im.chat_room.type= T ests whether the chat r oom associated wi th the transaction is public or private. Syntax im.chat_room.type=public|private Lay er and T ransa ction Notes •U s e i n <Proxy> and <Exception> layers.
Proxy SG Content Policy Language Guide 90 im.chat_room.member= T ests whether the chat r oom associated with the instant messaging transaction has a member matching the specified criterion. Syntax im.chat_room.id[.case_sensitive]= buddy_i d_string m.chat_room.
Chapter 3: Con dition Reference 91 im.chat_room.v oice_enabled= T ests whether the chat r oom associated with the instant messaging transaction is voic e enabled. Syntax im.chat_room.voice_enabled=yes|no Lay er and T ransa ction Notes •U s e i n <Proxy> and <Exception> layers.
Proxy SG Content Policy Language Guide 92 im.file.e xtension= T ests the file extension of a file associated with an instant messag ing transaction. The leading ' . ' of the file extension is optional. Only supports an exact match. Syntax im.
Chapter 3: Con dition Reference 93 im.file.name= T ests the file name (the last component of the path), includ ing the extension, of a file a ssociated with an instant messaging transaction. Syntax im.file.name[.case_sensitive]= string im.file.name.prefix[.
Proxy SG Content Policy Language Guide 94 im.file.path= T ests the file path of a file as sociated with an instant messaging transaction against the specified criterion. Syntax im.file.path[.case_sensitive]= string im.file.path.prefix[.case_sensitive]= pre fix_string im.
Chapter 3: Con dition Reference 95 im.file.siz e= Performs a signed 64-bit range test of the size of a file associated wi th an instant messaging transaction. Syntax im.file.size= [min]..[max] The default minimum value is zer o ( 0 ); there is no default maximum value.
Proxy SG Content Policy Language Guide 96 im.message.opcode= T ests the value of an opcode associated wi th an instant messaging transaction whose im.method is send_unknown or receive_unknown .
Chapter 3: Con dition Reference 97 im.message.route= T ests how the instant messaging mes sage reaches its recipients. Syntax im.message.route=service|direct|chat where: • service —The message is r elayed through the IM service. • direct —The message is sent dir ectly to the re cipient.
Proxy SG Content Policy Language Guide 98 im.message.siz e= Performs a signed 64-bit range test on the si ze of the inst ant messaging m essage. Syntax im.message.size= [min]..[max} The default minimum value is zer o ( 0 ); there is no default maximum value.
Chapter 3: Con dition Reference 99 im.message.te xt= T ests if the message text contains the specified text or pattern. Note: The .regex version of this test is limited to the first 8K of the message. The .substring version of the test does not have this r estriction.
Proxy SG Content Policy Language Guide 100 im.message.type= T ests the message type of an instant messaging transaction. Syntax im.message.type=text|invite|voice_invite |file|file_list|application where: • text —Normal IM text message. • invite —An invitation to a chat room or to communicate directly .
Chapter 3: Con dition Reference 101 im.method= T ests the method associated with the i nstant messaging tr ansaction. Syntax im.method=open|create|join|join_user|log in|logout|notify_join|notify_quit|.
Proxy SG Content Policy Language Guide 102 im.user_id= Te s t s t h e user_id associated with the instant messaging transaction. Syntax im.user_id[.case_sensitive]= user_id_stri ng im.
Chapter 3: Con dition Reference 103 liv e= T ests if the str eaming content is a li ve stream. Syntax live=yes|no Lay er and T ransa ction Notes •U s e i n <Cache> and <Proxy> layers. • Applies to streaming transactions . Examples ; The following policy restricts access to live streams during morning hours.
Proxy SG Content Policy Language Guide 104 method= T ests the pr otocol method name as sociated with the transaction. Appr opriate method names depend on the protocol. Also, a warning is is sued during policy file compilation if the name is not a rec og n iz ed m et h od .
Chapter 3: Con dition Reference 105 Examples <proxy> http.method=GET response.header.Pragma=”no-cache " deny ; This example is applicable to a blackl ist model. It denies access to ; transparent FTP by denying the OPEN me thod on port 21.
Proxy SG Content Policy Language Guide 106 minu te= T ests if the minute of the hour is in the specified range or an ex act match. By default, the Prox y SG appliance’s clock and time zone are used to dete rmine the curr ent minute. T o specify the UTC time zone, use the form min ute.
Chapter 3: Con dition Reference 107 month= T ests if the month is in the specified range or an exact match. By default, the Pr oxy SG appliance’s date and time zone ar e used to determine the curr ent month. T o specify the UTC time zone, use the form month.
Proxy SG Content Policy Language Guide 108 protocol= The protocol= condition has been de precated in favor of url.scheme= . For more information see "url=" on page 137.
Chapter 3: Con dition Reference 109 pro xy .address= T ests the de stination address of the arriving IP pa cket. The expr ession can in clude an IP address or subnet, or the label of a subnet definition blo ck. If the transaction was explicitly proxied, then proxy.
Proxy SG Content Policy Language Guide 110 pro xy .card= T ests the or dinal number of the network in terface car d (NIC) used by a r equest. Replac es: proxy_card Syntax proxy.card= card_number where card_nu mber is an integer that reflects the installation order .
Chapter 3: Con dition Reference 111 pro xy .por t= T ests if the IP port used by a r equest is within the specified range or an ex act match.The numeric pattern used to test the proxy.port= condition can contain no whitespace. If the transaction was explicitly proxied, then this tests the IP port that the client used to reach the proxy .
Proxy SG Content Policy Language Guide 112 realm= T ests if the client is authenticated and if the client has logged into the specified r ealm. If both of these conditions are met, the r espon se is true. In addi tion, the group= condition can be used to test whether the user belongs to the specified group.
Chapter 3: Con dition Reference 113 •P r o p e r t i e s : authenticate( ) , authenticate.force( ) , check_authorization( ).
Proxy SG Content Policy Language Guide 114 release.id= T ests the r elease ID of the Proxy SG softwar e. The release ID of the Proxy SG software curr ently running is displayed on the main page of the Management Console and in the Management>Mainte nance>Upgrade>Systems tab of the M anageme nt Cons ol e.
Chapter 3: Con dition Reference 115 release.v ersion= T ests the r elease version of the Proxy SG s oftware. The r elease version of the Proxy SG softwar e currently running is displayed on the main page of the Management Console and in the Management>Mainte nance>Upgrade > Systems tab of the Management Consol e.
Proxy SG Content Policy Language Guide 116 request.header . header_name = T ests the specified request hea der ( header_name ) against a regular expression. Any r ecognized HTTP request header can be tested. For custom heade rs, use request_x_header. header_name = instead.
Chapter 3: Con dition Reference 117 request.header . header_name .address= T ests if the specified r equest header can be parsed as an IP address ; otherwise, false. If parsing succeeds, then the IP ad dress extracted fr om the header is tested against the specified IP addr ess.
