Blue Coat Systems Time Clock Proxy SG User Manual

Search online or download the user manual for Blue Coat Systems Time Clock Proxy SG software. Blue Coat Systems Time Clock Proxy SG User's Manual


Table of contents

Page 1 - Blue Coat Systems

Blue Coat Systems™ ProxySG Content Policy Language Guide

Page 2

ProxySG Content Policy Language GuidexSupported BrowsersThe ProxySG Management Console supports Microsoft® Internet Explorer 5 and 6, and Netscape® Co

Page 3 - THIRD PARTY COPYRIGHT NOTICES

ProxySG Content Policy Language Guide100im.message.type=Tests the message type of an instant messaging transaction.Syntaxim.message.type=text|invite|v

Page 4

Chapter 3: Condition Reference101im.method=Tests the method associated with the instant messaging transaction. Syntaxim.method=open|create|join|join_u

Page 5 - Copyrights

ProxySG Content Policy Language Guide102im.user_id=Tests the user_id associated with the instant messaging transaction.Syntaxim.user_id[.case_sensitiv

Page 6

Chapter 3: Condition Reference103live=Tests if the streaming content is a live stream. Syntaxlive=yes|noLayer and Transaction Notes•Use in <Cache&g

Page 7

ProxySG Content Policy Language Guide104method=Tests the protocol method name associated with the transaction. Appropriate method names depend on the

Page 8

Chapter 3: Condition Reference105Examples<proxy>http.method=GET response.header.Pragma=”no-cache" deny; This example is applicable to a bla

Page 9

ProxySG Content Policy Language Guide106minute=Tests if the minute of the hour is in the specified range or an exact match. By default, the ProxySG ap

Page 10 - Document Conventions

Chapter 3: Condition Reference107month=Tests if the month is in the specified range or an exact match. By default, the ProxySG appliance’s date and ti

Page 11 - Contents

ProxySG Content Policy Language Guide108protocol=The protocol= condition has been deprecated in favor of url.scheme=. For more information see "u

Page 12

Chapter 3: Condition Reference109proxy.address=Tests the destination address of the arriving IP packet. The expression can include an IP address or su

Page 13

ContentsPreface: Introducing the Content Policy LanguageAbout the Document Organization ...

Page 14

ProxySG Content Policy Language Guide110proxy.card=Tests the ordinal number of the network interface card (NIC) used by a request. Replaces: proxy_car

Page 15

Chapter 3: Condition Reference111proxy.port=Tests if the IP port used by a request is within the specified range or an exact match.The numeric pattern

Page 16

ProxySG Content Policy Language Guide112realm=Tests if the client is authenticated and if the client has logged into the specified realm. If both of t

Page 17

Chapter 3: Condition Reference113•Properties: authenticate( ), authenticate.force( ), check_authorization( )

Page 18

ProxySG Content Policy Language Guide114release.id=Tests the release ID of the ProxySG software. The release ID of the ProxySG software currently runn

Page 19 - Concepts

Chapter 3: Condition Reference115release.version=Tests the release version of the ProxySG software. The release version of the ProxySG software curren

Page 20 - Policy Model

ProxySG Content Policy Language Guide116request.header.header_name=Tests the specified request header (header_name) against a regular expression. Any

Page 21 - CPL Language Basics

Chapter 3: Condition Reference117request.header.header_name.address=Tests if the specified request header can be parsed as an IP address; otherwise, f

Page 22

ProxySG Content Policy Language Guide118request.header.Referer.url=Test if the URL specified by the Referer header matches the specified criteria. The

Page 23

Chapter 3: Condition Reference119; Relative URLs, such as docs subdirectories and pages, will match.deny request.header.Referer.url=http://www.example

Page 24 - Sections

ProxySG Content Policy Language Guidexii<Forward> Layers...

Page 25 - Definitions

ProxySG Content Policy Language Guide120<proxy>request.header.Referer.url.host.regex=mycompany; request.header.Referer.url.path tests; The follo

Page 26 - Referential Integrity

Chapter 3: Condition Reference121request.x_header.header_name=Tests the specified request header (header_name) against a regular expression. Any HTTP

Page 27 - Writing Policy Using CPL

ProxySG Content Policy Language Guide122request.x_header.header_name.address=Tests if the specified request header can be parsed as an IP address; oth

Page 28 - Authentication and Denial

Chapter 3: Condition Reference123response.header.header_name=Tests the specified response header (header_name) against a regular expression. Any recog

Page 29 - Installing Policy

ProxySG Content Policy Language Guide124response.x_header.header_name=Tests the specified response header (header_name) against a regular expression.

Page 30 - Upgrade/Downgrade Issues

Chapter 3: Condition Reference125server_url=Tests if a portion of the URL used in server connections matches the specified criteria. The basic server_

Page 31 - Conditional Compilation

ProxySG Content Policy Language Guide126• Applies to all non-administrator transactions.Examples; Test if the server URL includes this pattern, and bl

Page 32

Chapter 3: Condition Reference127;request http://1.2.3.4/ ;request http://mycompany.com/ ; If the reverse DNS fails then the first request

Page 33 - Proxy Transactions

ProxySG Content Policy Language Guide128socks=This condition is true whenever the session for the current transaction involves SOCKS to the client. Th

Page 34

Chapter 3: Condition Reference129socks.accelerated= Tests whether the SOCKS proxy will hand off this transaction to other protocol agents for accelera

Page 35 - Cache Transactions

Contentsxiiihttp.method= ...

