Blue Coat Systems(TM) ProxySG Content Policy Language Guide
Blue Coat Systems Inc.
650 Almanor Avenue, Sunnyvale, California 94086
(408) 220-2200 Voice
(408) 220-2250 FAX
(866) 302-2628 Technical Support
(866) 362-2628
info@bluecoat.com
www.bluecoat.com
Copyright (c) 2002, 2003 Blue Coat Systems, Inc. All rights reserved worldwide.
Copyrights

THIRD PARTY COPYRIGHT NOTICES
Blue Coat Systems, Inc. Security Gateway Operating System (SGOS) version 3 utilizes third party software from various sources. Portions of this software are copyrighted by their respective owners as indicated in the copyright notices below. The following lists the copyright notices for:

BPF
Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996 The Regents of the University of California. All rights reserved.

Redistribution and use of this software and associated documentation ("Software"), with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain copyright statements and notices, 2.

A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
2) The 32-bit CRC compensation attack detector in deattack.c was contributed by CORE SDI S.A. under a BSD-style license.
Cryptographic attack detector for ssh - source code
Copyright (c) 1998 CORE SDI S.A., Buenos Aires, Argentina. All rights reserved.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.

This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).

PCRE
Copyright (c) 1997-2001 University of Cambridge
University of Cambridge Computing Service, Cambridge, England. Phone: +44 1223 334714.
Written by: Philip Hazel

documentation. Moscow Center for SPARC Technology makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.
SmartFilter Copyright (c) 2003 Secure Computing Corporation. All rights reserved.
SurfControl Copyright (c) 2003 SurfControl, Inc. All rights reserved.
Symantec AntiVirus Scan Engine Copyright (c) 2003 Symantec Corporation. All rights reserved.
Preface: Introducing the Content Policy Language
The Content Policy Language (CPL) is a powerful, flexible language that enables you to specify a variety of Web-access policies. ProxySG policy is written in CPL, and every Web request is evaluated based on the installed policy. The language is designed so that policies can be customized to an organization's specific set of users and unique enforcement needs. CPL uses the settings created when you configured the ProxySG to your specifications.
Table 2.1: Manual Organization (Continued)
Appendix D – CPL Substitutions: This appendix lists all substitution variables available in CPL.
Appendix E – Filter File Syntax: This appendix provides a summary of the syntax and evaluation order used in CacheOS version 4.x filter files.
Appendix F – Upgrading from CacheOS: If you upgrade from CacheOS 4.x, you need to be aware of the concerns and issues that affect a policy upgrade to SGOS 3.x.
Contents

Preface: Introducing the Content Policy Language
About the Document Organization ix
Supported Browsers ix
Related Blue Coat Documentation
Layers 39
Layers 40
Layer Guards 40
Timing
http.method= 79
http.request.version= 80
http.response.code= 81
http.response.version=
server_url= 125
socks= 128
socks.accelerated=
force_cache( ) 180
force_deny( ) 181
force_exception( ) 182
force_patience_page( )
trace.request( ) 223
trace.rules( ) 224
ttl( )
Appendix B: Testing and Troubleshooting
Enabling Rule Tracing 275
Enabling Request Tracing 276
Using Trace Information to Improve Policies
Chapter 1: Overview of Content Policy Language
The Content Policy Language (CPL) is a programming language with its own concepts and rules that you must follow.
This provides the ability to test various aspects of a request, such as the IP address of the client and the URL used, or the response, such as the contents of any HTTP headers.
• Ensures policy integrity during processing. The lifetime of a transaction may be relatively long, especially if a large object is being fetched over slow networks and subjected to off-box processing services such as content filtering and virus scanning.
For new ProxySG appliances, the default is to deny all requests. For ProxySG appliances being upgraded from CacheOS 4.x, the default is to allow all requests. In either case, the ProxySG can be configured for either default. The default setting is displayed in policy listings. The proper approach to writing layer policy depends on whether the default is to allow or to deny requests.
With a few notable exceptions, triggers test one aspect of the request, the response, or associated state against a boolean expression of values. For the conditions in a rule, each of the triggers is logically anded together. In other words, the condition is only true if every one of the trigger expressions is true.
• More complex boolean expressions are allowed for the pattern_expression in the triggers. For example, the second part of the condition in the simple rule shown above could be "the request is made between 9 a.m. and noon or between 1 p.m. and 5 p.m.", expressed as:
... time=(0900..1200 || 1300..1700) ...
Boolean expressions are built from the specific values allowed with the trigger, and the boolean operators ! (not), && (and), || (or) and ( ) for grouping.
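The pattern-expression grammar just described (values and min..max ranges combined with !, && and ||, grouped with parentheses) is small enough to implement and test directly. The following Python evaluator is an added example written for this guide, not Blue Coat code. It assumes that && binds tighter than ||, that a range with one end left empty is unbounded on that side, and that a range whose minimum exceeds its maximum wraps around, which is the behaviour the hour= example in Chapter 3 (hour=17..8 for outside business hours) relies on; whether other triggers such as time= accept inverted ranges on a real appliance is not stated in this guide. Values are plain integers, so HHMM times such as 0900 are compared numerically.

```python
"""Evaluator for the boolean pattern expressions CPL accepts on the right of a
numeric trigger (time=, hour=, day=, weekday=, http.response.code=, ...).
Added example for this guide, not Blue Coat code. Assumptions: && binds
tighter than ||; a range with an empty end is unbounded on that side; a range
whose minimum exceeds its maximum wraps around (hour=17..8)."""
import re

# one token per match: ( ) ! && || or a value/range such as 0900..1200
_TOKEN = re.compile(r"\s*(\(|\)|!|&&|\|\||[^\s()!&|]+)")


def tokenize(expr):
    expr = expr.strip()
    tokens, pos = [], 0
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if m is None:
            raise ValueError(f"bad token at {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def _atom(text):
    """Compile one value or min..max range into a predicate on an int."""
    if ".." not in text:
        exact = int(text)
        return lambda v: v == exact
    lo, hi = text.split("..", 1)
    lo = int(lo) if lo else None
    hi = int(hi) if hi else None
    if lo is None and hi is None:
        raise ValueError("range needs at least one bound")
    if lo is None:
        return lambda v: v <= hi
    if hi is None:
        return lambda v: v >= lo
    if lo <= hi:
        return lambda v: lo <= v <= hi
    # inverted range: 17..8 is 17 through 23 or 0 through 8
    return lambda v: v >= lo or v <= hi


class _Parser:
    """expr := term ('||' term)* ; term := factor ('&&' factor)* ;
    factor := '!' factor | '(' expr ')' | atom"""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def expr(self):
        left = self.term()
        while self.peek() == "||":
            self.take()
            left = (lambda l, r: lambda v: l(v) or r(v))(left, self.term())
        return left

    def term(self):
        left = self.factor()
        while self.peek() == "&&":
            self.take()
            left = (lambda l, r: lambda v: l(v) and r(v))(left, self.factor())
        return left

    def factor(self):
        tok = self.take()
        if tok == "!":
            inner = self.factor()
            return lambda v: not inner(v)
        if tok == "(":
            inner = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return inner
        if tok is None or tok == ")":
            raise ValueError("unexpected end of expression")
        return _atom(tok)


def compile_pattern(expr):
    """Return a predicate int -> bool for a CPL pattern expression."""
    parser = _Parser(tokenize(expr))
    pred = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"trailing tokens: {parser.toks[parser.i:]}")
    return pred


def matches(value, expr):
    return compile_pattern(expr)(value)


def business_hours_demo():
    """time=(0900..1200 || 1300..1700) from Chapter 1 over sample HHMM times."""
    pattern = "(0900..1200 || 1300..1700)"
    return {t: matches(t, pattern) for t in (830, 900, 1230, 1700, 1701)}


if __name__ == "__main__":
    print(business_hours_demo())
    print("hour=17..8 at 18:", matches(18, "17..8"), "at 12:", matches(12, "17..8"))
```

Because the parser rejects a dangling operator or an unbalanced parenthesis instead of guessing, it is also a cheap way to lint the pattern expressions in a policy before installing it: a typo such as a stray & or an empty range surfaces as a ValueError rather than as a rule that silently never matches.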
Layers
A policy layer is a CPL construct used to evaluate a set of rules and reach one decision. Separating decisions helps control policy complexity, and is done through writing each decision in a separate layer. Each layer has the form:
[layer_condition][layer_properties] ...
[section_type [label]] [section_condition][section_properties]
section_content
where:
• The section_type defines the syntax of the rules used in the section, and the evaluation strategy used to evaluate those rules. The square brackets [ ] surrounding the section name (and optional label) are required.
• The optional label, separated from the section type by a space, is a CPL User-defined Identifier similar to a layer label.
Named Definitions
There are various types of named definitions. Each definition is given a user-defined name that is then used in rules to refer to the definition. This section highlights a few of the definition types, as an overview of the topic. Refer to the Definitions reference chapter for more details.
policy that does not require the realm. Once all outstanding transactions that required reference to the realm have completed, the realm can be removed from configuration.
Substitutions
The actions used to rewrite the URL request or to modify HTTP request headers or HTTP response headers often need to reference the values of various elements of the transaction state when constructing the new URL or header value.
Authentication and Denial
One of the most important timing relationships to be aware of is the relation between authentication and denial. Denial can be done either before or after authentication, and different organizations have different requirements. For example, suppose an organization requires the following:
• Protection from denial of service attacks by refusing traffic from any source other than the corporate subnet.
client.address=!corporate_subnet deny ; filter out strangers
socks.authenticate(MyRealm) ; this happens earlier than the category test, so that
; user names are displayed in the access log for the denied requests
category=Gambling exception(content_filter_denied)
Note that this only works for SOCKS authenticated users.
Installing Policy
Policy is installed by installing one of the four policy files (VPM, Local, Central or Forward).
Equal sign (=) — example: server_url.scheme=mms — Used to indicate the value a condition is to test.
Parentheses ( ) — example: service(no) — Used to enclose the value that a property is to be set to, or to group the components of a test.
Troubleshooting Policy
When installed policy does not behave as expected, use policy tracing to understand the behavior of the installed policy.
Conditional Compilation
Occasionally, you might be required to maintain policy that can be applied to appliances running different versions of SGOS and requiring different CPL. CPL provides the following conditional compilation directive that tests the SGOS version (such as 2.1.06):
release.version=
The range is a standard CPL range test: min..max, where both minimum and maximum are optional. The min and max can be MAJOR.MINOR.DOT.
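The release.version= test is a range test over dotted version numbers rather than plain integers. The following Python helper is an added example for this guide, not Blue Coat code, and it models only the comparison, not the directive syntax that wraps it. It assumes that a bound with fewer than three components is padded with zeros, so ..3.1 means ..3.1.0 and excludes 3.1.2; whether the appliance treats a short upper bound that way is not stated in this guide, which is a good reason to write upper bounds with all three components. The policy variants it selects between are placeholder strings.

```python
"""release.version= range test (CPL conditional compilation). Added example,
not Blue Coat code. Assumption: bounds with fewer than three components are
zero-padded, so '..3.1' is '..3.1.0' and does not include 3.1.2."""


def parse_version(text):
    """'2.1.06' -> (2, 1, 6); MAJOR[.MINOR[.DOT]], missing parts become 0."""
    text = text.strip()
    if not text:
        raise ValueError("empty version")
    parts = [int(p) for p in text.split(".")]
    if len(parts) > 3:
        raise ValueError(f"version must be MAJOR.MINOR.DOT: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def release_version_matches(running, spec):
    """True if the running SGOS version satisfies spec.

    spec is either an exact version or min..max where either end may be
    empty: '3.1..' (3.1.0 and later), '..2.1.06' (up to and including
    2.1.06), '3.0..3.1.99'."""
    current = parse_version(running)
    if ".." not in spec:
        return current == parse_version(spec)
    lo, hi = spec.split("..", 1)
    if not lo.strip() and not hi.strip():
        raise ValueError("range needs at least one bound")
    if lo.strip() and current < parse_version(lo):
        return False
    if hi.strip() and current > parse_version(hi):
        return False
    return True


def select_policy(running, variants):
    """Return the first policy fragment whose version spec matches `running`.

    variants is an ordered list of (spec, cpl_text); this models keeping one
    policy file for appliances that run different SGOS releases."""
    for spec, cpl in variants:
        if release_version_matches(running, spec):
            return cpl
    raise LookupError(f"no policy variant written for SGOS {running}")


# Constructed placeholders; the real fragments would be the CPL that differs
# between releases.
VARIANTS = [
    ("3.0..", "; CPL written for SGOS 3.x"),
    ("2.0..2.99.99", "; CPL written for SGOS 2.x"),
]

if __name__ == "__main__":
    for v in ("2.1.06", "3.1.2"):
        print(v, "->", select_policy(v, VARIANTS))
```

select_policy raises rather than falling through when no variant matches, so a version the policy was never written for is caught when the policy is tested instead of compiling to nothing.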
Chapter 2: Managing Content Policy Language
As discussed in Chapter 1, Content Policy Language policies are composed of rules, grouped into layers, whose conditions are tested against each transaction. This chapter discusses the following:
• "Understanding Transactions and Timing"
• "Understanding Layers"
• "Understanding Sections"
• "Defining Policies"
• "Best Practices"
Understanding Transactions and Timing
Transactions are classified as administrator, proxy, cache, and forwarding.
Each of the protocol-specific proxy transactions has specific information that can be tested—information that may not be available from or relevant to other protocols. HTTP headers and Instant Messaging buddy names are two examples of protocol-specific information. Other key differentiators among the proxy transaction subtypes are the order in which information becomes available and when specific actions must be taken, as dictated by the individual protocols.
Table 2.1: When Policy is Evaluated (Continued)
Windows Media HTTP streaming transactions: before the authentication challenge; after the authentication challenge, but before the requested object is fetched; before making an upstream connection, if necessary. (Up to this point it is similar to an HTTP transaction.
An HTTP cache transaction is examined in two stages:
• Before the object is retrieved from the origin server.
• After the object is retrieved.
Forwarding Transactions
A forwarding transaction is created when the ProxySG needs to evaluate forwarding policy before accessing a remote host and no proxy or cache transaction is associated with this activity. Examples include sending a heart-beat message, and downloading an installable list from an HTTP server.
But policy cannot determine the value of the Content-type response header until the response is returned. The ProxySG cannot contact the server to get the response until policy determines what hosts or gateways to route through to get there. In other words, policy must set the forward() property. But policy cannot commit the forwarding action until the Content-type response header has been determined.
• The optional admin_properties is a list of properties set if any of the rules in the layer match. These act as defaults, and can be overridden by property settings in specific rules in the layer. For more information on using properties, see Chapter 4: "Property Reference". See also the following Layer Guards section.
<Cache> Layers
<Cache> layers hold policy that is executed by both cache and proxy transactions.
<Exception> Layers
<Exception> layers are evaluated when a proxy transaction is terminated by an exception. This could be caused by a bad request (for example, the request URL names a non-existent server) or by setting the deny or exception() properties in policy. Policy in an exception layer can be used to control how access logging is performed for exceptions, such as authentication_failed.
<Proxy> Layers
<Proxy> layers define policy for authenticating and authorizing users' requests for service over one of the configured proxy service ports (refer to Chapter 6: "Managing Port Services" in the ProxySG Configuration and Management Guide). Proxy layer policy involves both client identity and content. Only proxy transactions are evaluated against <Proxy> layers. The syntax is:
[proxy_condition][proxy_properties] ...
Timing
The "late guards early" timing errors that can occur within a rule can also arise across rules in a layer. When a trigger cannot yet be evaluated, policy also has to postpone evaluating all following rules in that layer (since if the trigger turns out to be true and the rule matches, then evaluation stops for that layer).
url.domain=nbc.com/athletics deny
; etc, suppose it's a substantial list
url.regex="sports|athletics" access_server(no)
url.regex="\.mail\." deny
; etc
url=www.bluecoat.com/internal group=!bluecoat_employees deny
url=www.bluecoat.com/proteus group=!bluecoat_development deny
; etc
(The group=!... rules above only take effect for authenticated transactions: group= is unavailable otherwise, and a condition on an unavailable trigger is false even when negated, as described under "Unavailable Triggers" in Chapter 3.)
This can be recast into three sections:
[url.domain]
abc.com/sports deny
nbc.com/athletics deny
; etc.
[Rule]
url.regex="sports|athletics" access_server(no)
url.regex="\.mail\.
• Rules in [Rule] sections are evaluated sequentially, top to bottom. The time taken is proportional to the number of rules in the section.
• [Rule] sections can be used in any layer.
[url]
The [url] section type is used to group a number of rules that test the URL. The [url] section restricts the syntax of rules in the section. The first token on the rule line is expected to be a pattern appropriate to a url= trigger. The trigger name is not included.
• [server_url.domain] sections are allowed only in or layers.
Section Guards
Just as you can with layers, you can improve policy clarity and maintainability by grouping rules into sections and converting the common conditions and properties into guard expressions that follow the section header.
• Do not mix the CacheOS 4.x filter-file syntax with CPL syntax. Although the Content Policy Language is backward-compatible with the filter-file syntax, avoid using the older syntax with the new. For example, as the filter-file syntax uses a different order of evaluation, mixing the old and new syntax can cause problems. Blue Coat strongly recommends not mixing the two syntaxes.
The following example is an exception defined within a layer. A company wants access to payroll information limited to Human Resources staff only. The administrator uses membership in the HR_staff group to define the exception for HR staff, followed by the general policy:
; Blue Coat uses groups to identify HR staff, so authentication is required
authenticate(MyRealm)
define condition payroll_location
url=hr.my_company.
evaluation order as currently configured. Changes to the policy file evaluation order must be managed with great care. Remember that properties maintain any setting unless overridden later in the file, so you could implement general policy in early layers by setting a wide number of properties, and then use a later layer to override selected properties.
Best Practices
• Express separate decisions in separate layers. As policy grows and becomes more complex, maintenance becomes a significant issue. Maintenance will be easier if the logic for each aspect of policy is separate and distinct. Try to make policy decisions as independent as possible, and express each policy in one layer or two adjacent layers.
• Be consistent with the model.
Chapter 3: Condition Reference
A condition is an expression that yields true or false when evaluated. Conditions can appear in:
• Policy rules.
• Section and layer headers, as guards; for example, [Rule] group=("bankabc\hr" || "cn=humanresources,ou=groups,o=westernnational")
• define condition, define domain condition, and define prefix condition definition blocks.
Condition Syntax
A condition has the following form:
trigger=pattern-expression
A trigger is the name of a condition variable.
• condition ::= trigger "=" expression
• trigger ::= identifier | identifier ".
Unavailable Triggers
Some triggers can be unavailable in some transactions. If a trigger is unavailable, then any condition containing that trigger is false, regardless of the pattern expression. For example, if the current transaction is not authenticated (that is, the authenticate property was set to no), then the user trigger is unavailable. This means that user=kevin and user=!kevin are both false.
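The consequence for policy authors is that a negated test on an unavailable trigger cannot serve as a catch-all: a rule such as user=!kevin deny leaves an unauthenticated transaction untouched, and whatever the default or an earlier layer decided still stands. The following Python model of rule, layer and property evaluation is an added example for this guide, not Blue Coat code. It represents a transaction as a dict of trigger values (a missing key is an unavailable trigger), applies the anding of triggers within a rule, first-match-wins within a layer, and later-layer override of properties as described in Chapters 1 and 2, and contrasts the broken policy with one that tests authenticated=no first, a trigger that is always available. The transactions, user and group names are constructed for the example.

```python
"""Model of CPL rule, layer and property evaluation with unavailable triggers.
Added example for this guide, not Blue Coat code. A transaction is a dict of
trigger values; a trigger absent from the dict is 'unavailable'."""


def condition_true(tx, trigger, pattern):
    """Evaluate one trigger=pattern test against transaction tx.

    pattern is a value or !value. An unavailable trigger makes the condition
    false whatever the pattern says, so user=kevin and user=!kevin are both
    false for an unauthenticated transaction."""
    if trigger not in tx:
        return False
    negate = pattern.startswith("!")
    want = pattern[1:] if negate else pattern
    value = tx[trigger]
    if isinstance(value, (set, frozenset, list, tuple)):
        hit = want in value          # group= is a membership test
    else:
        hit = str(value) == want
    return (not hit) if negate else hit


def rule_matches(tx, rule):
    """All triggers in one rule are logically anded."""
    return all(condition_true(tx, trig, pat) for trig, pat in rule["conditions"])


def evaluate(policy, tx, default_deny=True):
    """policy is a list of layers; a layer is a list of rules.

    Within a layer the first matching rule wins and ends that layer.
    A property keeps its value until a later layer overrides it."""
    props = {"deny": default_deny}
    for layer in policy:
        for rule in layer:
            if rule_matches(tx, rule):
                props.update(rule["properties"])
                break
    return props


def rule(conditions, **properties):
    return {"conditions": conditions, "properties": properties}


def is_denied(policy, tx, default_deny=False):
    """default_deny=False models an appliance upgraded from CacheOS 4.x
    (or an earlier layer that already allowed the request)."""
    return evaluate(policy, tx, default_deny)["deny"]


# Intended policy: only kevin, plus HR staff, may use the proxy.
# Broken form: user=!kevin never matches an anonymous client because user=
# is unavailable, so the anonymous client is never denied.
BROKEN = [
    [rule([("user", "!kevin")], deny=True)],
]

# Hardened form: deny on authenticated=no first (always available), then
# restrict by user; a later layer re-allows the HR group.
HARDENED = [
    [rule([("authenticated", "no")], deny=True),
     rule([("user", "!kevin")], deny=True)],
    [rule([("group", "hr_staff")], deny=False)],
]

# Constructed transactions, not taken from the guide.
ANONYMOUS = {"client.address": "10.1.1.5", "authenticated": "no"}
KEVIN = {"client.address": "10.1.1.5", "authenticated": "yes",
         "user": "kevin", "group": {"all_staff"}}
ALICE = {"client.address": "10.1.1.6", "authenticated": "yes",
         "user": "alice", "group": {"all_staff", "hr_staff"}}
BOB = {"client.address": "10.1.1.7", "authenticated": "yes",
       "user": "bob", "group": {"all_staff"}}

if __name__ == "__main__":
    for name, tx in (("anonymous", ANONYMOUS), ("kevin", KEVIN),
                     ("alice", ALICE), ("bob", BOB)):
        print(f"{name:10} broken denies={is_denied(BROKEN, tx)!s:5} "
              f"hardened denies={is_denied(HARDENED, tx)}")
```

Running the model shows the anonymous client passing the broken policy and being stopped by the hardened one, while kevin and alice (via the later group layer) are allowed and bob is denied by both. The same reasoning applies to the group= and realm= triggers in this chapter, which are likewise unavailable when the transaction is not authenticated.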
acl=
Deprecated syntax. See "client.address=" on page 60 for more information.
admin.access=
Tests the administrative access requested by the current transaction. It evaluates to null if the transaction is not an administrative transaction, which may occur if the test is included in an layer.
Replaces: method=
Syntax
admin.access=READ|WRITE
Layer and Transaction Notes
• Use in layers instead of method=
• Applies to administrator transactions.
attribute.name=
Tests if the current transaction is authenticated in a RADIUS or LDAP realm, and if the authenticated user has the specified attribute with the specified value. This trigger is unavailable if the current transaction is not authenticated (that is, the authenticate property is set to no). If you reference more than one realm in your policy, you may wish to disambiguate attribute tests by combining them with a realm= test.
authenticate(RADIUSRealm)
; This rule would restrict non-authorized users.
deny condition=!ProxyAllowed
; This rule would serve to override a previous denial and grant access to authorized users
allow condition=ProxyAllowed
See Also
• Conditions: authenticated=, group=, has_attribute.name=, http.transparent_authentication=, realm=, user=, user.domain=
• Properties: authenticate( ), authenticate.
authenticated=
True if authentication was requested and the credentials could be verified; otherwise, false.
Syntax
authenticated=(yes|no)
Layer and Transaction Notes
• Use in and layers.
• Applies to proxy and administrator transactions.
• This condition cannot be combined with the authenticate() property.
Examples
; In this example, only users authenticated in any domain are granted access to a
; specific site.
client.address=10.10.10.
bitrate=
Tests if a streaming transaction requests bandwidth within the specified range or an exact match. When providing a range, either value can be left empty, implying either no lower or no upper limit on the test. Bitrate can change dynamically during a transaction, so this policy is re-evaluated for each change. Note that the numeric pattern used to test the bitrate= condition can contain no whitespace.
; Use this layer to override a deny in a previous layer
; Grant everybody access to streams up to 56K, sales group up to 2M
allow bitrate=..56K
allow group=sales bitrate=..2M
See Also
• Conditions: live=, streaming.client=, streaming.content=
• Properties: access_server( ), max_bitrate( ), streaming.
category=
Tests the content categories of the requested URL as assigned by policy definitions or an installed content filter database. A URL that is not categorized is assigned the category none. If a content filter provider is selected in configuration, but an error occurs in determining the category, the URL is assigned the category unavailable (in addition to any categories assigned directly by policy). This can be the result of either a missing database or license expiry.
client.address=
Tests the IP address of the client. The expression can include an IP address or subnet or the label of a subnet definition block.
Important: If a user is explicitly proxied to the ProxySG, layer policy applies even if the URL destination is an administrative URL for the ProxySG itself, and should therefore also be covered under layer policy. However, when the client.
client.protocol=
Tests true if the client transport protocol matches the specification.
Replaces: client_protocol=
Syntax
client.protocol=http|https|ftp|tcp|socks|mms|rtsp|icp|aol-im|msn-im|yahoo-im
Note that tcp specifies a tunneled transaction.
Layer and Transaction Notes
• Use in , , and layers.
• Applies to proxy transactions.
• Tests false if the transaction is not associated with a client.
See Also
• Conditions: client.
condition=
Tests if the specified defined condition is true.
Syntax
condition=condition_label
where condition_label is the label of a custom condition as defined in a define condition, define url.domain condition, or define url condition definition block.
Layer and Transaction Notes
• Use in all layers.
• The defined conditions that are referenced may have usage restrictions, as they must be evaluated in the layer from which they are referenced.
http://www.x.com time=0800..1000
http://www.y.com month=1
http://www.z.com hour=9..10
end
condition=test deny
; Example of a define domain-suffix (or domain) condition
define url.domain condition test
com ; Matches all domains ending in .com
end
condition=test deny
See Also
• Definitions: define condition, define url.domain condition, define url condition
• Properties: action.
console_access=
Tests if the current request is destined for the layer. This test can be used to distinguish access to the management console by administrators who are explicitly proxied to the ProxySG being administered. The test can be used to guard transforms that should not apply to the Management Console. This cannot be used to test Telnet sessions, as they do not go through a layer.
content_admin=
The content_admin= condition has been deprecated. For more information, see "content_management" on page 66.
content_management=
Tests if the current request is a content management transaction.
Replaces: content_admin=yes|no
Syntax
content_management=yes|no
Layer and Transaction Notes
• Use in and layers.
• Applies to all transactions.
See Also
• Conditions: category=, ftp.method=, http.method=, http.x_method=, method=, server_url=
• Properties: http.request.version( ), http.response.
date[.utc]=
Tests true if the current time is within the startdate..enddate range, inclusive. The comparison is made against local time unless the .utc qualifier is specified.
Syntax
date[.utc]=YYYYMMDD..YYYYMMDD
date[.utc]=MMDD..MMDD
Layer and Transaction Notes
• Using time-related conditions to control caching behavior in a layer may cause thrashing of the cached objects.
day=
Tests if the day of the month is in the specified range or an exact match. The ProxySG appliance's configured date and time zone are used to determine the current day of the month. To specify the UTC time zone, use the form day.utc=. Note that the numeric pattern used to test the day condition can contain no whitespace.
Syntax
day[.utc]={[first_day]..
exception.id=
Tests whether the exception being returned to the client is the specified exception. It can also be used to determine whether the exception being returned is a built-in or user-defined exception. Built-in exceptions are handled automatically by the ProxySG but special handling can be defined within an layer. Special handling is most often required for user-defined exceptions.
Syntax
exception.
; thrown by deny or force_deny
exception.id=policy_denied action.log_interloper(yes)
exception.id=user_defined.restricted_content
; any policy required for this user defined exception
...
See Also
• Properties: deny( ), deny.unauthorized( ), exception( )
• Actions: authenticate( ), authenticate.
ftp.method=
Tests FTP request methods against any of a well-known set of FTP methods. A CPL parse error is given if an unrecognized method is specified.
• ftp.method= evaluates to true if the request method matches any of the methods specified.
• ftp.method= evaluates to NULL if the request is not an FTP protocol request.
Syntax
ftp.
group=
Tests if the client is authenticated, and the client belongs to the specified group. If both of these conditions are met, the result is true. In addition, the realm= condition can be used to test whether the user is authenticated in the specified realm. This trigger is unavailable if the current transaction is not authenticated; that is, the authenticate( ) property is set to no.
• Applies to proxy and administrator transactions.
• This condition cannot be combined with the authenticate( ), proxy_authentication( ), or socks.authenticate( ) properties.
Examples
; Test if user is authenticated in group all_staff and specified realm.
realm=corp group=all_staff
; This example shows sample group tests for each type of realm.
has_attribute.name=
Tests if the current transaction is authenticated in an LDAP realm and if the authenticated user has the specified LDAP attribute. If the attribute specified is not configured in the LDAP schema and yes is used in the expression, the condition always yields false. This trigger is unavailable if the current transaction is not authenticated (that is, the authenticate property is set to no).
See Also
• Conditions: attribute.name=, authenticated=, group=, http.transparent_authentication=, realm=, user=, user.domain=
• Properties: authenticate( ), authenticate.
has_client=
The has_client= condition is used to test whether or not the current transaction has a client. This can be used to guard triggers that depend on client identity in a layer.
Syntax
has_client=yes|no
Layer and Transaction Notes
• Use in layers.
• Applies to all transactions.
See Also
• Conditions: client.address=, client.protocol=, proxy.address=, proxy.card=, proxy.port=, streaming.
hour=
Tests if the time of day is in the specified range or an exact match. The current time is determined by the ProxySG appliance's configured clock and time zone by default, although the UTC time zone can be specified by using the form hour.utc=. The numeric pattern used to test the hour= condition contains no whitespace.
Note: Any range of hours or exact hour includes all the minutes in the final hour. See the "Examples" section.
Syntax
hour[.utc]={[first_hour]..
allow server_url.domain=xyz.com ; internal site always available
allow weekday=6..7 ; unrestricted weekends
allow hour=17..8 ; inverted range for outside business hours
See Also
• Conditions: date[.
http.method=
Tests HTTP request methods against any of a common set of HTTP methods. A CPL parse error is given if an unrecognized method is specified.
Syntax
http.method=GET|CONNECT|DELETE|HEAD|POST|PUT|TRACE|OPTIONS|TUNNEL|LINK|UNLINK|PATCH|PROPFIND|PROPPATCH|MKCOL|COPY|MOVE|LOCK|UNLOCK|MKDIR|INDEX|RMDIR
where:
• http.method= evaluates to true if the request method matches any of the methods specified.
• http.
http.request.version=
Tests the version of HTTP used by the client in making the request to the appliance.
Syntax
http.request.version=0.9|1.0|1.1
Layer and Transaction Notes
• Use in , , and layers.
• Applies to HTTP transactions.
See Also
• Conditions: http.response.code=, http.response.version=
• Properties: http.request.version( ), http.response.
http.response.code=
Tests true if the current transaction is an HTTP transaction and the response code received from the origin server is as specified.
Replaces: http.response_code
Syntax
http.response.code=nnn
where nnn is a standard numeric range test with values in the range 100 to 999 inclusive.
Layer and Transaction Notes
• Use in , , and layers.
• Applies to HTTP transactions.
See Also
• Conditions: http.request.version=, http.response.
http.response.version=
Tests the version of HTTP used by the origin server to deliver the response to the ProxySG.
Syntax
http.response.version=0.9|1.0|1.1
Layer and Transaction Notes
• Use in , , and layers.
• Applies to HTTP transactions.
See Also
• Conditions: http.request.version=, http.response.code=
• Properties: http.response.
http.transparent_authentication=
This trigger evaluates to true if HTTP uses transparent proxy authentication for this request. The trigger can be used with the authenticate( ) or authenticate.force( ) properties to select an authentication realm.
Syntax
http.transparent_authentication=yes|no
Layer and Transaction Notes
• Use in , , and layers.
• Applies to HTTP transactions.
See Also
• Conditions: attribute.
http.x_method=
Tests HTTP request methods against any uncommon HTTP methods. A CPL parse warning is given if the method specified is a recognized method (in which case, http.method= is recommended). Uncommon methods are tested using a string comparison, so some performance benefit exists with using http.method= when testing for common methods.
Syntax
http.x_method=method_name_list
where http.x_method= evaluates to NULL if the request is not an HTTP protocol request.
im.buddy_id=
Tests the buddy_id associated with the instant messaging transaction.
Syntax
im.buddy_id[.case_sensitive]=user_id_string
im.buddy_id.substring[.case_sensitive]=substring
im.buddy_id.regex[.case_sensitive]="expr"
where:
• user_id_string—An exact match of the complete instant messaging buddy name.
• substring . . . substring—Specifies a substring of an instant messaging buddy name.
• regex . . . "expr"—Takes a regular expression.
im.chat_room.conference=
Tests whether the chat room associated with the instant messaging transaction has the conference attribute set.
Syntax
im.chat_room.conference=yes|no
Layer and Transaction Notes
• Use in and layers.
• Applies to instant messaging transactions.
See Also
• Actions: append(), im.alert( ), set( )
• Conditions: im.buddy_id=, im.chat_room.id=, im.chat_room.invite_only=, im.chat_room.type=, im.chat_room.member=, im.
im.chat_room.id=
Tests the chat room ID associated with the instant messaging transaction.
Syntax
im.chat_room.id[.case_sensitive]=user_id_string
im.chat_room.id.substring[.case_sensitive]=substring
im.chat_room.id.regex[.case_sensitive]="expr"
where:
• user_id_string—An exact match of the complete chat room ID.
• substring . . . substring—Specifies a substring of a chat room ID.
• regex . . . "expr"—Takes a regular expression.
im.chat_room.invite_only=
Tests whether the chat room associated with the instant messaging transaction has the invite_only attribute set.
Syntax
im.chat_room.invite_only=yes|no
Layer and Transaction Notes
• Use in and layers.
• Applies to instant messaging transactions.
See Also
• Actions: append(), im.alert( ), set( )
• Conditions: im.buddy_id=, im.chat_room.conference=, im.chat_room.id=, im.chat_room.type=, im.chat_room.member=, im.
im.chat_room.type=
Tests whether the chat room associated with the transaction is public or private.
Syntax
im.chat_room.type=public|private
Layer and Transaction Notes
• Use in and layers.
• Applies to instant messaging transactions.
See Also
• Actions: append(), im.alert( ), set( )
• Conditions: im.buddy_id=, im.chat_room.conference=, im.chat_room.id=, im.chat_room.invite_only=, im.chat_room.member=, im.chat_room.voice_enabled=, im.file.
im.chat_room.member=
Tests whether the chat room associated with the instant messaging transaction has a member matching the specified criterion.
Syntax
im.chat_room.member[.case_sensitive]=buddy_id_string
im.chat_room.member.substring[.case_sensitive]=substring
im.chat_room.member.regex[.case_sensitive]="expr"
where:
• buddy_id_string—An exact match of the complete instant messaging buddy ID.
• substring . . . substring—Specifies a substring of the instant messaging buddy ID.
im.chat_room.voice_enabled=
Tests whether the chat room associated with the instant messaging transaction is voice enabled.
Syntax
im.chat_room.voice_enabled=yes|no
Layer and Transaction Notes
• Use in and layers.
• Applies to instant messaging transactions.
See Also
• Actions: append(), im.alert( ), set( )
• Conditions: im.buddy_id=, im.chat_room.conference=, im.chat_room.id=, im.chat_room.invite_only=, im.chat_room.type=, im.chat_room.
im.file.extension=
Tests the file extension of a file associated with an instant messaging transaction. The leading '.' of the file extension is optional. Only supports an exact match.
Syntax
im.file.extension[.case_sensitive]=[.]filename_extension
Notes
By default the test is case-insensitive. Specifying .case_sensitive makes the test case-sensitive.
Layer and Transaction Notes
• Use in and layers.
• Applies to instant messaging transactions.
im.file.name=
Tests the file name (the last component of the path), including the extension, of a file associated with an instant messaging transaction.
Syntax
im.file.name[.case_sensitive]=string
im.file.name.prefix[.case_sensitive]=prefix_string
im.file.name.substring[.case_sensitive]=substring
im.file.name.regex[.case_sensitive]="expr"
where:
• string—An exact match of the complete file name with extension.
• prefix . . . prefix_string—Specifies a prefix match.
im.file.path=
Tests the file path of a file associated with an instant messaging transaction against the specified criterion.
Syntax
im.file.path[.case_sensitive]=string
im.file.path.prefix[.case_sensitive]=prefix_string
im.file.path.substring[.case_sensitive]=substring
im.file.path.regex[.case_sensitive]="expr"
where:
• string—An exact match of the complete path.
• prefix . . . prefix_string—Specifies a prefix match.
• substring . . .
im.file.size=
Performs a signed 64-bit range test of the size of a file associated with an instant messaging transaction.
Syntax
im.file.size=[min]..[max]
The default minimum value is zero (0); there is no default maximum value.
Layer and Transaction Notes
• Use in and layers.
• Applies to instant messaging transactions.
See Also
• Actions: append(), im.alert( ), set( )
• Conditions: im.buddy_id=, im.chat_room.conference=, im.chat_room.id=, im.
im.message.opcode=
Tests the value of an opcode associated with an instant messaging transaction whose im.method is send_unknown or receive_unknown.
Note: Generally, this is used with deny( ) to restrict interactions that are new to one of the supported instant messaging protocols and for which direct policy control is not yet available. Use of this trigger requires specific values for the opcode as determined by Blue Coat Systems technical support.
Syntax
im.
im.message.route=
Tests how the instant messaging message reaches its recipients.
Syntax
im.message.route=service|direct|chat
where:
• service—The message is relayed through the IM service.
• direct—The message is sent directly to the recipient.
• chat—The message is sent to a chat room (includes conferences).
Layer and Transaction Notes
• Use in and layers.
• Applies to instant messaging transactions.
See Also
• Actions: append(), im.
im.message.size=
Performs a signed 64-bit range test on the size of the instant messaging message.
Syntax
im.message.size=[min]..[max]
The default minimum value is zero (0); there is no default maximum value.
Layer and Transaction Notes
• Use in and layers.
• Applies to instant messaging transactions.
See Also
• Actions: append(), im.alert( ), set( )
• Conditions: im.buddy_id=, im.chat_room.conference=, im.chat_room.id=, im.chat_room.
im.message.text=
Tests if the message text contains the specified text or pattern.
Note: The .regex version of this test is limited to the first 8K of the message. The .substring version of the test does not have this restriction.
Syntax
im.message.text.substring[.case_sensitive]=substring
im.message.text.regex[.case_sensitive]=expr
where:
• substring . . . substring—Specifies a substring match of the message text.
• regex . . . "expr"—Takes a regular expression.
im.message.type=
Tests the message type of an instant messaging transaction.
Syntax
im.message.type=text|invite|voice_invite|file|file_list|application
where:
• text—Normal IM text message.
• invite—An invitation to a chat room or to communicate directly.
• voice_invite—Invitation to a voice chat.
• file—The message contains a file.
• file_list—The message contains a list of exported files.
im.method=
Tests the method associated with the instant messaging transaction.
Syntax
im.method=open|create|join|join_user|login|logout|notify_join|notify_quit|notify_state|quit|receive|receive_unknown|send|send_unknown|set_state
Layer and Transaction Notes
• Use in , , and layers.
• Applies to instant messaging transactions.
See Also
• Actions: append(), im.alert( ), set( )
• Conditions: ftp.method=, http.method=, http.
im.user_id=
Tests the user_id associated with the instant messaging transaction.
Syntax
im.user_id[.case_sensitive]=user_id_string
im.user_id.substring[.case_sensitive]=substring
im.user_id.regex[.case_sensitive]="expr"
where:
• user_id_string—An exact match of the complete instant messaging username.
• substring . . . substring—Specifies a substring of an instant messaging username.
• regex . . . "expr"—Takes a regular expression.
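The exact, .prefix, .substring and .regex forms shared by im.buddy_id=, im.file.name=, im.user_id= and im.message.text= above follow one pattern: case-insensitive unless .case_sensitive is given, and for im.message.text= the .regex form sees only the first 8K of the message while .substring sees all of it. The following Python models that family and the 8K limit; it is an added illustration, not code from the guide or from ProxySG. Reading 8K as 8192 characters, and the sample message, are this model's constructions.

```python
"""Model of the CPL string-condition forms and the im.message.text= 8K
regex window."""
import re
from typing import Optional

REGEX_WINDOW = 8192  # assumed size of the "first 8K" the .regex form sees


def string_test(value: Optional[str], pattern: str, form: str = "exact",
                case_sensitive: bool = False) -> bool:
    """Evaluate the exact / .prefix / .substring / .regex form of a string
    condition.  A missing value (the transaction is not an IM transaction)
    is false.  Tests are case-insensitive unless .case_sensitive is used."""
    if value is None:
        return False
    if form == "regex":
        flags = 0 if case_sensitive else re.IGNORECASE
        return re.search(pattern, value, flags) is not None  # unanchored
    if not case_sensitive:
        value, pattern = value.lower(), pattern.lower()
    if form == "exact":
        return value == pattern
    if form == "prefix":
        return value.startswith(pattern)
    if form == "substring":
        return pattern in value
    raise ValueError(f"unknown form {form!r}")


def message_text_matches(text: str, pattern: str, form: str,
                         case_sensitive: bool = False) -> bool:
    """im.message.text=: only .substring and .regex exist; .regex is
    limited to the first 8K of the message, .substring is not."""
    if form == "regex":
        return string_test(text[:REGEX_WINDOW], pattern, "regex", case_sensitive)
    if form == "substring":
        return string_test(text, pattern, "substring", case_sensitive)
    raise ValueError("im.message.text= supports only .substring and .regex")


# Constructed sample: a long message whose sensitive marker sits past 8K,
# so a .regex rule misses it while the equivalent .substring rule hits.
LONG_MESSAGE = "a" * 9000 + "confidential"
```

The last sample is the practical consequence of the note above: a rule such as im.message.text.regex="confidential" does not catch a marker placed beyond the first 8K, so a content-marker check that must cover the whole message belongs in the .substring form.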
live=
Tests if the streaming content is a live stream.
Syntax
live=yes|no
Layer and Transaction Notes
• Use in and layers.
• Applies to streaming transactions.
Examples
; The following policy restricts access to live streams during morning hours.
; In this example, we use a policy layer to define policy just for the live streams.
; This example uses the restrict form and integrates with other layers.
deny live=yes time=1200..
method=
Tests the protocol method name associated with the transaction. Appropriate method names depend on the protocol. Also, a warning is issued during policy file compilation if the name is not a recognized method. method= accepts any of the protocol specific methods accepted by admin.access=, ftp.method=, http.method=, im.method=, or socks.method=. It also recognizes ICP_QUERY, MMS_PLAY, and RTSP_PLAY.
Examples
http.method=GET response.header.Pragma="no-cache" deny
; This example is applicable to a blacklist model. It denies access to
; transparent FTP by denying the OPEN method on port 21.
proxy.port=21 deny ftp.method=OPEN
; This example tests method=CONNECT to secure against firewall bypass
deny method=CONNECT server_url.port=!443
See Also
• Conditions: admin.access=, category=, console_access=, content_management=, ftp.method=, http.
minute=
Tests if the minute of the hour is in the specified range or an exact match. By default, the ProxySG appliance’s clock and time zone are used to determine the current minute. To specify the UTC time zone, use the form minute.utc=. The numeric pattern used to test the minute condition can contain no whitespace.
Syntax
minute[.utc]={[first_minute]..
month=
Tests if the month is in the specified range or an exact match. By default, the ProxySG appliance’s date and time zone are used to determine the current month. To specify the UTC time zone, use the form month.utc=. The numeric pattern used to test the month condition can contain no whitespace.
Syntax
month[.utc]={[first_month]..
protocol=
The protocol= condition has been deprecated in favor of url.scheme=. For more information see "url=" on page 137.
See Also
Conditions: client.
proxy.address=
Tests the destination address of the arriving IP packet. The expression can include an IP address or subnet, or the label of a subnet definition block. If the transaction was explicitly proxied, then proxy.address= tests the IP address the client used to reach the proxy, which is either the IP address of the NIC on which the request arrived or a virtual IP address.
proxy.card=
Tests the ordinal number of the network interface card (NIC) used by a request.
Replaces: proxy_card
Syntax
proxy.card=card_number
where card_number is an integer that reflects the installation order.
Layer and Transaction Notes
• Use in , , and layers.
• Applies to proxy transactions.
Examples
; Deny all incoming traffic through proxy card 0.
proxy.card=0 deny
See Also
• Conditions: client.address=, client.
proxy.port=
Tests if the IP port used by a request is within the specified range or an exact match. The numeric pattern used to test the proxy.port= condition can contain no whitespace. If the transaction was explicitly proxied, then this tests the IP port that the client used to reach the proxy. The pattern is a number between 1 and 65535 or a numeric range. If the transaction was transparently proxied, however, then proxy.
realm=
Tests if the client is authenticated and if the client has logged into the specified realm. If both of these conditions are met, the response is true. In addition, the group= condition can be used to test whether the user belongs to the specified group. This trigger is unavailable if the current transaction is not authenticated (for example, the authenticate property is set to no).
• Properties: authenticate( ), authenticate.
release.id=
Tests the release ID of the ProxySG software. The release ID of the ProxySG software currently running is displayed on the main page of the Management Console and in the Management>Maintenance>Upgrade>Systems tab of the Management Console. It also can be displayed through the CLI using the show version command.
Replaces: release_id=
Syntax
release.id=number
where number is a five-digit number that increases with each new release of ProxySG.
release.version=
Tests the release version of the ProxySG software. The release version of the ProxySG software currently running is displayed on the main page of the Management Console and in the Management>Maintenance>Upgrade>Systems tab of the Management Console. It also can be displayed through the CLI using the show version command.
Replaces: release_version=
Syntax
release.version={[minimum_version]..
request.header.header_name=
Tests the specified request header (header_name) against a regular expression. Any recognized HTTP request header can be tested. For custom headers, use request.x_header.header_name= instead. For streaming requests, only the User-Agent header is available.
Replaces: request_header.header_name=
Syntax
request.header.header_name=regular_expression
where:
• header_name—A recognized HTTP header.
request.header.header_name.address=
Tests if the specified request header can be parsed as an IP address; otherwise, false. If parsing succeeds, then the IP address extracted from the header is tested against the specified IP address. The expression can include an IP address or subnet, or the label of a subnet definition block. The header must be a common HTTP header. This condition is commonly used with the X-Forwarded-For and Client-IP headers.
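The two-step behaviour of request.header.header_name.address= (parse the header as an IP address, and only then test it against an address, subnet or subnet definition; anything that fails to parse is simply false) is modelled in the following Python. This is an added illustration, not code from the guide or from ProxySG; the headers and the network list are constructed samples, and the list stands in for a subnet definition block. How the appliance treats a comma-separated X-Forwarded-For value is not stated above, so this model's rejection of such a value is an assumption.

```python
"""Model of request.header.<name>.address=: parse, then subnet-test."""
import ipaddress
from typing import Dict, Iterable, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def header_as_address(headers: Dict[str, str], name: str) -> Optional[IPAddress]:
    """Return the named header parsed as an IP address, or None when the
    header is absent or does not parse (the condition is then false).
    Header names are compared case-insensitively."""
    lookup = {k.lower(): v for k, v in headers.items()}
    raw = lookup.get(name.lower())
    if raw is None:
        return None
    try:
        # A comma-separated list (several proxies each appending to
        # X-Forwarded-For) is not one address and fails to parse here;
        # that handling is this model's assumption, not the guide's text.
        return ipaddress.ip_address(raw.strip())
    except ValueError:
        return None


def header_address_matches(headers: Dict[str, str], name: str,
                           networks: Iterable[str]) -> bool:
    """True only if the header parses and the address lies within one of
    the given addresses or subnets (the members of a subnet definition)."""
    addr = header_as_address(headers, name)
    if addr is None:
        return False
    return any(addr in ipaddress.ip_network(net, strict=False)
               for net in networks)


# Constructed sample: a request relayed by an internal load balancer,
# plus a Client-IP header that does not hold an address.
SAMPLE_HEADERS = {"X-Forwarded-For": "10.1.198.7", "Client-IP": "not-an-address"}
INTERNAL_STATIONS = ["10.1.198.0/24", "10.10.11.1"]
```

Because X-Forwarded-For and Client-IP are set by whatever sits in front of the appliance, a policy that grants access on the strength of this condition is only as trustworthy as the device that wrote the header; it is a sound basis for decisions when that device is a known upstream proxy or load balancer, and no basis at all when the header can reach the appliance straight from the client.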
request.header.Referer.url=
Tests if the URL specified by the Referer header matches the specified criteria. The basic request.header.Referer.url= test attempts to match the complete Referer URL against a specified pattern. The pattern may include the scheme, host, port, path and query components of the URL. If any of these is not included in the pattern, then the corresponding component of the URL is not tested and can have any value.
; Relative URLs, such as docs subdirectories and pages, will match.
deny request.header.Referer.url=http://www.example.com/docs
; Test if the Referer URL host’s IP address is a match.
request.header.Referer.url.address=10.1.198.0
; Test whether the Referer URL includes company.com as domain.
request.header.Referer.url.domain=company.com
; Test whether the Referer URL includes .com.
request.header.Referer.url.domain=.
request.header.Referer.url.host.regex=mycompany
; request.header.Referer.url.path tests
; The following request.header.Referer.url.path strings would all match the example Referer URL:
; Referer: http://www.example.com/cgi-bin/query.pl?q=test#fragment
request.header.Referer.url.path="/cgi-bin/query.pl?q=test"
request.header.Referer.url.path="/cgi-bin/query.pl"
request.header.Referer.url.path="/cgi-bin/"
request.header.Referer.url.
request.x_header.header_name=
Tests the specified request header (header_name) against a regular expression. Any HTTP request header can be tested, including custom headers. To test recognized headers, use request.header.header_name= instead, so that typing errors can be caught at compile time. For streaming requests, only the User-Agent header is available.
Replaces: request_x_header.header_name=
Syntax
request.x_header.
request.x_header.header_name.address=
Tests if the specified request header can be parsed as an IP address; otherwise, false. If parsing succeeds, then the IP address extracted from the header is tested against the specified IP address. The expression can include an IP address or subnet, or the label of a subnet definition block. This condition is intended for use with custom headers other than X-Forwarded-For and Client-IP headers; for these, use request.header.
response.header.header_name=
Tests the specified response header (header_name) against a regular expression. Any recognized HTTP response header can be tested. For custom headers, use response.x_header.header_name= instead.
Replaces: response_header.header_name=
Syntax
response.header.header_name=regular_expression
where:
• header_name—A recognized HTTP header. For a list of recognized headers, see Appendix C: "Recognized HTTP Headers".
response.x_header.header_name=
Tests the specified response header (header_name) against a regular expression. For HTTP requests, any response header can be tested, including custom headers. For recognized HTTP headers, use response.header.header_name= instead so that typing errors can be caught at compile time.
Replaces: response_x_header.header_name=
Syntax
response.x_header.
server_url=
Tests if a portion of the URL used in server connections matches the specified criteria. The basic server_url= test attempts to match the complete possibly-rewritten request URL against a specified pattern. The pattern may include the scheme, host, port, path and query components of the URL. If any of these is not included in the pattern, then the corresponding component of the URL is not tested and can have any value.
• Applies to all non-administrator transactions.
Examples
; Test if the server URL includes this pattern, and block access.
; Relative URLs, such as docs subdirectories and pages, will match.
server_url=http://www.example.com/docs access_server(no)
; Test if the URL host’s IP address is a match.
server_url.address=10.1.198.0
; Test whether the URL includes company.com as domain.
server_url.domain=company.com
; Test whether the URL includes .com.
server_url.
;request http://1.2.3.4/
;request http://mycompany.com/
; If the reverse DNS fails then the first request is not matched
server_url.host.regex=mycompany
; server_url.path tests
; The following server_url.path strings would all match the example URL:
; http://www.example.com/cgi-bin/query.pl?q=test#fragment
server_url.path="/cgi-bin/query.pl?q=test"
server_url.path="/cgi-bin/query.pl"
server_url.path="/cgi-bin/"
server_url.
socks=
This condition is true whenever the session for the current transaction involves SOCKS to the client. The socks=yes trigger is intended as a way to test whether or not a request arrived via the SOCKS proxy. It will be true both for SOCKS requests that the ProxySG tunnels and for SOCKS requests the ProxySG accelerates by handing them off to HTTP or IM. In particular, socks=yes remains true even in the resulting HTTP or IM transactions.
socks.accelerated=
Tests whether the SOCKS proxy will hand off this transaction to other protocol agents for acceleration.
Syntax
socks.accelerated={yes|http|aol-im|msn-im|yahoo-im|no}
where:
• yes is true only for SOCKS transactions that will hand off to another protocol-specific proxy agent.
• no implies the transaction is a SOCKS tunnel.
• http is true if the transaction will be accelerated by the http proxy.
socks.method=
Tests the SOCKS protocol method name associated with the transaction.
Syntax
socks.method=CONNECT|BIND|UDP_ASSOCIATE
Layer and Transaction Notes
• Use in and layers.
• Applies to SOCKS transactions.
See Also
• Conditions: ftp.method=, http.method=, http.x_method=, im.method=, method=, server_url=, socks.version=
• Properties: socks_gateway( ), socks.accelerate( ), socks.authenticate( ), socks.authenticate.force( ).
socks.version=
Tests whether the version of the SOCKS protocol used to communicate to the client is SOCKS 4/4a or SOCKS 5. SOCKS 5 is the more secure version and is the recommended one. SOCKS 5 supports authentication and can be used to authenticate transactions that may be accelerated by other protocol services. SOCKS 4/4a does not support authentication. If socks.authenticate() or socks.authenticate.
streaming.client=
Tests the client agent associated with the current transaction.
Syntax
streaming.client=yes|no|windows_media|real_media|quicktime
where:
• yes is true if the user agent is recognized as a Windows Media player, Real Media player or QuickTime player.
• no is true if the user agent is not recognized as a Windows Media player, Real Media player or QuickTime player.
streaming.content=
Tests the content of the current transaction to determine whether or not it is streaming media, and to determine the streaming media type.
Syntax
streaming.content=yes|no|windows_media|real_media|quicktime
where:
• yes is true if the content is recognized as Windows media, Real media, or QuickTime content.
• no is true if the content is not recognized as Windows media, Real media, or QuickTime content.
time=
Tests if the time of day is in the specified range or an exact match. The current time is determined by the ProxySG appliance’s configured clock and time zone by default, although the UTC time zone can be specified by using the form time.utc=. The numeric pattern used to test the time condition can contain no whitespace.
Syntax
time[.utc]={[start_time]..
; This example restricts the times during which certain
; stations can log in with administrative privileges.
define subnet restricted_stations
  10.10.10.4/30
  10.10.11.1
end subnet restricted_stations
client.address=restricted_stations
allow time=0800..1800 weekday=1..5 admin.access=(READ||WRITE); deny
See Also
• Conditions: date[.
tunneled=
Tests if the current transaction represents a tunneled request. A tunneled request is one of:
• TCP tunneled request
• HTTP CONNECT request
• Unaccelerated SOCKS request
Note: HTTPS connections to the management console are not tunneled for the purposes of this test.
Syntax
tunneled=yes|no
Layer and Transaction Notes
• Use in layers.
• Applies to proxy transactions.
url=
Tests if a portion of the requested URL matches the specified criteria. The basic url= test attempts to match the complete request URL against a specified pattern. The pattern may include the scheme, host, port, path and query components of the URL. If any of these is not included in the pattern, then the corresponding component of the request URL is not tested and can have any value.
//host:port
//host:port/path_query
//host/path_query
host
host:port
host:port/path_query
host/path_query
/path_query
• domain_suffix_pattern—A URL pattern that includes a domain suffix, as a minimum, using the following syntax:
scheme://domain_suffix:port/path
Accepted domain suffix patterns include the following:
scheme://domain_suffix
scheme://domain_suffix:port
scheme://domain_suffix:port/path_query
scheme://domain_suffix/path_query
//domain_suffix
//domain_suff
include a filename extension, such as http://example.com/ and http://example.com/test. To test multiple extensions, use parentheses and a comma separator (see the Example section below).
• regular_expression—A Perl regular expression. The expression must be quoted if it contains whitespace or any of the following: & | ( ) < > { } ; ! . = " '. For more information, refer to Appendix E: “Using Regular Expressions,” in the Blue Coat ProxySG Configuration and Management Guide.
• .suffix—Test if the string pattern is a suffix of the URL or component. The suffix need not match on a boundary (such as a domain component or path directory) within a URL component.
Note: .prefix, .regex, .substring, and .suffix are string comparisons that do not require a match on component boundaries. For this reason, url.host.suffix= differs from the host comparison used in url.domain= tests, which does require component level matches.
slash is always present in the request URL being tested, because the URL is normalized before any comparison is performed. Unless an .exact, .substring, or .regex modifier is used, the pattern specified must include the leading ‘/’ character. In the following URL example, bolding shows the components used in the comparison; ?q=test is the included query component and #fragment is the ignored fragment identifier:
http://www.example.com/cgi-bin/query.
If you are testing a large number of URLs using the url.domain= condition, consider the performance benefits of a url.domain definition block or a [url.domain] section (see Chapter 6: "Definition Reference"). Regular expression matches are not anchored. You may want to use either or both of the ^ and $ operators to anchor the match. Alternately, use the .exact, .prefix, or .suffix form of the test, as appropriate.
; http://www.example.com
url.host.is_numeric=yes;
; In the example below we assume that 1.2.3.4 is the IP of the host mycompany
; The condition will match the following two requests if the reverse DNS was
; successful:
;request http://1.2.3.4/
;request http://mycompany.com/
; If the reverse DNS fails then the first request is not matched
url.host.regex=mycompany
; url.path tests
; The following server_url.
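The component rules that url=, server_url= and request.header.Referer.url= share (url.domain= matches only on a domain-component boundary while url.host.suffix= is a plain string suffix; the path test includes the query and ignores the #fragment; .regex is unanchored unless ^ and $ are used) are modelled in the following Python. This is an added illustration, not code from the guide or from ProxySG. The domain-boundary and suffix rules are the ones the text states; treating the base url.path= test as a prefix that must end on a path-segment or query boundary is this model's assumption, since the page lists only the matching patterns for /cgi-bin/query.pl?q=test.

```python
"""Model of the url= family: domain versus suffix matching, path matching
over path+query with the fragment dropped, and unanchored regex."""
import re
from typing import Tuple
from urllib.parse import urlsplit


def split_url(url: str) -> Tuple[str, str]:
    """Return (host, path_query).  The #fragment is never compared, and a
    missing path becomes '/', mirroring the normalization described."""
    parts = urlsplit(url)
    path_query = parts.path or "/"
    if parts.query:
        path_query += "?" + parts.query
    return (parts.hostname or "").lower(), path_query


def domain_matches(host: str, domain: str) -> bool:
    """url.domain=: the pattern must align with a domain-component
    boundary, so 'company.com' matches www.company.com and company.com
    but not mycompany.com.  A leading '.' (as in url.domain=.com) is
    accepted and ignored."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def host_suffix_matches(host: str, suffix: str) -> bool:
    """url.host.suffix=: plain string suffix, no boundary required, so
    'company.com' also matches mycompany.com."""
    return host.lower().endswith(suffix.lower())


def path_matches(path_query: str, pattern: str) -> bool:
    """Base url.path= test (assumed prefix-on-boundary semantics): the
    pattern must carry the leading '/', and it matches when it equals the
    path+query, is a directory prefix of it, or is a prefix that ends
    exactly where a '/' or the '?' of the query begins."""
    if not pattern.startswith("/"):
        raise ValueError("url.path= pattern must include the leading '/'")
    if path_query == pattern:
        return True
    if pattern.endswith("/") and path_query.startswith(pattern):
        return True
    return path_query.startswith(pattern) and path_query[len(pattern)] in "/?"


def regex_matches(url: str, expr: str) -> bool:
    """url.regex=: an unanchored search; put ^ and $ in expr to anchor."""
    return re.search(expr, url) is not None


# The example URL used above; the fragment must not take part in any test.
EXAMPLE_URL = "http://www.example.com/cgi-bin/query.pl?q=test#fragment"
```

The practical lesson of domain_matches versus host_suffix_matches is the one the note above makes: a suffix rule written as url.host.suffix=company.com also matches hosts such as evilcompany.com, so access grants keyed on a domain belong in url.domain=, and a url.regex= grant needs ^ and $ before it can be read as an exact match.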
user=
Tests the authenticated username associated with the transaction. This trigger is only available if the transaction was authenticated (that is, the authenticate( ) property was set to something other than no, and the proxy_authentication( ) property was not set to no).
Syntax
user=user_name
where user_name is a username.
• NTLM realm: Usernames are case-insensitive.
See Also
• Conditions: attribute.name=, authenticated=, group=, has_attribute.name=, http.transparent_authentication=, realm=, user.domain=
• Properties: authenticate( ), authenticate.force( ), check_authorization( ), deny.unauthorized( ), socks.authenticate( ), socks.authenticate.
user.domain=
Tests if the client is authenticated, the logged-into realm is an NTLM realm, and the domain component of the username is the specified domain. If all of these conditions are met, the response will be true. This trigger is unavailable if the current transaction is not authenticated (that is, the authenticate( ) property is set to no).
Replaces: user_domain=
Syntax
user.domain=windows_domain_name
where windows_domain_name is a Windows domain name.
user.x509.issuer=
Tests the issuer of the x509 certificate used in authentication to certificate realms. The user.x509.issuer= condition is primarily useful in constructing explicit certificate revocation lists. This condition will only be true for users authenticated against a certificate realm.
Syntax
user.x509.issuer=issuer_DN
where issuer_DN is an RFC2253 LDAP DN, appropriately escaped. Comparisons are case-sensitive.
user.x509.serialNumber=
Tests the serial number of the x509 certificate used to authenticate the user against a certificate realm. The user.x509.serialNumber= condition is primarily useful in constructing explicit certificate revocation lists. Comparisons are case-insensitive.
Syntax
user.x509.serialNumber=serial_number
where serial_number is a string representation of the certificate’s serial number in HEX.
user.x509.subject=
Tests the subject field of the x509 certificate used to authenticate the user against a certificate realm. The user.x509.subject= condition is primarily useful in constructing explicit certificate revocation lists.
Syntax
user.x509.subject=subject
where subject is an RFC2253 LDAP DN, appropriately escaped. Comparisons are case-sensitive.
Layer and Transaction Notes
• Use in , , and layers.
• Applies to proxy transactions.
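The three user.x509 conditions above are described as building blocks for an explicit revocation list, and the comparison rules differ: issuer and subject DNs compare case-sensitively, the HEX serial number case-insensitively. The following Python models such a list, keyed on the issuer and serial pair, because a serial number is only unique within one issuer. This is an added illustration, not code from the guide or from ProxySG; the list entries are constructed, and the decision to keep leading zeros in the serial (the text does not say they are ignored) is this model's assumption.

```python
"""Explicit certificate revocation list modelled on user.x509.issuer= and
user.x509.serialNumber= comparison rules."""
from typing import Iterable, Tuple


def normalise_serial(serial_hex: str) -> str:
    """Serial comparison is case-insensitive, so fold to lower case.
    Leading zeros are kept (assumption: the text does not say they are
    dropped), so '0A1B2C' and '0a1b2c' are equal but 'A1B2C' is not."""
    return serial_hex.strip().lower()


def is_revoked(issuer_dn: str, serial_hex: str,
               revoked: Iterable[Tuple[str, str]]) -> bool:
    """True if the (issuer, serial) pair is on the list.  The issuer DN is
    compared exactly, as user.x509.issuer= is case-sensitive; the serial
    through normalise_serial, as user.x509.serialNumber= is not."""
    wanted = normalise_serial(serial_hex)
    return any(issuer_dn == listed_issuer and normalise_serial(listed_serial) == wanted
               for listed_issuer, listed_serial in revoked)


def policy_decision(issuer_dn: str, serial_hex: str,
                    revoked: Iterable[Tuple[str, str]]) -> str:
    """The deny-on-match shape a policy built from these conditions takes:
    a listed certificate is denied, anything else falls through."""
    return "deny" if is_revoked(issuer_dn, serial_hex, revoked) else "continue"


# Constructed sample list: one compromised certificate from one issuing CA.
REVOKED_CERTS = [
    ("CN=Example Issuing CA,O=Example Corp,C=US", "0A1B2C"),
]
```

Writing the list as issuer and serial pairs matters in practice: a rule that keys on the serial alone would also revoke an unrelated certificate that happens to carry the same serial under a different issuer, and, since the issuer comparison is case-sensitive, the DN in the rule must be written exactly as the realm presents it.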
weekday=
Tests if the day of the week is in the specified range or an exact match. By default, the ProxySG appliance’s date is used to determine the day of the week. To specify the UTC time zone, use the form weekday.utc=. The numeric pattern used to test the weekday= condition can contain no whitespace.
Syntax
weekday[.utc]={[first_weekday]..
year=
Tests if the year is in the specified range or an exact match. The current year is determined by the date set on the ProxySG by default. To specify the UTC time zone, use the form year.utc=. Note that the numeric pattern used to test the year= condition can contain no whitespace.
Syntax
year[.utc]={[first_year]..[last_year]|exact_year}
where:
• first_year—Four digits (nnnn) representing the start of a range of years; for example, 2002.
Chapter 4: Property Reference
A property is a variable that can be set to a value. At the beginning of a transaction, all properties are set to their default values. As each layer in the policy is evaluated in sequence, it can set a property to a particular value. A property retains the final value setting when evaluation ends, and the transaction is processed accordingly. Properties that are not set within the policy maintain their default values.
access_log( )
Selects the access log used for this transaction. Multiple access logs can be selected to record a single transaction. Individual access logs are referenced by the name given in configuration. Configuration also determines the format of each log. For more information on logging, refer to Chapter 19: “Access Logging,” in the ProxySG Configuration and Management Guide. To record entries in the event log, see "log_message( )" on page 232.

access_server( )
Determines whether the client can receive streaming content directly from the origin content server or other upstream device. Set to no to serve only cached content.
Note: Since part of a stream can be cached, and another part of the same stream can be uncached, access_server(no) can cause a streaming transaction to be terminated after some of the content has been served from the cache.
Syntax
access_server(yes|no)
The default value is yes.

action( )
Selectively enables or disables a specified define action block. The default value is no.
Note: Several define action blocks may be enabled for a transaction. If more than one selected action rewrites the URL or a specific header, the actions are deemed to conflict and only one will be executed. When detected at runtime, action conflicts are reported in the event log as a severe event. Action conflicts may also be reported at compilation time.

advertisement( )
Determines whether to treat the objects at a particular URL as banner ads to improve performance. If the content is not specific to a particular user or client, then the hit count on the origin server is maintained while the response time is optimized using the following behavior:
• Always serve from the cache if a cached response is available. Ignore any request headers that bypass the cache; for example, Pragma: No-Cache.

allow
Allows the transaction to be served. Allow can be overridden by the access_server( ), deny( ), force_deny( ), authenticate( ), exception( ), or force_exception( ) properties or by the redirect( ) action. Allow overrides the deny( ) and exception( ) properties.
Note: Caution should be exercised when using allow in layers evaluated after layers containing deny, to ensure that security is not compromised.

always_verify( )
Determines whether each request for the objects at a particular URL must be verified with the origin server. This property provides a URL-specific alternative to the global caching setting always-verify-source. If there are multiple simultaneous accesses of an object, the requests are reduced to a single request to the origin server.
Syntax
always_verify(yes|no)
The default value is no.
Layer and Transaction Notes
• Use in layers.

authenticate( )
Identifies the realm used to authenticate the user associated with the current transaction. Authentication realms are referenced by the name given in configuration. If the transaction has already been authenticated in the same realm by the SOCKS proxy, no new authentication challenge is issued. If, however, the realms identified in the socks.authenticate( ) and authenticate( ) properties differ, a new challenge is issued.

url.domain = !corporate.com authenticate(OurRealm, "log in for internet access")
The next example illustrates the relation between authentication and denial. All users outside an allowed subnet are denied before authentication. They are not allowed to submit credentials to the authentication server. Users within the allowed subnet are authenticated regardless of whether they will eventually be allowed or denied, so their user names are available for the access log.

authenticate.force( )
This property controls the relation between authentication and denial.
Syntax
authenticate.force(yes|no)
The default value is no.
where:
• yes—Makes authenticate( ) a higher priority than deny( ) or exception( ). Use yes to ensure that user IDs are available for access logging (including denied requests).
• no—deny( ) and exception( ) have a higher priority than authenticate( ). This setting allows early denial.
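The following policy is an added illustration of the early-denial versus forced-authentication trade-off, not an example from the guide. The realm name OurRealm, the 10.0.0.0/8 subnet, the domain blocked.example and the placement of the rules in <Proxy> layers are assumptions.

```cpl
; Constructed example, not from the guide: realm, subnet and domain are assumed values.
; Layers are evaluated in order; within a layer the first matching rule applies.

<Proxy>
    ; Early denial (default authenticate.force(no)): clients outside the allowed
    ; subnet are denied before any challenge, so they never submit credentials
    ; and no user name is available for their access log entries.
    client.address=!10.0.0.0/8 deny
    ; Everyone else is challenged. authenticate.force(yes) gives authenticate( )
    ; priority over a deny( ) or exception( ) matched in a later layer, so denied
    ; requests from inside the subnet are still logged with a user ID.
    authenticate(OurRealm) authenticate.force(yes)

<Proxy>
    ; Denied only after authentication: the access log records who was refused.
    url.domain=blocked.example deny
```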
authenticate.mode( )
The authenticate.mode( ) property selects a combination of challenge type and surrogate credentials. The challenge type is the kind of challenge (proxy, origin or origin-redirect) that is issued. Surrogate credentials are credentials accepted in place of the user’s real credentials. They are used for a variety of reasons. Blue Coat supports three kinds of surrogate credentials.

• origin-cookie (origin/cookie)—Used in forward proxies to support pass-through authentication more securely than origin-ip if the client understands cookies. Only the HTTP and HTTPS protocols support cookies; other protocols are automatically downgraded to origin-ip. This mode could also be used in reverse proxy situations if impersonation is not possible and the origin server requires authentication.
• origin-cookie-redirect (origin-redirect/cookie)—The SGOS 2.

authenticate.use_url_cookie( )
This property is used to authenticate users who have third-party cookies explicitly disabled.
Note: With a value of yes, if there is a problem loading the page (you get an error page or you cancel an authentication challenge), the cfauth cookie is displayed. You can also see the cookie in packet traces, but not in the browser URL window or history under normal operation.
Syntax
authenticate.use_url_cookie(yes|no)
The default is no.

block_category( )
This property has been deprecated. In current CPL, the use of block_category(category_list) has been replaced by:
category=category_list exception(content_filter_denied)
However, block_category( ) is overridden by content_filter_override(yes), while this is not the case for the replacement CPL code shown above. Note that content_filter_override( ) is also deprecated.

bypass_cache( )
Determines whether the cache is bypassed for a request. If set to yes, the cache is not queried and the response is not stored in the cache. Set to no to specify the default behavior, which is to follow standard caching behavior.

cache( )
Controls HTTP and FTP caching behavior. A number of CPL properties affect caching behavior.
• If bypass_cache(yes) is set, then the cache is not accessed and the value of cache( ) is irrelevant.
• If cache(yes) is set, then the force_cache(all) property setting modifies the definition of what is considered a cacheable response.
• The properties cookie_sensitive(yes) and ua_sensitive(yes) have the same effect on caching as cache(no).
See Also
• Properties: advertisement( ), always_verify( ), bypass_cache( ), cookie_sensitive( ), direct( ), dynamic_bypass( ), force_cache( ), pipeline( ), refresh( ), ttl( ), ua_sensitive( )

check_authorization( )
In connection with CAD (Caching Authenticated Data) and CPAD (Caching Proxy-Authenticated Data) support, check_authorization( ) is used when you know that the upstream device sometimes (not always or never) requires the user to authenticate and be authorized for this object.

content_filter_override( )
This property has been deprecated. content_filter_override(yes) has two effects:
• It prevents the request from being sent to the off-box content filter, if off-box content filtering is configured. In this case, it is equivalent to request.filter_service(no).
• It suppresses denial of service based on on-box content filter categories specified using block_category( ), another deprecated command.

cookie_sensitive( )
Used to modify caching behavior by declaring that the object served by the request varies based on cookie values. Set to yes to specify this behavior, or set to no for the default behavior, which caches based on HTTP headers. Using cookie_sensitive(yes) has the same effect as cache(no). There are a number of CPL properties that affect caching behavior, as listed in the “See Also” section below.

delete_on_abandonment( )
If set to yes, specifies that if all clients who may be simultaneously requesting a particular object close their connections before the object is delivered, the object fetch from the origin server is abandoned, and any prior instance of the object is deleted from the cache.
Syntax
delete_on_abandonment(yes|no)
The default value is no.
Layer and Transaction Notes
• Use in layers.
• Applies to proxy transactions.

deny( )
Denies service. Denial can be overridden by allow or exception( ). To deny service in a way that cannot be overridden by a subsequent allow, use force_deny( ) or force_exception( ). The relation between authenticate( ) and deny( ) is controlled by the authenticate.force( ) property. By default, deny( ) overrides authenticate( ).

deny.unauthorized( )
The deny.unauthorized( ) property instructs the ProxySG to issue a challenge (401 Unauthorized or 407 Proxy authorization required). This indicates to the client that the resource cannot be accessed with their current identity, but might be accessible using a different identity. Browsers typically respond by bringing up a dialog box so the user can change their identity.

direct( )
Used to prevent requests from being forwarded to a parent proxy or SOCKS server when the ProxySG is configured to forward requests. When set to yes, layer policy is not evaluated for the transaction.
Syntax
direct(yes|no)
The default value is no, which allows request forwarding.
Layer and Transaction Notes
• Use in and layers.
• Does not apply to FTP over HTTP or transparent FTP transactions.

dynamic_bypass( )
Used to indicate that a particular transparent request is not to be handled by the proxy, but is instead subjected to the ProxySG dynamic bypass methodology. The dynamic_bypass(yes) property takes precedence over authenticate( ); however, a committed denial takes precedence over dynamic_bypass(yes).
Syntax
dynamic_bypass(yes|no)
The default value is no.
Layer and Transaction Notes
• Use in layers.
• Applies to transparent HTTP transactions only.

exception( )
Selects a built-in or user-defined response to be returned to the user. The exception( ) property is overridden by allow or deny( ). To set an exception that cannot be overridden by allow, use force_exception( ). The identity of the exception being returned can be tested in an layer using exception.id=.

exception.autopad( )
Pads an HTTP exception response by including trailing whitespace in the response body so that Content-Length is at least 513 characters. A setting of yes is used to prevent Internet Explorer from substituting friendly error messages in place of the exception response being returned, when the exception as configured would have a Content-Length of less than 512 characters.
Syntax
exception.autopad(yes|no)
where:
• yes—Enables auto-padding.

force_cache( )
Used to force caching of HTTP responses that would otherwise be considered uncacheable. The default HTTP caching behavior is restored using force_cache(no). The value of the force_cache( ) property is ignored unless all of the following property settings are in effect: bypass_cache(no), cache(yes), cookie_sensitive(no), and ua_sensitive(no).
Syntax
force_cache(all|no)
The default value is no.
Layer and Transaction Notes
• Use only in layers.

force_deny( )
The force_deny( ) property is similar to deny( ) except that it:
• Cannot be overridden by an allow.
• Overrides any pending termination (that is, if a deny( ) has already been matched, and a force_deny( ) or force_exception( ) is subsequently matched, the latter commits).
• Commits immediately (that is, the first one matched applies).
The force_deny( ) property is equivalent to force_exception(policy_denied).

force_exception( )
The force_exception( ) property is similar to exception( ) except that it:
• Cannot be overridden by an allow.
• Overrides any pending termination (that is, if a deny( ) has already been matched, and a force_deny( ) or force_exception( ) is subsequently matched, the latter commits).
• Commits immediately (that is, the first one matched applies).
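The two policies below are an added illustration, not from the guide, of the allow-after-deny pitfall that the allow and deny( ) entries warn about, and of how force_deny( ) closes it. The subnet, the domain blocked.example and the use of <Proxy> layers are assumptions; the weak and hardened versions are alternatives, shown together for comparison.

```cpl
; Constructed example, not from the guide: the subnet and domain are assumed values.

; Weak ordering: a property keeps the last value set, so the allow matched in
; the later layer overrides the deny( ) set in the earlier one. Clients in
; 10.1.0.0/16 can reach blocked.example even though the first layer denies it.
<Proxy>
    url.domain=blocked.example deny

<Proxy>
    client.address=10.1.0.0/16 allow

; Hardened alternative: force_deny( ) commits immediately and cannot be
; overridden by a subsequent allow, so the block holds regardless of what
; later layers (or later edits to the policy) set.
<Proxy>
    url.domain=blocked.example force_deny

<Proxy>
    client.address=10.1.0.0/16 allow
```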
force_patience_page( )
This property provides control over the application of the default patience page logic.
Syntax
force_patience_page(yes|no)
force_patience_page(reason)
force_patience_page.reason(yes|no)
force_patience_page[reason, ...](yes|no)
where:
• reason—Takes one of the following values, corresponding to the overridable portions of the default logic that suppresses patience pages.

forward( )
Determines forwarding behavior. There is a box-wide configuration setting (config>forwarding>sequence) for the default forwarding failover sequence. The forward( ) property is used to override the default forwarding failover sequence with a specific list of host and/or group aliases. The list of aliases might contain the special token default, which expands to include the default forward failover sequence defined in configuration.

forward.fail_open( )
Controls whether the ProxySG terminates or continues to process the request if the specified forwarding host or any designated backup or default cannot be contacted. There is a box-wide configuration setting (config>forwarding>failure-mode) for the default forward failure mode. The forward.fail_open( ) property overrides the configured default.
Syntax
forward.

ftp.server_connection( )
Determines when the control connection to the server is established. If set to deferred, the proxy defers establishing the control connection to the server.
Syntax
ftp.server_connection(deferred|immediate)
The default value is immediate.
Layer and Transaction Notes
• Use in layers.
• Applies to FTP transactions.
See Also
• Properties: ftp.server_data( ), ftp.

ftp.server_data( )
Determines the type of data connection to be used with this FTP transaction.
Syntax
ftp.server_data(auto|passive|port)
where:
• auto—First attempt a PASV data connection. If this fails, switch to PORT.
• passive—Use a PASV data connection. PASV data connections are not allowed by some firewalls.
• port—Use a PORT data connection. FTP servers can be configured to not support PORT connections.
Layer and Transaction Notes
• Use in layers.

ftp.transport( )
Determines the upstream transport mechanism. This setting is not definitive; it depends on the capabilities of the selected forwarding host.
Syntax
ftp.transport(auto|ftp|http)
The default value is auto.
where:
• auto—Use the default transport for the upstream connection, as determined by the originating transport and the capabilities of any selected forwarding host.
• ftp—Use FTP as the upstream transport mechanism.

http.force_ntlm_for_server_auth( )
Turns NTLM cloaking on or off on a per-request basis. Refer to Appendix A: “NTLM and CAASNT” in the ProxySG Configuration and Management Guide for a discussion of NTLM cloaking.
Syntax
http.force_ntlm_for_server_auth(yes|no)
This property overrides the default specified in configuration.
where:
• yes—Enables NTLM cloaking.
• no—Disables NTLM cloaking.
Layer and Transaction Notes
• Use in layers.

http.request.version( )
The http.request.version( ) property sets the version of the HTTP protocol to be used in the request to the origin content server or upstream proxy.
Syntax
http.request.version(1.0|1.1)
The default is taken from the CLI configuration setting http version, which can be set to either 1.0 or 1.1. Changing this value in the CLI changes the default for both http.request.version( ) and http.response.version( ).

http.response.version( )
The http.response.version( ) property sets the version of the HTTP protocol to be used in the response to the client's user agent.
Syntax
http.response.version(1.0|1.1)
The default is taken from the CLI configuration setting http version, which can be set to either 1.0 or 1.1. Changing this value in the CLI changes the default for both http.request.version( ) and http.response.version( ).
Layer and Transaction Notes
• Use in layers.

icp( )
Determines whether to consult ICP when forwarding requests. Any forwarding host or SOCKS gateway identified as an upstream target takes precedence over consulting ICP.
Syntax
icp(yes|no)
The default is yes if ICP hosts are configured, no otherwise.
where:
• yes—Consult ICP unless the forward( ) or socks_gateway( ) properties are set. If no ICP hosts are configured, yes has no effect.
• no—Do not consult ICP hosts, even if configured.

im.strip_attachments( )
Determines whether attachments are stripped from instant messages. If set to yes, attachments are stripped from instant messages.
Syntax
im.strip_attachments(yes|no)
The default value is no.
Layer and Transaction Notes
• Use in layers.
• Applies to instant messaging transactions.
See Also
• Conditions: im.buddy_id=, im.chat_room.conference=, im.chat_room.id=, im.chat_room.invite_only=, im.chat_room.type=, im.chat_room.member=, im.

integrate_new_hosts( )
Determines whether to add new host addresses to health checks and load balancing.
Syntax
integrate_new_hosts(yes|no)
The default is no. If it is set to yes, any new host addresses encountered during DNS resolution of forwarding hosts are added to health checks and load balancing.
Layer and Transaction Notes
• Use in layers.
• Applies to everything but SOCKS and administrator transactions.

label( )
This deprecated property is provided for backward compatibility with CacheOS 4.x filter files. For more information, see "action( )" on page 156.

log.rewrite.field-id( )
The log.rewrite.field-id( ) property controls rewrites of a specific log field in one or more access logs. Individual access logs are referenced by the name given in configuration. Configuration also determines the format of each log. For more information on logging, refer to Chapter 19: “Access Logging” in the ProxySG Configuration and Management Guide.
Syntax
log.rewrite.field-id("substitution"|no)
log.rewrite.

log.suppress.field-id( )
The log.suppress.field-id( ) property controls suppression of the specified field-id in one or more access logs. Individual access logs are referenced by the name given in configuration. Configuration also determines the format of each log. For more information on logging, refer to Chapter 19: “Access Logging” in the ProxySG Configuration and Management Guide.
Syntax
log.suppress.field-id(yes|no)
log.suppress.

max_bitrate( )
Enforces upper limits on the instantaneous bandwidth of the current streaming transaction. This policy is enforced during initial connection setup. If the client requests a higher bit rate than allowed by policy, the request is denied.
Note: Under certain network conditions, a client may receive a stream that temporarily exceeds the specified bit rate.

never_refresh_before_expiry( )
The never_refresh_before_expiry( ) property is similar to the CLI command:
SGOS#(config) http strict-expiration refresh
except that it provides per-transaction control to allow overriding the box-wide default set by the command.
Syntax
never_refresh_before_expiry(yes|no)
The default value is taken from configuration.
Layer and Transaction Notes
• Use in layers.
• Applies to proxy transactions.

never_serve_after_expiry( )
The never_serve_after_expiry( ) property is similar to the CLI command:
SGOS#(config) http strict-expiration serve
except that it provides per-transaction control to allow overriding the box-wide default set by the command.
Syntax
never_serve_after_expiry(yes|no)
The default value is taken from configuration.
Layer and Transaction Notes
• Use in layers.
• Applies to proxy transactions.

patience_page( )
Controls whether or not a patience page can be served, and if so, the delay interval before serving. If no patience_page( ) property is explicitly set, the decision about whether to serve a patience page and the delay before a patience page is presented are taken from the ICAP service configuration (but are still subject to default patience page policy). To control the application of default patience page policy, use force_patience_page( ).

pipeline( )
Determines whether an object embedded within an HTML container object is pipelined. Set to yes to force pipelining, or set to no to prevent the embedded object from being pipelined. Note that this property affects processing of the individual URLs embedded within a container object. It does not prevent parsing of the container object itself. If this property is used with a URL access condition, such as url.

prefetch( )
This deprecated property has been replaced by pipeline( ). For more information, see "pipeline( )" on page 202.

reflect_ip( )
Determines how the client IP address is presented to the origin server for explicitly proxied requests. Replaces:
• reflect_ip(vip) replaces reflect_vip(yes).
• reflect_ip(auto) replaces reflect_vip(no).
Syntax
reflect_ip(auto|no|client|vip|ip_address)
The default value is auto.
where:
• auto—Might reflect the client IP address, based on a config setting for spoofing.
• no—The appliance's IP address is used to originate upstream connections.

reflect_vip( )
This deprecated syntax has been replaced by the reflect_ip( ) property. For more information, see "reflect_ip( )" on page 204.

refresh( )
Controls refreshing of requested objects. Set to no to prevent refreshing of the object if it is cached. Set to yes to allow the cache to behave normally.
Syntax
refresh(yes|no)
The default value is yes.
Layer and Transaction Notes
• Use in layers.
• Do not use in layers.

remove_IMS_from_GET( )
The remove_IMS_from_GET( ) property is similar to the CLI command:
SGOS#(config) http substitute if-modified-since
except that it provides per-transaction control to allow overriding the box-wide default set by the command.
Syntax
remove_IMS_from_GET(yes|no)
The default value is taken from configuration.
Layer and Transaction Notes
• Use in layers.
• Applies to HTTP proxy transactions.

remove_PNC_from_GET( )
The remove_PNC_from_GET( ) property is similar to the CLI command:
SGOS#(config) http substitute pragma-no-cache
except that it provides per-transaction control to allow overriding the box-wide default set by the command.
Syntax
remove_PNC_from_GET(yes|no)
The default value is taken from configuration.
Layer and Transaction Notes
• Use in layers.
• Applies to HTTP proxy transactions.

remove_reload_from_IE_GET( )
The remove_reload_from_IE_GET( ) property is similar to the CLI command:
SGOS#(config) http substitute ie-reload
except that it provides per-transaction control to override the box-wide default set by the command.
Syntax
remove_reload_from_IE_GET(yes|no)
The default value is taken from configuration.
Layer and Transaction Notes
• Use in layers.
• Applies to HTTP proxy transactions.

request.filter_service( )
Controls whether the request is processed by an external content filter service. The ProxySG currently supports Websense Enterprise Server external content filtering. Directing the request to an external content filter service does not affect policy based on categories determined through an on-box vendor or CPL category definitions.

url.address=10.0.0.0/8 ; don't filter internal network
client.address=10.1.2.3 ; don't filter this client
See Also
• The ProxySG Command Line Reference for information on configuring Websense off-box services.

request.icap_service( )
Determines whether a request from a client should be processed by an external ICAP service before going out. Typical applications include content filtering and virus scanning.
Syntax
request.icap_service(servicename [, fail_open | fail_closed])
request.icap_service(no)
The default values are no and fail_closed.
where:
• servicename—A configured ICAP service that supports request modification.

response.icap_service( )
Determines whether a response to a client request is first sent to an ICAP service before being given to the client. Depending on the ICAP service, the response may be allowed, denied, or altered. Typical applications include virus scanning.
Syntax
response.icap_service(servicename [, fail_open | fail_closed])
response.icap_service(no)
The default values are no and fail_closed.
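An added policy fragment, not from the guide, showing request.icap_service( ) and response.icap_service( ) used together with explicit failure modes. The service names req_filter and av_scan, the 10.0.0.0/8 internal subnet and the use of <Proxy> layers are assumptions.

```cpl
; Constructed example, not from the guide: the ICAP service names and the
; internal subnet are assumed values.

<Proxy>
    ; Request modification is skipped for the internal network; the first
    ; matching rule in a layer applies, so the unconditional rule below is
    ; reached only by clients outside 10.0.0.0/8.
    client.address=10.0.0.0/8 request.icap_service(no)
    request.icap_service(req_filter, fail_closed)

<Proxy>
    ; Every response is scanned before it reaches the client. fail_closed
    ; (the default) returns an exception when the scanner cannot be reached;
    ; fail_open would deliver the unscanned response instead, so it should be
    ; set only where that risk has been accepted deliberately.
    response.icap_service(av_scan, fail_closed)
```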
service( )
This deprecated syntax has been replaced by the allow, deny( ) and exception( ) properties.

socks.accelerate( )
The socks.accelerate( ) property controls the SOCKS proxy handoff to other protocol agents.
Syntax
socks.accelerate(no|auto|http|aol_im|msn_im|yahoo_im)
The default value is auto.
where:
• no—The SOCKS proxy does not hand off the transaction to another proxy agent, but tunnels the SOCKS transaction.
• auto—The handoff is determined by the URL scheme.

socks.authenticate( )
The same realms can be used for SOCKS proxy authentication as for regular proxy authentication. This form of authentication applies only to SOCKS transactions. The regular authenticate( ) property does not apply to SOCKS transactions. However, if an accelerated SOCKS transaction has already been authenticated in the same realm by the SOCKS proxy, no new authentication challenge is issued. If the realms identified in the socks.

socks.authenticate.force( )
This property controls the relation between SOCKS authentication and denial.
Syntax
socks.authenticate.force(yes|no)
The default value is no.
where:
• yes—Makes socks.authenticate( ) a higher priority than deny( ) or exception( ). Use yes to ensure that user IDs are available for access logging, even of denied requests.
• no—deny( ) and exception( ) have a higher priority than socks.authenticate( ).

socks_gateway( )
Controls whether or not the request associated with the current transaction is sent through a SOCKS gateway. There is a box-wide configuration setting (config>socks-gateways>sequence) for the default SOCKS gateway failover sequence. The socks_gateway( ) property is used to override the default SOCKS gateway failover sequence with a specific list of SOCKS gateway aliases.

socks_gateway.fail_open( )
Controls whether the ProxySG terminates or continues to process the request if the specified SOCKS gateway or any designated backup or default cannot be contacted. There is a box-wide configuration setting (config>socks-gateways>failure-mode) for the default SOCKS gateway failure mode. The socks_gateway.fail_open( ) property overrides the configured default.
Syntax
socks_gateway.fail_open(yes|no)
The default value is no.

streaming.transport( )
Determines the upstream transport mechanism to be used for this streaming transaction. This setting is not definitive. The ability to use the specified transport mechanism depends on the capabilities of the selected forwarding host.
Syntax
streaming.transport(auto|tcp|http)
where:
• auto—Use the default transport for the upstream connection, as determined by the originating transport and the capabilities of any selected forwarding host.

terminate_connection( )
The terminate_connection( ) property is used in an layer to drop the connection rather than return the exception response. The yes option terminates the connection instead of returning the response. (This property provides backwards-compatible support for the TERMINATE_CONNECTION error pages directive supported in SGOS 2.x.)
Syntax
terminate_connection(yes|no)
The default is no.
Layer and Transaction Notes
• Use in layers.

trace.destination( )
Used to change the default path to the trace output file. By default, policy evaluation trace output is written to an object in the cache accessible using a console URL of the following form:
http://ProxySG_IP_address:8081/Policy/Trace/path
Syntax
trace.destination(path)
where path is, by default, default_trace.html. You can change path to a filename or directory path, or both. If only a directory is provided, the default trace filename is used.

trace.request( )
Determines whether detailed trace output is generated for the current request. The default value is no, which produces no output. Trace output is generated at the end of a request, and includes request parameters, property settings, and the effects of all actions taken. Output tracing can be set conditionally by creating a rule that combines this property with conditions such as url= or client.address=.

trace.rules( )
Determines whether trace output is generated showing policy rule evaluation for the transaction. By default, trace output is written to an object accessible using the following console URL:
http://ProxySG_IP_address:8081/Policy/Trace/default_trace.html
The trace output location can be controlled using the trace.destination( ) property.

ttl( )
Sets the time-to-live (TTL) value of an object in the cache, in seconds. Upon expiration, the cached copy is considered stale and is re-obtained from the origin server when next accessed. However, this property has an effect only if the following HTTP command line option is enabled: Force explicit expirations: Never serve after. If the above option is not set, the ProxySG’s freshness algorithm determines the time-to-live value.

ua_sensitive( )
Used to modify caching behavior by declaring that the response for a given object is expected to vary based on the user agent used to retrieve the object. Set to yes to specify this behavior. Using ua_sensitive(yes) has the same effect as cache(no).
Note: Remember that any conflict among CPL property settings is resolved by CPL’s evaluation logic, which uses the property value that was last set when evaluation ends.
Chapter 5: Action Reference An action takes arguments and is wrapped in a user-named action definition block. When the action definition is called from a policy rule, any actions it contains operate on their respective arguments. Within a rule, named action definitions are enabled and disabled using the action( )property. Actions take the following general form: action(argument1, ...) An action block is limited to the common subset among the allowed layers of each of the actions it contains.
append( )

Appends a new component to the specified header.

Note: An error results if two header modification actions modify the same header. This results in a compile time error if the conflicting actions are within the same action definition block. A runtime error is recorded in the event log if the conflicting actions are defined in different blocks.

Syntax

append(header, string)
append(im.message.
delete( )

Deletes all components of the specified header.

Note: An error results if two header modification actions modify the same header. The error is noted at compile time if the conflicting actions are within the same action definition block. A runtime error is recorded in the event log if the conflicting actions are defined in different blocks.

Syntax

delete(header)

where: header—A header specified using the following form.
delete_matching( )

Deletes all components of the specified header that contain a substring matching a regular-expression pattern.

Note: An error results if two header modification actions modify the same header. The error is noted at compile time if the conflicting actions are within the same action definition block. A runtime error is recorded in the event log if the conflicting actions are defined in different blocks.
im.alert( )

Delivers a message in-band to the instant messaging user. The text appears in the instant message window. This action is similar to log_message( ), except that it appends entries to a list in the instant messaging transaction that the IM protocol renders in an appropriate way. Multiple alerts can be appended to a transaction. The protocol determines how multiple alerts appear to the user.

Syntax

im.
log_message( )

Writes the specified string to the ProxySG event log. Events generated by log_message( ) are viewed by selecting the Policy messages event logging level in the Management Console.

Note: This is independent of access logging.

Syntax

log_message(string)

Where string is a quoted string that can optionally include one or more variable substitutions.

Layer and Transaction Notes

Can be referenced by any layer.
notify_email( )

Sends an email notification to the list of recipients specified in the Event Log mail configuration. The sender of the email appears as <Primary_ProxySG_IP_address - configured_appliance_hostname>. You can specify multiple notify_email actions, which may result in multiple mail messages for a single transaction. The email is sent when the transaction terminates.
notify_snmp( )

Sends an SNMP trap containing the specified message. Multiple notify_snmp actions may be specified, resulting in multiple SNMP traps for a single transaction. The SNMP trap is sent when the transaction terminates.

Syntax

notify_snmp(message)

where message is a quoted string that can optionally include one or more variable substitutions.

Layer and Transaction Notes

Can be referenced by any layer.
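The three notification actions, log_message( ), notify_email( ) and notify_snmp( ), combined in one action definition and attached to a deny rule. This is an added example, not code from the original guide; the domain badsite.example and the label alert_on_block are assumed, and the substitution variables $(client.address), $(user) and $(url) are the ones covered in Appendix D.

```cpl
; Added example, not from the original guide. Assumed values:
; the domain badsite.example and the action label alert_on_block.
define action alert_on_block
    ; Event log entry, visible at the "Policy messages" logging level.
    ; Note that $(url) is attacker-controlled text; treat the event log
    ; line as untrusted input when it is parsed downstream.
    log_message("policy deny: client=$(client.address) user=$(user) url=$(url)")
    ; notify_email(subject, body) and notify_snmp(message) each fire once
    ; per transaction, when the transaction terminates, not when the rule
    ; matches. A second notify_* action in any enabled block would produce
    ; a second message for the same transaction.
    notify_email("ProxySG policy deny", "Client $(client.address) was denied $(url)")
    notify_snmp("ProxySG policy deny: $(client.address) requested $(url)")
end

<Proxy>
    ; Deny the request and, in the same rule, enable the notification block.
    url.domain=badsite.example deny action.alert_on_block(yes)
```

Keeping all three notifications in one definition makes the "one message per transaction" behaviour easy to reason about: enabling the block from several rules for the same transaction still yields a single mail and a single trap, whereas spreading notify_* actions across several enabled blocks multiplies them.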
redirect( )

Ends the current HTTP transaction and returns an HTTP redirect response to the client by setting the policy_redirect exception. Use this action to specify an HTTP 3xx response code, optionally set substitution variables based on the request URL, and generate the new Location response-header URL after performing variable substitution. FTP over HTTP requests are redirected for Netscape Navigator clients, but not Microsoft Internet Explorer clients.
replace( )

This deprecated action has been replaced by rewrite( ). For more information, see "rewrite( )" on page 237.
rewrite( )

Rewrites the request URL, URL host, or components of the specified header if it matches the regular-expression pattern. This action is often used in conjunction with the URL rewrite form of the transform action in a server portal application.

Note: The URL form of the rewrite( ) action does not rewrite some URL components for Windows Media (MMS) transactions.
URL is considered complete, and replaces any URL that contains a substring matching the regex_pattern substring. Sub-patterns of the regex_pattern matched can be substituted in replacement_url using the $(n) syntax, where n is an integer from 1 to 32, specifying the matched sub-pattern. For more information, see Appendix D: "CPL Substitutions".
See Also

• Actions: append( ), delete( ), delete_matching( ), redirect( ), set( ), transform
• Conditions: request.header.header_name=, request.header.header_name.address=, request.x_header.header_name=, request.x_header.header_name.address=, response.header.header_name=, response.x_header.header_name=, server_url=
• Definitions: transform url.
set( )

Sets the specified header to the specified string after deleting all components of the header.

Note: An error results if two header modification actions modify the same header. The error is noted at compile time if the conflicting actions are within the same action definition block. A runtime error is recorded in the event log if the conflicting actions are defined in different blocks.
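The four header modification actions append( ), delete( ), delete_matching( ) and set( ) in one action definition, added here as an example that is not part of the original guide. Via, Accept-Encoding, User-Agent and Cache-Control are standard headers addressed with request.header.*; X-Internal-Debug is an assumed custom header addressed with request.x_header.*; the action labels and the 10.0.0.0/8 client range are assumed as well. The second definition exists only to show the conflict rule from the notes above: it touches a different header, so the two blocks can be enabled together for the same transaction.

```cpl
; Added example, not from the original guide. Assumed values: the
; action labels, the custom header X-Internal-Debug and the 10.0.0.0/8
; client range.
define action scrub_request_headers
    ; delete( ) removes every component of the header. Via reveals the
    ; proxy chain to the origin server; the custom debug header should
    ; never leave the network.
    delete(request.header.Via)
    delete(request.x_header.X-Internal-Debug)
    ; delete_matching( ) removes only the components that contain a
    ; substring matching the pattern; here the Brotli encoding is dropped
    ; (gzip and identity stay) so downstream content scanning sees
    ; encodings it can decode.
    delete_matching(request.header.Accept-Encoding, "^br")
    ; set( ) deletes all existing components, then writes the new value.
    set(request.header.User-Agent, "Mozilla/5.0 (compatible; corp-proxy)")
    ; append( ) adds a component and leaves existing components alone.
    append(request.header.Cache-Control, "no-transform")
end

; This block modifies a response header, not one of the request headers
; above, so there is no conflict. If it also called set( ) on
; request.header.User-Agent, the compiler would not object (different
; blocks), but enabling both blocks for one transaction would record a
; runtime error in the event log. Keep each header under one definition.
define action no_store_responses
    set(response.header.Cache-Control, "no-store")
end

<Proxy>
    client.address=10.0.0.0/8 action.scrub_request_headers(yes) action.no_store_responses(yes)
```

Because an action block is limited to the layers common to all the actions it contains, request-header and response-header modifications are kept here in a <Proxy> layer, where both are permitted.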
Discussion

Any change to the server form of the request URL must be respected by policy controlling upstream connections. The server form of the URL is tested by the server_url= conditions, which are the only URL tests allowed in <Forward> layers. All forms of the URL are available for access logging. The version of the URL that appears in a specific access log is selected by including the appropriate substitution variable in the access log format:

• c-uri—The original URL.
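redirect( ) and rewrite( ) side by side, followed by the <Forward> layer that the discussion above requires. This is an added example, not code from the original guide; the hosts old.example.com, www.example.com and app-internal.example.com, the /app/ path and the forwarding host alias internal_gateway are assumed. Both patterns are anchored with ^ and $ because rewrite( ) replaces any URL that merely contains a match; the [.] bracket expressions are literal dots written without a backslash so that the quoted string needs no escaping.

```cpl
; Added example, not from the original guide. Assumed values: the three
; host names, the /app/ path and the forwarding alias internal_gateway.
define action move_old_site
    ; Visible redirect: the client receives a 301 with the new Location.
    ; $(1) is the first parenthesised sub-pattern of the matched URL.
    redirect(301, "^http://old[.]example[.]com/(.*)$", "http://www.example.com/$(1)")
end

define action portal_rewrite
    ; Silent rewrite of the server form of the URL: the client still sees
    ; www.example.com, while the appliance fetches from the internal host.
    rewrite(url, "^http://www[.]example[.]com/app/(.*)$", "http://app-internal.example.com/$(1)")
end

<Proxy>
    url.domain=old.example.com action.move_old_site(yes)
    url.domain=www.example.com url.path=/app/ action.portal_rewrite(yes)

<Forward>
    ; Only server_url= tests are allowed here, and they see the rewritten
    ; (server) form of the URL, so the internal host name is what must be
    ; matched. A url.domain= test for www.example.com would not apply.
    server_url.domain=app-internal.example.com forward(internal_gateway)
```

The url.domain= condition on the rewrite rule restricts the action to requests already addressed to the public host, so a request for some other site whose query string happens to contain http://www.example.com/app/ is not rewritten. In the access log, c-uri records the original client URL for both rules; the rewritten server form is selected with its own substitution variable.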
transform

Invokes an active content or URL rewrite transformer. The invoked transformer takes effect only if the transform action is used in a define action definition block, and that block is in turn enabled by an action( ) property. See chapters 11 and 13 in the Configuration and Management Guide for examples of how this action is used with the active content and URL rewrite transformers.
See Also

• Properties: action( )
• Definitions: define action, transform active_content, transform url.
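The three-step chain described under transform (a transformer definition, a define action block that invokes it, and an action( ) property that enables the block), written out as an added example that is not part of the original guide. The hosts www.example.com and app-internal.example.com and the labels portal_map and portal_transform are assumed. The prefix form of define url_rewrite with two quoted strings, client prefix first and server prefix second, is written from memory rather than taken from this page; confirm the argument order against chapter 13 of the Configuration and Management Guide before relying on it.

```cpl
; Added example, not from the original guide. Assumed values: the two
; host names and the labels portal_map and portal_transform. The
; rewrite_url_prefix form (client prefix, then server prefix) is assumed.
define url_rewrite portal_map
    rewrite_url_prefix "http://www.example.com/app" "http://app-internal.example.com"
end

define action portal_transform
    ; Step 2: the transformer only runs from inside an action block.
    transform portal_map
end

<Proxy>
    ; Step 3: the block only takes effect when a rule enables it.
    url.domain=www.example.com url.path=/app/ action.portal_transform(yes)
```

Unlike the rewrite( ) action, which changes only the outgoing request URL, the URL rewrite transformer also maps links in the returned content back to the client-side prefix, which is why it is the form used for server portals. Omitting any of the three steps leaves the transformer defined but inert.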
virus_check( )

This deprecated action sends the requested document to a virus scanning server. For more information, see "response.icap_service( )" on page 213.
Chapter 6: Definition Reference

In policy files, definitions serve to bind a set of conditions, actions, or transformations to a user-defined label. Two types of definitions exist:

• Named definitions—Explicitly referenced by policy.
• Anonymous definitions—Apply to all policy evaluation and are not referenced directly in rules. There are two types of anonymous definitions: DNS and RDNS restrictions.

Definition Names

There are various types of named definitions.
define action

Binds a user-defined label to a sequence of action statements. The action( ) property has syntax that allows for individual action definition blocks to be enabled and disabled independently, based on the policy evaluation for the transaction. When an action definition block is enabled, any action statements it contains operate on the transaction as indicated by their respective arguments.
• Definitions: transform active_content, transform url_rewrite
• Chapter 5: "Action Reference".
define active_content

Defines rules for removing or replacing active content in HTML or ASX documents. This definition takes effect only if it is invoked by a transform action in a define action definition block, and that block is in turn enabled by an action( ) property as a result of policy evaluation. Active content transformation acts on the following four HTML elements in documents: