Blue Coat Systems Time Clock Proxy SG User Manual
Appendix B: Testing and Troubleshooting
277
Here are the relevant policy requirements to be expressed:
• DNS lookups are restricted except for a site being hosted.
• There is no access to reverse DNS, so that is completely restricted.
• Any requests not addressed to the hosted site, either by name or by subnet, should be rejected.
• FTP POST requests should be rejected.
• Request URLs for the hosted site are to be rewritten and a request header added on the way into the site.
The Sample Policy
; DNS lookups are restricted except for one site that is being hosted
restrict dns
    .
    except
    my_site.com
end
; No access to RDNS
restrict rdns
    all
end
define subnet my_subnet
    10.11.12.0/24
end
; Layer 1: turn on policy tracing for every request
<proxy>
    trace.request(yes) trace.rules(all)
; Layer 2: reject requests not addressed to the hosted site by name or by subnet
<proxy>
    ;
    deny url.host.is_numeric=no url.domain=!my_site.com
    deny url.address=!my_subnet
; Layer 3: reject FTP uploads
<proxy>
    deny ftp.method=STOR
; Layer 4: rewrite the URL and add a request header for the hosted site
<proxy>
    url.domain=my_site.com action.test(yes)
define action test
    set(request.x_header.test, "test")
    rewrite(url, "(.*)\.my_site.com", "$(1).his_site.com")
end
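To check what this policy does to a given request before it is installed, the following added Python model (not Blue Coat's code, and its miss/MATCH lines are not the ProxySG trace format) walks the same four layers with first-match semantics. The url.domain suffix matching, the header name produced by set(request.x_header.test, ...), and applying the rewrite to the matched part of the URL are assumptions:

```python
import ipaddress
import re
# Added model of the sample policy above (not Blue Coat's code). Layers run in
# order; inside a layer the first rule whose condition holds ends that layer.
MY_SUBNET = ipaddress.ip_network("10.11.12.0/24")
REWRITE = re.compile(r"(.*)\.my_site.com")  # regex exactly as written in the policy
def is_numeric(host):
    """url.host.is_numeric: true when the URL host is an IP literal."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True
def in_domain(host, domain):
    """url.domain=<d>: host is <d> itself or a subdomain of <d> (assumed semantics)."""
    return host == domain or host.endswith("." + domain)
def action_test(req):
    """define action test: set the custom request header and rewrite the URL."""
    req["headers"]["test"] = "test"  # set(request.x_header.test, "test")
    req["url"] = REWRITE.sub(r"\1.his_site.com", req["url"], count=1)  # $(1).his_site.com
# Each layer: (rule text, condition over the request, "deny" | action | None)
LAYERS = [
    [("trace.request(yes) trace.rules(all)", lambda r: True, None)],
    [("deny url.host.is_numeric=no url.domain=!my_site.com",
      lambda r: not is_numeric(r["host"]) and not in_domain(r["host"], "my_site.com"), "deny"),
     ("deny url.address=!my_subnet",
      lambda r: ipaddress.ip_address(r["address"]) not in MY_SUBNET, "deny")],
    [("deny ftp.method=STOR", lambda r: r["method"] == "STOR", "deny")],
    [("url.domain=my_site.com action.test(yes)",
      lambda r: in_domain(r["host"], "my_site.com"), action_test)],
]
def evaluate(host, address, path="/", scheme="http", method="GET"):
    """Return (verdict, final URL, added headers, trace lines); address is the resolved IP."""
    req = {"host": host, "address": address, "method": method,
           "url": f"{scheme}://{host}{path}", "headers": {}}
    trace = []
    for layer in LAYERS:
        trace.append("<proxy>")
        for text, cond, effect in layer:
            if not cond(req):
                trace.append("miss: " + text)
                continue
            trace.append("MATCH: " + text)
            if effect == "deny":
                return "DENIED", req["url"], req["headers"], trace
            if effect:
                effect(req)
            break  # first matching rule ends the layer
    return "ALLOWED", req["url"], req["headers"], trace
```

Passing an IP-literal host inside my_subnet shows how the two deny rules divide the work: the first rule skips numeric hosts, so only the subnet rule decides such requests, and no rewrite or header is applied to them.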
Since trace.request() is set to yes, a policy trace is performed when client requests are evaluated. Since trace.rules() is set to all, all rule evaluations, for both misses and matched rules, are displayed.
The following is the trace output produced for an HTTP GET request for http://www.my_site.com/home.html.
Note: The line numbers shown at the left do not appear in actual trace output. They are added here for annotation purposes.