Page 36 - Forwarding Transactions

ProxySG Content Policy Language Guide130socks.method=Tests the SOCKS protocol method name associated with the transaction. Syntaxsocks.method=CONNECT|

Page 37 - Understanding Layers

Chapter 3: Condition Reference131socks.version=Tests whether the version of the SOCKS protocol used to communicate to the client is SOCKS 4/4a or SOCK

Page 38 - <Cache> Layers

ProxySG Content Policy Language Guide132streaming.client=Tests the client agent associated with the current transaction.Syntaxstreaming.client=yes|no|

Page 39 - <Forward> Layers

Chapter 3: Condition Reference133streaming.content=Tests the content of the current transaction to determine whether or not it is streaming media, and

Page 40 - Layer Guards

ProxySG Content Policy Language Guide134time=Tests if the time of day is in the specified range or an exact match. The current time is determined by t

Page 41 - Understanding Sections

Chapter 3: Condition Reference135; This example restricts the times during which certain; stations can log in with administrative privileges.define su

Page 42

ProxySG Content Policy Language Guide136tunneled=Tests if the current transaction represents a tunneled request. A tunneled request is one of:• TCP tu

Page 43 - [server_url.domain]

Chapter 3: Condition Reference137url=Tests if a portion of the requested URL matches the specified criteria. The basic url= test attempts to match the

Page 44 - Defining Policies

ProxySG Content Policy Language Guide138//host:port//host:port/path_query//host/path_queryhosthost:porthost:port/path_queryhost/path_query/path_query•

Page 45 - Blacklists and Whitelists

Chapter 3: Condition Reference139include a filename extension, such as http://example.com/ and http://example.com/test. To test multiple extensions, u

Page 46

ProxySG Content Policy Language Guidexivserver_url= ...

Page 47 - Making Policy Definitive

ProxySG Content Policy Language Guide140• .suffix—Test if the string pattern is a suffix of the URL or component. The suffix need not match on a bound

Page 48 - Best Practices

Chapter 3: Condition Reference141slash is always present in the request URL being tested, because the URL is normalized before any comparison is perfo

Page 49 - Condition Reference

ProxySG Content Policy Language Guide142If you are testing a large number of URLs using the url.domain= condition, consider the performance benefits o

Page 50 - Pattern Types

Chapter 3: Condition Reference143; http://www.example.com<proxy>url.host.is_numeric=yes;; In the example below we assume that 1.2.3.4 is the IP

Page 51 - Unavailable Triggers

ProxySG Content Policy Language Guide144user=Tests the authenticated username associated with the transaction. This trigger is only available if the t

Page 52

Chapter 3: Condition Reference145See Also• Conditions: attribute.name=, authenticated=, group=, has_attribute.name=, http.transparent_authentication=,

Page 53

ProxySG Content Policy Language Guide146user.domain=Tests if the client is authenticated, the logged-into realm is an NTLM realm, and the domain compo

Page 54

Chapter 3: Condition Reference147user.x509.issuer=Tests the issuer of the x509 certificate used in authentication to certificate realms. The user.x509

Page 55

ProxySG Content Policy Language Guide148user.x509.serialNumber=Tests the serial number of the x509 certificate used to authenticate the user against a

Page 56

Chapter 3: Condition Reference149user.x509.subject=Tests the subject field of the x509 certificate used to authenticate the user against a certificate

Page 57

Contentsxvforce_cache( ) ...

Page 58

ProxySG Content Policy Language Guide150weekday=Tests if the day of the week is in the specified range or an exact match. By default, the ProxySG appl

Page 59

Chapter 3: Condition Reference151year=Tests if the year is in the specified range or an exact match. The current year is determined by the date set on

Page 60

ProxySG Content Policy Language Guide152

Page 61

Chapter 4: Property ReferenceA property is a variable that can be set to a value. At the beginning of a transaction, all properties are set to their d

Page 62

ProxySG Content Policy Language Guide154access_log( )Selects the access log used for this transaction. Multiple access logs can be selected to record

Page 63 - • Definitions:

Chapter 4: Property Reference155access_server( ) Determines whether the client can receive streaming content directly from the origin content server o

Page 64

ProxySG Content Policy Language Guide156action( ) Selectively enables or disables a specified define action block. The default value is no. Note: Seve

Page 65

Chapter 4: Property Reference157advertisement( ) Determines whether to treat the objects at a particular URL as banner ads to improve performance. If

Page 66

ProxySG Content Policy Language Guide158allowAllows the transaction to be served. Allow can be overridden by the access_server( ), deny( ), force_deny

Page 67

Chapter 4: Property Reference159always_verify( ) Determines whether each request for the objects at a particular URL must be verified with the origin

Page 68

ProxySG Content Policy Language Guidexvitrace.request( ) ...

Page 69

ProxySG Content Policy Language Guide160authenticate( )Identifies the realm used to authenticate the user associated with the current transaction. Aut

Page 70

Chapter 4: Property Reference161url.domain = !corporate.com authenticate(OurRealm, “log in for internet access”)The next example illustrates the relat

Page 71

ProxySG Content Policy Language Guide162authenticate.force( ) This property controls the relation between authentication and denial.Syntaxauthenticate

Page 72

Chapter 4: Property Reference163authenticate.mode( )Using the authentication.mode( ) property selects a combination of challenge type and surrogate cr

Page 73

ProxySG Content Policy Language Guide164• origin-cookie (origin/cookie)—Used in forward proxies to support pass-through authentication more securely t

Page 74

Chapter 4: Property Reference165authenticate.use_url_cookie( )This property is used to authenticate users who have third party cookies explicitly disa

Page 75 - , realm=, user=, user.domain=

ProxySG Content Policy Language Guide166block_category( )This property has been deprecated. In current CPL, the use of block_category(category_list) h

Page 76

Chapter 4: Property Reference167bypass_cache( ) Determines whether the cache is bypassed for a request. If set to yes, the cache is not queried and th

Page 77

ProxySG Content Policy Language Guide168cache( ) Controls HTTP and FTP caching behavior. A number of CPL properties affect caching behavior. •If bypas

Page 78

Chapter 4: Property Reference169See Also•Properties: advertisement( ), always_verify( ), bypass_cache( ), cookie_sensitive( ), direct( ), dynamic_bypa

Page 79

ContentsxviiAppendix B: Testing and TroubleshootingEnabling Rule Tracing ...

