Blue Coat Systems Proxy SG manual Understanding Sections

Models: Proxy SG


Chapter 2: Managing Content Policy Language

Timing

The “late guards early” timing errors that can occur within a rule can also arise across rules in a layer. When a trigger cannot yet be evaluated, policy must also postpone evaluating all following rules in that layer: if the trigger turns out to be true and the rule matches, evaluation stops for that layer; if the trigger turns out to be false and the rule misses, evaluation continues with the rest of the rules in that layer, looking for the first match. Thus a rule inherits the earliest evaluation point of the latest rule above it in the layer.

For example, as noted earlier, the following rule would result in a timing conflict error:

group=xyz authenticate(MyRealm)

Error: Late condition guards early action: 'authenticate(MyRealm)'

The following layer would result in a similar error:

<Proxy>
group=xyz deny
authenticate(MyRealm)

Error: Late condition 'group=xyz' guards early action: 'authenticate(MyRealm)'

This also extends to guard expressions, as the guard condition must be evaluated before any rules in the layer. For example:

<Proxy> group=xyz
deny
authenticate(MyRealm)

Error: Late condition 'group=xyz' guards early action: 'authenticate(MyRealm)'
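
The cross-rule inheritance described above can be modelled as a small layer checker. This is an added example, not Blue Coat code: the two-phase timing model (before and after authentication), the two lookup tables and the function names are assumptions chosen to reproduce the three errors shown in this section.

```python
# Added illustration: a simplified model of CPL "late guards early" checking.
# The phase numbers and both lookup tables are assumptions made for this
# sketch; they are not Blue Coat's implementation or a complete trigger list.
import re

PRE_AUTH, POST_AUTH = 0, 1

# Earliest point at which a trigger can be evaluated (assumed values).
CONDITION_READY = {"url.domain": PRE_AUTH, "group": POST_AUTH}
# Latest point by which an action must be decided (assumed values).
ACTION_DEADLINE = {"authenticate": PRE_AUTH, "deny": POST_AUTH}

# A token is either trigger=value or an action with optional (arguments).
TOKEN = re.compile(r"(?P<cond>[\w.]+)=\S+|(?P<act>\w+)(?:\([^)]*\))?")


def parse(text):
    """Split a guard or rule line into (conditions, actions) token lists."""
    conds, acts = [], []
    for m in TOKEN.finditer(text):
        if m.group("cond"):
            conds.append((m.group("cond"), m.group(0)))
        else:
            acts.append((m.group("act"), m.group(0)))
    return conds, acts


def check_layer(guard, rules):
    """Return timing errors for one layer, given its guard text and rule lines."""
    errors = []
    latest = (PRE_AUTH, None)  # (phase, condition text) inherited so far
    # The guard is evaluated before any rule, so it is processed first.
    for line in [guard] + list(rules):
        conds, acts = parse(line)
        for name, text in conds:
            phase = CONDITION_READY[name]
            if phase > latest[0]:
                latest = (phase, text)
        # Actions on this line are guarded by every condition seen so far,
        # including those of the rules above it in the layer.
        for name, text in acts:
            if ACTION_DEADLINE[name] < latest[0]:
                errors.append(
                    f"Late condition '{latest[1]}' guards early action: '{text}'"
                )
    return errors
```

Placing the authenticate(MyRealm) rule above the group=xyz rule in the same layer returns no errors in this model, because nothing late then precedes the early action.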

Understanding Sections

The rules in layers can optionally be organized in one or more sections, which is a way of grouping rules together. A section consists of a section header followed by a list of rules.

Four section types are supported in a standard CPL file:

[Rule]

[url]

[url.domain]

[server_url.domain]

However, if a CacheOS 4.x filter file is used in place of a policy file and running in backward-compatibility mode, the [Domain-suffix], [Prefix], and [Regular-Expression] sections are also available. These deprecated sections are described in Appendix E: "Filter File Syntax".

Three of the section types, [url], [url.domain] and [server_url.domain], provide optimization for URL tests. The names for these sections correspond to the CPL URL triggers used as the first test for each rule in the section, that is url=, url.domain= and server_url.domain=. The [url.regex] section provides factoring and organization benefits, but does not provide any performance advantage over using a [Rule] section and explicit url.regex= tests.

To give an example, the following policy layer is created:

<Proxy>
url.domain=abc.com/sports deny
