Blue Coat Systems ProxySG Content Policy Language Guide

Supported Browsers
The ProxySG Management Console supports Microsoft® Internet Explorer 5 and 6, and Netscape® Co

im.message.type=
Tests the message type of an instant messaging transaction.
Syntax
im.message.type=text|invite|v

Chapter 3: Condition Reference

im.method=
Tests the method associated with the instant messaging transaction.
Syntax
im.method=open|create|join|join_u

im.user_id=
Tests the user_id associated with the instant messaging transaction.
Syntax
im.user_id[.case_sensitiv

live=
Tests if the streaming content is a live stream.
Syntax
live=yes|no
Layer and Transaction Notes
• Use in <Cache>

method=
Tests the protocol method name associated with the transaction. Appropriate method names depend on the

Examples
<proxy>
http.method=GET response.header.Pragma="no-cache" deny
; This example is applicable to a bla

minute=
Tests if the minute of the hour is in the specified range or an exact match. By default, the ProxySG ap

month=
Tests if the month is in the specified range or an exact match. By default, the ProxySG appliance's date and ti

protocol=
The protocol= condition has been deprecated in favor of url.scheme=. For more information see "u

proxy.address=
Tests the destination address of the arriving IP packet. The expression can include an IP address or su
proxy.card=
Tests the ordinal number of the network interface card (NIC) used by a request. Replaces: proxy_car

proxy.port=
Tests if the IP port used by a request is within the specified range or an exact match. The numeric pattern

realm=
Tests if the client is authenticated and if the client has logged into the specified realm. If both of t

• Properties: authenticate( ), authenticate.force( ), check_authorization( )

release.id=
Tests the release ID of the ProxySG software. The release ID of the ProxySG software currently runn

release.version=
Tests the release version of the ProxySG software. The release version of the ProxySG software curren

request.header.header_name=
Tests the specified request header (header_name) against a regular expression. Any

request.header.header_name.address=
Tests if the specified request header can be parsed as an IP address; otherwise, f

request.header.Referer.url=
Tests if the URL specified by the Referer header matches the specified criteria. The

; Relative URLs, such as docs subdirectories and pages, will match.
deny request.header.Referer.url=http://www.example
<proxy>
request.header.Referer.url.host.regex=mycompany
; request.header.Referer.url.path tests
; The follo

request.x_header.header_name=
Tests the specified request header (header_name) against a regular expression. Any HTTP

request.x_header.header_name.address=
Tests if the specified request header can be parsed as an IP address; oth

response.header.header_name=
Tests the specified response header (header_name) against a regular expression. Any recog

response.x_header.header_name=
Tests the specified response header (header_name) against a regular expression.

server_url=
Tests if a portion of the URL used in server connections matches the specified criteria. The basic server_

• Applies to all non-administrator transactions.
Examples
; Test if the server URL includes this pattern, and bl

; request http://1.2.3.4/
; request http://mycompany.com/
; If the reverse DNS fails then the first request

socks=
This condition is true whenever the session for the current transaction involves SOCKS to the client. Th

socks.accelerated=
Tests whether the SOCKS proxy will hand off this transaction to other protocol agents for accelera
socks.method=
Tests the SOCKS protocol method name associated with the transaction.
Syntax
socks.method=CONNECT|

socks.version=
Tests whether the version of the SOCKS protocol used to communicate to the client is SOCKS 4/4a or SOCK

streaming.client=
Tests the client agent associated with the current transaction.
Syntax
streaming.client=yes|no|

streaming.content=
Tests the content of the current transaction to determine whether or not it is streaming media, and

time=
Tests if the time of day is in the specified range or an exact match. The current time is determined by t

; This example restricts the times during which certain
; stations can log in with administrative privileges.
define su

tunneled=
Tests if the current transaction represents a tunneled request. A tunneled request is one of:
• TCP tu

url=
Tests if a portion of the requested URL matches the specified criteria. The basic url= test attempts to match the

