ProxySG Content Policy Language Guide
44
• [server_url.domain] sections are allowed only in <Exception> or <Forward> layers.
Section Guards
Just as you can with layers, you can improve policy clarity and maintainability by grouping rules into
sections and converting the common conditions and properties into guard expressions that follow the
section header. A guard expression allows you to take a condition that applies to all the rules and put
the common condition next to the section header, as in
[Rule] group=sales.
Guards are essentially a way of factoring out common sets of triggers and properties, to avoid having
to repeat them each time.
Defining Policies
This section includes some guidelines for defining policies using CPL.
• Write an explicit layer header (
<Proxy>, <Cache>, <Admin>, <Forward>, or <Exception>) before
writing any rules or sections. The only constructs that should occur before the first layer header
are the condition-related definitions and comments.
• Do not begin a policy file with a section, such as
[Rule]. Ensure all sections occur within layers.
• Do not use
[Rule] sections unnecessarily.
• Avoid empty or badly formed policy. While some CPL may look well-formed, make sure it
actually does something.
While the following example appears like proper CPL, it actually has no effect. It has a layer header
and a
[Rule] section header, but no rule lines. As no rules exist, no policy exists either:
<Admin> group=Administrators
[Rule] allow
Correct policy that allows access for the group “administrators” would be:
<Admin>
group=Administrators allow
In the following example, the layer is deceptive because only the first rule can ever be executed:
<Proxy>
authenticate(MyRealm) ; this rule is unconditional
;all following rules are unreachable
allow group=administrator
allow group=clerk time=0900..1700
deny
At most, one rule is executed in any given layer. The first one that meets the conditions is acted upon;
all other rules in the layer are ignored. To execute more than one rule, use more than one layer. To
correctly define the above policy, two layers are required:
<Proxy>
authenticate(MyRealm)
<Proxy>
allow group=administrator
allow group=clerk time=0900..1700
deny