Blue Coat Systems Time Clock Proxy SG User Manual, Page 277

Appendix B: Testing and Troubleshooting
Here are the relevant policy requirements to be expressed:
DNS lookups are restricted except for a site being hosted.
There is no access to reverse DNS so that is completely restricted.
Any requests not addressed to the hosted site either by name or subnet should be rejected.
FTP POST requests should be rejected.
Request URLs for the hosted site are to be rewritten and a request header added on the way into the site.
The Sample Policy
; DNS lookups are restricted except for one site that is being hosted
restrict dns
  .
except
  my_site.com
end
; No access to RDNS
restrict rdns
  all
end
define subnet my_subnet
  10.11.12.0/24
end
; Trace the request and all rule evaluations
<proxy>
  trace.request(yes) trace.rules(all)
<proxy>
  ;
  deny url.host.is_numeric=no url.domain=!my_site.com
  deny url.address=!my_subnet
; Reject FTP STOR requests
<proxy>
  deny ftp.method=STOR
; Rewrite the URL and set a request header for the hosted site
<proxy>
  url.domain=my_site.com action.test(yes)
define action test
  set(request.x_header.test, "test")
  rewrite(url, "(.*)\.my_site.com", "$(1).his_site.com")
end
Since trace.request() is set to yes, a policy trace is performed when client requests are evaluated. Since trace.rules() is set to all, all rule evaluations for misses and matched rules are displayed.
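As an added example (not from the Blue Coat manual), the following Python model of the sample policy's deny rules and rewrite action lets you work out the expected verdict for a request before comparing it with the trace. Assumptions: Python's re module stands in for the CPL regex engine, the RESOLVER table is constructed, a name with no DNS answer is treated as outside my_subnet, and "pass" only means that no deny rule matched.

```python
import ipaddress
import re
from urllib.parse import urlsplit

HOSTED_DOMAIN = "my_site.com"
MY_SUBNET = ipaddress.ip_network("10.11.12.0/24")   # define subnet my_subnet
# Constructed DNS answers (assumption): only hosted-site names resolve.
RESOLVER = {"www.my_site.com": "10.11.12.5", "old.my_site.com": "192.0.2.7"}
PAGE_PATTERN = r"(.*)\.my_site.com"      # regex as written in the policy
STRICT_PATTERN = r"(.*)\.my_site\.com"   # same, with the last dot escaped


def is_numeric(host):
    """Model of url.host.is_numeric: the host is an IP literal."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def in_domain(host):
    """Model of url.domain=: exact host or any subdomain."""
    return host == HOSTED_DOMAIN or host.endswith("." + HOSTED_DOMAIN)


def rewrite(url, pattern=PAGE_PATTERN):
    """Model of rewrite(url, ...) using Python's re (assumption)."""
    return re.sub(pattern, r"\1.his_site.com", url, count=1)


def evaluate(url, ftp_method=None):
    """Return ("deny", rule) or ("pass", url_after_action)."""
    host = urlsplit(url).hostname or ""
    if not is_numeric(host) and not in_domain(host):
        return ("deny", "url.domain")
    # Assumption: a name with no DNS answer is treated as outside the subnet.
    addr = host if is_numeric(host) else RESOLVER.get(host)
    if addr is None or ipaddress.ip_address(addr) not in MY_SUBNET:
        return ("deny", "url.address")
    if ftp_method == "STOR":
        return ("deny", "ftp.method")
    return ("pass", rewrite(url) if in_domain(host) else url)


if __name__ == "__main__":
    for u in ("http://www.my_site.com/home.html", "http://www.example.org/",
              "http://10.11.12.9/", "http://old.my_site.com/"):
        print(u, "->", evaluate(u))
```

Under Python's re, the unescaped dot before "com" and the greedy (.*) let the page's pattern match a constructed path ending in ".my_siteXcom" instead of the host; calling rewrite() with STRICT_PATTERN shows the difference.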
The following is the trace output produced for an HTTP GET request for
http://www.my_site.com/home.html.
Note: The line numbers shown at the left do not appear in actual trace output. They are added here
for annotation purposes.