//host:port
//host:port/path_query
//host/path_query
host
host:port
host:port/path_query
host/path_query
/path_query

include a filename extension, such as http://example.com/ and http://example.com/test. To test multiple extensions, u
• .suffix—Test if the string pattern is a suffix of the URL or component. The suffix need not match on a bound

slash is always present in the request URL being tested, because the URL is normalized before any comparison is perfo

If you are testing a large number of URLs using the url.domain= condition, consider the performance benefits o

; http://www.example.com
<proxy>
url.host.is_numeric=yes
;
; In the example below we assume that 1.2.3.4 is the IP

user=
Tests the authenticated username associated with the transaction. This trigger is only available if the t

See Also
• Conditions: attribute.name=, authenticated=, group=, has_attribute.name=, http.transparent_authentication=,

user.domain=
Tests if the client is authenticated, the logged-into realm is an NTLM realm, and the domain compo

user.x509.issuer=
Tests the issuer of the x509 certificate used in authentication to certificate realms. The user.x509

user.x509.serialNumber=
Tests the serial number of the x509 certificate used to authenticate the user against a

user.x509.subject=
Tests the subject field of the x509 certificate used to authenticate the user against a certificate
weekday=
Tests if the day of the week is in the specified range or an exact match. By default, the ProxySG appl

year=
Tests if the year is in the specified range or an exact match. The current year is determined by the date set on
Chapter 4: Property Reference

A property is a variable that can be set to a value. At the beginning of a transaction, all properties are set to their d

access_log( )
Selects the access log used for this transaction. Multiple access logs can be selected to record

access_server( )
Determines whether the client can receive streaming content directly from the origin content server o

action( )
Selectively enables or disables a specified define action block. The default value is no.
Note: Seve

advertisement( )
Determines whether to treat the objects at a particular URL as banner ads to improve performance. If

allow
Allows the transaction to be served. Allow can be overridden by the access_server( ), deny( ), force_deny

always_verify( )
Determines whether each request for the objects at a particular URL must be verified with the origin
authenticate( )
Identifies the realm used to authenticate the user associated with the current transaction. Aut

url.domain = !corporate.com authenticate(OurRealm, "log in for internet access")
The next example illustrates the relat

authenticate.force( )
This property controls the relation between authentication and denial.
Syntax
authenticate

authenticate.mode( )
Using the authenticate.mode( ) property selects a combination of challenge type and surrogate cr

• origin-cookie (origin/cookie)—Used in forward proxies to support pass-through authentication more securely t

authenticate.use_url_cookie( )
This property is used to authenticate users who have third party cookies explicitly disa

block_category( )
This property has been deprecated. In current CPL, the use of block_category(category_list) h

bypass_cache( )
Determines whether the cache is bypassed for a request. If set to yes, the cache is not queried and th

cache( )
Controls HTTP and FTP caching behavior. A number of CPL properties affect caching behavior.
• If bypas

See Also
• Properties: advertisement( ), always_verify( ), bypass_cache( ), cookie_sensitive( ), direct( ), dynamic_bypa
check_authorization( )
In connection with CAD (Caching Authenticated Data) and CPAD (Caching Proxy-Authenticate

content_filter_override( )
This property has been deprecated. content_filter_override(yes) has two effects:
• It preven

cookie_sensitive( )
Used to modify caching behavior by declaring that the object served by the request varies

delete_on_abandonment( )
If set to yes, specifies that if all clients who may be simultaneously requesting a particular

deny( )
Denies service. Denial can be overridden by allow or exception( ). To deny service in a way that cannot

deny.unauthorized( )
The deny.unauthorized property instructs the ProxySG to issue a challenge (401 Unauthorized or 407

direct( )
Used to prevent requests from being forwarded to a parent proxy or SOCKS server, when the ProxySG is