Page 80

ProxySG Content Policy Language Guide170check_authorization( )In connection with CAD (Caching Authenticated Data) and CPAD (Caching Proxy-Authenticate

Page 81

Chapter 4: Property Reference171content_filter_override( )This property has been deprecated. content_filter_override(yes) has two effects: • It preven

Page 82

ProxySG Content Policy Language Guide172cookie_sensitive( ) Used to modify caching behavior by declaring that the object served by the request varies

Page 83

Chapter 4: Property Reference173delete_on_abandonment( )If set to yes, specifies that if all clients who may be simultaneously requesting a particular

Page 84

ProxySG Content Policy Language Guide174deny( )Denies service. Denial can be overridden by allow or exception( ). To deny service in a way that cannot

Page 85

Chapter 4: Property Reference175deny.unauthorized( )The deny.unauthorized property instructs the ProxySG to issue a challenge (401 Unauthorized or 407

Page 86

ProxySG Content Policy Language Guide176direct( ) Used to prevent requests from being forwarded to a parent proxy or SOCKS server, when the ProxySG is

Page 87

Chapter 4: Property Reference177dynamic_bypass( )Used to indicate that a particular transparent request is not to be handled by the proxy, but instead

Page 88

ProxySG Content Policy Language Guide178exception( )Selects a built-in or user-defined response to be returned to the user.The exception( ) property i

Page 89

Chapter 4: Property Reference179exception.autopad( )Pad an HTTP exception response by including trailing whitespace in the response body so that Conte

Page 90

ProxySG Content Policy Language Guidexviii

Page 91

ProxySG Content Policy Language Guide180force_cache( ) Used to force caching of HTTP responses that would otherwise be considered uncacheable. The def

Page 92

Chapter 4: Property Reference181force_deny( )The force_deny( ) property is similar to deny( ) except that it:• Cannot be overridden by an allow. • Ove

Page 93

ProxySG Content Policy Language Guide182force_exception( )The force_exception( ) property is similar to exception except that it:• Cannot be overridde

Page 94

Chapter 4: Property Reference183force_patience_page( )This property provides control over the application of the default patience page logic. Syntaxfo

Page 95

ProxySG Content Policy Language Guide184forward( )Determines forwarding behavior.There is a box-wide configuration setting (config>forwarding>se

Page 96

Chapter 4: Property Reference185forward.fail_open( )Controls whether the ProxySG terminates or continues to process the request if the specified forwa

Page 97

ProxySG Content Policy Language Guide186ftp.server_connection( )Determines when the control connection to the server is established. If set to deferre

Page 98

Chapter 4: Property Reference187ftp.server_data( )Determines the type of data connection to be used with this FTP transaction. Syntaxftp.server_data(a

Page 99

ProxySG Content Policy Language Guide188ftp.transport( )Determines the upstream transport mechanism. This setting is not definitive. It depends on the

Page 100

Chapter 4: Property Reference189http.force_ntlm_for_server_auth( )Turns on/off NTLM cloaking on a per-request basis. Refer to Appendix A: “NTLM and CA

Page 101

Chapter 1: Overview of Content Policy LanguageThe Content Policy Language (CPL) is a programming language with its own concepts and rules that you mus

Page 102

ProxySG Content Policy Language Guide190http.request.version( )The http.request.version( ) property sets the version of the HTTP protocol to be used i

Page 103

Chapter 4: Property Reference191http.response.version( ) The http.response.version( ) property sets the version of the HTTP protocol to be used in the

Page 104

ProxySG Content Policy Language Guide192icp( )Determines whether to consult ICP when forwarding requests. Any forwarding host or SOCKS gateway identif

Page 105

Chapter 4: Property Reference193im.strip_attachments( ) Determines whether attachments are stripped from instant messages. If set to yes, attachments

Page 106

ProxySG Content Policy Language Guide194integrate_new_hosts( )Determines whether to add new host addresses to health checks and load balancing.Syntaxi

Page 107

Chapter 4: Property Reference195label( ) This deprecated property is provided for backward compatibility with CacheOS 4.x filter files. For more infor

Page 108 - Conditions:

ProxySG Content Policy Language Guide196log.rewrite.field-id() The log.rewrite.field-id property controls rewrites of a specific log field in one or m

Page 109

Chapter 4: Property Reference197log.suppress.field-id( ) The log.suppress.field-id( ) property controls suppression of the specified field-id in one o

Page 110

ProxySG Content Policy Language Guide198max_bitrate( ) Enforces upper limits on the instantaneous bandwidth of the current streaming transaction. This

Page 111

Chapter 4: Property Reference199never_refresh_before_expiry( )The never_refresh_before_expiry( ) property is similar to the CLI command:SGOS#(config)

Page 112

ProxySG Content Policy Language Guide 2Blue Coat Systems Inc. (408) 220-2200 Voice650 Almanor Avenue (408) 220-2250 FAXSunnyvale, California 94086 (86

Page 113

ProxySG Content Policy Language Guide20This provides the ability to test various aspects of a request, such as the IP address of the client and the UR

Page 114

ProxySG Content Policy Language Guide200never_serve_after_expiry( )The never_serve_after_expiry( ) property is similar to the CLI command:SGOS#(config

Page 115

Chapter 4: Property Reference201patience_page( )Controls whether or not a patience page can be served, and if so, the delay interval before serving.If

Page 116

ProxySG Content Policy Language Guide202pipeline( ) Determines whether an object embedded within an HTML container object is pipelined. Set to yes to

Page 117

Chapter 4: Property Reference203prefetch( )This deprecated property has been replaced by pipeline( ). For more information, see "pipeline( )"

Page 118

ProxySG Content Policy Language Guide204reflect_ip( ) Determines how the client IP address is presented to the origin server for explicitly proxied re