Proxy SG Content Policy Language Guide 118 request.header .Ref erer .ur l= T est if the URL specified by the Refer er head er matches the specified criteria. The basic request.header.Referer.url= test attempts to match the complete Refer er URL ag ainst a specified pattern.
Chapter 3: Con dition Reference 119 ; Relative URLs, such as docs subdirecto ries and pages, will match. deny request.header.Referer.url=http://w ww.example.com/docs ; Test if the Referer URL host’s IP addr ess is a match. request.header.Referer.url.
Proxy SG Content Policy Language Guide 120 <proxy> request.header.Referer.url.host.regex=my company ; request.header.Referer.url.path tests ; The following request.header.Referer.url.path strings would all match the examp le Referer URL: ; Referer: http://www.
Chapter 3: Con dition Reference 121 request.x_header . header_name = T ests the spec ified request header ( header _name ) against a regular expression. Any HTTP request header can be tested, including custom h eaders. T o te st recognized headers, use request.
Proxy SG Content Policy Language Guide 122 request.x_header . header_name .address= T ests if the specified r equest header can be parsed as an IP address ; otherwise, false. If parsing succeeds, then the IP addr ess extracted from the head er is tes ted against the specified IP address .
Chapter 3: Con dition Reference 123 response.header . header_name = T ests the specified response header ( header_name ) against a r egular expr ession. Any recognize d HTTP response he ader can be tested. For custom headers, use respo nse.x_header. header_name = instead.
Proxy SG Content Policy Language Guide 124 response.x_header . header_name = T ests the specified response header ( header_name ) against a r egular expr ession. For HTTP requests, any response header can be tested, including cust om headers. For recognized HTTP headers, use response.
Chapter 3: Con dition Reference 125 ser v er_ur l= T ests if a portion of the URL used in server connecti ons matches the specified criteria. The basic server_url= test attempts to match the complete possib ly-rewritte n request URL against a specified pattern.
Proxy SG Content Policy Language Guide 126 • Applies to all non-administrator transactions. Examples ; Test if the server URL includes this p attern, and block access. ; Relative URLs, such as docs subdirecto ries and pages, will match. server_url=http://www.
Chapter 3: Con dition Reference 127 ;request http://1.2.3.4/ ;request http://mycompany.com/ ; If the reverse DNS fails then the firs t request is not matched <forward> server_url.host.regex=mycompany ; server_url.path tests ; The following server_url.
Proxy SG Content Policy Language Guide 128 soc ks= This condition is true whenever the session for th e current transaction involves SOCKS to the client. The SOCKS=yes trigger is intended as a way to test whether or not a r equest arrived via the SOCKS proxy .
Chapter 3: Con dition Reference 129 soc ks.acceler ated= T ests whether the SOCKS pr oxy will hand off this transaction to other pr otocol agents for acceleration.
Proxy SG Content Policy Language Guide 130 soc ks.method= T ests the SOCKS pr otocol method name associated with the transaction. Syntax socks.method=CONNECT|BIND|UDP_ASSOCIATE Lay er and T ransa ction Notes •U s e i n <Proxy> and <Exception> layers.
Chapter 3: Con dition Reference 131 soc ks.v ersion= T ests whether the version of the SOCKS protocol used to communicate to the cl ient is SOCKS 4/4a or SOCKS 5.
Proxy SG Content Policy Language Guide 132 streaming.client= T ests the client agent associated with the current transaction. Syntax streaming.client=yes|no|windows_media|re al_media|quicktime where: • yes is true if the user agent is r ecognized as a windows media player , real media player or quicktime player .
Chapter 3: Con dition Reference 133 streaming.content= T ests the content of the curr ent transaction to determ ine whether or not it is s treaming media, and to determine the streaming media type.
Proxy SG Content Policy Language Guide 134 time= T ests if the time of day is in the specif ied range or an exact match. The curren t time is determin ed by the Pr oxy SG appliance’s configured clock and time zone by default, although the UTC time zone can be specified by us ing the form time.
Chapter 3: Con dition Reference 135 ; This example restricts the times durin g which certain ; stations can log in with administrativ e privileges. define subnet restricted_stations 10.10.10.4/30 10.10.11.1 end subnet restricted_stations <admin> client.
Proxy SG Content Policy Language Guide 136 tunneled= T ests if the curr ent transaction repr esents a tunneled request. A tunneled request is one of: • TCP tunneled r equest • HTTP CONNECT request • Unaccelerated SOCKS request Note: HTTPS connections to the management console ar e not tunneled for the purposes of this test.
Chapter 3: Con dition Reference 137 url= T ests if a portion of the r equested URL matches the specified criteria. The basic url= test attempts to match the complete request URL against a specifie d pattern. The pattern may include the scheme, host, port, path an d query components of the URL.
Proxy SG Content Policy Language Guide 138 // host : port // host : port / path_query // host / path_query host host : port host : port / path_query host / path_query / path_query • domain_suffix_pa.
Chapter 3: Con dition Reference 139 include a filename extension, such as http://example.com/ and http:// example.com/test . T o test multiple extensions, use pa rentheses and a comma separator (see the Example section below). • regular_expression —A Perl r egular expres sion.
Proxy SG Content Policy Language Guide 140 • .suffix —T est if the s tring pattern is a suffix of the URL or component. The suffix need not match on a boundary (such as a domain component or path directory) within a URL component. Note: .prefix , .
Chapter 3: Con dition Reference 141 slash is always pr esent in the request URL being tested, because the UR L is normaliz ed before any comparison is performed. Unless an .exact , .su bstring , or .regex modifier is used, the pattern specified must include the lead ing ‘ / ’ character .
Proxy SG Content Policy Language Guide 142 If you are testing a lar ge number of URLs using the url.domain= condition, consider the performance benefits of a url.domain definition block or a [url.domain] section (see Chapter 6: "Definit ion Refer ence").
Chapter 3: Con dition Reference 143 ; http://www.example.com <proxy> url.host.is_numeric=yes; ; In the example below we assume that 1. 2.3.4 is the IP of the host mycompany ; The condition will match the following two requests if the reverse DNS was ; successful: ;request http://1.
Proxy SG Content Policy Language Guide 144 user= T ests the authenticated username associated with the transaction. This t rigger is only availa ble if the transaction was authenticated (that is, the authenticate( ) property was set to something other than no , and the proxy_authentication ( ) property was not set to no ).
Chapter 3: Con dition Reference 145 See Also • Conditions: attribute. name = , authentica ted= , group= , has_attribute. name = , http.transparent_authentication= , re alm= , user.domain= •P r o p e r t i e s : authenticate( ) , authenticate.force( ) , check_authorization( ) , deny.
Proxy SG Content Policy Language Guide 146 user .domain= T ests if the client is authenticated, the logged - into realm is an NTLM r ealm, and the domain component of the username is the specifie d domain. If all of these conditions are met, the r esponse will be true.