dynamic_bypass( )
Used to indicate that a particular transparent request is not to be handled by the proxy, but instead

exception( )
Selects a built-in or user-defined response to be returned to the user. The exception( ) property i

exception.autopad( )
Pad an HTTP exception response by including trailing whitespace in the response body so that Conte
force_cache( )
Used to force caching of HTTP responses that would otherwise be considered uncacheable. The def

force_deny( )
The force_deny( ) property is similar to deny( ) except that it:
• Cannot be overridden by an allow.
• Ove

force_exception( )
The force_exception( ) property is similar to exception except that it:
• Cannot be overridde

force_patience_page( )
This property provides control over the application of the default patience page logic.
Syntax
fo

forward( )
Determines forwarding behavior. There is a box-wide configuration setting (config>forwarding>se

forward.fail_open( )
Controls whether the ProxySG terminates or continues to process the request if the specified forwa

ftp.server_connection( )
Determines when the control connection to the server is established. If set to deferre

ftp.server_data( )
Determines the type of data connection to be used with this FTP transaction.
Syntax
ftp.server_data(a

ftp.transport( )
Determines the upstream transport mechanism. This setting is not definitive. It depends on the

http.force_ntlm_for_server_auth( )
Turns on/off NTLM cloaking on a per-request basis. Refer to Appendix A: "NTLM and CA

Chapter 1: Overview of Content Policy Language

The Content Policy Language (CPL) is a programming language with its own concepts and rules that you mus

http.request.version( )
The http.request.version( ) property sets the version of the HTTP protocol to be used i

http.response.version( )
The http.response.version( ) property sets the version of the HTTP protocol to be used in the

icp( )
Determines whether to consult ICP when forwarding requests. Any forwarding host or SOCKS gateway identif

im.strip_attachments( )
Determines whether attachments are stripped from instant messages. If set to yes, attachments

integrate_new_hosts( )
Determines whether to add new host addresses to health checks and load balancing.
Syntax
i

label( )
This deprecated property is provided for backward compatibility with CacheOS 4.x filter files. For more infor

log.rewrite.field-id( )
The log.rewrite.field-id property controls rewrites of a specific log field in one or m

log.suppress.field-id( )
The log.suppress.field-id( ) property controls suppression of the specified field-id in one o

max_bitrate( )
Enforces upper limits on the instantaneous bandwidth of the current streaming transaction. This

never_refresh_before_expiry( )
The never_refresh_before_expiry( ) property is similar to the CLI command:
SGOS#(config)

Blue Coat Systems Inc.
650 Almanor Avenue
Sunnyvale, California 94086
(408) 220-2200 Voice
(408) 220-2250 FAX
(86

This provides the ability to test various aspects of a request, such as the IP address of the client and the UR

never_serve_after_expiry( )
The never_serve_after_expiry( ) property is similar to the CLI command:
SGOS#(config

patience_page( )
Controls whether or not a patience page can be served, and if so, the delay interval before serving. If

pipeline( )
Determines whether an object embedded within an HTML container object is pipelined. Set to yes to

prefetch( )
This deprecated property has been replaced by pipeline( ). For more information, see "pipeline( )"

reflect_ip( )
Determines how the client IP address is presented to the origin server for explicitly proxied re

reflect_vip( )
This deprecated syntax has been replaced by the reflect_ip( ) property. For more information, see "

refresh( )
Controls refreshing of requested objects. Set to no to prevent refreshing of the object if it is ca

remove_IMS_from_GET( )
The remove_IMS_from_GET( ) property is similar to the CLI command:
SGOS#(config) http substitute

remove_PNC_from_GET( )
The remove_PNC_from_GET property is similar to the CLI command:
SGOS#(config) http substi

remove_reload_from_IE_GET( )
The remove_reload_from_IE_GET( ) property is similar to the CLI command:
SGOS#(config) http