Page 119

Chapter 4: Property Reference205reflect_vip( )This deprecated syntax has been replaced by the reflect_ip( ) property. For more information, see "

Page 120 - • Definitions: define subnet

ProxySG Content Policy Language Guide206refresh( ) Controls refreshing of requested objects. Set to no to prevent refreshing of the object if it is ca

Page 121

Chapter 4: Property Reference207remove_IMS_from_GET( )The remove_IMS_from_GET( ) property is similar to the CLI command:SGOS#(config) http substitute

Page 122

ProxySG Content Policy Language Guide208remove_PNC_from_GET( )The remove_PNC_from_GET property is similar to the CLI command:SGOS#(config) http substi

Page 123

Chapter 4: Property Reference209remove_reload_from_IE_GET( )The remove_reload_from_IE_GET( ) property is similar to the CLI command:SGOS#(config) http

Page 124

Chapter 1: Overview of Content Policy Language21For new ProxySG appliances, the default is to deny all requests. For ProxySG appliances being upgraded

Page 125

ProxySG Content Policy Language Guide210request.filter_service( )Controls whether the request is processed by an external content filter service. The

Page 126 - Examples

Chapter 4: Property Reference211url.address=10.0.0.0/8 ; don't filter internal networkclient.address=10.1.2.3 ; don't filter this clientSe

Page 127

ProxySG Content Policy Language Guide212request.icap_service( ) Determines whether a request from a client should be processed by an external ICAP ser

Page 128

Chapter 4: Property Reference213response.icap_service( ) Determines whether a response to a client request is first sent to an ICAP service before bei

Page 129

ProxySG Content Policy Language Guide214service( ) This deprecated syntax has been replaced by the allow, deny( ) and exception( ) properties.

Page 130

Chapter 4: Property Reference215socks.accelerate( )The socks.accelerate property controls the SOCKS proxy handoff to other protocol agents. Syntaxsock

Page 131

ProxySG Content Policy Language Guide216socks.authenticate( ) The same realms can be used for SOCKS proxy authentication as can be used for regular pr

Page 132

Chapter 4: Property Reference217socks.authenticate.force( ) This property controls the relation between SOCKS authentication and denial.Syntaxsocks.au

Page 133

ProxySG Content Policy Language Guide218socks_gateway( )Controls whether or not the request associated with the current transaction is sent through a

Page 134

Chapter 4: Property Reference219socks_gateway.fail_open( )Controls whether the ProxySG terminates or continues to process the request if the specified

Page 135

ProxySG Content Policy Language Guide22With a few notable exceptions, triggers test one aspect of request, response, or associated state against a boo

Page 136

ProxySG Content Policy Language Guide220streaming.transport( )Determines the upstream transport mechanism to be used for this streaming transaction. T

Page 137

Chapter 4: Property Reference221terminate_connection( )The terminate_connection( ) property is used in an <Exception> layer to drop the connecti

Page 138

ProxySG Content Policy Language Guide222trace.destination( ) Used to change the default path to the trace output file. By default, policy evaluation t

Page 139

Chapter 4: Property Reference223trace.request( ) Determines whether detailed trace output is generated for the current request. The default value is n

Page 140

ProxySG Content Policy Language Guide224trace.rules( ) Determines whether trace output is generated showing policy rule evaluation for the transaction

Page 141

Chapter 4: Property Reference225ttl( )Sets the time-to-live (TTL) value of an object in the cache, in seconds. Upon expiration, the cached copy is con

Page 142

ProxySG Content Policy Language Guide226ua_sensitive( ) Used to modify caching behavior by declaring that the response for a given object is expected

Page 143

Chapter 5: Action ReferenceAn action takes arguments and is wrapped in a user-named action definition block. When the action definition is called from

Page 144

ProxySG Content Policy Language Guide228append( ) Appends a new component to the specified header.Note: An error results if two header modification ac

Page 145

Chapter 5: Action Reference229delete( ) Deletes all components of the specified header.Note: An error results if two header modification actions modif

Page 146

Chapter 1: Overview of Content Policy Language23• More complex boolean expressions are allowed for the pattern_expression in the triggers. For example

Page 147

ProxySG Content Policy Language Guide230delete_matching( ) Deletes all components of the specified header that contain a substring matching a regular-

Page 148

Chapter 5: Action Reference231im.alert( ) Deliver a message in-band to the instant messaging user. The text appears in the instant message window. Thi

Page 149

ProxySG Content Policy Language Guide232log_message( ) Writes the specified string to the ProxySG event log. Events generated by log_message( ) are vi

Page 150

Chapter 5: Action Reference233notify_email( ) Sends an email notification to the list of recipients specified in the Event Log mail configuration. The

Page 151

ProxySG Content Policy Language Guide234notify_snmp( ) Multiple notify_snmp actions may be specified, resulting in multiple SNMP traps for a single tr

Page 152

Chapter 5: Action Reference235redirect( ) Ends the current HTTP transaction and returns an HTTP redirect response to the client by setting the policy_

Page 153 - Property Reference

ProxySG Content Policy Language Guide236replace( )This deprecated action has been replaced by rewrite( ). For more information, see "rewrite( )&q

Page 154

Chapter 5: Action Reference237rewrite( )Rewrites the request URL, URL host, or components of the specified header if it matches the regular-expression

Page 155

ProxySG Content Policy Language Guide238URL is considered complete, and replaces any URL that contains a substring matching the regex_pattern substrin

Page 156

Chapter 5: Action Reference239See Also• Actions: append( ), delete( ), delete_matching( ), redirect( ), set( ), transform• Conditions: request.header.

Page 157

ProxySG Content Policy Language Guide24LayersA policy layer is a CPL construct used to evaluate a set of rules and reach one decision. Separating deci

Page 158

ProxySG Content Policy Language Guide240set( )Sets the specified header to the specified string after deleting all components of the header.Note: An e

Page 159

Chapter 5: Action Reference241DiscussionAny change to the server form of the request URL must be respected by policy controlling upstream connections.