Chapter 3: Con dition Reference 147 user .x509.issuer= T ests the issuer of the x509 ce rtificate used in authentication to certificate realms. The user.x509.issuer= condition is primarily useful in constructi ng explicit certif icate revocation lists.
Proxy SG Content Policy Language Guide 148 user .x509.seri alNumber= T ests the serial numbe r of the x509 certificate used to authenticate the user against a certificat e realm. The user.x509.serialNumber= condition is primarily useful in constr ucting explicit certificate revocation lists.
Chapter 3: Con dition Reference 149 user .x509.subject= T ests the subject field of the x509 certificate used to authenticate the user ag ainst a certificate realm. The user.x509.subject= condition is primarily use ful in constructing explicit certificate r evocation lists.
Proxy SG Content Policy Language Guide 150 weekda y= T ests if the day of the week is in the spe cified range or an exact match. By default, the Proxy SG appliance’s date is used to de termine the day of th e week. T o specify the UTC time zone, use the form weekday.
Chapter 3: Con dition Reference 151 y ear= T ests i f the year is in the specified range or an exact match. The curr ent year is de termined by the date set on the Pr oxy SG by default. T o specify the UTC time zone, use the form year.utc= . Note that the numeric pattern used to test the year= condition can contain no whitespace.
Proxy SG Content Policy Language Guide 152.
Chapter 4: Proper ty Ref erence A property is a variable that ca n be set to a value. At th e beginning of a transactio n, all pr operties ar e set to their default values. As each layer in the policy is evaluated in sequence, it can set a pr operty to a particular value.
Proxy SG Content Policy Language Guide 154 access_log( ) Selects the access log used for this transaction . Multiple acc ess logs can be selected to recor d a single transaction. Individual access logs are r eferenced by the name given in configuration.
Chapter 4: Property Reference 155 access_ser v er( ) Determines whether the client can receive str eaming co ntent directly from the origin content server or other upstr eam device.
Proxy SG Content Policy Language Guide 156 action( ) Selectively enables or disables a specified define action block. The default value is no. Note: Several define action bl ocks may be enab led for a tra nsaction.
Chapter 4: Property Reference 157 adv er tisement( ) Determines whether to treat the objects at a partic ular URL as banner ads to improve performance.
Proxy SG Content Policy Language Guide 158 allow Allows the transaction to be served. Allow can be overridden by the access_server( ) , deny( ) , force_deny( ) , authenticate( ) , exception( ) , or force_exception( ) pr operties or by the redirect( ) action.
Chapter 4: Property Reference 159 alwa ys_v er ify( ) Determines whether each r equest for the objects at a part icular URL must be verified wi th the origin server . This property pr ovides a URL-specific alternative to the global caching setting always-verify-source .
Proxy SG Content Policy Language Guide 160 authenticate( ) Identifies the r ealm used to au thenticate the user associated with the current transaction.
Chapter 4: Property Reference 161 url.domain = !corporate.com authenticate (OurRealm, “log in for internet access”) The next example illustrates the r elation between authentication and denial. All users outside an allowed subnet are denied before authentication.
Proxy SG Content Policy Language Guide 162 authenticate .f orce( ) This propert y controls th e relation betwe en authentication and deni al. Syntax authenticate.force(yes|no) The default value is no . where: • yes —Makes an authenticate( ) higher priority than deny( ) or exception( ) .
Chapter 4: Property Reference 163 authenticate .mode( ) Using the authentication.mode( ) property selects a combination of challenge type and surr ogate credentials. Challenge type is what kind of challenge (proxy , origin or origin-redirect) is issued.
Proxy SG Content Policy Language Guide 164 • origin-cookie (origin/cookie)—Used in forward pr oxies to support pass-through authentication more secur ely than origin-ip if the client understands cookies. Only the HTTP and HTTPS protocols support cookies; other pr otocols are automati call y downgraded to origin-ip .
Chapter 4: Property Reference 165 authenticate .use_ur l_cookie( ) This property is used to authenticate users wh o have third party cookie s explicitly disabled. Note: W ith a value of yes , if there is a pr oblem loading the page (you get an err or page or you cancel an authentication challenge), the cfauth cookie is displaye d.
Proxy SG Content Policy Language Guide 166 bl o ck_ c at e g o r y ( ) This property has been deprecated. In current CPL, the us e of block_category( category_list ) has be en replaced by category=cat.
Chapter 4: Property Reference 167 b ypass_cache( ) Determines whether the cache is bypassed for a request. If set to yes , the cache is not queried and the response is not stored in the cache. Set to no t o specify the defaul t behavior , which is to follow standar d caching behavior .
Proxy SG Content Policy Language Guide 168 cache( ) Contro ls HTTP and FTP caching behavior . A number of CPL pr operties affect caching behavior . •I f bypass_cache(yes) is set, then the cache is not accessed and the value of cache( ) is irrele vant.
Chapter 4: Property Reference 169 See Also •P r o p e r t i e s : advertisement( ) , always_verify( ) , b ypass_cache( ) , cookie_sensitive( ) , direct( ) , dynamic_bypass , force_cache() , pipeline.
Proxy SG Content Policy Language Guide 170 chec k_author ization( ) In connection with CAD (Caching Authenticated Data) and CP AD (Caching Proxy-Authenticated Data) support, check_authorization( ) is used when you know that the upstr eam device sometimes (not always or never) r equires the us er to authenticate and be authorized for t his object.
Chapter 4: Property Reference 171 content_filter_ov err ide( ) This property has been deprecated. content_filter_override(yes) has two ef fects: • It prevents the r equest from being sent to the of f- box content filter , if off -box content filtering is configured.
Proxy SG Content Policy Language Guide 172 cookie_sensitiv e( ) Used to modify caching behavior by declaring that the object s erved by the request varies based on cookie values. Set to yes to specify this behavior , or set to no for the default behavior , which caches based on HTTP heade rs.
Chapter 4: Property Reference 173 delete_on_abandonment( ) If set to yes , specifies that if all cl ients who may be simult aneously requesting a pa rticular objec t close their connections before the object is delivered, the object fetch fr om the origin server is abandoned, and any prior ins tance of the object is deleted f rom the cache.
Proxy SG Content Policy Language Guide 174 deny( ) Denies service. Denial can be overridden by allow or excep tion( ) . T o deny service i n a way th at cannot be overridden by a subsequent allow , us e force_deny( ) or force_exception( ) . The relation between aut henticate( ) and deny( ) is contro lled by the authenticate.
Chapter 4: Property Reference 175 deny .unauthor ized( ) The deny.unauthorized pr operty instructs the Proxy SG to issue a challenge (401 Unauthorized or 407 Proxy authorization requir ed). This indicates to the client that the resource canno t be accessed with their current identity , but might be accessible using a differ ent identity .
Proxy SG Content Policy Language Guide 176 direct( ) Used to preve nt requests fr om being forwarded to a par ent proxy or SOCKS server , when the Proxy SG is configur ed to forward r equests. When set to ye s , <Forward> layer policy is not evaluated for the transaction.