For new ProxySG appliances, the default is to deny all requests. For ProxySG appliances being upgraded

request.filter_service( )
Controls whether the request is processed by an external content filter service. The

url.address=10.0.0.0/8 ; don't filter internal network
client.address=10.1.2.3 ; don't filter this client
Se

request.icap_service( )
Determines whether a request from a client should be processed by an external ICAP ser

response.icap_service( )
Determines whether a response to a client request is first sent to an ICAP service before bei

service( )
This deprecated syntax has been replaced by the allow, deny( ) and exception( ) properties.

socks.accelerate( )
The socks.accelerate property controls the SOCKS proxy handoff to other protocol agents.
Syntax
sock

socks.authenticate( )
The same realms can be used for SOCKS proxy authentication as can be used for regular pr

socks.authenticate.force( )
This property controls the relation between SOCKS authentication and denial.
Syntax
socks.au

socks_gateway( )
Controls whether or not the request associated with the current transaction is sent through a

socks_gateway.fail_open( )
Controls whether the ProxySG terminates or continues to process the request if the specified

With a few notable exceptions, triggers test one aspect of request, response, or associated state against a boo

streaming.transport( )
Determines the upstream transport mechanism to be used for this streaming transaction. T

terminate_connection( )
The terminate_connection( ) property is used in an <Exception> layer to drop the connecti

trace.destination( )
Used to change the default path to the trace output file. By default, policy evaluation t

trace.request( )
Determines whether detailed trace output is generated for the current request. The default value is n

trace.rules( )
Determines whether trace output is generated showing policy rule evaluation for the transaction

ttl( )
Sets the time-to-live (TTL) value of an object in the cache, in seconds. Upon expiration, the cached copy is con

ua_sensitive( )
Used to modify caching behavior by declaring that the response for a given object is expected

Chapter 5: Action Reference

An action takes arguments and is wrapped in a user-named action definition block. When the action definition is called from

append( )
Appends a new component to the specified header.
Note: An error results if two header modification ac

delete( )
Deletes all components of the specified header.
Note: An error results if two header modification actions modif

• More complex boolean expressions are allowed for the pattern_expression in the triggers. For example

delete_matching( )
Deletes all components of the specified header that contain a substring matching a regular-

im.alert( )
Delivers a message in-band to the instant messaging user. The text appears in the instant message window. Thi

log_message( )
Writes the specified string to the ProxySG event log. Events generated by log_message( ) are vi

notify_email( )
Sends an email notification to the list of recipients specified in the Event Log mail configuration. The

notify_snmp( )
Multiple notify_snmp actions may be specified, resulting in multiple SNMP traps for a single tr

redirect( )
Ends the current HTTP transaction and returns an HTTP redirect response to the client by setting the policy_

replace( )
This deprecated action has been replaced by rewrite( ). For more information, see "rewrite( )"

rewrite( )
Rewrites the request URL, URL host, or components of the specified header if it matches the regular-expression

URL is considered complete, and replaces any URL that contains a substring matching the regex_pattern substrin

See Also
• Actions: append( ), delete( ), delete_matching( ), redirect( ), set( ), transform
• Conditions: request.header.

Layers
A policy layer is a CPL construct used to evaluate a set of rules and reach one decision. Separating deci

set( )
Sets the specified header to the specified string after deleting all components of the header.
Note: An e

Discussion
Any change to the server form of the request URL must be respected by policy controlling upstream connections.

transform
Invokes an active content or URL rewrite transformer. The invoked transformer takes effect only if th

See Also
• Properties: action( )
• Definitions: define action, transform active_content, transform url.rewrite

virus_check( )
This deprecated action sends the requested document to a virus scanning server. For more informa

Chapter 6: Definition Reference

In policy files, definitions serve to bind a set of conditions, actions, or transformations to a user-defined label. Tw

define action
Binds a user-defined label to a sequence of action statements. The action( ) property has syntax

• Definitions: transform active_content, transform url_rewrite
• Chapter 5: "Action Reference".