Page 160

ProxySG Content Policy Language Guide242transformInvokes an active content or URL rewrite transformer. The invoked transformer takes effect only if th

Page 161

Chapter 5: Action Reference243See Also• Properties: action( )• Definitions: define action, transform active_content, transform url.rewrite

Page 162

ProxySG Content Policy Language Guide244virus_check( )This deprecated action sends the requested document to a virus scanning server. For more informa

Page 163

Chapter 6: Definition ReferenceIn policy files, definitions serve to bind a set of conditions, actions, or transformations to a user-defined label. Tw

Page 164

ProxySG Content Policy Language Guide246define actionBinds a user-defined label to a sequence of action statements. The action( ) property has syntax

Page 165

Chapter 6: Definition Reference247• Definitions: transform active_content, transform url_rewrite• Chapter 5: "Action Reference".

Page 166

ProxySG Content Policy Language Guide248define active_contentDefines rules for removing or replacing active content in HTML or ASX documents. This def

Page 167

Chapter 6: Definition Reference249Layer and Transaction Notes• Applies to proxy transactions.• Only alphanumeric, underscore, dash, and slash characte

Page 168

Chapter 1: Overview of Content Policy Language25[section_type [label]] [section_condition][section_properties]section_contentwhere:• The section_type

Page 169 - •Properties:

ProxySG Content Policy Language Guide250define category Category definitions are used to extend vendor content categories or to create your own. The c

Page 170

Chapter 6: Definition Reference251sportsworld.comcategory=football ; include subcategoryenddefine category footballnfl.comcfl.caendThe following polic

Page 171

ProxySG Content Policy Language Guide252define condition Binds a user-defined label to a set of conditions for use in a condition= expression.For cond

Page 172

Chapter 6: Definition Reference253define condition extension_low_risk ; file types assumed to be low risk.url.extension=(asf,asx,gif,jpeg,mov,mp3,ram,

Page 173

ProxySG Content Policy Language Guide254define domainThis deprecated syntax has been replaced by the url.domain condition. For more information see &q

Page 174

Chapter 6: Definition Reference255define javascriptA javascript definition is used to define a javascript transformer, which adds javascript that you

Page 175

ProxySG Content Policy Language Guide256See Also•Actions: transform• Definitions: define action•Properties: action( )

Page 176

Chapter 6: Definition Reference257define prefix conditionThis deprecated syntax has been replaced by the define url condition. For more information se

Page 177

ProxySG Content Policy Language Guide258define server_url.domain conditionBinds a user-defined label to a set of domain-suffix patterns for use in a c

Page 178

Chapter 6: Definition Reference259 affinityclub.example.comend<Forward> condition=!allowed access_server(no)See AlsoCondition: condition=, serve

Page 179

ProxySG Content Policy Language Guide26Named DefinitionsThere are various types of named definitions. Each definition is given a user defined name tha

Page 180

ProxySG Content Policy Language Guide260define subnetBinds a user-defined label to a set of IP addresses or IP subnet patterns. Use a subnet definitio

Page 181

Chapter 6: Definition Reference261define url conditionBinds a user-defined label to a set of URL prefix patterns for use in a condition= expression. U

Page 182

ProxySG Content Policy Language Guide262timing restrictions for the defined condition will depend on the layer and timing restrictions of the containe

Page 183

Chapter 6: Definition Reference263define url.domain conditionBinds a user-defined label to a set of domain-suffix patterns for use in a condition= exp

Page 184

ProxySG Content Policy Language Guide264See Also• Condition: condition=, server_url.domain=• Definitions: define url condition, define server_url.doma

Page 185

Chapter 6: Definition Reference265define url_rewriteDefines rules for rewriting URLs embedded in tags within HTML, CSS, JavaScript or ASX documents. T

Page 186

ProxySG Content Policy Language Guide266• server_url_substring—A string that, if found in the server URL, will be replaced by the client_url_substring

Page 187

Chapter 6: Definition Reference267restrict dnsThis definition restricts DNS lookups and is useful in installations where access to DNS resolution is l

Page 188

ProxySG Content Policy Language Guide268restrict rdnsThis definition restricts reverse DNS lookups and is useful in installations where access to reve

Page 189

Chapter 6: Definition Reference269transform active_contentThis deprecated syntax has been replaced by define active_content. For more information see

Page 190

Chapter 1: Overview of Content Policy Language27policy that does not require the realm. Once all outstanding transactions that required reference to t

Page 191

ProxySG Content Policy Language Guide270transform url_rewriteThis deprecated syntax has been replaced by define url_rewrite. For more information see

Page 192

Appendix A: Glossaryactions A class of definitions. CPL has two general classes of actions: request or response modifications and notifications. An ac

Page 193

ProxySG Content Policy Language Guide272Forward Policy File A file you create or that might be created during an upgrade from prior SGOS versions, and

Page 194

Appendix A: Glossary273response transformationa modification of the object being returned. This modification can be to either the protocol headers ass

Page 195 - Chapter 4: Property Reference

ProxySG Content Policy Language Guide274

Page 196

Appendix B: Testing and TroubleshootingIf you are experiencing problems with your policy files or would like to monitor evaluation for brief periods o

Page 197

ProxySG Content Policy Language Guide 276 Enabling Request Tracing Use the trace.request( ) property to enable request tracing. Request tracing logs a su

Page 198

Appendix B: Testing and Troubleshooting 277 Here are the relevant policy requirements to be expressed: • DNS lookups are restricted except for a site bei

Page 199

ProxySG Content Policy Language Guide 278 1 start transaction ------------------------------ 2 CPL Evaluation Trace: 3 <Proxy> 4 MATCH: trace.rule

Page 200

Appendix B: Testing and Troubleshooting 279 The following is a trace of the same policy, but for a transaction in which the request URL has an IP addres

