Blue Coat Systems Time Clock Proxy SG Manuale Utente
Chapter 2: Managing Content Policy Language
41
Timing
The “late guards early” timing errors that can occur within a rule can arise across rules in a layer.
When a trigger cannot yet be evaluated, policy also has to postpone evaluating all following rules in
that layer (since if the trigger turns out to be true and the rule matches, then evaluation stops for that
layer. If the trigger turns out to be false and the rule misses, then evaluation continues for the rest of
the rules in that layer, looking for the first match). Thus a rule inherits the earliest evaluation point
timing of the latest rule above it in the layer.
When a trigger cannot yet be evaluated, policy also has to postpone evaluating all following rules in
that layer (since if the trigger turns out to be true and the rule matches, then evaluation stops for that
layer. If the trigger turns out to be false and the rule misses, then evaluation continues for the rest of
the rules in that layer, looking for the first match). Thus a rule inherits the earliest evaluation point
timing of the latest rule above it in the layer.
For example, as noted earlier, the following rule would result in a timing conflict error:
group=xyz authenticate(MyRealm)
Error: Late condition guards early action: 'authenticate(MyRealm)'
The following layer would result in a similar error:
<Proxy>
group=xyz deny
authenticate(MyRealm)
Error: Late condition 'group=xyz' guards early action: 'authenticate(MyRealm)'
This also extends to guard expressions, as the guard condition must be evaluated before any rules in
the layer. For example:
the layer. For example:
<Proxy> group=xyz deny
authenticate(MyRealm)
Error: Late condition 'group=xyz' guards early action: 'authenticate(MyRealm)'
Understanding Sections
The rules in layers can optionally be organized in one or more sections, which is a way of grouping
rules together. A section consists of a section header followed by a list of rules.
rules together. A section consists of a section header followed by a list of rules.
Four sections types are supported in a standard CPL file:
•
[Rule]
•
[url]
•
[url.domain]
•
[server_url.domain]
However, if a CacheOS 4.x filter file is used in place of a policy file and running in
backward-compatibility mode, the
backward-compatibility mode, the
[Domain-suffix]
,
[Prefix]
, and
[Regular-Expression]
sections are also available. These deprecated sections are described in Appendix E: "Filter File Syntax".
Three of the section types,
[url]
,
[url.domain]
and
[server_url.domain]
, provide optimization
for URL tests. The names for these sections correspond to the CPL URL triggers used as the first test
for each rule in the section, that is
for each rule in the section, that is
url=, url.domain=
and
server_url.domain=
. The
[url.regex]
section provides factoring and organization benefits, but does not provide any
performance advantage over using a
[Rule]
section and explicit
url.regex=
tests.
To give an example, the following policy layer is created:
<Proxy>
url.domain=abc.com/sports deny