define active_content
Defines rules for removing or replacing active content in HTML or ASX documents. This def

Layer and Transaction Notes
• Applies to proxy transactions.
• Only alphanumeric, underscore, dash, and slash characte

[section_type [label]] [section_condition] [section_properties]
section_content
where:
• The section_type

define category
Category definitions are used to extend vendor content categories or to create your own. The c

sportsworld.com
category=football ; include subcategory
end
define category football
nfl.com
cfl.ca
end
The following polic

define condition
Binds a user-defined label to a set of conditions for use in a condition= expression. For cond

define condition extension_low_risk ; file types assumed to be low risk.
url.extension=(asf,asx,gif,jpeg,mov,mp3,ram,

define domain
This deprecated syntax has been replaced by the url.domain condition. For more information see "

define javascript
A javascript definition is used to define a javascript transformer, which adds javascript that you

See Also
• Actions: transform
• Definitions: define action
• Properties: action( )

define prefix condition
This deprecated syntax has been replaced by the define url condition. For more information se

define server_url.domain condition
Binds a user-defined label to a set of domain-suffix patterns for use in a c

affinityclub.example.com
end
<Forward>
condition=!allowed access_server(no)
See Also
• Condition: condition=, serve

Named Definitions
There are various types of named definitions. Each definition is given a user defined name tha

define subnet
Binds a user-defined label to a set of IP addresses or IP subnet patterns. Use a subnet definitio

define url condition
Binds a user-defined label to a set of URL prefix patterns for use in a condition= expression. U

timing restrictions for the defined condition will depend on the layer and timing restrictions of the containe

define url.domain condition
Binds a user-defined label to a set of domain-suffix patterns for use in a condition= exp

See Also
• Condition: condition=, server_url.domain=
• Definitions: define url condition, define server_url.doma

define url_rewrite
Defines rules for rewriting URLs embedded in tags within HTML, CSS, JavaScript or ASX documents. T

• server_url_substring—A string that, if found in the server URL, will be replaced by the client_url_substring

restrict dns
This definition restricts DNS lookups and is useful in installations where access to DNS resolution is l

restrict rdns
This definition restricts reverse DNS lookups and is useful in installations where access to reve

transform active_content
This deprecated syntax has been replaced by define active_content. For more information see

policy that does not require the realm. Once all outstanding transactions that required reference to t

transform url_rewrite
This deprecated syntax has been replaced by define url_rewrite. For more information see

Appendix A: Glossary

actions
A class of definitions. CPL has two general classes of actions: request or response modifications and notifications. An ac

Forward Policy File
A file you create or that might be created during an upgrade from prior SGOS versions, and