Page 201

ProxySG Content Policy Language Guide 28 Authentication and Denial One of the most important timing relationships to be aware of is the relation between

Page 202

ProxySG Content Policy Language Guide 280 Policy: Action discarded, 'set_header_1' conflicts with an action already committed The conflict is r

Page 203

Appendix C: Recognized HTTP Headers The tables provided in this appendix list all recognized HTTP 1.1 headers and indicate how the ProxySG is able to i

Page 204

ProxySG Content Policy Language Guide 282 The following table lists custom headers that are recognized by the ProxySG. If-Match Request X If-Modified-Sinc

Page 205

Appendix D: CPL Substitutions This appendix lists all substitution variables available in CPL. To use a variable in CPL, it is expressed as: $(<field

Page 206

ProxySG Content Policy Language Guide 284 sr-bytes Number of bytes sent from appliance to upstream host. sr-headerlength Number of bytes in the header se

Page 207

Appendix D: CPL Substitutions 285 x-bluecoat-transaction-id transaction.id Unique per-request identifier generated by the appliance (note: this value is

Page 208

ProxySG Content Policy Language Guide 286 cs-version request.version Protocol and version from the client's request; for example, HTTP/1.1. x-blueco

Page 209

Appendix D: CPL Substitutions 287 x-bluecoat-special-esc esc Resolves to the escape character (ASCII HEX 1B). x-bluecoat-special-gt gt The greater-than c

Page 210

ProxySG Content Policy Language Guide 288 x-bluecoat-surfcontrol-reporter-id Specialized value for SurfControl reporter. x-bluecoat-websense-category-id Th

Page 211

Appendix D: CPL Substitutions 289 x-patience-url patience_url The url to be requested for more patience information. x-virus-id Identifier of a virus if

Page 212

Chapter 1: Overview of Content Policy Language 29 <Proxy> client.address=!corporate_subnet deny ; filter out strangers socks.authenticate(MyRealm) ;

Page 213

ProxySG Content Policy Language Guide 290 x-bluecoat-day day Localtime day (as a number) formatted to take up two spaces; for example, 07 for the 7th of

Page 214

Appendix D: CPL Substitutions 291 cs-uri-hostname log_url.hostname Hostname from the 'log' URL. RDNS is used if the URL uses an IP address. cs-

Page 215

ProxySG Content Policy Language Guide 292 sr-uri-query server_url.query Query from the upstream request URL. sr-uri-scheme server_url.scheme Scheme from

Page 216 - ❐ socks.version=

Appendix D: CPL Substitutions 293 Category: user ELFF CPL Description cs-auth-group group One group that an authenticated client is a member of. The group

Page 217

ProxySG Content Policy Language Guide 294 cs(Accept-Language) request.header.Accept-Language Request header: Accept-Language cs(Accept-Ranges) request.hea

Page 218

Appendix D: CPL Substitutions 295 cs(If-Unmodified-Since) request.header.If-Unmodified-Since Request header: If-Unmodified-Since cs(Last-Modified) request.

Page 219

ProxySG Content Policy Language Guide 296 cs(X-Forwarded-For) request.header.X-Forwarded-For Request header: X-Forwarded-For Category: si_response_header E

Page 220

Appendix D: CPL Substitutions 297 rs(From) response.header.From Response header: From rs(Front-End-HTTPS) response.header.Front-End-HTTPS Response header

Page 221

ProxySG Content Policy Language Guide 298 rs(Vary) response.header.Vary Response header: Vary rs(Via) response.header.Via Response header: Via rs(WWW-Aut

Page 222

Appendix E: Filter File Syntax This appendix provides a summary of the syntax and evaluation order used in CacheOS version 4.x filter files. While it i

Page 223

Copyrights 3 THIRD PARTY COPYRIGHT NOTICES Blue Coat Systems, Inc. Security Gateway Operating System (SGOS) version 3 utilizes third party software from

Page 224

ProxySG Content Policy Language Guide 30 Troubleshooting Policy When installed policy does not behave as expected, use policy tracing to understand the b

Page 225

ProxySG Content Policy Language Guide 300 Filter-Part Components The filter part of a filter file can contain the following: • Filters that are not part o

Page 226

Appendix E: Filter File Syntax 301 • The only condition available in filter lines is the acl= condition, which is a synonym for the CPL condition client

Page 227 - Action Reference

ProxySG Content Policy Language Guide 302 ALL Statements An ALL statement is a line beginning with the keyword ALL, followed by zero or more conditions a

Page 228

Appendix E: Filter File Syntax 303 • protocol=value—An optional protocol= condition expression. Available values are http, https, ftp, mms, rtsp, tcp, a

Page 229

ProxySG Content Policy Language Guide 304 While prefix-pattern filters are commonly used outside of any section, the Prefix section is provided to help

Page 230

Appendix E: Filter File Syntax 305 • The domain-suffix filter http://company.com/ denies service to all URLs where company.com is a proper super-domain

Page 231

ProxySG Content Policy Language Guide 306 Evaluation Order CacheOS 4.x filter files have a different order of evaluation than CPL files. A compiled filte

Page 232

Appendix F: Upgrading from CacheOS When upgrading from CacheOS version 4.x to the ProxySG, the default policy files are created as follows: • The CacheO

Page 233

ProxySG Content Policy Language Guide 308 For the CPL compiler, the correct filter will be selected at run time based on the ACL if the filters are dist

Page 234

Index A <Admin> layers, understanding 37 access_log( ) property 154 access_server() property 155 action definition block 246 action part, filter file

Page 235

Chapter 1: Overview of Content Policy Language 31 Conditional Compilation Occasionally, you might be required to maintain policy that can be applied to a

Page 236

ProxySG Configuration and Management Guide 310 D date= condition 67 day= condition 68 define acl definition block, filter file 303 define action definition

