Blue Coat Systems Proxy SG User Manual

Blue Coat Systems
ProxySG Content Policy Language Guide
Blue Coat Systems Inc.
650 Almanor Avenue
(408) 220-2200 Voice
(408) 220-2250 FAX
Technical Support (866) 362-2628
info@bluecoat.com
www.bluecoat.com
Copyright (c) 2002, 2003 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the written consent of Blue Coat Systems, Inc. Without Blue Coat Systems, Inc. consent, the Software may not be modified, reproduced (except to the extent specifically allowed by local law), removed from the product on which it was installed, reverse engineered, decompiled, disassembled, or derived source code. In addition to the above restrictions, the Software may not be (i) published, distributed, rented, leased, sold, sublicensed, assigned or otherwise transferred or any part thereof, (ii) used for competitive analysis or derivative works thereof or translated, (iii) permitted application development use of the Software, (iv) used to publish or distribute the results of any benchmark tests run on the Software without the express written permission of Blue Coat Systems, Inc., or (v) removed or obscured of any Blue Coat Systems, Inc. or licensor copyrights, trademarks or other proprietary notices or legends from any portion of the Software or any associated documentation.
All right, title and interest in and to the Software and documentation are and shall remain the exclusive property of Blue Coat Systems, Inc. and its licensors. Blue Coat Systems, Inc. specifications and documentation are subject to change with notice. Information contained in this document is believed to be accurate and reliable, however, Blue Coat Systems, Inc. assumes no responsibility for its use. Blue Coat™, ProxySG™, CacheOS™, are trademarks of Blue Coat Systems, Inc. and CacheFlow®, and Accelerating The Internet® are registered trademarks of Blue Coat Systems, Inc. All other trademarks contained in this document and in the Software are the property of their respective owners.
BLUE COAT SYSTEMS, INC. DISCLAIMS ALL WARRANTIES, CONDITIONS OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON SOFTWARE AND DOCUMENTATION FURNISHED HEREUNDER INCLUDING WITHOUT LIMITATION THE WARRANTIES OF DESIGN, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL BLUE COAT SYSTEMS, INC., ITS SUPPLIERS OR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY EVEN IF BLUE COAT SYSTEMS, INC. HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. The Software and all related technical information, documents and materials are subject to export controls under the U.S. Export Administration Regulations and the export regulations of other countries.
Printed in U.S.A.
Document Number: 231-02586
Document Revision: 3.1.2
Copyrights
THIRD PARTY COPYRIGHT NOTICES
Blue Coat Systems, Inc. Security Gateway Operating System (SGOS) version 3 utilizes third party software from various sources. Portions of this software are copyrighted by their respective owners as indicated in the copyright notices below.
The following lists the copyright notices for:
BPF
Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996
The Regents of the University of California. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that: (1) source code distributions retain the above copyright notice and this paragraph in its entirety, (2) distributions including binary code include the above copyright notice and this paragraph in its entirety in the documentation or other materials provided with the distribution, and (3) all advertising materials mentioning features or use of this software display the following acknowledgement:
This product includes software developed by the University of California, Lawrence Berkeley Laboratory and its contributors.
Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
DES
Software DES functions written 12 Dec 1986 by Phil Karn, KA9Q; large sections adapted from the 1977 public-domain program by Jim Gillogly.
EXPAT
Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd.
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Finjan Software
Copyright (c) 2003 Finjan Software, Inc. All rights reserved.
Flowerfire
Copyright (c) 1996-2002 Greg Ferrar
ISODE
ISODE 8.0 NOTICE
Acquisition, use, and distribution of this module and related materials are subject to the restrictions of a license agreement. Consult the Preface in the User's Manual for the full terms of this agreement.
4BSD/ISODE SMP NOTICE
Acquisition, use, and distribution of this module and related materials are subject to the restrictions given in the file SMP-READ-ME.
UNIX is a registered trademark in the US and other countries, licensed exclusively through X/Open Company Ltd.
MD5
RSA Data Security, Inc. MD5 Message-Digest Algorithm
Copyright (c) 1991-2, RSA Data Security, Inc. Created 1991. All rights reserved.
License to copy and use this software is granted provided that it is identified as the "RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing this software or this function.
License is also granted to make and use derivative works provided that such works are identified as "derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing the derived work.
RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided "as is" without express or implied warranty of any kind.
"THE BEER-WARE LICENSE" (Revision 42):
<phk@FreeBSD.org> wrote this file. As long as you retain this notice you can do whatever you want with this stuff. If we meet some day, and you think this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp
Microsoft Windows Media Streaming
Copyright (c) 2003 Microsoft Corporation. All rights reserved.
OpenLDAP
Copyright (c) 1999-2001 The OpenLDAP Foundation, Redwood City, California, USA. All Rights Reserved. Permission to copy and distribute verbatim copies of this document is granted.
http://www.openldap.org/software/release/license.html
The OpenLDAP Public License Version 2.7, 7 September 2001
Redistribution and use of this software and associated documentation ("Software"), with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain copyright statements and notices,
2. Redistributions in binary form must reproduce applicable copyright statements and notices, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution, and
3. Redistributions must contain a verbatim copy of this document.
The OpenLDAP Foundation may revise this license from time to time. Each revision is distinguished by a version number. You may use this Software under terms of this license revision or under the terms of any subsequent revision of the license.
THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS CONTRIBUTORS ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS, OR THE AUTHOR(S) OR OWNER(S) OF THE SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The names of the authors and copyright holders must not be used in advertising or otherwise to promote the sale, use or other dealing in this Software without specific, written prior permission. Title to copyright in this Software shall at all times remain with copyright holders.
OpenLDAP is a registered trademark of the OpenLDAP Foundation.
OpenSSH
Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland. All rights reserved
This file is part of the OpenSSH software.
The licences which components of this software fall under are as follows. First, we will summarize and say that all components are under a BSD licence, or a licence more free than that.
OpenSSH contains no GPL code.
1) As far as I am concerned, the code I have written for this software can be used freely for any purpose. Any derived versions of this software must be clearly marked as such, and if the derived work is incompatible with the protocol description in the RFC file, it must be called by a name other than "ssh" or "Secure Shell".
[Tatu continues]
However, I am not implying to give any licenses to any patents or copyrights held by third parties, and the software includes parts that are not under my direct control. As far as I know, all included source code is used in accordance with the relevant license agreements and can be used freely for any purpose (the GNU license being the most restrictive); see below for details.
[However, none of that term is relevant at this point in time. All of these restrictively licenced software components which he talks about have been removed from OpenSSH, i.e.,
- RSA is no longer included, found in the OpenSSL library
- IDEA is no longer included, its use is deprecated
- DES is now external, in the OpenSSL library
- GMP is no longer used, and instead we call BN code from OpenSSL
- Zlib is now external, in a library
- The make-ssh-known-hosts script is no longer included
- TSS has been removed
- MD5 is now external, in the OpenSSL library
- RC4 support has been replaced with ARC4 support from OpenSSL
- Blowfish is now external, in the OpenSSL library
[The licence continues]
Note that any information and cryptographic algorithms used in this software are publicly available on the Internet and at any major bookstore, scientific library, and patent office worldwide. More information can be found e.g. at "http://www.cs.hut.fi/crypto".
The legal status of this program is some combination of all these permissions and restrictions. Use only at your own responsibility. You will be responsible for any legal consequences yourself; I am not making any claims whether possessing or using this is legal or not in your country, and I am not taking any responsibility on your behalf.
NO WARRANTY
BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
2) The 32-bit CRC compensation attack detector in deattack.c was contributed by CORE SDI S.A. under a BSD-style license.
Cryptographic attack detector for ssh - source code
Copyright (c) 1998 CORE SDI S.A., Buenos Aires, Argentina. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that this copyright notice is retained. THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI S.A. BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF THIS SOFTWARE.
Ariel Futoransky <futo@core-sdi.com> <http://www.core-sdi.com>
3) ssh-keygen was contributed by David Mazieres under a BSD-style license.
Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>. Modification and redistribution in source and binary forms is permitted provided that due credit is given to the author and the OpenBSD project by leaving this copyright notice intact.
4) The Rijndael implementation by Vincent Rijmen, Antoon Bosselaers and Paulo Barreto is in the public domain and distributed with the following license:
@version 3.0 (December 2000)
Optimised ANSI C code for the Rijndael cipher (now AES)
@author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
@author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
@author Paulo Barreto <paulo.barreto@terra.com.br>
This code is hereby placed in the public domain.
THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
5) One component of the ssh source code is under a 3-clause BSD license, held by the University of California, since we pulled these parts from original Berkeley code.
Copyright (c) 1983, 1990, 1992, 1993, 1995
The Regents of the University of California. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
6) Remaining components of the software are provided under a standard 2-term BSD licence with the following names as copyright holders:
Markus Friedl
Theo de Raadt
Niels Provos
Dug Song
Aaron Campbell
Damien Miller
Kevin Steves
Daniel Kouril
Wesley Griffin
Per Allansson
Nils Nordman
Simon Wilkinson
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
OpenSSL
Copyright (c) 1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved.
http://www.openssl.org/about/
OpenSSL is based on the excellent SSLeay library developed by Eric A. Young <mailto:eay@cryptsoft.com> and Tim J. Hudson <mailto:tjh@cryptsoft.com>.
The OpenSSL toolkit is licensed under an Apache-style license which basically means that you are free to get and use it for commercial and non-commercial purposes.
This package is an SSL implementation written by Eric Young (eay@cryptsoft.com). The implementation was written so as to conform with Netscapes SSL.
This library is free for commercial and non-commercial use as long as the following conditions are adhered to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com).
Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement: "This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)" The word 'cryptographic' can be left out if the routines from the library being used are not cryptographic related :-).
4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The license and distribution terms for any publicly available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution license [including the GNU Public License.]
Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment:
"This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org.
5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)"
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).
PCRE
Copyright (c) 1997-2001 University of Cambridge
University of Cambridge Computing Service, Cambridge, England. Phone: +44 1223 334714.
Written by: Philip Hazel <ph10@cam.ac.uk>
Permission is granted to anyone to use this software for any purpose on any computer system, and to redistribute it freely, subject to the following restrictions:
1. This software is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
2. Regular expression support is provided by the PCRE library package, which is open source software, written by Philip Hazel, and copyright by the University of Cambridge, England.
ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/
PHAOS SSLava and SSLavaThin Copyright (c) 1996-2003 Phaos Technology Corporation. All Rights Reserved.
The software contains commercially valuable proprietary products of Phaos which have been secretly developed by Phaos, the design and development of which have involved expenditure of substantial amounts of money and the use of skilled development experts over substantial periods of time. The software and any portions or copies thereof shall at all times remain the property of Phaos.
PHAOS MAKES NO WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, REGARDING THE SOFTWARE, OR ITS USE AND OPERATION ALONE OR IN COMBINATION WITH ANY OTHER SOFTWARE.
PHAOS SHALL NOT BE LIABLE TO THE OTHER OR ANY OTHER PERSON CLAIMING DAMAGES AS A RESULT OF THE USE OF ANY PRODUCT OR SOFTWARE FOR ANY DAMAGES WHATSOEVER. IN NO EVENT WILL PHAOS BE LIABLE FOR SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
RealSystem
The RealNetworks® RealProxy™ Server is included under license from RealNetworks, Inc. Copyright 1996-1999, RealNetworks, Inc. All rights reserved.
SNMP
Copyright (C) 1992-2001 by SNMP Research, Incorporated.
This software is furnished under a license and may be used and copied only in accordance with the terms of such license and with the inclusion of the above copyright notice. This software or any other copies thereof may not be provided or otherwise made available to any other person. No title to and ownership of the software is hereby transferred. The information in this software is subject to change without notice and should not be construed as a commitment by SNMP Research, Incorporated.
Restricted Rights Legend:
Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013; subparagraphs (c)(4) and (d) of the Commercial Computer Software-Restricted Rights Clause, FAR 52.227-19; and in similar clauses in the NASA FAR Supplement and other corresponding governmental regulations.
PROPRIETARY NOTICE
This software is an unpublished work subject to a confidentiality agreement and is protected by copyright and trade secret law. Unauthorized copying, redistribution or other use of this work is prohibited. The above notice of copyright on this source code product does not indicate any actual or intended publication of such source code.
STLport
Copyright (c) 1999, 2000 Boris Fomitchev
This material is provided "as is", with absolutely no warranty expressed or implied. Any use is at your own risk. Permission to use or copy this software for any purpose is hereby granted without fee, provided the above notices are retained on all copies. Permission to modify the code and to distribute modified code is granted, provided the above notices are retained, and a notice that the code was modified is included with the above copyright notice.
The code has been modified.
Copyright (c) 1994 Hewlett-Packard Company
Copyright (c) 1996-1999 Silicon Graphics Computer Systems, Inc.
Copyright (c) 1997 Moscow Center for SPARC Technology
Permission to use, copy, modify, distribute and sell this software and its documentation for any purpose is hereby granted without fee, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation. Hewlett-Packard Company makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.
Permission to use, copy, modify, distribute and sell this software and its documentation for any purpose is hereby granted without fee, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation. Silicon Graphics makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.
Permission to use, copy, modify, distribute and sell this software and its documentation for any purpose is hereby granted without fee, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation. Moscow Center for SPARC Technology makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.
SmartFilter
Copyright (c) 2003 Secure Computing Corporation. All rights reserved.
SurfControl
Copyright (c) 2003 SurfControl, Inc. All rights reserved.
Symantec AntiVirus Scan Engine
Copyright (c) 2003 Symantec Corporation. All rights reserved.
TCPIP
Some of the files in this project were derived from the 4.X BSD (Berkeley Software Distribution) source.
Their copyright header follows:
Copyright (c) 1982, 1986, 1988, 1990, 1993, 1994, 1995
The Regents of the University of California. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement:
This product includes software developed by the University of California, Berkeley and its contributors.
4. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Trend Micro
Copyright (c) 1989-2003 Trend Micro, Inc. All rights reserved.
zlib
Copyright (c) 2003 by the Open Source Initiative
This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software.

Preface: Introducing the Content Policy Language

The Content Policy Language (CPL) is a powerful, flexible language that enables you to specify a variety of Web-access policies. ProxySG policy is written in CPL, and every Web request is evaluated based on the installed policy. The language is designed so that policies can be customized to an organization’s specific set of users and unique enforcement needs.
CPL uses the settings created when you configured the ProxySG to your specifications.
CPL has the following capabilities:
Fine-grained control over various aspects of ProxySG behavior.
Layered policy, allowing for multiple policy decisions for each request.
Multiple actions triggered by a particular condition.
Flexibility of user-defined conditions and actions.
Convenience of predefined common actions and transformations.
Authentication-aware policy, including user and group configuration.
Support for multiple authentication realms.
Configurable policy event logging.
Built-in debugging.

About the Document Organization

This document is organized for easy reference, and is divided into the following sections and chapters:
Table 2.1: Manual Organization
Chapter 1 – Overview of Content Policy Language: This chapter provides an overview of CPL, including concepts, CPL basics, writing and troubleshooting policy, and upgrade/downgrade issues.
Chapter 2 – Managing CPL: Building upon Chapter 1, this chapter discusses understanding transactions, timing, layers, and sections, defining policies, and best practices.
Chapter 3 – Conditions: This reference guide contains the list of conditions that are supported by CPL and provides an explanation of their usage.
Chapter 4 – Properties: This reference guide contains the list of properties that are supported by CPL and provides an explanation of their usage.
Chapter 5 – Actions: This reference guide contains the list of actions that are supported by CPL and provides an explanation of their usage.
Chapter 6 – Definitions: This reference guide contains the list of definitions that are supported by CPL and provides an explanation of their usage.
Appendix A – Glossary: Terms used in this manual are defined in this appendix.
Appendix B – Troubleshooting: Using policy trace properties is explained in this appendix.
Appendix C – Recognized HTTP Headers: This appendix lists all recognized HTTP 1.1 headers and indicates how the ProxySG interacts with them.
Appendix D – CPL Substitutions: This appendix lists all substitution variables available in CPL.
Appendix E – Filter File Syntax: This appendix provides a summary of the syntax and evaluation order used in CacheOS version 4.x filter files.
Appendix F – Upgrading from CacheOS 4.x: If you upgrade from CacheOS 4.x, you need to be aware of the concerns and issues that affect a policy upgrade to SGOS 3.x.

Supported Browsers

The ProxySG Management Console supports Microsoft® Internet Explorer 5 and 6, and Netscape® Communicator 4.78, 6.2, and 7.1.
The Management Console uses the Java Runtime Environment. All browsers come with a default, built-in JRE, and you should use this default JRE rather than an independent JRE version downloaded from Sun® Microsystems.

Related Blue Coat Documentation

Blue Coat 6000 and 7000 Installation Guide
Blue Coat 400 Series Installation Guide
Blue Coat 800 Series Installation Guide
ProxySG Command Line Interface Reference

Document Conventions

The following section lists the typographical and Command Line Interface (CLI) syntax conventions used in this manual.
Table 2.2: Typographic Conventions
Italics: The first use of a new or Blue Coat-proprietary term.
Courier font: Command line text that appears on your administrator workstation.
Courier Italics: A command line variable that is to be substituted with a literal name or value pertaining to the appropriate facet of your network system.
Courier Boldface: A ProxySG literal to be entered as shown.
{ }: One of the parameters enclosed within the braces must be supplied.
[ ]: An optional parameter or parameters.
|: Either the parameter before or after the pipe character can or must be selected, but not both. To more clearly indicate that only one can be chosen, no spaces are put between the pipe and the options.

Contents

Preface: Introducing the Content Policy Language
About the Document Organization .................................................................................................................ix
Supported Browsers...........................................................................................................................................ix
Related Blue Coat Documentation....................................................................................................................x
Document Conventions......................................................................................................................................x

Chapter 1: Overview of Content Policy Language

Concepts .............................................................................................................................................................19
Transactions...............................................................................................................................................19
Policy Model..............................................................................................................................................20
Role of CPL ................................................................................................................................................21
CPL Language Basics........................................................................................................................................21
Comments..................................................................................................................................................21
Rules ...........................................................................................................................................................21
Notes...........................................................................................................................................................22
Quoting ......................................................................................................................................................23
Layers .........................................................................................................................................................24
Sections.......................................................................................................................................................24
Definitions..................................................................................................................................................25
Referential Integrity..................................................................................................................................26
Substitutions..............................................................................................................................................27
Writing Policy Using CPL................................................................................................................................27
Authentication and Denial ......................................................................................................................28
Installing Policy.........................................................................................................................................29
CPL General Use Characters and Formatting ......................................................................................29
Troubleshooting Policy.....................................................................................................................................30
Upgrade/Downgrade Issues...........................................................................................................................30
CPL Syntax Deprecations ........................................................................................................................30
Conditional Compilation.........................................................................................................................31

Chapter 2: Managing Content Policy Language

Understanding Transactions and Timing......................................................................................................33
Administrator Transactions ....................................................................................................................33
Proxy Transactions ...................................................................................................................................33
Cache Transactions...................................................................................................................................35
Forwarding Transactions.........................................................................................................................36
Timing ........................................................................................................................................................36
Understanding Layers ......................................................................................................................................37
<Admin> Layers.......................................................................................................................................37
<Cache> Layers.........................................................................................................................................38
<Exception> Layers..................................................................................................................................39
<Forward> Layers....................................................................................................................................39
<Proxy> Layers......................................................................................................................................... 40
Layer Guards.............................................................................................................................................40
Timing ........................................................................................................................................................41
Understanding Sections ................................................................................................................................... 41
[Rule] ..........................................................................................................................................................42
[url] .........................................................................................................................................................43
[url.domain] ..............................................................................................................................................43
[url.regex] ..................................................................................................................................................43
[server_url.domain]..................................................................................................................................43
Section Guards..........................................................................................................................................44
Defining Policies................................................................................................................................................ 44
Blacklists and Whitelists..........................................................................................................................45
General Rules and Exceptions to a General Rule ................................................................................45
Best Practices...................................................................................................................................................... 48

Chapter 3: Condition Reference

Condition Syntax...............................................................................................................................................49
Pattern Types .....................................................................................................................................................50
Unavailable Triggers ........................................................................................................................................ 51
Layer Type Restrictions...........................................................................................................................51
Global Restrictions ................................................................................................................................... 51
Condition Reference .........................................................................................................................................51
acl=.............................................................................................................................................................. 52
admin.access= ...........................................................................................................................................53
attribute.name=.........................................................................................................................................54
authenticated= ..........................................................................................................................................56
bitrate=.......................................................................................................................................................57
category= ...................................................................................................................................................59
client.address= .......................................................................................................................................... 60
client.protocol= .........................................................................................................................................61
condition=..................................................................................................................................................62
console_access= ........................................................................................................................................64
content_admin=........................................................................................................................................65
content_management............................................................................................................................... 66
date[.utc]=..................................................................................................................................................67
day=............................................................................................................................................................ 68
exception.id=.............................................................................................................................................69
ftp.method=............................................................................................................................................... 71
group=........................................................................................................................................................72
has_attribute.name=.................................................................................................................................74
has_client=................................................................................................................................................. 76
hour=..........................................................................................................................................................77
http.method= ............................................................................................................................................ 79
http.request.version=............................................................................................................................... 80
http.response.code= .................................................................................................................................81
http.response.version= ............................................................................................................................82
http.transparent_authentication= ..........................................................................................................83
http.x_method= ........................................................................................................................................84
im.buddy_id= ........................................................................................................................................... 85
im.chat_room.conference=...................................................................................................................... 86
im.chat_room.id= .....................................................................................................................................87
im.chat_room.invite_only=..................................................................................................................... 88
im.chat_room.type= .................................................................................................................................89
im.chat_room.member= .......................................................................................................................... 90
im.chat_room.voice_enabled=................................................................................................................91
im.file.extension= .....................................................................................................................................92
im.file.name= ............................................................................................................................................93
im.file.path= ..............................................................................................................................................94
im.file.size= ...............................................................................................................................................95
im.message.opcode=................................................................................................................................96
im.message.route= ................................................................................................................................... 97
im.message.size=...................................................................................................................................... 98
im.message.text= ......................................................................................................................................99
im.message.type=................................................................................................................................... 100
im.method= ............................................................................................................................................. 101
im.user_id=..............................................................................................................................................102
live=..........................................................................................................................................................103
method=................................................................................................................................................... 104
minute=.................................................................................................................................................... 106
month=..................................................................................................................................................... 107
protocol=..................................................................................................................................................108
proxy.address= .......................................................................................................................................109
proxy.card= .............................................................................................................................................110
proxy.port=.............................................................................................................................................. 111
realm= ...................................................................................................................................................... 112
release.id=................................................................................................................................................114
release.version= ......................................................................................................................................115
request.header.header_name= .............................................................................................................116
request.header.header_name.address=............................................................................................... 117
request.header.Referer.url= .................................................................................................................. 118
request.x_header.header_name= .........................................................................................................121
request.x_header.header_name.address= ..........................................................................................122
response.header.header_name=........................................................................................................... 123
response.x_header.header_name=.......................................................................................................124
server_url= ..............................................................................................................................................125
socks=.......................................................................................................................................................128
socks.accelerated= .................................................................................................................................129
socks.method= ........................................................................................................................................130
socks.version=......................................................................................................................................... 131
streaming.client= ....................................................................................................................................132
streaming.content=................................................................................................................................. 133
time=......................................................................................................................................................... 134
tunneled=.................................................................................................................................................136
url= ...........................................................................................................................................................137
user=.........................................................................................................................................................144
user.domain= ..........................................................................................................................................146
user.x509.issuer= ....................................................................................................................................147
user.x509.serialNumber= ......................................................................................................................148
user.x509.subject=...................................................................................................................................149
weekday= ................................................................................................................................................ 150
year=.........................................................................................................................................................151

Chapter 4: Property Reference

Property Reference..........................................................................................................................................153
access_log( )............................................................................................................................................. 154
access_server( ) ....................................................................................................................................... 155
action( ) .................................................................................................................................................... 156
advertisement( ) .....................................................................................................................................157
allow .........................................................................................................................................................158
always_verify( ) .....................................................................................................................................159
authenticate( )..........................................................................................................................................160
authenticate.force( ) ...............................................................................................................................162
authenticate.mode( ) .............................................................................................................................. 163
authenticate.use_url_cookie( )..............................................................................................................165
block_category( ).....................................................................................................................................166
bypass_cache( ) ......................................................................................................................................167
cache( ) .................................................................................................................................................... 168
check_authorization( ) ...........................................................................................................................170
content_filter_override( )....................................................................................................................... 171
cookie_sensitive( ) ................................................................................................................................. 172
delete_on_abandonment( ).................................................................................................................... 173
deny( ) ......................................................................................................................................................174
deny.unauthorized( ) .............................................................................................................................175
direct( ) ....................................................................................................................................................176
dynamic_bypass( )..................................................................................................................................177
exception( ) ..............................................................................................................................................178
exception.autopad( ) ..............................................................................................................................179
force_cache( ) ..........................................................................................................................................180
force_deny( )............................................................................................................................................181
force_exception( ) ................................................................................................................................... 182
force_patience_page( ) ...........................................................................................................................183
forward( )................................................................................................................................................. 184
forward.fail_open( ) ...............................................................................................................................185
ftp.server_connection( ).........................................................................................................................186
ftp.server_data( ).....................................................................................................................................187
ftp.transport( ).........................................................................................................................................188
http.force_ntlm_for_server_auth( )......................................................................................................189
http.request.version( )............................................................................................................................ 190
http.response.version( ) ........................................................................................................................191
icp( )..........................................................................................................................................................192
im.strip_attachments( ) .........................................................................................................................193
integrate_new_hosts( )...........................................................................................................................194
label( ) ...................................................................................................................................................... 195
log.rewrite.field-id( ).............................................................................................................................. 196
log.suppress.field-id( ) .........................................................................................................................197
max_bitrate( ) ..........................................................................................................................................198
never_refresh_before_expiry( ) ............................................................................................................199
never_serve_after_expiry( ) ..................................................................................................................200
patience_page( )......................................................................................................................................201
pipeline( ) ................................................................................................................................................202
prefetch( ).................................................................................................................................................203
reflect_ip( ) .............................................................................................................................................. 204
reflect_vip( ) ............................................................................................................................................ 205
refresh( ) ..................................................................................................................................................206
remove_IMS_from_GET( ) ....................................................................................................................207
remove_PNC_from_GET( )...................................................................................................................208
remove_reload_from_IE_GET( ) ..........................................................................................................209
request.filter_service( ) ..........................................................................................................................210
request.icap_service( ) ........................................................................................................................... 212
response.icap_service( ) ........................................................................................................................ 213
service( ) ..................................................................................................................................................214
socks.accelerate( ) ................................................................................................................................... 215
socks.authenticate( )............................................................................................................................... 216
socks.authenticate.force( ) .....................................................................................................................217
socks_gateway( ).....................................................................................................................................218
socks_gateway.fail_open( ) ................................................................................................................... 219
streaming.transport( ) ............................................................................................................................ 220
terminate_connection( ).........................................................................................................................221
trace.destination( ) .................................................................................................................................222
trace.request( ) ........................................................................................................................................223
trace.rules( ) ............................................................................................................................................224
ttl( ) ...........................................................................................................................................................225
ua_sensitive( ) ........................................................................................................................................ 226

Chapter 5: Action Reference

Argument Syntax ............................................................................................................................................227
Action Reference .............................................................................................................................................227
append( ) ................................................................................................................................................. 228
delete( ) ....................................................................................................................................................229
delete_matching( ) ................................................................................................................................. 230
im.alert( )..................................................................................................................................................231
log_message( ) ........................................................................................................................................ 232
notify_email( ) ........................................................................................................................................ 233
notify_snmp( ) ........................................................................................................................................234
redirect( ) ................................................................................................................................................. 235
replace( )...................................................................................................................................................236
rewrite( ) .................................................................................................................................................. 237
set( ) ..........................................................................................................................................................240
transform .................................................................................................................................................242
virus_check( ) ..........................................................................................................................................244

Chapter 6: Definition Reference

Definition Names ............................................................................................................................................245
define action ............................................................................................................................................ 246
define active_content ............................................................................................................................. 248
define category........................................................................................................................................250
define condition...................................................................................................................................... 252
define domain condition ....................................................................................................................... 254
define javascript...................................................................................................................................... 255
define prefix condition .......................................................................................................................... 257
define server_url.domain condition ....................................................................................................258
define subnet........................................................................................................................................... 260
define url condition................................................................................................................................261
define url.domain condition ................................................................................................................. 263
define url_rewrite...................................................................................................................................265
restrict dns ...............................................................................................................................................267
restrict rdns..............................................................................................................................................268
transform active_content.......................................................................................................................269
transform url_rewrite ............................................................................................................................270
Appendix A: Glossary
Appendix B: Testing and Troubleshooting
Enabling Rule Tracing ...........................................................................................................................275
Enabling Request Tracing .....................................................................................................................276
Using Trace Information to Improve Policies .................................................................................... 276
Appendix C: Recognized HTTP Headers
Appendix D: CPL Substitutions
Appendix E: Filter File Syntax
Filter File Overview ........................................................................................................................................299
Filter File Structure ......................................................................................................................................... 299
Filter-Part Components ......................................................................................................................... 300
Action-Part Components.......................................................................................................................305
Evaluation Order.................................................................................................................................... 306
Appendix F: Upgrading from CacheOS
Index

Chapter 1: Overview of Content Policy Language

The Content Policy Language (CPL) is a programming language with its own concepts and rules that you must follow.
This chapter provides an overview of CPL, including the following topics:
"Concepts"
"CPL Language Basics"
"Writing Policy Using CPL"
"Troubleshooting Policy"
"Upgrade/Downgrade Issues"

Concepts

The term policy, as used here, refers to configuration values and rules applied to render decisions on authentication requirements, access rights, quality of service, or content transformations (including rewrites and off-box services that should be used to process the request or response). Often, the policy references system configuration for the default values for some settings and then evaluates rules to see if those settings should be overridden.
CPL is a language for specifying the policy rules for the ProxySG. Primarily, it controls the following:
User Authentication requirements
Access to Web-related resources
Cache content
Various aspects of request and response processing
Access logging
You can create policy rules using either the Visual Policy Manager (VPM), which is accessible through the Management Console, or by composing CPL.
Before reading sample CPL or trying to express your own policies in CPL, Blue Coat recommends that you understand the fundamental concepts underlying policy enforcement in the ProxySG appliances. This section provides an overview of important concepts.

Transactions

In the CPL context, a transaction is the encapsulation of a request for service and any associated response for the purposes of policy evaluation and enforcement. In most cases, a transaction is created for each unique request for service, and the transaction exists for the time taken to process the request and deliver the response.
The transaction serves the following purposes:
Exposes request and response state for testing during policy evaluation.
This provides the ability to test various aspects of a request, such as the IP address of the client and the URL used, or the response, such as the contents of any HTTP headers.
Ensures policy integrity during processing.
The lifetime of a transaction may be relatively long, especially if a large object is being fetched over slow networks and subjected to off-box processing services such as content filtering and virus scanning. During this time, changes to configuration or policy rules may occur, which would result in altering the policy decisions that affect a transaction. If a request was evaluated against one version of policy, and some time later the associated response were evaluated against a different version of policy, the outcome would be unpredictable and possibly inconsistent.
The transaction ensures that both the request and the response are evaluated against the version of policy that was current when the transaction was created. To ensure that new policy is respected, long lived transactions such as those involved in streaming, or large file downloads, are re-evaluated under new policy. Re-evaluation applies to both the request and response, and any resulting new decisions that cannot be honoured (such as new authentication requirements) result in transaction termination.
Maintains policy decisions relevant to request and response processing.
Various types of transactions are used to support the different policy evaluation requirements of the individual protocols: administrator, cache, and proxy transactions.
In a few special cases, two or more transactions can be created for a single request. For example, if an HTTP request is made via the SOCKS proxy (on port 1080 of the ProxySG), then it is possible for two transactions to be created: a SOCKS proxy transaction, and an HTTP proxy transaction. You can see these transactions for yourself if you turn on policy tracing. A new entry is added to the policy trace file for each transaction.

Policy Model

Each transaction begins with a default set of decisions, many of which are taken from configuration of the system. These defaults include such things as forwarding hosts or SOCKS gateways. The most important default decision affects whether or not requests should be allowed or denied. The defaults for the various transaction types are:
Administrator Transaction— the default is to deny requests.
By default, administration is only available through one of the methods that bypasses policy evaluation. These are:
accessing the CLI through the serial console
accessing the CLI through RSA authenticated SSH
logging into the Management Console or CLI using the console credentials
Specific rights must be granted through policy to enable other administration methods.
Cache Transactions—the default is to allow requests.
These requests originate from the ProxySG itself, and are used primarily to maintain the state of content. Additional policy can be added to specifically deny requests for specific content, and to distinguish content management requests from other cache transactions.
Proxy Transactions—the default is taken from system configuration.
For new ProxySG appliances, the default is to deny all requests. For ProxySG appliances being upgraded from 4.x, the default is to allow all requests. In either case, the ProxySG can be configured for either default. The default setting is displayed in policy listings.
The proper approach to writing <proxy> layer policy depends on whether or not the default is to allow or deny requests. The default proxy policy is configurable and represents the starting point for writing policy to control proxy transactions. The default proxy policy is reported at the top of every policy listing generated by the ProxySG.
; Default proxy policy is DENY
That line in a policy listing is a CPL comment, defining the starting point for proxy policy.

Role of CPL

CPL is the language used to express policy that depends on the runtime evaluation of each transaction. Policy is written in CPL, installed on the ProxySG, and is evaluated during request processing to override any default decisions taken from configuration.

CPL Language Basics

The following sections provide an overview of the CPL language. In order to concentrate on higher level themes, CPL elements are informally introduced and discussed. Detailed specifications for each of these elements are left to the reference portion of this manual.

Comments

Any line starting with ‘;’ is a comment. A semicolon (;) following a space or tab introduces a comment that extends to the end of the line (except where the semicolon appears inside quotes as part of a trigger pattern expression or property setting).
For example:
; This is a comment.
Comments can appear anywhere in policy.

Rules

A policy rule consists of a condition and some number of property settings, written in any order. Rules are generally written on a single line, but can be split across lines using a special line continuation character. When a rule is evaluated, the condition is tested for that particular transaction. If the condition evaluates to True, then all of the listed property settings are executed and evaluation of the current layer ends. The rule is said to match. If the condition evaluates to False for that transaction, it is said to miss.
In turn, a condition is a boolean combination of trigger expressions. Triggers are individual tests that can be made against components of the request (url=), response (response.header.Content-Type=), related user (user=, group=), or system state (time=).
With a few notable exceptions, triggers test one aspect of request, response, or associated state against a boolean expression of values.
For the conditions in a rule, each of the triggers is logically anded together. In other words, the condition is only true if each one of the trigger expressions is true.
Properties are settings that control transaction processing, such as deny, or the handling of the object, such as cache(no), indicating that the object is not to be cached locally. At the beginning of a transaction, all properties are set to their default values. As the policy is evaluated in sequence, rules that match might set a property to a particular value. A property retains the final value setting when evaluation ends, and the transaction is processed accordingly. Properties that are not set within the policy maintain their default values.
The logical form of a policy rule could be expressed as:
if condition is true then set all listed properties as specified
The following is an example of a simple policy rule:
url.domain=example.com time=0900..1700 exception(policy_denied)
It states that the exception( ) property is set to policy_denied if both of the following triggers test true:
The request is made for a page from the domain example.com
The request is made between 9 a.m. and 5 p.m.

Notes

CPL triggers have the form trigger_name=pattern_expression
CPL properties have the form property_name(setting), except for a few imperative gestures such as allow and deny.
The text in policy rules is case-insensitive, with a few exceptions identified in the following chapters.
Policy listings are normalized in several ways. First, condition and action definitions, which may appear anywhere in the source, will be grouped following the policy rules. Second, the order of the conditions and properties on a rule may change, since the CPL compiler always puts a deny or allow at the beginning of the rule, and orders conditions to optimize evaluation. Finally, several phrases are synonyms for phrases that are preferred. In the output of show policy, the preferred form is listed instead of the synonym.
Four such synonyms are:
exception(authorization_failed), which is a synonym for the preferred deny.unauthorized
force_exception(authorization_failed), which is a synonym for the preferred force_deny.unauthorized
exception(policy_denied), which is a synonym for the preferred deny
exception(no), which is a synonym for the preferred allow
More complex boolean expressions are allowed for the pattern_expression in the triggers. For example, the second part of the condition in the simple rule shown above could be “the request is made between 9 a.m. and noon or between 1 p.m. and 5 p.m.”, expressed as:
... time=(0900..1200 || 1300..1700) ...
Boolean expressions are built from the specific values allowed with the trigger, and the boolean operators ! (not), && (and), || (or) and ( ) for grouping. More details are found in the Trigger Reference chapter. Alternative values may also be separated by a comma; this is often more readable than using the ‘||’ operator. For example, the following rule will deny service to requests for pages in either one of the two domains listed.
url.domain=(example.com, another.com) deny
Long lines can be split using ‘\’ as a line continuation character. The ‘\’ must be the last character on the line and be preceded by space or Tab. For example:
url.domain=example.com time=0900..1700 \
deny
Do not use a semicolon to add comments within such a continued line: everything following the semicolon, including text on the continued lines, will be treated as part of the comment. For example:
url.domain=example.com \ ; misplaced comment
deny
becomes
url.domain=example.com ; misplaced comment deny
In other words, the effect was to continue the comment.

Quoting

Certain characters are considered special by CPL and have meaning as punctuation elements of the language. For example, = (equal) separates a trigger name from its associated value, and blank space separates expressions in a rule. To use a value that contains one of these characters, the value must be quoted with either single (') or double (") quotation marks, so that the special characters are not interpreted as punctuation. Text within single quotation marks can include any character other than a single quotation mark. Text within double quotation marks can include any character other than a double quotation mark. Here are some examples of where quoting is necessary:
user="John Doe" ; value contains a space
url="www.example.com/script.cgi?param=value" ; value contains ‘=’
deny( "You don’t have access to that page!" ) ; several special chars
The full list of characters that should be quoted when they appear can be found in the reference manual. Note that you can quote any string in CPL without affecting interpretation, even if the quotes are not strictly needed. For convenience, you can quote any value that consists of more than letters and/or numbers.
user="john.doe" ; quotes not required, but can be used
Important: Within a define action or define url_rewrite statement, you must use double quotes ("), not single quotes (') to delimit a string.
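The comment, line-continuation and quoting rules from the Comments, Rules and Quoting sections above are easy to get subtly wrong when policy is generated or reviewed by tooling. The following is an added example written for this guide, not Blue Coat's own compiler: a small pre-processor that joins continued lines, recognizes a ';' comment only at the start of a line or after a space or tab and only outside quotes, and rejects an unterminated quote instead of silently swallowing the rest of the line. The sample policy text is constructed for the example. One assumption is labelled in the code: continuation is resolved before comments are recognized, which is what the warning about misplaced comments implies, so a '\' at the end of a comment still pulls the next line into that comment.

```python
"""Lexical pre-processing of CPL source text: comments, quoting and line
continuation. Added illustration for this guide, not Blue Coat's compiler;
the rules encoded here are the ones stated in the Comments and Quoting sections."""


def join_continued_lines(lines):
    """Join physical lines into logical lines.

    A backslash that is the last character of a line, and is preceded by a
    space or tab, continues the line onto the next one. Assumption (implied
    by the warning about misplaced comments): continuation is resolved before
    comments are recognized, so a '\\' at the end of a comment still joins the
    next line into that comment.
    """
    logical, pending = [], ""
    for raw in lines:
        line = raw.rstrip("\r\n")
        if len(line) >= 2 and line.endswith("\\") and line[-2] in " \t":
            pending += line[:-1]
            continue
        logical.append(pending + line)
        pending = ""
    if pending:
        logical.append(pending)
    return logical


def strip_comment(line):
    """Return `line` without its comment, if any.

    ';' at the start of the line, or ';' preceded by a space or tab outside
    quotes, starts a comment running to the end of the line. Inside single or
    double quotes ';' is ordinary text: a single-quoted value may contain '"'
    and a double-quoted value may contain "'". An unterminated quote is an
    error rather than something that quietly eats the rest of the line.
    """
    if line.lstrip(" \t").startswith(";"):
        return ""
    quote = None
    for i, ch in enumerate(line):
        if quote:
            if ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
        elif ch == ";" and i > 0 and line[i - 1] in " \t":
            return line[:i].rstrip()
    if quote:
        raise ValueError("unterminated %s quote in: %r" % (quote, line))
    return line.rstrip()


def preprocess(source):
    """Logical, comment-free, non-blank lines of a CPL file, in order."""
    result = []
    for logical in join_continued_lines(source.splitlines()):
        code = strip_comment(logical).strip()
        if code:
            result.append(code)
    return result


# Constructed sample policy text exercising each rule from this section.
SAMPLE = """; Default proxy policy is DENY
<proxy>
  url.domain=example.com time=0900..1700 \\
      deny
  url="www.example.com/script.cgi?param=value; x" ; value contains '=' and ';'
  deny( "You don't have access to that page!" )   ; several special chars
  url.domain=another.com ; comment swallows the continued line \\
      deny
"""

if __name__ == "__main__":
    for n, code in enumerate(preprocess(SAMPLE), 1):
        print(n, code)
```

Running it shows the pitfall from the text directly: the last rule of the sample loses its deny, because the continuation line was absorbed into the comment, while the quoted ';' inside the url value survives untouched.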

Layers

A policy layer is a CPL construct used to evaluate a set of rules and reach one decision. Separating decisions helps control policy complexity, and is done through writing each decision in a separate layer. Each layer has the form:
<layer_type [label]> [layer_condition][layer_properties] ...
layer_content
where:
The layer_type defines the transactions evaluated against this policy, and restricts the triggers and properties allowed in the rules used in the layer. See the following Layer Types section.
The optional label, separated from the layer type by space, is a CPL User-defined Identifier (see Chapter 2), basically an alphabetic character followed by alphanumeric or underscore characters.
The optional layer_condition is a list of triggers, all of which must evaluate to true before the layer content is evaluated.
The optional layer_properties is a list of properties that will become the default settings for those properties for any rule matched in the layer. These can be overridden by explicitly setting a different value for that property in a specific rule within the layer.
The layer_content is a list of rules, possibly organized in sections (see following). A layer must contain at least one rule.
Collectively, the layer_condition and layer_properties are often referred to as a layer guard expression.
If a rule has the logical form “if (condition is true) then set properties”, a layer has the form:
if (layer_condition is true) then {
    if (rule1_condition is true) then
        set layer_properties then set rule1 properties
    else if (rule2_condition is true) then
        set layer_properties then set rule2 properties
    else if (rule3_condition is true) then
        set layer_properties then set rule3 properties
    ...
}
Within a layer, the first rule that matches terminates evaluation of that layer.
Layers within a policy are evaluated from top to bottom, with rules in later layers taking precedence over rules in earlier layers.
In CPL, all policy rules are written in a layer. A rule cannot appear in policy preceding any layer header.

Sections

The rules in layers can optionally be organized in one or more sections, which is a way of grouping rules together. A section consists of a section header followed by a list of rules.
A section has the form:
[section_type [label]] [section_condition][section_properties]
section_content
where:
The section_type defines the syntax of the rules used in the section, and the evaluation strategy used to evaluate those rules. The square brackets [ ] surrounding the section name (and optional label) are required.
The optional label, separated from the section type by space, is a CPL User-defined Identifier similar to a layer label.
The optional section_condition is a list of triggers, all of which must evaluate to true before the section content is evaluated.
The optional section_properties is a list of properties that will become the default settings for those properties for any rule matched in the section. These override any layer property defaults and can in turn be overridden by explicitly setting a different value for that property in a rule within the section.
The section_content is a list of rules. A section must contain at least one rule.
Collectively, the section_condition and section_properties are often referred to as a section guard expression.
A layer with sections has the logical form:
if (layer_condition is true) then {
    if (section1_condition is true) then {
        if (rule1A_condition is true) then
            set layer_properties then section_properties then rule1A properties
        else if (rule1B_condition is true) then
            set layer_properties then section_properties then rule1B properties
        ...
    } else if (section2_condition is true) then {
        if (rule2A_condition is true) then
            set layer_properties then section_properties then rule2A properties
        else ...
    }
    ...
}
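The evaluation order described in the Rules, Layers and Sections passages above (properties start at defaults, layers run top to bottom, the first matching rule ends its layer, later layers override earlier ones, and layer properties, then section properties, then rule properties are applied on a match) is the part of CPL that most often surprises people reviewing a policy. The following is an added example written for this guide, not Blue Coat's compiler: a toy evaluator over hand-built Rule, Section and Layer objects, with trigger constructors (url_domain, url_path_prefix, time_in, user_is) that are assumed stand-ins for the real triggers and a constructed policy in the spirit of the examples in this chapter. Rules that are not inside a section are modelled as an unguarded section, and sections follow the pseudo-form above: the first section whose guard holds is the only one evaluated for that layer.

```python
"""Toy model of the CPL evaluation order: layers evaluated top to bottom,
guard expressions, first-match rules, and the precedence of layer, section and
rule properties. Added illustration with assumed data structures; not Blue
Coat's compiler."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Txn = Dict[str, object]            # the transaction state being tested
Trigger = Callable[[Txn], bool]    # one test against that state
Props = Dict[str, object]          # property settings, e.g. {"allow": False}


@dataclass
class Rule:
    triggers: List[Trigger]        # ANDed: every trigger must hold
    props: Props


@dataclass
class Section:
    rules: List[Rule]
    guard: List[Trigger] = field(default_factory=list)   # section_condition
    props: Props = field(default_factory=dict)           # section_properties


@dataclass
class Layer:
    sections: List[Section]
    guard: List[Trigger] = field(default_factory=list)   # layer_condition
    props: Props = field(default_factory=dict)           # layer_properties


def holds(triggers: List[Trigger], txn: Txn) -> bool:
    return all(t(txn) for t in triggers)


def evaluate(layers: List[Layer], txn: Txn, defaults: Props) -> Props:
    """Final property settings for one transaction.

    Every property starts at its default. For each layer whose guard holds,
    the first section whose guard holds is chosen; the first rule in it that
    matches applies layer properties, then section properties, then its own,
    and ends evaluation of that layer. Later layers override earlier ones.
    """
    props = dict(defaults)
    for layer in layers:
        if not holds(layer.guard, txn):
            continue
        for section in layer.sections:
            if not holds(section.guard, txn):
                continue
            hit = next((r for r in section.rules if holds(r.triggers, txn)), None)
            if hit is not None:
                props.update(layer.props)
                props.update(section.props)
                props.update(hit.props)
            break   # this section was the one evaluated for this layer
    return props


# Trigger constructors standing in for CPL triggers (assumed names).
def url_domain(*domains):          # url.domain=(a, b): alternatives are ORed
    return lambda t: t.get("url.domain") in domains

def url_path_prefix(prefix):       # prefix test on the request path
    return lambda t: str(t.get("url.path", "")).startswith(prefix)

def time_in(*ranges):              # time=(0900..1200 || 1300..1700) as HHMM ints
    return lambda t: any(lo <= t.get("time", -1) <= hi for lo, hi in ranges)

def user_is(*users):               # user=(...); unauthenticated requests never match
    return lambda t: t.get("user") in users


DEFAULTS = {"allow": False, "cache": True}   # "; Default proxy policy is DENY"

POLICY = [
    # <proxy>
    #   url.domain=(example.com, another.com) time=(0900..1200 || 1300..1700) deny
    Layer(sections=[Section(rules=[
        Rule([url_domain("example.com", "another.com"),
              time_in((900, 1200), (1300, 1700))], {"allow": False})])]),
    # <proxy> cache(no)                         ; layer property: default for matched rules
    #   [section_type] url.domain=example.com   ; section header with a guard
    #     url.path=/private/ deny
    #     url.path=/ allow
    #   user=admin allow cache(yes)             ; rule property overrides the layer default
    Layer(props={"cache": False}, sections=[
        Section(guard=[url_domain("example.com")], rules=[
            Rule([url_path_prefix("/private/")], {"allow": False}),
            Rule([url_path_prefix("/")], {"allow": True}),
        ]),
        Section(rules=[Rule([user_is("admin")], {"allow": True, "cache": True})]),
    ]),
]

if __name__ == "__main__":
    # constructed transaction: denied by layer 1, then allowed by layer 2
    print(evaluate(POLICY, {"url.domain": "example.com", "url.path": "/index.html",
                            "time": 1000}, DEFAULTS))
```

Worth noticing in the results: a request for example.com/index.html at 10:00 is denied by the first layer and then allowed by the second, because later layers take precedence; a request for example.com/private/ at 12:30 misses the first layer entirely (the time trigger fails) and is denied by the first matching rule of the second layer even though the broader url.path=/ rule after it would also have matched; and a request nothing matches keeps the configured default, which here is deny.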

Definitions

Two types of definitions are used in CPL:
Named definitions that are explicitly referenced by policy
Anonymous definitions that apply to all policy evaluation and are not referenced directly in rules.
Named Definitions
There are various types of named definitions. Each definition is given a user defined name that is then used in rules to refer to the definition. This section highlights a few of the definition types, as an overview of the topic. Refer to the Definitions reference chapter for more details.
Subnet Definitions
Subnet definitions are used to define a list of IP addresses or IP subnet masks that can be used to test any of the IP addresses associated with the transaction, for example, the client’s address or the request’s destination address.
Condition Definitions
Condition definitions can include any triggers that are legal in the layer referencing the condition. The condition= trigger is the exception to the rule that triggers can test only one aspect of a transaction. Since condition definitions can include other triggers, condition= triggers can test multiple parts of the transaction state. Also, condition definitions allow for arbitrary boolean combinations of trigger expressions.
Category Definitions
Category definitions are used to extend vendor content categories or to create your own. These categories are tested (along with any vendor defined categories) using the category= trigger.
Action Definitions
An action takes arguments and is wrapped in a named action definition block. Actions are turned on or off for a transaction through setting the action( ) property. The action property has syntax that allows for individual actions to be turned on and off independently. When the action definition is turned on, any actions it contains operate on their respective arguments.
Transformer Definitions
A transformer definition is a kind of named definition that specifies a transformation that is to be applied to an HTTP response. There are three types: url_rewrite definitions, active_content definitions, and javascript definitions.
Anonymous Definitions
Two types of anonymous definitions modify policy evaluation, but are not referenced by any rules. These definitions serve to restrict DNS and Reverse-DNS lookups and are useful in installations where access to DNS or Reverse-DNS resolution is limited or problematic.

Referential Integrity

Policy references many objects defined in system configuration, such as authentication realms, forward hosts, SOCKS gateways, and the like. CPL enforces the integrity of those references by ensuring that the entities named in policy exist and have appropriate characteristics at the time the policy is compiled. During runtime, any attempts to remove a configured object that is referenced by currently active policy will fail.
To remove a configured entity, such as a realm, that is referenced by policy, new policy must be installed with all references to that realm removed. New transactions will open against a version of policy that does not require the realm. Once all outstanding transactions that required reference to the realm have completed, the realm can be removed from configuration.

Substitutions

The actions used to rewrite the URL request or to modify HTTP request headers or HTTP response headers often need to reference the values of various elements of the transaction state when constructing the new URL or header value. CPL provides support for various substitutions, which will expand at runtime to the indicated transaction value. Substitutions have the form:
$(name)
For example, the substitution $(user) expands to the authenticated user name associated with the transaction. If policy did not require that user to authenticate, the substitution expands to an empty string.
Substitutions can also be used directly in the values specified to some CPL properties, such as when setting text in a message that will be displayed to users.
Substitutions are available for a variety of purposes. For a categorized list of the substitutions available, see Appendix D: "CPL Substitutions".

Writing Policy Using CPL

Chapter 1: Overview of Content Policy Language
A policy file is the unit of integration used to assemble policy.
Policy written in CPL is stored in one of four files on the ProxySG. These files are the following:
VPM: This file is reserved for use by the Visual Policy Manager.
Local: When the VPM is not being used, the Local file will typically contain the majority of the policy rules for a system. When the VPM is being used, this file might be empty, it might include rules for advanced policy features that are not available in the VPM, or it might otherwise supplement VPM policy.
Central: This file is typically managed by Blue Coat, although you can have the ProxySG point to a custom Central policy file instead.
Forward: The Forward policy file is normally used for all Forward policy, although you can use it to supplement any policy created in the other three policy files. The Forward policy file will contain Advanced Forwarding rules when the system is upgraded from a previous version of SGOS (2.x) or CacheOS (4.x).
Each of the files may contain rules and definitions, but an empty file is also legal. (An empty file specifies no policy and has no effect on the ProxySG.)
Cross file references are allowed but the definitions must be installed before the references, and references must be removed before definitions are removed.
The final installed policy is assembled from the policy stored in the four files by concatenating their contents. The order of assembly of the VPM, Central and Local policy files is configurable. The recommended evaluation order is VPM, Local, Central. The Forward policy file is always last.

Authentication and Denial

One of the most important timing relationships to be aware of is the relation between authentication and denial. Denial can be done either before or after authentication, and different organizations have different requirements. For example, suppose an organization requires the following:
Protection from denial of service attacks by refusing traffic from any source other than the corporate subnet.
The user name of corporate users is to be displayed in access logs, even when the user request has been denied.
The following example demonstrates how to choose the correct CPL properties. First, the following is a sample policy that is not quite correct:
define subnet corporate_subnet
  10.10.12.0/24
end
<Proxy>
  client.address=!corporate_subnet deny ; filter out strangers
  authenticate(MyRealm) ; this has lower precedence than deny
<Proxy>
  ; user names will NOT be displayed in the access log for the denied requests
  category=Gambling exception(content_filter_denied)
In this policy, requests coming from outside the corporate subnet are denied, while users inside the corporate subnet are asked to authenticate.
Content categories are determined from the request URL and can be determined before authentication. Deny has precedence over authentication, so this policy denies the user request before the user is challenged to authenticate. Therefore, the user name is not available for access logging. Note that the precedence relation between deny and authenticate does not depend on the order of the layers, so changing the layer order will not affect the outcome.
The CPL property force_authenticate(), however, has higher precedence than deny, so the following amended policy ensures that the user name is displayed in the access logs:
define subnet corporate_subnet
  10.10.12.0/24
end
<Proxy>
  client.address=!corporate_subnet deny ; filter out strangers
  force_authenticate(MyRealm) ; this has higher precedence than deny
<Proxy>
  ; user names will be displayed in the access log for the denied requests
  category=Gambling exception(content_filter_denied)
The timing for authentication over the SOCKS protocol is different. If you are using the SOCKS authentication mechanism, the challenge is issued when the connection is established, so user identities are available before the request is received, and the following policy would be correct.
define subnet corporate_subnet
  10.10.12.0/24
end
<Proxy>
  client.address=!corporate_subnet deny ; filter out strangers
  socks.authenticate(MyRealm) ; this happens earlier than the category test
<Proxy>
  ; user names will be displayed in the access log for the denied requests
  category=Gambling exception(content_filter_denied)
Note that this only works for SOCKS authenticated users.
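The following is an added example, not part of the Blue Coat guide: a simplified Python model of the three policies above, showing why the access log carries the user name only when the authentication property takes precedence over the deny, and using the $(name) substitution form from the Substitutions section to build the log line. The subnet, URL categories, user name and log format are constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the guide's corporate_subnet definition and for the
# URL category lookup that a real ProxySG performs before authentication.
CORPORATE_SUBNET = ip_network("10.10.12.0/24")
CATEGORY = {"http://casino.example/": "Gambling",
            "http://intranet.example/": "Business"}

def expand(template, state):
    """Expand CPL-style $(name) substitutions from the transaction state.
    A name with no value (e.g. $(user) when nobody authenticated) becomes ''."""
    return re.sub(r"\$\((\w+)\)", lambda m: state.get(m.group(1), ""), template)

def evaluate(auth_property, client_ip, url, user="jdoe"):
    """Evaluate one transaction under the guide's example policy and return
    (outcome, access_log_line).  auth_property names the property used in the
    first <Proxy> layer: 'authenticate', 'force_authenticate' or
    'socks.authenticate'.  Precedence is modelled as the guide states it:
    deny beats authenticate(), force_authenticate() beats deny, and
    socks.authenticate() already challenged the user at connection time."""
    state = {"client": client_ip, "url": url}
    if ip_address(client_ip) not in CORPORATE_SUBNET:
        outcome = "denied"                    # layer 1: strangers, never challenged
    elif CATEGORY.get(url) == "Gambling":
        outcome = "content_filter_denied"     # layer 2: exception(...)
    else:
        outcome = "allowed"
    if outcome != "denied":                   # inside the subnet: rule 2 of layer 1 applies
        if auth_property in ("force_authenticate", "socks.authenticate"):
            state["user"] = user              # identity known before any denial
        elif auth_property == "authenticate" and outcome == "allowed":
            state["user"] = user              # authenticate() only wins when nothing denies
    # Constructed access-log format; user="" shows where $(user) expanded to nothing.
    log_line = expand('$(client) user="$(user)" $(url)', state) + " " + outcome
    return outcome, log_line

if __name__ == "__main__":
    for prop in ("authenticate", "force_authenticate", "socks.authenticate"):
        print(prop, evaluate(prop, "10.10.12.5", "http://casino.example/"))
```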

Installing Policy

Policy is installed by installing one of the four policy files (VPM, Local, Central or Forward). Installing one new file causes the most recent versions of the other three files to be loaded, the contents concatenated in the order specified by the current configuration, and the resulting complete policy compiled.
If any compilation errors are detected, the new policy file is not installed and the policy in effect is unchanged.
Refer to Chapter 12, “Advanced Policy,” of the ProxySG Configuration and Management Guide for specific instructions on installing a policy file.

CPL General Use Characters and Formatting

The following characters and formatting have significance within policy files in general, outside of the arguments used in condition expressions, the values used in property statements, and the arguments used in actions.
Character: Semicolon (;)
Example:
  ; Comment
  <Proxy> ; Comment
Significance: Used either inline or at the beginning of a line to introduce text to be ignored during policy evaluation. Commonly used to provide comments.

Character: Newline
Example:
  deny server_url.scheme=mms
  deny server_url.domain=xyz.com
Significance: CPL expects most constructs (layers, sections, rules, definitions) to begin on a new line. When not preceded by a line continuation character, a newline terminates a layer header, section header, the current rule, clause within a defined condition, or action within an action definition.

Character: Line Continuation (\)
Example:
  \
Significance: A line continuation character indicates that the current line is part of the previous line.

Character: Whitespace
Example:
  < proxy >
    weekday = ( 3 || 7 ) deny
Significance: Used to enhance readability. Whitespace can be inserted between tokens, as shown in this example, without affecting processing. In addition, quoted strings can include whitespace. However, numeric ranges, such as weekday = 1..7, cannot contain whitespace.

Character: Angle brackets (< >)
Example: <Proxy>
Significance: Used to mark layer headings.

Character: Square brackets ([ ])
Example: [Rule]
Significance: Used to mark section names.

Character: Equal sign (=)
Example: server_url.scheme=mms
Significance: Used to indicate the value a condition is to test.

Character: Parentheses ( )
Example: service(no)
Significance: Used to enclose the value that a property is to be set to, or group components of a test.

Troubleshooting Policy

When installed policy does not behave as expected, use policy tracing to understand the behavior of the installed policy.
Tracing records additional information about a transaction and re-evaluates the transaction when it is terminated; however, it does not show the timing of evaluations through transaction processing. The extra processing required significantly impacts performance, so do not enable tracing in production environments unless you need to reproduce and diagnose a problem. If tracing is used on a system in production, attempt to restrict which transactions are traced. For example, you can trace only requests from a test workstation by defining the tracing rules as conditional on a client.address= trigger that tests for that workstation's IP address.
For more information on generating and retrieving a policy trace, see Appendix B: "Testing and Troubleshooting".
While policy traces can show the rule evaluation behavior, they do not show the final effect of policy actions like HTTP header or URL modifications. To see the result of these policy actions it is often useful to actually view the packets sent and received. The PCAP facility can be used in conjunction with tracing to see the effect of the actions set by the matching rules.

Upgrade/Downgrade Issues

Specific upgrade/downgrade issues will be mentioned in the release notes accompanying your version of SGOS. This section highlights general upgrade/downgrade issues related to policy written in CPL.

CPL Syntax Deprecations

As the power of CPL has increased, the CPL language has evolved. To allow continuous evolution, the CPL language constructs are now more regular and flexible. Older language constructs have been replaced with new constructs of equal or greater power.
However, this also implies that support for old language constructs will eventually be dropped to help maintain the runtime efficiency of evaluation. As part of the migration strategy, the CPL compilation warnings might include warnings regarding the use of deprecated constructs. This class of warning is special, and indicates use of a CPL language element that will not be supported in the next major release of SGOS. Eliminate deprecation warnings by migrating the policy identified by the warning to more modern syntax, which is usually indicated in the warning message. Attempts to upgrade to the next major release might fail, or result in a failure to load policy, unless all deprecation warnings are eliminated.