Chapter 4: Property Reference 177 dynamic_b ypass( ) Used to indicate tha t a particular trans parent r eques t is not to be handled by the proxy , but instead be subjected to Pr oxy SG dynamic bypass methodology .
Proxy SG Content Policy Language Guide 178 e xception( ) Selects a built-in or user -defined res ponse to be returned to the user . The exception( ) property is overridden by allow or deny( ) . T o set an exception that cannot be overridden by allow , use force_excep tion( ) .
Chapter 4: Property Reference 179 e xception.autopad( ) Pad an HTTP exception response by including trailing whitespa ce in the response body so that Content-Length is at lea st 513 characters.
Proxy SG Content Policy Language Guide 180 f orce_cache( ) Used to force caching of HTTP r esponses that would otherwise be considered uncacheable . The default HTTP caching beha vior is restor ed using force_cache(no) .
Chapter 4: Property Reference 181 f orce_deny( ) The force_deny( ) proper ty is similar to deny( ) except that it: • Cannot be overridden by an allo w . • Overrides any pending termina tion (that is, if a deny( ) has already been matched, and a force_deny or force_exception i s subsequently matched, the latter commits.
Proxy SG Content Policy Language Guide 182 f orce_e xception( ) The force_exception( ) pr operty is similar to exception except that it: • Cannot be overridden by an allow .
Chapter 4: Property Reference 183 f orce_patience_page( ) This property pr ovides control over the application of the default patience page logic. Syntax force_patience_page(yes|no) force_patience_page( reason ) force_patience_page.reason(yes|no) force_patience_page[ reason , .
Proxy SG Content Policy Language Guide 184 fo r w a r d ( ) Determines forwarding behavior . There is a box-wide conf iguration setting ( config>forwarding>sequence ) for the default forwarding failover sequence.
Chapter 4: Property Reference 185 f orward.f ail_open( ) Controls whether the Proxy SG terminates or continues to proc ess the request if the specified forwarding host or any de signated back up or defaul t cannot be contacted. There is a box-wide configuration sett ing ( config>forwarding>failure-mode ) for the de fault forward failure mode.
Proxy SG Content Policy Language Guide 186 ftp .ser v er_connection( ) Determines when the contr ol connection to the se rver is established. If set to deferred , the pr oxy defers establishing the control connection to the server . Syntax ftp.server_connection(deferred|immediate ) The default value is immediate.
Chapter 4: Property Reference 187 ftp .ser v er_data( ) Determines the type of data connection to be used with this FTP transaction. Syntax ftp.server_data(auto|passive|port) where: • auto —First attempt a P ASV data connection. If this fails, switch to POR T .
Proxy SG Content Policy Language Guide 188 ftp .transpor t( ) Determines the upstream transport mechanism. This setting is not definitive. It depends on th e capabilities of the se lected for warding host. Syntax ftp_transport(auto|ftp|http) The default value is auto .
Chapter 4: Property Reference 189 http .force_ntlm_f or_ser v er_auth( ) T urns on/of f NTLM cloaking on a per-r equest basi s. Refer to Appendix A: “NTLM and CAASNT” in the Pr oxy SG Configuration and Management Guide for a discussion of NTLM cloaking.
Proxy SG Content Policy Language Guide 190 http .request.version( ) The http.request.version( ) property sets the version of the HTTP protocol to be used in the request to the origin content server or upstr eam pr oxy . Syntax http.request.version(1.0|1.
Chapter 4: Property Reference 191 http .response.v ersion( ) The http.response.version( ) pr operty sets the version of the HTTP protocol to be used in the response to the client's user agent. Syntax http.response.version(1.0|1.1) The default is taken fr om the CLI configuration setting http version , which can be set to either 1.
Proxy SG Content Policy Language Guide 192 icp( ) Determines whether to consult ICP when forwar ding r equests. Any forw ar ding host or SOCKS gateway identified as an ups tream tar get takes precede nce over consulting ICP . Syntax icp(yes|no) The default is yes if ICP hosts ar e configur ed, no otherwise.
Chapter 4: Property Reference 193 im.strip_attachments( ) Determines whether attachments ar e stripped fr om instant messages. If set to yes , attachments are stripped fr om instant messages. Syntax im.strip_attachments(yes|no) The default value is no .
Proxy SG Content Policy Language Guide 194 integr ate_new_hosts( ) Determines whether to add new host addre sses to he alth checks and load balancing. Syntax integrate_new_hosts(yes|no) The default is no .
Chapter 4: Property Reference 195 label( ) This deprecated pr operty is provided for backward compatibility with CacheOS 4.x filter files. For more information, see "action( )" on page 156.
Proxy SG Content Policy Language Guide 196 log.re wr ite. field-id () The log.rewrite. field-id pr operty controls r ewrites of a specific log field in one or more access logs. Individual access l ogs are r eferenced by the name given in configuratio n.
Chapter 4: Property Reference 197 log.suppress. field-id ( ) The log.suppress. field-id ( ) pr operty control s suppression of the specified field-id in one or more access l ogs. Individual access logs are r eferenced by the name given in configuration.
Proxy SG Content Policy Language Guide 198 max_bitrate( ) Enforces upper limits on the instantaneous bandwi dth of the current streaming transaction. This policy is enfor ced during initial connection setup. If the client requests a higher bit rate than al lowed by policy , the request is denied.
Chapter 4: Property Reference 199 ne v er_refresh_bef ore_e xpir y( ) The never_refresh_before_expiry( ) pr operty is similar to the CLI command: SGOS#(config) http strict-expiration ref resh except that it provides per -transaction control to allow overriding the box- wide default set by the command.
Proxy SG Content Policy Language Guide 200 ne v er_ser ve_after_e xpir y( ) The never_serve_after_expiry( ) property is similar to the CLI command: SGOS#(config) http strict-expiration ser ve except that it provides per transaction control to allow overriding the box-wide default set by the command.
Chapter 4: Property Reference 201 patience_page( ) Controls whether or not a patience page can be served, and i f so, the delay interval befor e serving.
Proxy SG Content Policy Language Guide 202 pipeline( ) Determine s whether a n object emb edded within an HTML contain er object is pipeli ned. Set to yes to force pipelining, or set to no to prevent the embedded obje ct from being pipelined. Note that this property af fects pr ocessing of the individual URLs embedded within a container object.
Chapter 4: Property Reference 203 pref etch( ) This deprecated pr operty has been replaced by pipeline( ). For more infor mation, see "pipeline( ) " on page 202.
Proxy SG Content Policy Language Guide 204 reflect_ip( ) Determines how the client IP addr ess is pr esented to the origin server for explicitly proxied r equests. Replac es: • reflect_ip(vip) replaces reflect_vip( yes) . • reflect_ip(auto) r eplaces reflect_vip(no) .