Page 237

Index 311 H has_attribute.name= condition 74 has_client= condition 76 hour= condition 77 HTTP cache transactions 36 http.method= condition 79 http.request.ver

Page 238

ProxySG Configuration and Management Guide 312 rules, conflicting 47 statistics, example 276 testing 275 tips on writing 44 troubleshooting 275 whitelists 45

Page 239

Index 313 Q quoting, understanding 22 R realm= condition 112 redirect() action 235 references related Blue Coat documentation x referential integrity, understa

Page 240

ProxySG Configuration and Management Guide 314 T time= condition 134 timing in layers, understanding 41 understanding 36 trace.destination( ) 276 trace.destin

Page 241

ProxySG Content Policy Language Guide 32

Page 242

Chapter 2: Managing Content Policy Language As discussed in Chapter 1, Content Policy Language policies are composed of transactions that are placed in

Page 243 - • Properties:

ProxySG Content Policy Language Guide 34 Each of the protocol-specific proxy transactions has specific information that can be tested—information that m

Page 244

Chapter 2: Managing Content Policy Language 35 Some conditions cannot be evaluated during the first stage; for example, the user and group information w

Page 245 - Definition Reference

ProxySG Content Policy Language Guide 36 An HTTP cache transaction is examined in two stages: • Before the object is retrieved from the origin server. •

Page 246

Chapter 2: Managing Content Policy Language 37 But policy cannot determine the value of the Content-type response header until the response is returned.

Page 247

ProxySG Content Policy Language Guide 38 • The optional admin_properties is a list of properties set if any of the rules in the layer match. These act a

Page 248

Chapter 2: Managing Content Policy Language 39 <Exception> Layers <Exception> layers are evaluated when a proxy transaction is terminated by

Page 249

ProxySG Content Policy Language Guide 4 Redistribution and use of this software and associated documentation ("Software"), with or without mo

Page 250

ProxySG Content Policy Language Guide 40 <Proxy> Layers <Proxy> layers define policy for authenticating and authorizing users’ requests for s

Page 251

Chapter 2: Managing Content Policy Language 41 Timing The “late guards early” timing errors that can occur within a rule can arise across rules in a laye

Page 252

ProxySG Content Policy Language Guide 42 url.domain=nbc.com/athletics deny ; etc, suppose it's a substantial list url.regex="sports|athletics&

Page 253 - , condition=

Chapter 2: Managing Content Policy Language 43 • Rules in [Rule] sections are evaluated sequentially, top to bottom. The time taken is proportional to t

Page 254

ProxySG Content Policy Language Guide 44 • [server_url.domain] sections are allowed only in <Exception> or <Forward> layers. Section Guards Ju

Page 255

Chapter 2: Managing Content Policy Language 45 • Do not mix the CacheOS 4.x filter-file syntax with CPL syntax. Although the Content Policy Language is

Page 256 - • Properties: action( )

ProxySG Content Policy Language Guide 46 The following example is an exception defined within a layer. A company wants access to payroll information lim

Page 257

Chapter 2: Managing Content Policy Language 47 evaluation order as currently configured. Changes to the policy file evaluation order must be managed wit

Page 258

ProxySG Content Policy Language Guide 48 Best Practices • Express separate decisions in separate layers. As policy grows and becomes more complex, mainten

Page 259 - , server_url.domain=

Chapter 3: Condition Reference A condition is an expression that yields true or false when evaluated. Conditions can appear in: • Policy rules. • Section

Page 260

Copyrights 5 A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUC

Page 261

ProxySG Content Policy Language Guide 50 • condition ::= trigger "=" expression • trigger ::= identifier | identifier "." word • exp

Page 262

Chapter 3: Condition Reference 51 Unavailable Triggers Some triggers can be unavailable in some transactions. If a trigger is unavailable, then any cond

Page 263

ProxySG Content Policy Language Guide 52 acl= Deprecated syntax. See "client.address=" on page 60 for more information.

Page 264 - • Condition:

Chapter 3: Condition Reference 53 admin.access= Tests the administrative access requested by the current transaction. It evaluates to null if the transac

Page 265

ProxySG Content Policy Language Guide 54 attribute.name= Tests if the current transaction is authenticated in a RADIUS or LDAP realm, and if the authenti

Page 266

Chapter 3: Condition Reference 55 <proxy> authenticate(RADIUSRealm); This rule would restrict non-authorized users. <proxy> deny condition=!Pro

Page 267

ProxySG Content Policy Language Guide 56 authenticated= True if authentication was requested and the credentials could be verified; otherwise, false. Synt

Page 268

Chapter 3: Condition Reference 57 bitrate= Tests if a streaming transaction requests bandwidth within the specified range or an exact match. When providi

Page 269

ProxySG Content Policy Language Guide 58 <Proxy> ; Use this layer to override a deny in a previous layer ; Grant everybody access to streams up to

Page 270

Chapter 3: Condition Reference 59 category= Tests the content categories of the requested URL as assigned by policy definitions or an installed content f

Page 271 - Glossary

ProxySG Content Policy Language Guide 6 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the fo

Page 272

ProxySG Content Policy Language Guide 60 client.address= Tests the IP address of the client. The expression can include an IP address or subnet or the la

Page 273

Chapter 3: Condition Reference 61 client.protocol= Tests true if the client transport protocol matches the specification. Replaces: client_protocol=syntax

Page 274

ProxySG Content Policy Language Guide 62 condition= Tests if the specified defined condition is true. Syntax condition=condition_label where condition_label

Page 275 - Testing and Troubleshooting

Chapter 3: Condition Reference 63 http://www.x.com time=0800..1000 http://www.y.com month=1 http://www.z.com hour=9..10 end <proxy> condition=test deny

Page 276 - Enabling Request Tracing

ProxySG Content Policy Language Guide 64 console_access= Tests if the current request is destined for the <Admin> layer. This test can be used to d

