Blue Coat Systems Proxy SG Time Clock User Manual


 
ProxySG Content Policy Language Guide
<Proxy> Layers
<Proxy> layers define policy for authenticating and authorizing users’ requests for service over one of
the configured proxy service ports (refer to Chapter 6: “Managing Port Services” in the ProxySG
Configuration and Management Guide). Proxy layer policy involves both client identity and
content. Only proxy transactions are evaluated against <Proxy> layers.
The syntax is:
<Proxy [label]> [proxy_condition][proxy_properties] ...
proxy_content
where:
The <Proxy> layer defines the transactions evaluated against this policy, and restricts the triggers
and properties allowed in the rules used in the layer.
The optional label, separated from the layer type by a space, is a CPL User-defined Identifier.
The optional proxy_condition is a list of triggers, all of which must evaluate to true before the
layer content is evaluated. For more information on using conditions, see Chapter 3: "Condition
Reference". See also the following Layer Guards section.
The optional proxy_properties is a list of properties set if any of the rules in the layer match.
These act as defaults, and can be overridden by property settings in specific rules in the layer. For
more information on using properties, see Chapter 4: "Property Reference". See also the following
Layer Guards section.
Layer Guards
Often, the same set of conditions or properties appears in every rule in a layer. For example, a policy
for a specific user group might deny a number of individual cases and allow everything else:
<Proxy>
group=general_staff url.domain=competitor.com/jobs deny
group=general_staff url.host=bad_host deny
group=general_staff condition=whatever deny
; etc.
group=general_staff allow
You can factor out the common elements into guard expressions. Notice that the common elements are
group=general_staff and deny. The following is the same policy, expressed as a layer employing a
guard expression:
<Proxy> group=general_staff deny
url.domain=competitor.com/jobs
url.host=bad_host
condition=whatever
; etc.
allow
Note that the explicit allow overrides the deny specified in the layer guard. This is an instance of a
rule-specific property setting overriding the default property settings specified in a guard expression.
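
The guard factoring above can be checked mechanically. The following Python sketch is an added illustration, not part of the Blue Coat guide or the ProxySG policy engine: it expands the guarded layer into explicit rules and evaluates sample transactions against it. It assumes triggers can be modelled as key=value equality tests, supports only the allow and deny properties, and assumes the first matching rule in a layer decides.

```python
# Toy model of a CPL layer guard (illustration only, not the ProxySG engine).
# Assumptions: triggers are key=value equality tests on a transaction dict,
# only allow/deny are modelled, and the first matching rule in a layer wins.
VERDICTS = {"allow", "deny"}

# Guarded and explicit forms of the layer, taken from the text above.
GUARD = "group=general_staff deny"
RULES = ["url.domain=competitor.com/jobs", "url.host=bad_host",
         "condition=whatever", "allow"]
EXPLICIT = ["group=general_staff url.domain=competitor.com/jobs deny",
            "group=general_staff url.host=bad_host deny",
            "group=general_staff condition=whatever deny",
            "group=general_staff allow"]

def parse_rule(line):
    """Split 'a=b c=d deny' into ({'a': 'b', 'c': 'd'}, {'verdict': 'deny'})."""
    conds, props = {}, {}
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            conds[key] = value
        elif tok in VERDICTS:
            props["verdict"] = tok
        else:
            raise ValueError(f"unsupported token: {tok}")
    return conds, props

def expand_guard(guard, rules):
    """Rewrite a guarded layer as the equivalent list of unguarded rules."""
    g_conds, g_props = parse_rule(guard)
    layer = []
    for line in rules:
        conds, props = parse_rule(line)
        # Guard triggers are ANDed with the rule's own triggers; guard
        # properties are defaults that a rule-level property overrides.
        layer.append(({**g_conds, **conds}, {**g_props, **props}))
    return layer

def evaluate(layer, txn):
    """Properties of the first matching rule, or None if no rule matches."""
    for conds, props in layer:
        if all(txn.get(k) == v for k, v in conds.items()):
            return props
    return None

if __name__ == "__main__":
    layer = expand_guard(GUARD, RULES)
    # Constructed sample transactions.
    for txn in ({"group": "general_staff", "url.host": "bad_host"},
                {"group": "general_staff", "url.host": "intranet"},
                {"group": "contractors", "url.host": "bad_host"}):
        print(txn, "->", evaluate(layer, txn))
```

The third transaction returns None: when the guard does not match, this layer sets nothing, and the outcome is left to other layers or the default policy.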