Chapter 4: Property Reference 205 reflect_ vip( ) This depre cated syntax has been replaced by the reflect_ip( ) pr operty . For more information, see "reflect_ip( )" on page 204.
Proxy SG Content Policy Language Guide 206 refresh( ) Controls r efreshing of r e quested objects. Set to no to pr event refr eshing of the object if it is cached. Set to yes to allow the cache to behave normally . Syntax refresh(yes|no) The default value is yes .
Chapter 4: Property Reference 207 remov e_IMS_from_GET( ) The remove_IMS_from_GET( ) pr operty is similar to the CLI command: SGOS#(config) http substitute if-modifie d-since except that it provides per transaction control to allow overriding the box-wide default set by the command.
Proxy SG Content Policy Language Guide 208 remov e_PNC _from_GET( ) The remove_PNC_from_GET pr operty is similar to the CLI command: SGOS#(config) http substitute pragma-no- cache except that it provides per transaction control to allow overriding the box-wide default set by the command.
Chapter 4: Property Reference 209 remov e_reload_from_IE_GET( ) The remove_reload_from_IE_GET( ) pr operty is similar to the CLI command: SGOS#(config) http substitute ie-reload except that it provides per transaction control to override the box-wide def ault set by the command.
Proxy SG Content Policy Language Guide 210 request.filter_ser vice( ) Controls whether the request is pr ocessed by an external content filter service.
Chapter 4: Property Reference 211 url.address=10.0.0.0/8 ; don't filter i nternal network client.address=10.1.2.3 ; don't filter this client See Also •T h e P r o x y SG Command L ine Reference for information on configurin g W ebsense off-box servi ces.
Proxy SG Content Policy Language Guide 212 request.icap_ser vice( ) Determines whether a r equest fr om a client should be pr ocessed by an external ICAP service before going out. T ypical applications include content fi ltering and virus scanni ng. Syntax request.
Chapter 4: Property Reference 213 response.icap_service( ) De te r mi ne s w h et he r a res p on se to a cl ie nt req u es t i s f i rs t s en t t o a n IC AP se r vi ce be f ore be in g g i ve n t o the client. Depending on the ICAP service, the response may be allowed, denied , or altered.
Proxy SG Content Policy Language Guide 214 ser vice( ) This depre cated syntax has been replaced by the allow , deny( ) and exception( ) pr operties..
Chapter 4: Property Reference 215 soc ks.acceler ate( ) The socks.accelerate pr operty controls the SOCKS pr oxy handoff to othe r protocol agents. Syntax socks.
Proxy SG Content Policy Language Guide 216 soc ks.authenticate( ) The same realms can be used for SOCKS proxy au thentication as can be used for regular pr oxy authentication. This form of authentica tion applies only to SOCKS transactions. The regular au thenticate( ) property does not apply to SOCK S transactions.
Chapter 4: Property Reference 217 soc ks.authenticate .f orce( ) This property controls the r elation be tween SOCKS authentication and denial. Syntax socks.authenticate.force(yes|no) The default value is no . where: • yes —Makes socks.authenticate( ) higher priority than deny( ) or exception( ) .
Proxy SG Content Policy Language Guide 218 soc ks_gatew a y( ) Controls whether or not the request associated with the current transaction is sent thr ough a SOCKS gateway . There is a box-wide configuration sett ing ( config>socks-gateways>sequence ) for the de fault SOCKS gateway failover sequence.
Chapter 4: Property Reference 219 soc ks_gatew a y .f ail_open( ) Controls whether the Proxy SG terminates or continues to proces s the request if the specified SOCKS gateway or any de signated backup or default cannot be contacted.
Proxy SG Content Policy Language Guide 220 streaming.transpor t( ) Determines the upstream transport mechanism to be u sed for this streaming transaction. T his setting is not definitive. The ability to use the specified transport mechanis m depends on the capabilities of the selected forwar ding host.
Chapter 4: Property Reference 221 ter minate_connection( ) The terminate_connection( ) pr operty is used in an <Exception> layer to dr op the connection rather than return the exception r esponse. The yes option terminates the connection instead of returning the r esponse.
Proxy SG Content Policy Language Guide 222 trace .destination( ) Used to change the default path to the trace output file. By default, policy ev aluation trace output is written to an object in the cache accessibl e using a console URL of the following form: http:// ProxySG_IP_address :8081/Policy/Tr ace/ path Syntax trace.
Chapter 4: Property Reference 223 trace .request( ) Determines whether detailed trace output is genera te d for the current reque st. The default value is no , which produces no output. T r ace output is generate d at the end of a request, and includ es request parameters, property settings, and the ef fects of all actions taken.
Proxy SG Content Policy Language Guide 224 trace .rules( ) Determines whether trace output is generated show ing policy rule evaluation for the transaction. By default, trace output is written to an object accessible using the following console URL: http:// ProxySG_IP_address :8081/Policy/Tr ace/default_trace.
Chapter 4: Property Reference 225 ttl( ) Sets the time-to-live (TTL) value of an object in the cache, in seconds. Upon expiration, the cached copy is considered stale and will be re-obtained fr om the origin server when next accessed.
Proxy SG Content Policy Language Guide 226 ua_sensitiv e( ) Used to modify caching behavior by declaring that the response for a given object is expected to vary based on the user agent used to r etrieve the object. Set to yes to specify this behavior .
Chapter 5: Action Ref erence An action takes arguments and is wrapped in a user -named action definition block. When the action definition is called fr om a policy rule, any actions it contains operate on th eir respective arguments. W ithin a rule, named action definitions are enabled and disabled using the action( ) property .
Proxy SG Content Policy Language Guide 228 append( ) Appends a new component to the specified head er . Note: An err or results if two head er modification actions modify the same header . This r esults in a compile time error if the conflicting actions ar e within the same action definition block.
Chapter 5: Action Refe rence 229 delete( ) Deletes all compone nts of the specified header . Note: An err or results if two header modification actions modify the same head er . The error is noted at compile time if the conflicting actions ar e within the same action definition block.
Proxy SG Content Policy Language Guide 230 delete_matching( ) Deletes all components of the specified header that contain a substring matchi ng a regular -expression pattern. Note: An error r esults if two header modification acti ons modify the same header .
Chapter 5: Action Refe rence 231 im.aler t( ) Deliver a message in-band to the instant messaging user . The text appears in the instant message window . This action is similar to log_message( ) , except that it appends entries to a list in the instant messaging transaction that the IM protocol r enders in an appropriate way .
Proxy SG Content Policy Language Guide 232 log_message( ) W rites the specified string to the Proxy SG event log. Events generated by log_message( ) ar e viewed by selecting the Policy messages event logging level in the Management Console. Note: This is independent of acce ss logging.
Chapter 5: Action Refe rence 233 notify_email( ) Sends an email notif ication to the list of r ecipients specified in the Event Log mail configuration. The sender of the email appears as Primary_ProxySG_IP_address - configured_appliance_hostname >.