response transformation
A modification of the object being returned. This modification can be to either the protocol headers ass
Appendix B: Testing and TroubleshootingIf you are experiencing problems with your policy files or would like to monitor evaluation for brief periods o
ProxySG Content Policy Language Guide276Enabling Request TracingUse the trace.request( ) property to enable request tracing. Request tracing logs a su
Appendix B: Testing and Troubleshooting277Here are the relevant policy requirements to be expressed:• DNS lookups are restricted except for a site bei
ProxySG Content Policy Language Guide2781 start transaction ------------------------------2 CPL Evaluation Trace:3 <Proxy> 4 MATCH: trace.rule
Appendix B: Testing and Troubleshooting279The following is a trace of the same policy, but for a transaction in which the request URL has an IP addres
ProxySG Content Policy Language Guide28Authentication and DenialOne of the most important timing relationships to be aware of is the relation between
ProxySG Content Policy Language Guide280Policy: Action discarded, 'set_header_1' conflicts with an action already committedThe conflict is r
Appendix C: Recognized HTTP HeadersThe tables provided in this appendix list all recognized HTTP 1.1 headers and indicate how the ProxySG is able to i
ProxySG Content Policy Language Guide282The following table lists custom headers that are recognized by the ProxySG.If-Match Request XIf-Modified-Sinc
Appendix D: CPL SubstitutionsThis appendix lists all substitution variables available in CPL.To use a variable in CPL, it is expressed as: $(<field
ProxySG Content Policy Language Guide284sr-bytes Number of bytes sent from appliance to upstream host.sr-headerlength Number of bytes in the header se
Appendix D: CPL Substitutions285x-bluecoat-transaction-idtransaction.id Unique per-request identifier generated by the appliance (note: this value is
ProxySG Content Policy Language Guide286cs-version request.version Protocol and version from the client's request; for example, HTTP/1.1.x-blueco
Appendix D: CPL Substitutions287x-bluecoat-special-esc esc Resolves to the escape character (ASCII HEX 1B).x-bluecoat-special-gt gt The greater-than c
ProxySG Content Policy Language Guide288x-bluecoat-surfcontrol-reporter-idSpecialized value for SurfControl reporter.x-bluecoat-websense-category-idTh
Appendix D: CPL Substitutions289x-patience-url patience_url The url to be requested for more patience information.x-virus-id Identifier of a virus if
Chapter 1: Overview of Content Policy Language29<Proxy>client.address=!corporate_subnet deny ; filter out strangerssocks.authenticate(MyRealm) ;
ProxySG Content Policy Language Guide290x-bluecoat-day day Localtime day (as a number) formatted to take up two spaces; for example, 07 for the 7th of
Appendix D: CPL Substitutions291cs-uri-hostname log_url.hostname Hostname from the 'log' URL. RDNS is used if the URL uses an IP address.cs-
ProxySG Content Policy Language Guide292sr-uri-query server_url.query Query from the upstream request URL.sr-uri-scheme server_url.scheme Scheme from
Appendix D: CPL Substitutions293Category: userELFF CPL Descriptioncs-auth-group group One group that an authenticated client is a member of. The group
ProxySG Content Policy Language Guide294cs(Accept-Language) request.header.Accept-LanguageRequest header: Accept-Languagecs(Accept-Ranges) request.hea
Appendix D: CPL Substitutions295cs(If-Unmodified-Since)request.header.If-Unmodified-SinceRequest header: If-Unmodified-Sincecs(Last-Modified) request.
ProxySG Content Policy Language Guide296cs(X-Forwarded-For) request.header.X-Forwarded-ForRequest header: X-Forwarded-ForCategory: si_response_headerE
Appendix D: CPL Substitutions297rs(From) response.header.From Response header: From rs(Front-End-HTTPS) response.header.Front-End-HTTPSResponse header
ProxySG Content Policy Language Guide298rs(Vary) response.header.Vary Response header: Varyrs(Via) response.header.Via Response header: Via rs(WWW-Aut
Appendix E: Filter File Syntax This appendix provides a summary of the syntax and evaluation order used in CacheOS version 4.x filter files. While it i
Copyrights 3 THIRD PARTY COPYRIGHT NOTICES Blue Coat Systems, Inc. Security Gateway Operating System (SGOS) version 3 utilizes third party software from
Troubleshooting Policy When installed policy does not behave as expected, use policy tracing to understand the b
Filter-Part Components The filter part of a filter file can contain the following: • Filters that are not part o
• The only condition available in filter lines is the acl= condition, which is a synonym for the CPL condition client
ALL Statements An ALL statement is a line beginning with the keyword ALL, followed by zero or more conditions a
• protocol=value—An optional protocol= condition expression. Available values are http, https, ftp, mms, rtsp, tcp, a
