Blue Coat Systems Proxy SG Notes

ProxySG Content Policy Language Guide

With a few notable exceptions, triggers test one aspect of requ est, response, or associated state against

a boolean expression of values.

For the conditions in a rule, each of the triggers is logically anded together. In other words, the

condition is only true if each one of the trigger expressions is true.

Properties are settings that control transaction processing, such as deny, or the handling of the object,

such as cache(no), indicating that the object is not to be cached locally. At the beginning of a

transaction, all properties are set to their default values. As the policy is evaluated in sequence, rules

that match might set a property to a particular value. A property retains the final value setting when

evaluation ends, and the transaction is processed accordingly. Properties that are not set within the

policy maintain their default values.

The logical form of a policy rule could be expressed as:

if condition is true then set all listed properties as specified

The following is an example of a simple policy rule:

url.domain=example.com time=0900..1700 exception(policy_denied)

It states that the exception( ) property is set to policy_denied if both of the following triggers test

true:

•The request is made for a page from the domain example.com

•The request is made between 9 a.m. and 5 p.m.

Notes

•CPL triggers have the form trigger_name=pattern_expression

•CPL properties have the form property_name(setting), except for a few imperative gestures

such as allow and deny.

•The text in policy rules is case-insensitive, with a few exceptions identified in the following

chapters.

•Policy listings are normalized in several ways. First, condition and action definitions which may

appear anywhere in the source, will be grouped following the policy rules. Second, the order of

the conditions and properties on a rule may change, since the CPL compiler always puts a deny or

allow at the beginning of the rule, and orders conditions to optimize evaluation. Finally, several

phrases are synonyms for phrases that are preferred. In the output of show policy, the preferred

form is listed instead of the synonym.

Four such synonyms are:

❐exception(authorization_failed), which is a synonym for the preferred

deny.unauthorized

❐force_exception(authorization_failed), which is a synonym for the preferred

force_deny.unauthorized

❐exception(policy_denied), which is a synonym for the preferred deny

❐exception(no), which is a synonym for the preferred allow.