Proxy SG Content Policy Language Guide 234 notify_snmp( ) Multiple notify_snmp actions may be specified, resulting in multiple SNMP traps for a s ingle transaction. The SNMP trap is sent when the transaction terminates. Syntax notify_snmp( message ) where messag e is a quoted string that ca n optionally include one or mor e variable su bstitutions.
Chapter 5: Action Refe rence 235 redirect( ) Ends the current HTTP transaction and r eturns an HTTP r edirect r esponse to the client by setting the policy_redirect exception.
Proxy SG Content Policy Language Guide 236 replace( ) This depre cated action has been replaced by rewrite( ) . For more information, see "rewrite( )" on page 237.
Chapter 5: Action Refe rence 237 re wr ite( ) Rewrites the r equest URL, URL host, or componen ts of the specified header if it matches the regular-expr ession pattern. This action is often us ed in conjunction with the URL rewr ite form of the transform acti on in a server portal application.
Proxy SG Content Policy Language Guide 238 URL is considered complete, and replaces any URL that contains a su bstring matching the regex_pattern substring. Sub-patterns of the regex_pattern matched can be substituted in replacement_url using the $( n ) syntax, where n is an integer fr om 1 to 32, specifyi ng the matched sub-pattern.
Chapter 5: Action Refe rence 239 See Also • Actions: append( ) , delete( ) , delete_match ing( ) , redirect( ) , set( ) , transform • Conditions: request.header. header_name = , request.header. header_name .address= , request.x_header. header_name = , request.
Proxy SG Content Policy Language Guide 240 set( ) Sets the specified header to the specified string after delet ing all components of the header . Note: An error r esults if two header modification acti ons modify the same header . The err or is noted at compile time if the conflicting actions ar e within the same action definition block.
Chapter 5: Action Refe rence 241 Discussion An y c h an ge t o t he se rv er f or m o f t h e re qu es t U R L m us t be res pe ct ed b y p ol ic y co nt rol l in g u ps tre a m connections. The server form o f the URL is tested by the server_url= conditions, which ar e the only URL tests al lowed in <Forward> layers.
Proxy SG Content Policy Language Guide 242 transf or m Invokes an active content or URL rewrite transformer . The invoked transformer takes effect only if the transform action is used in a define ac tion definition block, and that block is in turn enabled by an action( ) property .
Chapter 5: Action Refe rence 243 See Also • Properties: action( ) • Definitions: define action , transform a ctive_content , transform url.rewrite.
Proxy SG Content Policy Language Guide 244 virus_check( ) This depre cated action sends the r equested do cument to a virus scanning ser ver . For more information, see "r esponse.
Chapter 6: Definition Ref erence In policy files, definitions serv e to bind a set of conditions, ac tions, or transformations to a user-defined labe l.
Proxy SG Content Policy Language Guide 246 define action Binds a user -defined label to a sequence of action statements. The action( ) pr operty has synt ax that allows for individual action de finition blocks to be enabled and disabled independ ently , based on the policy evaluation for the transaction.
Chapter 6: Definition Reference 247 • Definitions: transform active_content , transform url_rewrite • Chapter 5: "Action Refer ence"..
Proxy SG Content Policy Language Guide 248 define activ e_content Defines rules for removing or r eplacing active cont ent in HTML or ASX docu ments. This definition takes ef fect only if it is invoke.
Chapter 6: Definition Reference 249 Lay er and T ransa ction Notes • Applies to proxy transactions. • Only alph anumeric, und erscore, dash, and slas h characters can be used with the defin e action name. Example <proxy> url.domain=!my_site.
Proxy SG Content Policy Language Guide 250 define categor y Category definitions are used to extend vendor content categories or to create your own. The category_name definition can be used anywher e a conten t filter category name would normally be used, including in catego ry= test s.
Chapter 6: Definition Reference 251 sportsworld.com category=football ; include subcategory end define category football nfl.com cfl.ca end The following policy need s only to ref er to the sports cat.
Proxy SG Content Policy Language Guide 252 define condition Binds a user -defined label to a set of conditions for use in a condition= expr ession. For condition definitions, the manner in which the condition expressions are listed is significant.
Chapter 6: Definition Reference 253 define condition extension_low_risk ; fi le types assumed to be low risk. url.extension=(asf,asx,gif,jpeg,mov,m p3,ram,rm,smi,smil,swf,txt,wax,wma,wmv,wvx) end define condition internal_prescanned ; will be prescanned so we can assum e safe server_url.
Proxy SG Content Policy Language Guide 254 define domain This depre cated syntax has been replaced by the url.domain condition. For mor e information see "define url.
Chapter 6: Definition Reference 255 define ja v ascr ipt A javascript definition is used to define a javascript transformer , which adds javascrip t that you supply to HTML responses.
Proxy SG Content Policy Language Guide 256 See Also •A c t i o n s : transform • Definitions: define action •P r o p e r t i e s : action ( ).
Chapter 6: Definition Reference 257 define prefix condition This depre cated syntax has been replaced by th e define url condition. For mor e information see "define url condition" on page 261.
Proxy SG Content Policy Language Guide 258 define ser ver_url.domain condition Binds a user-defined label to a set of domain-s uffix patterns for use in a condition= expr ession. Using this definition block allows you to quickl y test a large set of server_url.
Chapter 6: Definition Reference 259 affinityclub.example.com end <Forward> condition=!allowed access_server(no) See Also Condition: condition= , server_url.
Proxy SG Content Policy Language Guide 260 define subnet Binds a user-defi ned label to a set of IP addresses or IP subnet patterns. Use a subnet definiti on label with any of the conditions th at test part of the transaction as an IP address, including: client.
Chapter 6: Definition Reference 261 define url condition Binds a user -defined label to a set of URL pr efix patterns for use in a condition= expression.
Proxy SG Content Policy Language Guide 262 timing restrictions for the defined condition will depend on the layer and timing restrictions of the contained expressions. The conditio n= condi tion is on e of the ex pressions th at can be included in the body of a define url condition definition block, following a URL patter n.
Chapter 6: Definition Reference 263 define url.domain condition Binds a user -defined label to a set of domain-suf fix patterns for us e in a condition= expressi on. Using this def inition block allows y ou to test a lar ge set of serv er_url.domain= conditions very quickly .
Proxy SG Content Policy Language Guide 264 See Also • Condition: condition= , server_url.domain= • Definitions: define url condition , define server_url.
Chapter 6: Definition Reference 265 define url_rewrite Defines rules f or rewriting URLs embedded in tags within HTML, CSS, JavaScript or ASX documents. This transformer takes ef fect only if it is also invoked by a transfor m action in a define action definition block, and that block is in turn called fr om an action( ) pr operty .
Proxy SG Content Policy Language Guide 266 • server_url_substring —A string that, if found in the serv er URL, will be r eplaced by the client_url_substring . The comparison is done against original normalized URLs embedded in the document. Note: Both client_url_substring and server_url_substring ar e literal strings.