While prefix-pattern filters are commonly used outside of any section, the Prefix section is provided to help
• The domain-suffix filter http://company.com/ denies service to all URLs where company.com is a proper super-domain
Evaluation Order CacheOS 4.x filter files have a different order of evaluation than CPL files. A compiled filte
Appendix F: Upgrading from CacheOS When upgrading from CacheOS version 4.x to the ProxySG, the default policy files are created as follows: • The CacheO
For the CPL compiler, the correct filter will be selected at run time based on the ACL if the filters are dist
Index A <Admin> layers, understanding 37 access_log( ) property 154 access_server() property 155 action definition block 246 action part, filter file
Conditional Compilation Occasionally, you might be required to maintain policy that can be applied to a
ProxySG Configuration and Management Guide 310 D date= condition 67 day= condition 68 define acl definition block, filter file 303 define action definition
H has_attribute.name= condition 74 has_client= condition 76 hour= condition 77 HTTP cache transactions 36 http.method= condition 79 http.request.ver
rules, conflicting 47 statistics, example 276 testing 275 tips on writing 44 troubleshooting 275 whitelists 45
Q quoting, understanding 22 R realm= condition 112 redirect() action 235 references related Blue Coat documentation x referential integrity, understa
T time= condition 134 timing in layers, understanding 41 understanding 36 trace.destination( ) 276 trace.destin
Chapter 2: Managing Content Policy Language As discussed in Chapter 1, Content Policy Language policies are composed of transactions that are placed in
Each of the protocol-specific proxy transactions has specific information that can be tested—information that m
Some conditions cannot be evaluated during the first stage; for example, the user and group information w
An HTTP cache transaction is examined in two stages: • Before the object is retrieved from the origin server. •
But policy cannot determine the value of the Content-type response header until the response is returned.
• The optional admin_properties is a list of properties set if any of the rules in the layer match. These act a
<Exception> Layers <Exception> layers are evaluated when a proxy transaction is terminated by
Redistribution and use of this software and associated documentation ("Software"), with or without mo
<Proxy> Layers <Proxy> layers define policy for authenticating and authorizing users’ requests for s
Timing The “late guards early” timing errors that can occur within a rule can arise across rules in a laye
url.domain=nbc.com/athletics deny ; etc, suppose it's a substantial list url.regex="sports|athletics&
• Rules in [Rule] sections are evaluated sequentially, top to bottom. The time taken is proportional to t
• [server_url.domain] sections are allowed only in <Exception> or <Forward> layers. Section Guards Ju
• Do not mix the CacheOS 4.x filter-file syntax with CPL syntax. Although the Content Policy Language is
The following example is an exception defined within a layer. A company wants access to payroll information lim
evaluation order as currently configured. Changes to the policy file evaluation order must be managed wit
Best Practices • Express separate decisions in separate layers. As policy grows and becomes more complex, mainten
Chapter 3: Condition Reference A condition is an expression that yields true or false when evaluated. Conditions can appear in: • Policy rules. • Section
A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUC
• condition ::= trigger "=" expression • trigger ::= identifier | identifier "." word • exp
Unavailable Triggers Some triggers can be unavailable in some transactions. If a trigger is unavailable, then any cond
acl= Deprecated syntax. See "client.address=" on page 60 for more information.
admin.access= Tests the administrative access requested by the current transaction. It evaluates to null if the transac
attribute.name= Tests if the current transaction is authenticated in a RADIUS or LDAP realm, and if the authenti
<proxy> authenticate(RADIUSRealm); This rule would restrict non-authorized users. <proxy> deny condition=!Pro
authenticated= True if authentication was requested and the credentials could be verified; otherwise, false. Synt
bitrate= Tests if a streaming transaction requests bandwidth within the specified range or an exact match. When providi
<Proxy> ; Use this layer to override a deny in a previous layer ; Grant everybody access to streams up to
category= Tests the content categories of the requested URL as assigned by policy definitions or an installed content f
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the fo
client.address= Tests the IP address of the client. The expression can include an IP address or subnet or the la
