Blue Coat Systems Time Clock Proxy SG User Manual

ProxySG Content Policy Language Guide
An HTTP cache transaction is examined in two stages: 
Before the object is retrieved from the origin server.
After the object is retrieved.
Forwarding Transactions
A forwarding transaction is created when the ProxySG needs to evaluate forwarding policy before 
accessing a remote host and no proxy or cache transaction is associated with this activity. Examples 
include sending a heart-beat message, and downloading an installable list from an HTTP server.
A forwarding transaction only evaluates policy in <Forward> layers.
Timing
As stated in the discussion of proxy transactions, various portions of the transaction information 
become available at different points in the evaluation, and each protocol has specific requirements for 
when each decision must be made. The CPL triggers and properties are designed so that wherever 
possible, the policy writer is shielded from the variations among protocols by making the timing 
requirements imposed by the CPL accommodate all the protocols. Where this is not possible (because 
using the most restrictive timing causes significant loss of functionality for the other protocols), 
protocol-specific triggers have been introduced. When evaluated against other protocols, these 
triggers return the not applicable value or N/A. This results in the rule being skipped (the 
expression evaluates to false, no matter what it is). It is possible to explicitly guard such rules so that 
they are only evaluated against appropriate transactions.
The variation in trigger and property timings implies that within a policy rule a conflict is possible 
between a condition that can only be tested relatively late in the evaluation sequence and a property 
that must be set relatively early in the evaluation sequence. Such a rule results in a compile-time error. 
For example, here is a rule that would be incorrect for evaluating any transaction: 
If the user is in group xyz, require authentication
The rule is incorrect because group membership can only be determined after authentication, yet the 
rule both tests group membership and specifies the authentication realm, a property that must be set 
before the authentication challenge can be issued. The following code illustrates this incorrect rule 
and the resulting message at compile time:
group=xyz authenticate(MyRealm)
Error: Late condition guards early action: 'authenticate(MyRealm)'
It is, however, correct for the authentication requirement to be conditional on the client address 
(client.address=) or proxy port (proxy.port=), as these can be determined at the time the client 
connection is established and therefore are available from the beginning of a proxy transaction.
For the HTTP protocol, authenticate() can be conditional on the URL (url=), but for MMS 
streaming, only the Host portion of the URL can be tested (url.host=). Recall the outline of the 
evaluation model for Windows Media transactions presented in "Understanding Transactions and 
Timing" on page 33.
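The timing constraint described above can be modelled as a pre-deployment check on rule text. The following Python is an added example, not part of the Blue Coat guide or the ProxySG compiler; the three checkpoints, both tables and the function check_rule are assumptions built only from the statements on this page. How the product itself reports url= guarding authenticate() for MMS is not stated here, so the model simply flags it.

```python
import re

# Checkpoints in evaluation order (simplified assumption, not product internals).
CONNECT, REQUEST, AUTHENTICATED = 0, 1, 2

# Earliest checkpoint at which a trigger can be tested; "*" means every protocol.
TRIGGER_READY = {
    "client.address": {"*": CONNECT},
    "proxy.port":     {"*": CONNECT},
    "url.host":       {"*": REQUEST},
    # Per the text: HTTP can test the whole URL before the challenge, MMS cannot.
    "url":            {"http": REQUEST, "mms": AUTHENTICATED},
    "group":          {"*": AUTHENTICATED},
}
# Latest checkpoint by which a property must be set.
PROPERTY_DEADLINE = {"authenticate": REQUEST}

# A rule is a run of trigger=value conditions and property(args) actions.
RULE_TOKEN = re.compile(r"(?P<trigger>[\w.]+)=\S*|(?P<prop>\w+)\([^)]*\)")

def check_rule(rule, protocol):
    """Return the timing conflicts found in one rule for one protocol."""
    triggers, actions = [], []
    for m in RULE_TOKEN.finditer(rule):
        if m.group("trigger"):
            triggers.append(m.group("trigger"))
        else:
            actions.append((m.group("prop"), m.group(0)))
    findings = []
    for name, text in actions:
        deadline = PROPERTY_DEADLINE.get(name)
        if deadline is None:
            continue  # property not covered by this model
        for trig in triggers:
            ready = TRIGGER_READY.get(trig, {})
            stage = ready.get(protocol, ready.get("*"))
            if stage is not None and stage > deadline:
                findings.append("Late condition guards early action: "
                                f"'{text}' ({trig}= under {protocol})")
    return findings

if __name__ == "__main__":
    # Constructed sample rules; addresses and host names are placeholders.
    samples = ["group=xyz authenticate(MyRealm)",
               "client.address=10.0.0.0/8 authenticate(MyRealm)",
               "url=http://intranet.example/ authenticate(MyRealm)",
               "url.host=intranet.example authenticate(MyRealm)"]
    for rule in samples:
        for proto in ("http", "mms"):
            print(f"{proto:4} {rule!r}: {check_rule(rule, proto) or 'ok'}")
```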
As another example, consider the following:
response.header.Content-type="text/html" forward( somehost )