Blue Coat Systems Proxy SG manual Defining Policies, Section Guards

Models: Proxy SG


ProxySG Content Policy Language Guide

[server_url.domain] sections are allowed only in <Exception> or <Forward> layers.

Section Guards

Just as you can with layers, you can improve policy clarity and maintainability by grouping rules into sections and moving the conditions and properties they share into a guard expression that follows the section header. A guard lets you state a condition once, next to the section header, instead of repeating it on every rule, as in [Rule] group=sales, which applies group=sales to every rule in that section.

Guards are essentially a way of factoring out common sets of triggers and properties, to avoid having to repeat them each time.

Defining Policies

This section includes some guidelines for defining policies using CPL.

Write an explicit layer header (<Proxy>, <Cache>, <Admin>, <Forward>, or <Exception>) before writing any rules or sections. The only constructs that should occur before the first layer header are the condition-related definitions and comments.

Do not begin a policy file with a section, such as [Rule]. Ensure all sections occur within layers.

Do not use [Rule] sections unnecessarily.

Avoid empty or badly formed policy. While some CPL may look well-formed, make sure it actually does something.

While the following example appears like proper CPL, it actually has no effect. It has a layer header and a [Rule] section header, but no rule lines. As no rules exist, no policy exists either:

    <Admin> group=Administrators
    [Rule] allow

Correct policy that allows access for the group “Administrators” would be:

    <Admin> group=Administrators
    allow

In the following example, the layer is deceptive because only the first rule can ever be executed:

<Proxy>

    authenticate(MyRealm) ; this rule is unconditional
                          ; all following rules are unreachable
    allow group=administrator
    allow group=clerk time=0900..1700
    deny

At most one rule is executed in any given layer: the first rule whose conditions are met is acted upon, and all other rules in that layer are ignored. To execute more than one rule, use more than one layer. To correctly define the above policy, two layers are required:

    <Proxy>
    authenticate(MyRealm)

    <Proxy>
    allow group=administrator
    allow group=clerk time=0900..1700
    deny
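To make the section-guard rule and the one-rule-per-layer rule concrete, here is a small Python evaluator for the CPL subset used in this section. It is an added example, not Blue Coat code and not the ProxySG policy engine: it implements only the semantics stated above (a layer guard and a section guard apply to every rule beneath them, at most one rule per layer is executed, and a later layer can set further properties) over a simplified syntax, and it treats time=HHMM..HHMM as an inclusive clock-time range, which is a simplification. The policies EMPTY, DECEPTIVE and CORRECT are this section's own examples; GUARDED is a guarded-section policy written for illustration, and the request dictionaries are constructed.

```python
"""Toy evaluator for the CPL subset used in this section (added example, not
Blue Coat code).  Supported conditions: group=NAME and time=HHMM..HHMM
(inclusive range, a simplification).  Supported properties: allow, deny and
authenticate(REALM).  Comments start with ';' as in CPL."""
import re

COND_RE = re.compile(r"^(group|time)=(.+)$")


def _classify(tokens):
    """Split tokens into (conditions, properties)."""
    conds = [t for t in tokens if COND_RE.match(t)]
    props = [t for t in tokens if not COND_RE.match(t)]
    return conds, props


def parse_policy(text):
    """Return [(layer_conds, layer_props, rules)]; each rule is (conds, props)
    with the enclosing section guard already merged in."""
    layers, sec_conds, sec_props = [], [], []
    for raw in text.splitlines():
        tokens = raw.split(";", 1)[0].split()              # drop ';' comments
        if not tokens:
            continue
        head = tokens[0]
        if head.startswith("<") and head.endswith(">"):    # layer header + guard
            layers.append((*_classify(tokens[1:]), []))
            sec_conds, sec_props = [], []                  # guard ends with the layer
        elif head.startswith("[") and head.endswith("]"):  # section header + guard
            if not layers:
                raise ValueError("section header before first layer header")
            sec_conds, sec_props = _classify(tokens[1:])
        else:                                              # rule line
            if not layers:
                raise ValueError("rule before first layer header")
            conds, props = _classify(tokens)
            layers[-1][2].append((sec_conds + conds, sec_props + props))
    return layers


def _holds(cond, request):
    key, value = COND_RE.match(cond).groups()
    if key == "group":
        return request.get("group") == value
    start, end = (int(v) for v in value.split(".."))
    return start <= request.get("time", -1) <= end


def _apply(props, decision):
    for prop in props:
        m = re.match(r"^authenticate\((\w+)\)$", prop)
        if m:
            decision["authenticate"] = m.group(1)
        elif prop in ("allow", "deny"):
            decision["access"] = prop
        else:
            raise ValueError("unsupported property: " + prop)


def evaluate(policy, request):
    """Return the properties set on one request ({'group': ..., 'time': HHMM})."""
    decision = {}
    for layer_conds, layer_props, rules in policy:
        if not all(_holds(c, request) for c in layer_conds):
            continue
        for conds, props in rules:
            if all(_holds(c, request) for c in conds):
                _apply(layer_props + props, decision)
                break          # first matching rule wins; rest of the layer is ignored
    return decision


# The section's examples.  EMPTY has a guard but no rule lines, so no policy.
EMPTY = "<Admin> group=Administrators\n[Rule] allow\n"
DECEPTIVE = """<Proxy>
authenticate(MyRealm) ; unconditional, so every later rule is unreachable
allow group=administrator
allow group=clerk time=0900..1700
deny
"""
CORRECT = """<Proxy>
authenticate(MyRealm)
<Proxy>
allow group=administrator
allow group=clerk time=0900..1700
deny
"""
# Illustrative section guard factoring group=sales out of both rules beneath it.
GUARDED = "<Proxy>\n[Rule] group=sales\nallow time=0900..1700\ndeny\n"

# Constructed requests, not captured data.
CLERK_NOON = {"group": "clerk", "time": 1200}
CLERK_NIGHT = {"group": "clerk", "time": 2300}


def compare(request):
    """Decisions from the deceptive and the corrected policy for one request."""
    return (evaluate(parse_policy(DECEPTIVE), request),
            evaluate(parse_policy(CORRECT), request))
```

compare(CLERK_NOON) returns ({'authenticate': 'MyRealm'}, {'authenticate': 'MyRealm', 'access': 'allow'}): in the single-layer version the unconditional authenticate rule consumes the layer, so the clerk never receives an allow or deny decision, while the two-layer version authenticates and then allows. The guarded policy allows sales at 1000, denies sales at 2000 and sets nothing for a clerk, because group=sales is merged into every rule of the section.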
