Appendix B: Testing and Troubleshooting

Here are the relevant policy requirements to be expressed:

DNS lookups are restricted except for a site being hosted.

There is no access to reverse DNS so that is completely restricted.

Any requests not addressed to the hosted site either by name or subnet should be rejected.

FTP POST requests should be rejected.

Request URLs for the hosted site are to be rewritten, and a request header is to be set, on the way into the site.

The Sample Policy

;DNS lookups are restricted except for one site that is being hosted
restrict dns
    .
    except my_site.com
end

;No access to RDNS
restrict rdns
    all
end

define subnet my_subnet
    10.11.12.0/24
end

<proxy>
    trace.request(yes) trace.rules(all)

<proxy>
    ;
    deny url.host.is_numeric=no url.domain=!my_site.com
    deny url.address=!my_subnet

<proxy>
    deny ftp.method=STOR

<proxy>
    url.domain=my_site.com action.test(yes)

define action test
    set(request.x_header.test, "test")
    rewrite(url, "(.*)\.my_site.com", "$(1).his_site.com")
end

Since trace.request() is set to yes, a policy trace is performed whenever a client request is evaluated. Since trace.rules() is set to all, every rule evaluation is displayed, both misses and matched rules.
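To check how the four layers interact before loading them, here is an added Python model of the sample policy (constructed for this appendix; it is not ProxySG code or the manual's own). It evaluates a request against the layers in order, records one hit-or-miss line per rule the way trace.rules(all) does, and applies the action's header set and URL rewrite. It does no DNS, so the resolved address of a named host is supplied with the request (an assumption of the model).

```python
import ipaddress
import re

# Constructed, simplified model of the sample policy above (not ProxySG code): the
# <proxy> layers run in order and the first deny is final, which suffices here because
# the sample contains no allow rules.
HOSTED_DOMAIN = "my_site.com"
MY_SUBNET = ipaddress.ip_network("10.11.12.0/24")

def _host(url):
    return re.match(r"^[a-z]+://([^/:]+)", url).group(1)

def _is_numeric(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def _in_domain(host, domain):
    # url.domain= matches the domain itself and every host under it
    return host == domain or host.endswith("." + domain)

def _in_subnet(address):
    try:
        return ipaddress.ip_address(address) in MY_SUBNET
    except ValueError:        # unresolved name: cannot be inside my_subnet
        return False

def evaluate(request):
    """request: dict with 'url', 'method' and, for named hosts, 'address'
    (the IP the host resolves to). Returns (verdict, url, headers, trace)."""
    trace, headers = [], {}
    url, host = request["url"], _host(request["url"])
    address = request.get("address") or host

    def rule(text, matched):          # mimics trace.rules(all): log hit or miss
        trace.append(("MATCH " if matched else "miss  ") + text)
        return matched

    if rule("deny url.host.is_numeric=no url.domain=!my_site.com",
            not _is_numeric(host) and not _in_domain(host, HOSTED_DOMAIN)):
        return "DENY", url, headers, trace
    if rule("deny url.address=!my_subnet", not _in_subnet(address)):
        return "DENY", url, headers, trace
    if rule("deny ftp.method=STOR", request["method"] == "STOR"):
        return "DENY", url, headers, trace
    if rule("url.domain=my_site.com action.test(yes)", _in_domain(host, HOSTED_DOMAIN)):
        headers["test"] = "test"      # set(request.x_header.test, "test")
        url = re.sub(r"(.*)\.my_site.com", r"\1.his_site.com", url)  # rewrite(url, ...)
    return "ALLOW", url, headers, trace
```

The trace list returned for the GET to www.my_site.com shows three misses and one match, which is the pattern to look for in the real trace output.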

The following is the trace output produced for an HTTP GET request for http://www.my_site.com/home.html.

Note: The line numbers shown at the left do not appear in actual trace output. They are added here for annotation purposes.

Blue Coat Systems Proxy SG manual Sample Policy