Appendix B: Testing and Troubleshooting
Here are the relevant policy requirements to be expressed:
DNS lookups are restricted except for a site being hosted.
There is no access to reverse DNS, so it is completely restricted.
Any requests not addressed to the hosted site either by name or subnet should be rejected.
FTP POST requests should be rejected.
Request URLs for the hosted site are to be rewritten, and a request header added, on the way into the site.
The Sample Policy
; DNS lookups are restricted except for one site that is being hosted
restrict dns
.
except
my_site.com
end
; No access to RDNS
restrict rdns
all
end
define subnet my_subnet
10.11.12.0/24
end
<proxy>
trace.request(yes) trace.rules(all)
<proxy>
;
deny url.host.is_numeric=no url.domain=!my_site.com
deny url.address=!my_subnet
<proxy>
deny ftp.method=STOR
<proxy>
url.domain=my_site.com action.test(yes)
define action test
set(request.x_header.test, "test")
rewrite(url, "(.*)\.my_site.com", "$(1).his_site.com")
end
Since trace.request() is set to yes, a policy trace is performed when client requests are evaluated.
Since trace.rules() is set to all, all rule evaluations for misses and matched rules are displayed.
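Before reading the trace, it helps to see which rule each kind of request hits. The Python below is an added illustration, not part of the appendix and not ProxySG code: it simulates the sample policy's <proxy> layers for constructed requests. The layer and match semantics are assumptions (first matching rule in a layer wins; any deny stands), and each request carries a constructed "address" field because DNS is not performed here.

```python
import ipaddress
import re

# Literals below are the appendix's sample policy; everything else is a constructed simulation.
MY_SUBNET = ipaddress.ip_network("10.11.12.0/24")
HOSTED_DOMAIN = "my_site.com"
REWRITE_PATTERN, REWRITE_REPL = r"(.*)\.my_site.com", "$(1).his_site.com"

def domain_matches(host, domain):
    """Assumed url.domain= semantics: the host is the domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def cpl_rewrite(text, pattern, replacement):
    """rewrite(): CPL writes capture groups as $(n); translate them to Python's \\n form."""
    return re.sub(pattern, re.sub(r"\$\((\d+)\)", r"\\\1", replacement), text)

def evaluate(req):
    """Walk the sample policy's <proxy> layers for one request given as a dict.

    Keys: scheme, url, host, address (the resolved IP, constructed because DNS is not
    performed here) and, for FTP, ftp_method.  Assumed engine semantics: within a layer
    the first matching rule wins, and a deny from any layer makes the verdict 'deny'.
    Returns (verdict, list of matched rules, request after actions)."""
    req = dict(req)
    host = req["host"]
    is_numeric = re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) is not None
    matched = []
    # Second <proxy> layer: non-numeric hosts outside the hosted domain, then off-subnet addresses.
    if not is_numeric and not domain_matches(host, HOSTED_DOMAIN):
        matched.append("deny url.host.is_numeric=no url.domain=!my_site.com")
    elif ipaddress.ip_address(req["address"]) not in MY_SUBNET:
        matched.append("deny url.address=!my_subnet")
    # Third <proxy> layer: reject FTP uploads.
    if req["scheme"] == "ftp" and req.get("ftp_method") == "STOR":
        matched.append("deny ftp.method=STOR")
    # Fourth <proxy> layer: the hosted site gets action.test (request header plus URL rewrite).
    if domain_matches(host, HOSTED_DOMAIN):
        matched.append("url.domain=my_site.com action.test(yes)")
        req["x_header_test"] = "test"
        req["url"] = cpl_rewrite(req["url"], REWRITE_PATTERN, REWRITE_REPL)
    verdict = "deny" if any(r.startswith("deny") for r in matched) else "allow"
    return verdict, matched, req

if __name__ == "__main__":
    # Constructed request: the page's GET for http://www.my_site.com/home.html.
    print(evaluate({"scheme": "http", "url": "http://www.my_site.com/home.html",
                    "host": "www.my_site.com", "address": "10.11.12.5"}))
```

Running it shows the hosted-site request passing both deny layers and leaving with the header set and the URL rewritten to his_site.com, while a non-numeric foreign host, an off-subnet numeric host and an FTP STOR each stop at the rule the trace would report.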
The following is the trace output produced for an HTTP GET request for http://www.my_site.com/home.html.
Note: The line numbers shown at the left do not appear in actual trace output. They are added here for annotation purposes.