Chapter 6: Definition Reference 267 restrict dns This definition r estricts DNS lookups and is useful in installations wher e access to DNS resolution is limited or problematic. The definition has no name beca use it is not directly r eferenced by any rules.
Proxy SG Content Policy Language Guide 268 restrict rdns This definition r estricts reverse DNS lookups and is useful in i nstallations where acces s to reverse DNS resolution is limited or pr oblema tic. The definition has no name. It is global to po licy evaluatio n and is not directly referenced by any rules.
Chapter 6: Definition Reference 269 transf or m activ e_content This depre cated syntax has been replaced by define active_content . For more inf ormation see "define active_content" on page 248.
Proxy SG Content Policy Language Guide 270 transf or m url_rewrite This depre cated syntax has been r eplaced by define url_rewrite . For more inform ation see "define url_rewrite" on page 265.
Appendix A: Glossar y actions A class of definitions. CPL has two gene ral classes of actions: request or response modifications and notifications. An act ion takes arguments (such as the portion of the request or r esponse to modify) and is wrapped in a named action defi nition block.
Proxy SG Content Policy Language Guide 272 Forwar d Policy File A file you cr eate or that mi ght be created during an upgrade from prior SGOS versions, and that you maintain to supplement any policy descri bed in th e other three policy files. It is normally used for forwar ding policy .
Appendix A: Glossary 273 resp on se transformation a modification of the object being returned. This modification can be to either the protocol headers associat ed with the r esponse sent to the client, or a transformation of the object contents itself, such as the r e moval of active content fr om HTML pages.
Proxy SG Content Policy Language Guide 274.
Appendix B: T esting and T roub leshooting If you are experiencing pr oblems with your policy files or would like to monitor evaluation for brief periods of time, consider using the po licy tracing capabilities of the policy la nguage. Tr a c i n g allows you to examine how the Proxy SG policy is applied to a part icular request.
Proxy SG Content Policy Language Guide 276 Enabling Request T racing Use the trace.request( ) pr operty to enable request tracing. Request tracing l ogs a summary of information about the transaction: r equest parameter s , property settings, and th e effects of all actions taken.
Appendix B: Testing and Troubleshoo ting 277 Here ar e the relevant policy r equirements to be expresse d: • DNS lookups are r estricted except for a site being hosted. • There is no access to reverse DNS so that is completely restricted. • Any requests not addr essed to the hosted site ei ther by name or subnet should be r ejected.
Proxy SG Content Policy Language Guide 278 1 start transaction ------------------ ------------ 2 CPL Evaluation Trace: 3 <Proxy> 4 MATCH: trace.rules(all) trace.request(yes) 5 <Proxy> 6 miss: url.domain=!//my_site.com/ 7 miss: url.address=!my_subnet 8 <Proxy> 9 n/a : ftp.
Appendix B: Testing and Troubleshoo ting 279 The following is a trace of the same p olicy , but f or a transaction in which the request URL has an IP addres s instead of a hostname. 1 start transaction ------------------ ------------ 2 CPL Evaluation Trace: 3 <Proxy> 4 MATCH: trace.
Proxy SG Content Policy Language Guide 280 Policy: Action discarded, 'set_header_1' conflicts with an action already committed The conflict is re flected in the following trace of a r equest for //www.my_site.com/home.html : 1 start transaction ------------------------------ 2 CPL Evaluation Trace: 3 <Proxy> 4 MATCH: trace.
Appendix C: Recogniz ed HTTP Headers The tables pr ovided in this appendix list all recogni zed HTTP 1.1 headers and indicate how the Proxy SG is able to interact wi th them.
Proxy SG Content Policy Language Guide 282 The following table lists custom he ader s that are r ecognized by the Proxy SG . If-Match Request X If-Modified-Since R equest If-None-Match Request X If-Ra.
Appendix D: CPL Substitutions This appendix lists all su bstitution variables avail able in CPL. T o use a variable in CPL, it is expressed as: $(<field-id> , s uch as $(cs-bodylength). For fields that have bo th ELFF and CPL tokens, ei ther token can be used.
Proxy SG Content Policy Language Guide 284 sr-bytes Number of bytes sent fr om appliance to upstream host. sr-headerlength Number of bytes in the header sent from appliance to upstream host. Category: connection ELFF CPL Description cs-ip proxy.address IP addr ess of the destination of the client's connection.
Appendix D: CPL Substitutions 285 x-bluecoat- transaction-id transaction.id Unique per -request identifier generated by the appliance (note: this value is not unique across multiple appliances). x-bluecoat-appliance- name appliance.name Configured name of the appli ance.
Proxy SG Content Policy Language Guide 286 cs-version request.version Protocol and version fr om the client's request; for exam ple, HTTP/1.1. x-bluecoat-proxy-via- http-version proxy.via_http_version D efault HTTP protocol v ersion of the appliance without protocol decoration (e.
Appendix D: CPL Substitutions 287 x-bluecoat-special-esc esc Resolve s to the esc ape charact er (ASCII HEX 1B). x-bluecoat-special-gt gt The gr eater-than characte r . x-bluecoat-special-lf lf The line feed character . x-bluecoat-special-lt lt The less-than characte r .
Proxy SG Content Policy Language Guide 288 x-bluecoat-surfcontrol- reporter-id Specialized value for SurfControl reporter . x-bluecoat-websense- category-id The W e bsense specific content category ID. x-bluecoat-websense- keyword The W ebsense specific keywo rd.
Appendix D: CPL Substitutions 289 x-patience-url patience_url The url to be requested for mor e patience information. x-virus-id Identif ier of a virus if one was det ected. Category: streaming ELFF CPL Description x-cs-streaming-client streaming.client T ype of streaming client in use (windows_media, r eal_media, or quicktim e).
Proxy SG Content Policy Language Guide 290 x-bluecoat-day day Localtime day (as a number) formatted to take up two spaces; for example, 07 for the 7th of the month. x-bluecoat-hour hour Localtime hour formatted to always take up two spaces; for example, 01 for 1AM.
Appendix D: CPL Substitutions 291 cs-uri-hostname log_url.hostname Hostname fr om the 'log' URL. RDNS is used if the URL uses an IP addr ess. cs-uri-path log_url.path Path from the 'log' UR L. Doe s not include query . cs-uri-pathquery log_url.
Proxy SG Content Policy Language Guide 292 sr-uri-query server_url.query Query from the u pstream request URL . sr-uri-scheme server_url.scheme Scheme fr om the URL used in the upstream req u es t. sr-uri-stem Path from the upstr eam request URL s-uri cache_url The URL used for cache access.
Appendix D: CPL Substitutions 293 Category: user ELFF CPL Description cs-auth-group group One group that an auth enticated client is a member of. The group selected is determined by either a group.log_order definition in policy or the order gr oups are refer enced in policy cs-auth-groups groups Groups that a n authenticated client is a member of.