Page 277

Chapter 3: Condition Reference 65 content_admin= The content_admin= condition has been deprecated. For more information, see "content_management&quo

Page 278

ProxySG Content Policy Language Guide 66 content_management Tests if the current request is a content management transaction. Replaces: content_admin=yes|

Page 279

Chapter 3: Condition Reference 67 date[.utc]= Tests true if the current time is within the startdate..enddate range, inclusive. The comparison is made ag

Page 280

ProxySG Content Policy Language Guide 68 day= Tests if the day of the month is in the specified range or an exact match. The ProxySG appliance’s configur

Page 281 - Recognized HTTP Headers

Chapter 3: Condition Reference 69 exception.id= Tests whether the exception being returned to the client is the specified exception. It can also be used

Page 282

Copyrights 7 This product includes cryptographic software written by Eric Young ([email protected]). This product includes software written by Tim Hudso

Page 283 - CPL Substitutions

ProxySG Content Policy Language Guide 70 ; thrown by deny or force_deny exception.id=policy_denied action.log_interloper(yes) <Exception> exception.

Page 284

Chapter 3: Condition Reference 71 ftp.method= Tests FTP request methods against any of a well-known set of FTP methods. A CPL parse error is given if an

Page 285

ProxySG Content Policy Language Guide 72 group= Tests if the client is authenticated, and the client belongs to the specified group. If both of these con

Page 286

Chapter 3: Condition Reference 73 • Applies to proxy and administrator transactions. • This condition cannot be combined with the authenticate( ), proxy_

Page 287

ProxySG Content Policy Language Guide 74 has_attribute.name= Tests if the current transaction is authenticated in an LDAP realm and if the authenticated

Page 288

Chapter 3: Condition Reference 75 See Also • Conditions: attribute.name=, authenticated=, group=, http.transparent_authentication=, realm=, user=, user.d

Page 289

ProxySG Content Policy Language Guide 76 has_client= The has_client= condition is used to test whether or not the current transaction has a client. This

Page 290

Chapter 3: Condition Reference 77 hour= Tests if the time of day is in the specified range or an exact match. The current time is determined by the Proxy

Page 291

ProxySG Content Policy Language Guide 78 <proxy> allow server_url.domain=xyz.com ; internal site always available allow weekday=6..7 ; unres

Page 292

Chapter 3: Condition Reference 79 http.method= Tests HTTP request methods against any of a common set of HTTP methods. A CPL parse error is given if an u

Page 293

ProxySG Content Policy Language Guide 8 documentation. Moscow Center for SPARC Technology makes no representations about the suitability of this softwa

Page 294

ProxySG Content Policy Language Guide 80 http.request.version= Tests the version of HTTP used by the client in making the request to the appliance. synta

Page 295

Chapter 3: Condition Reference 81 http.response.code= Tests true if the current transaction is an HTTP transaction and the response code received from th

Page 296

ProxySG Content Policy Language Guide 82 http.response.version= Tests the version of HTTP used by the origin server to deliver the response to the ProxyS

Page 297

Chapter 3: Condition Reference 83 http.transparent_authentication= This trigger evaluates to true if HTTP uses transparent proxy authentication for this

Page 298

ProxySG Content Policy Language Guide 84 http.x_method= Tests HTTP request methods against any uncommon HTTP methods. A CPL parse warning is given if the

Page 299 - Filter File Syntax

Chapter 3: Condition Reference 85 im.buddy_id= Tests the buddy_id associated with the instant messaging transaction. Syntax im.buddy_id[.case_sensitive]=us

Page 300 - Filter-Part Components

ProxySG Content Policy Language Guide 86 im.chat_room.conference= Tests whether the chat room associated with the instant messaging transaction has the c

Page 301

Chapter 3: Condition Reference 87 im.chat_room.id= Tests the chat room ID associated with the instant messaging transaction. Syntax im.chat_room.id[.case_s

Page 302 - ALL Statements

ProxySG Content Policy Language Guide 88 im.chat_room.invite_only= Tests whether the chat room associated with the instant messaging transaction has the

Page 303

Chapter 3: Condition Reference 89 im.chat_room.type= Tests whether the chat room associated with the transaction is public or private. Syntax im.chat_room.

Page 304

Preface: Introducing the Content Policy Language The Content Policy Language (CPL) is a powerful, flexible language that enables you to specify a varie

Page 305 - Action-Part Components

ProxySG Content Policy Language Guide 90 im.chat_room.member= Tests whether the chat room associated with the instant messaging transaction has a member

Page 306 - Evaluation Order

Chapter 3: Condition Reference 91 im.chat_room.voice_enabled= Tests whether the chat room associated with the instant messaging transaction is voice enab

Page 307 - Upgrading from CacheOS

ProxySG Content Policy Language Guide 92 im.file.extension= Tests the file extension of a file associated with an instant messaging transaction. The lead

Page 308

Chapter 3: Condition Reference 93 im.file.name= Tests the file name (the last component of the path), including the extension, of a file associated with

Page 309

ProxySG Content Policy Language Guide 94 im.file.path= Tests the file path of a file associated with an instant messaging transaction against the specifi

Page 310

Chapter 3: Condition Reference 95 im.file.size= Performs a signed 64-bit range test of the size of a file associated with an instant messaging transactio

Page 311

ProxySG Content Policy Language Guide 96 im.message.opcode= Tests the value of an opcode associated with an instant messaging transaction whose im.method

Page 312

Chapter 3: Condition Reference 97 im.message.route= Tests how the instant messaging message reaches its recipients. Syntax im.message.route=service|direct|

Page 313

ProxySG Content Policy Language Guide 98 im.message.size= Performs a signed 64-bit range test on the size of the instant messaging message. Syntax im.mess

Page 314

Chapter 3: Condition Reference 99 im.message.text= Tests if the message text contains the specified text or pattern. Note: The .regex version of this test