client.protocol= Tests true if the client transport protocol matches the specification. Replaces: client_protocol= syntax
condition= Tests if the specified defined condition is true. Syntax condition=condition_label where condition_label
http://www.x.com time=0800..1000 http://www.y.com month=1 http://www.z.com hour=9..10 end <proxy> condition=test deny
console_access= Tests if the current request is destined for the <Admin> layer. This test can be used to d
content_admin= The content_admin= condition has been deprecated. For more information, see "content_management"
content_management Tests if the current request is a content management transaction. Replaces: content_admin=yes|
date[.utc]= Tests true if the current time is within the startdate..enddate range, inclusive. The comparison is made ag
day= Tests if the day of the month is in the specified range or an exact match. The ProxySG appliance’s configur
exception.id= Tests whether the exception being returned to the client is the specified exception. It can also be used
This product includes cryptographic software written by Eric Young ([email protected]). This product includes software written by Tim Hudso
; thrown by deny or force_deny exception.id=policy_denied action.log_interloper(yes) <Exception> exception.
ftp.method= Tests FTP request methods against any of a well-known set of FTP methods. A CPL parse error is given if an
group= Tests if the client is authenticated, and the client belongs to the specified group. If both of these con
• Applies to proxy and administrator transactions. • This condition cannot be combined with the authenticate( ), proxy_
has_attribute.name= Tests if the current transaction is authenticated in an LDAP realm and if the authenticated
See Also • Conditions: attribute.name=, authenticated=, group=, http.transparent_authentication=, realm=, user=, user.d
has_client= The has_client= condition is used to test whether or not the current transaction has a client. This
hour= Tests if the time of day is in the specified range or an exact match. The current time is determined by the Proxy
<proxy> allow server_url.domain=xyz.com ; internal site always available allow weekday=6..7 ; unres
http.method= Tests HTTP request methods against any of a common set of HTTP methods. A CPL parse error is given if an u
documentation. Moscow Center for SPARC Technology makes no representations about the suitability of this softwa
http.request.version= Tests the version of HTTP used by the client in making the request to the appliance. synta
http.response.code= Tests true if the current transaction is an HTTP transaction and the response code received from th
http.response.version= Tests the version of HTTP used by the origin server to deliver the response to the ProxyS
http.transparent_authentication= This trigger evaluates to true if HTTP uses transparent proxy authentication for this
http.x_method= Tests HTTP request methods against any uncommon HTTP methods. A CPL parse warning is given if the
im.buddy_id= Tests the buddy_id associated with the instant messaging transaction. Syntax im.buddy_id[.case_sensitive]=us
im.chat_room.conference= Tests whether the chat room associated with the instant messaging transaction has the c
im.chat_room.id= Tests the chat room ID associated with the instant messaging transaction. Syntax im.chat_room.id[.case_s
im.chat_room.invite_only= Tests whether the chat room associated with the instant messaging transaction has the
im.chat_room.type= Tests whether the chat room associated with the transaction is public or private. Syntax im.chat_room.
Preface: Introducing the Content Policy Language The Content Policy Language (CPL) is a powerful, flexible language that enables you to specify a varie
im.chat_room.member= Tests whether the chat room associated with the instant messaging transaction has a member
im.chat_room.voice_enabled= Tests whether the chat room associated with the instant messaging transaction is voice enab
im.file.extension= Tests the file extension of a file associated with an instant messaging transaction. The lead
im.file.name= Tests the file name (the last component of the path), including the extension, of a file associated with
im.file.path= Tests the file path of a file associated with an instant messaging transaction against the specifi
im.file.size= Performs a signed 64-bit range test of the size of a file associated with an instant messaging transactio
im.message.opcode= Tests the value of an opcode associated with an instant messaging transaction whose im.method
im.message.route= Tests how the instant messaging message reaches its recipients. Syntax im.message.route=service|direct|
im.message.size= Performs a signed 64-bit range test on the size of the instant messaging message. Syntax im.mess
im.message.text= Tests if the message text contains the specified text or pattern. Note: The .regex version of this test