Proxy SG Content Policy Language Guide 294 cs(Accept-Language) request.header.Accep t- Language Request header: Accept-Langua ge cs(Accept-Ranges) request.header.Accep t- Ranges Request header: Accept-Range s cs(Age) request.header.Age Request header: Age cs(Allow) request.
Appendix D: CPL Substitutions 295 cs(If-Unmodified- Since) request.header.If- Unmodified-Since Request header: If-Unmodified-Since cs(Last-Modified) request.header.Last- Modified Request header: Las t-Modified cs(Location) request.header.Location Reque st header: Location cs(Max-Forwards) request.
Proxy SG Content Policy Language Guide 296 cs(X-Forwarded-For) request.header. X-Forwarded-For Request header: X-Forwar ded-For Category: si_response _header ELFF CPL Description rs(Accept) response.header.Accept Response header: Accept rs(Accept-Charset) response.
Appendix D: CPL Substitutions 297 rs(From) response.header.From Re sponse header: From rs(Front-End-HTTPS) response.header. Front-End-HTTPS Response header: Fr ont-End-HTTPS rs(Host) response.header.Host Re sponse header: Host rs(If-Match) response.header.
Proxy SG Content Policy Language Guide 298 rs(Vary) response.header.Vary Response header: V ary rs(Via) response.header.Via Response header: V ia rs(WWW-Authenticate) response.header. WWW-Authenticate Response header: WW W -Authenticate rs(Warning) response.
Appendix E: Filter File Syntax This appendix provides a summary of the syntax and evaluation order used in CacheOS version 4. x filter files. While it is recommended that you conver t any filter fil e to take advantage of the policy features of Pr oxy SG , it is possib le to use a CacheOS 4.
Proxy SG Content Policy Language Guide 300 Filter-P ar t Components The filter part of a filter file can cont ain the following: • Filters that are not part of a section •S e c t i o n s • ALL s.
Appendix E: Filter File Syntax 301 • The only condition available in filter lines is the acl= condition, which is a synonym for the CPL condition client.
Proxy SG Content Policy Language Guide 302 ALL Statements An ALL st atement is a line begi nning with the keyword ALL , f o l l o w e d b y z e ro o r m o r e c o n di ti on s a nd property settings . There ar e two conditions available in an ALL statement: acl= and protocol=.
Appendix E: Filter File Syntax 303 • protocol= value — An optional protocol= condition expr ession. A vailable values ar e http , https , ftp , mms , rtsp , tcp , aol-im , msn-im , or yahoo-im . For detai ls, see "url=" on page 137. • property=value — An optional property setting.
Proxy SG Content Policy Language Guide 304 While prefix-pattern filters are commonly used outside of any s ection, the Prefix section is pr ovided t o help differ entiate these type of filters when domain -suf fix and r egular-expr essi on filters are also used.
Appendix E: Filter File Syntax 305 • The domain-suffix filter http://company.com/ denies service to all URLs where compan y.com is a pr oper super-domain and any path r elative to th e matched domain, including the null path. For example, service is denied to the URL http://www.
Proxy SG Content Policy Language Guide 306 Ev aluation Order CacheOS 4. x filter files have a differ ent orde r of evaluation than CPL files. A compiled fi lter file behaves as if it had a single [Prefix] section, a single [Domain-Suffix] section, and a single [Regular-Expression] section.
Appendix F: Upgr ading from CacheOS When upgrading from CacheOS version 4. x to the Proxy SG , the default policy files are cr eated as follows: • The CacheOS 4. x central filter f ile is copied to the Pr oxy SG central policy file with no changes. • The CacheOS 4.
Proxy SG Content Policy Language Guide 308 For the CPL compiler , the corr ect filter will be sele cted at run time based on the ACL if the filters are distin guished by having dif ferent ACL conditions.
Inde x A <Admin> layers, understanding 37 access_log( ) property 154 access_server() property 155 action definition block 246 action part, filter file 30 5 action.
Proxy SG Configuration and Management Guide 310 D date= condition 67 day= condition 68 define acl definition block, filter fi le 303 define action definition block 246 define category definiti on 250 define condition definition block 252 define prefix condition definition block 257 , 261 define server_url.
Index 311 H has_attribute.name= condition 74 has_client= condition 76 hour= condition 77 HTTP cache transactions 36 http.method= condition 79 http.request.version( ) property 190 http.request.version=condition 80 http.response.code=condition 81 http.response.
Proxy SG Configuration and Management Guide 312 rules, conflicting 47 statistics, example 276 testing 275 tips on writing 44 troubleshooting 275 whitelists 45 policy ix authentication/denial, setting .
Index 313 Q quoting, understanding 22 R realm= condition 112 redirect() action 235 references related Blue Coat documentation x referential integrity, understa nding 26 reflect_ip( ) property 204 reflect_vip( ) property.
Proxy SG Configuration and Management Guide 314 T time= condition 134 timing in layers, understanding 41 understanding 36 trace.destination( ) 276 trace.destination( ) property 222 trace.request( ) property 22 3 trace.rules enabling 275 trace.rules() property 224 trace.
Een belangrijk punt na aankoop van elk apparaat Blue Coat Systems Proxy SG (of zelfs voordat je het koopt) is om de handleiding te lezen. Dit moeten wij doen vanwege een paar simpele redenen:
Als u nog geen Blue Coat Systems Proxy SG heb gekocht dan nu is een goed moment om kennis te maken met de basisgegevens van het product. Eerst kijk dan naar de eerste pagina\'s van de handleiding, die je hierboven vindt. Je moet daar de belangrijkste technische gegevens Blue Coat Systems Proxy SG vinden. Op dit manier kan je controleren of het apparaat aan jouw behoeften voldoet. Op de volgende pagina's van de handleiding Blue Coat Systems Proxy SG leer je over alle kenmerken van het product en krijg je informatie over de werking. De informatie die je over Blue Coat Systems Proxy SG krijgt, zal je zeker helpen om een besluit over de aankoop te nemen.
In een situatie waarin je al een beziter van Blue Coat Systems Proxy SG bent, maar toch heb je de instructies niet gelezen, moet je het doen voor de hierboven beschreven redenen. Je zult dan weten of je goed de alle beschikbare functies heb gebruikt, en of je fouten heb gemaakt die het leven van de Blue Coat Systems Proxy SG kunnen verkorten.
Maar de belangrijkste taak van de handleiding is om de gebruiker bij het oplossen van problemen te helpen met Blue Coat Systems Proxy SG . Bijna altijd, zal je daar het vinden Troubleshooting met de meest voorkomende storingen en defecten #MANUAl# samen met de instructies over hun opplosinge. Zelfs als je zelf niet kan om het probleem op te lossen, zal de instructie je de weg wijzen naar verdere andere procedure, bijv. door contact met de klantenservice of het dichtstbijzijnde servicecentrum.