ProxySG Content Policy Language Guide
An HTTP cache transaction is examined in two stages:
• Before the object is retrieved from the origin server.
• After the object is retrieved.
Forwarding Transactions
A forwarding transaction is created when the ProxySG needs to evaluate forwarding policy before accessing a remote host and no proxy or cache transaction is associated with this activity. Examples include sending a
A forwarding transaction only evaluates policy in <Forward> layers.
Timing
As stated in the discussion of proxy transactions, various portions of the transaction information become available at different points in the evaluation, and each protocol has specific requirements for when each decision must be made. The CPL triggers and properties are designed so that, wherever possible, the timing requirements imposed by the CPL accommodate all the protocols, which shields the policy writer from the variations among them. Where this is not possible (because using the most restrictive timing would cause significant loss of functionality for the other protocols), protocol-specific triggers have been introduced. When evaluated against other protocols, these triggers return the not applicable value, or N/A. This results in the rule being skipped (the expression evaluates to false, no matter what it is). It is possible to explicitly guard such rules so that they are only evaluated against appropriate transactions.
The variation in trigger and property timings implies that within a policy rule a conflict is possible between a condition that can only be tested relatively late in the evaluation sequence and a property that must be set relatively early in the evaluation sequence. Such a rule results in a
For example, here is a rule that would be incorrect for evaluating any transaction:
If the user is in group xyz, require authentication.
The rule is incorrect because group membership can only be determined after authentication, yet the rule both tests group membership and specifies the authentication realm, a property that must be set before the authentication challenge can be issued. The following code illustrates this incorrect rule and the resulting message at compile time:
group=xyz authenticate(MyRealm)
Error: Late condition guards early action: 'authenticate(MyRealm)'
It is, however, correct for the authentication requirement to be conditional on the client address (client.address=) or proxy port (proxy.port=), as these can be determined at the time the client connection is established and therefore are available from the beginning of a proxy transaction.
For the HTTP protocol, authenticate() can be conditional on the URL (url=), but for MMS streaming, only the Host portion of the URL can be tested (url.host=). Recall the outline of the evaluation model for Windows Media transactions presented in "Understanding Transactions and Timing" on page 33.
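The timing conflict described above can be reproduced with a small model. This is an added example, not ProxySG's compiler or code from the guide: the stage names and numbers, the check_rule function and the sample address and URL are assumptions constructed for illustration, and only the triggers and the property named on this page are modelled.

```python
import re

# Stage ordering follows the text; the names and numbers are assumptions.
CONNECT, REQUEST, AUTHENTICATED = 0, 1, 2

# Earliest stage at which each trigger can be tested, per protocol.
AVAILABLE = {
    "client.address": {"http": CONNECT, "mms": CONNECT},
    "proxy.port": {"http": CONNECT, "mms": CONNECT},
    "url.host": {"http": REQUEST, "mms": REQUEST},
    # Modelled as late for MMS: only the host portion is testable in time.
    "url": {"http": REQUEST, "mms": AUTHENTICATED},
    "group": {"http": AUTHENTICATED, "mms": AUTHENTICATED},
}

# Latest stage by which each property must be decided.
DEADLINE = {"authenticate": REQUEST}

# trigger=value  or  property(argument)
TOKEN = re.compile(r"(?P<trigger>[\w.]+)=\S+|(?P<prop>\w+)\([^)]*\)")


def check_rule(rule, protocol="http"):
    """Return one error per early property guarded by a late trigger."""
    triggers, props = [], []
    for m in TOKEN.finditer(rule):
        if m.group("trigger"):
            triggers.append(m.group("trigger"))
        else:
            props.append((m.group("prop"), m.group(0)))
    for t in triggers:
        if t not in AVAILABLE:
            raise ValueError(f"trigger not in this model: {t}")
    errors = []
    for name, text in props:
        deadline = DEADLINE.get(name)
        if deadline is None:
            continue  # property has no timing constraint in this model
        if any(AVAILABLE[t][protocol] > deadline for t in triggers):
            errors.append(f"Error: Late condition guards early action: '{text}'")
    return errors


if __name__ == "__main__":
    # Constructed sample rules.
    for rule, proto in [("group=xyz authenticate(MyRealm)", "http"),
                        ("client.address=10.0.0.0/8 authenticate(MyRealm)", "http"),
                        ("url=http://example.com/ authenticate(MyRealm)", "mms")]:
        print(proto, rule, "->", check_rule(rule, proto) or "ok")
```

In this model the url= rule passes for HTTP and is flagged for MMS, while the same rule written with url.host= passes for both.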
As another example, consider the following: