cc/td/doc/product/webscale/uce/acns41
hometocprevnextglossaryfeedbacksearchhelp
PDF

Configuring the Rules Template

Rules Template

The Rules Template feature allows for requests to be matched using an arbitrary number of parameters with an arbitrary number of policies applied against the matches. Requests can be matched against regular expressions symbolizing domain names, source IP addresses and network masks, destination IP addresses and network masks, destination port numbers, MIME types, or regular expressions symbolizing a URL.

Policies that can be applied include:

The Rules Template feature is applicable only for HTTP, FTP, and HTTPS traffic and is not applicable for streaming protocols (RTSP, Progressive Networks Audio [PNA], and MMS) implemented in ACNS 4.1 software.


Note   To enter a question mark (?) character in a rule regular expression configuration from the command-line interface, use the escape character (\) followed by a question mark (?) character. This prevents the command-line interface from displaying context-sensitive help.

Actions and Patterns

A rule is an action and a pattern. An action is performed on an HTTP request if this request matches the pattern specified in the rule command.

An action is something that the Content Engine performs when processing an HTTP request, for instance, blocking the request, using an alternative proxy, and so forth.

A pattern defines the limits of an HTTP request; for instance, a pattern may specify that the source IP address fall in the subnet range 172.16.*.*.

Rules can be dynamically added, displayed, or deleted from the Content Engine. The rules are preserved across reboots because they are written into persistent storage such as NVRAM using the appropriate CLI commands. Only the system resources limit the number of rules that the Content Engine can support. Because rules consume resources, the more rules there are defined, the more Content Engine performance may be affected.

Actions

The Rules Template feature supports the following types of actions:

Setting the Type of Service (ToS) or differentiated services code point (DSCP) is called packet marking, allowing you to partition network data into multiple priority levels or types of service. You can set the ToS or DSCP values in IP packets based on a URL match, a file type, a domain, a destination IP address, a source IP address, or a destination port.

You can set specific ToS or DSCP values for the following:

The ToS or DSCP may be set based on any of the policies matching the src-ip-address, dst-ip-address, dst-port-number, domain regex, url-regex, or mime-type regex options. In addition, you can now configure global ToS or DSCP settings with the ip dscp command.

Note that the no-auth rules result in the display of multiple authentication windows in the following scenario:

To avoid multiple authentication windows, configure the http avoid-multiple-auth-prompts command in global configuration mode. Once it is configured, check the configuration with the show http avoid-multiple-auth-prompts command as shown the following example.

    ContentEngine# show http avoid-multiple-auth-prompts Avoiding multiple authentication prompts due to no-auth rules is enabled
The URL rewrite could change the domain name of the URL, which necessitates a DNS lookup to find the destination (dst) IP address of the new rewritten server to which the request must be sent. The original dst IP address derived from the WCCP redirect packet cannot be used.

The HTTP failover does not apply if the destination is on the exclude list. When in transparent mode, the setting for the original proxy takes precedence.

Among use-server, no-proxy, and use-proxy rules, the use-server rule is the first one to be checked. If it results in a rule miss, no-proxy and use-proxy rules are executed in succession (use-proxy is not checked if a no-proxy rule matches).

If a rule is configured with a fully qualified domain name (FQDN) and a request is received with the partial domain name in transparent mode, the rule fails to be executed, as the FQDN is not in the request URL. In transparent mode, if a request is destined for a particular domain (for which a domain rule is configured) and does not contain the Host header, the rule pattern match fails.

Patterns

The Rules Template feature supports the following types of patterns.

http://yenta.www.media.mit.edu/projects/Yenta/Releases/Documentation/regex-0.12/ .

Request header field patterns referer, request-line, and user-agent are supported for actions block, reset, redirect, and rewrite. The referer pattern matches against the Referer header in the request, request-line pattern matches against the first line of the request, and user-agent pattern matches against the User-Agent header in the request.

Rules Template Processing Considerations

There is a predefined order of execution among the actions and the patterns. In other words, a group of rules with the same action will always be executed either before or after another group of rules with a different action. See the "Rule Action Execution Order" section for the order of rule action execution.This order is not affected by the order in which the rules are entered using CLI commands.

Among the rules of the same action, there is a predefined execution order among the rules pattern. This means that within a group of rules of the same action, one group of rules with the same pattern will always be executed either before or after another group of rules with a different pattern. See the "Rule Pattern Execution Order" section for the order of rule pattern execution. This order is not affected by the order in which the rules are entered using CLI commands.

Rule Action Execution Order

The order of rule action execution is as follows:

    1. No-Auth—Before authentication using RADIUS/LDAP/NTLM

    2. Reset—Before cache lookup

    3. Block—Before cache lookup

    4. Redirect—Before cache lookup

    5. Rewrite—Before cache lookup

    6. Refresh—On cache hit

    7. Freshness-factor—On cache hit

    8. Use-server—On cache miss

    9. No-proxy—On cache miss

    10. Use-proxy-failover—On cache miss

    11. Use-proxy—On cache miss

    12. TOS/DSCP server—On cache miss

    13. TOS/DSCP client

    14. No-cache—On cache miss

    15. Selective-cache—On cache miss


    Note   The commands rule no-proxy, rule use-proxy-failover, and rule use-proxy take precedence over https proxy outgoing, http proxy outgoing, and ftp proxy outgoing commands.

During a request using the rules template CLI commands, rule actions 1-4 use the original URL request for pattern matches. After a URl rewrite (rule action 5), rule actions 6--15 use the transformed URL for rule executions.

The commands rule reset, rule block, rule rewrite, and rule redirect support the following additional patterns for rule templates request:

Rule Pattern Execution Order

The order of rule pattern execution is as follows:

    1. Dst-port—Destination port check.

    2. Src-ip—Source IP address check.

    3. URL-regex—URL regex check.

    4. Domain—Domain rule check.

    5. Dst-ip—Destination IP address check.

    6. MIME-type—Mime-type regex check.


    Note   Because the MIME type exists only in the response, only the actions freshness-factor, refresh, no-cache, and selective-cache apply to a rule of MIME type.

A search for a rule match with the remaining pattern will not be performed if a match has already been found. For instance, if a match for the rule block action is found with a URL-regex request, then the remaining patterns Domain, Dst-ip, or MIME-type are not searched.

Rules are ORed together. Multiple rules may all match a request; then all actions are taken, with precedence among conflicting actions. Each rule contains one pattern; patterns cannot be ANDed together. In future releases, ANDed patterns may be supported.

It is possible to circumvent some rules. For example, to circumvent a rule with the domain pattern, enter the web server IP address instead of the domain name in the browser. A rule may have unintended effects. For instance, a rule with the domain pattern specified as "ibm" that is intended to match "www.ibm.com" can also match domain names like www.ribman.com.

A src-ip rule may not apply as intended to requests that are received by a Content Engine from another proxy or Content Engine because the original client IP address is in an X-forwarded-for header. This means that the original request source IP address is transparently replaced with the sending Content Engine IP address to another proxy or Content Engine and then to the origin server.

If a rule pattern match occurs, then the rest of the patterns are not searched. If the server has already marked an object as non-cacheable, no-cache rules are not checked at all, since the server already recognizes that this object is not cached. Any no-cache rule checks are performed only for cacheable requests.

Order of Execution Among Rules of Same Action and Same Pattern

Among the rules of the same action and the same pattern, the order of execution of rules is in the reverse order in which the rules are entered. For instance, if the use-proxy commands are entered in the following order:

use-proxy 1.2.3.4 abc.abc.com

use-proxy 2.3.4.5 *.abc.com

then a request to abc.abc.com is sent to proxy 2.3.4.5 because the use-proxy 2.3.4.5 *.abc.com command is entered last and evaluated first. However, if the same commands are entered in a reverse order as follows:

use-proxy 2.3.4.5 *.abc.com

use-proxy 1.2.3.4 abc.abc.com

then a request to abc.abc.com is sent to proxy 1.2.3.4, as the use-proxy 1.2.3.4 abc.abc.com command is entered last and evaluated first.

Examples

In the following example the rule block command (action) blocks all domains that contain .foo.com in the URL request using the domain \.foo.com pattern.

ContentEngine(config)# rule block domain \.foo.com ? LINE <cr>

Multiple patterns can be entered on the same line. If any of them matches the incoming HTTP request, the corresponding action is taken. In the following example the rule block command (action) block all domains that contain .foo.com and bar.com in the URL request pattern.

ContentEngine(config)# rule block domain \.foo.com bar.com ContentEngine(config)#

The following example prevents caching of requests that match a URL request which contains the *cgi-bin* string.

ContentEngine(config)# rule no-cache url-regex \.*cgi-bin.* ContentEngine(config)#

Most actions do not have any parameters, as in the preceding examples. Exceptions to this are use-server, freshness-factor, and use-proxy, as in the following example.

ContentEngine(config)# rule use-proxy CE.foo.com 8080 url-regex .*\.jpg$ .*\.gif$ .*\.pdf$ ContentEngine(config)#

To delete rules, use no in front of the rule creation command.

ContentEngine(config)# no rule block url-regex .*\.jpg$ .*\.gif$ .*\.pdf$

The following example sets the freshness factor for MIME-type images.

ContentEngine(config)# rule freshness-factor 75 mime-type image/.*

The following example redirects a request for old-domain-name, which has been changed to new-domain-name.

ContentEngine(config)# rule redirect url-regsub http://old-domain-name/ http://new-domain-name/

The following example redirects requests from an IETF site to one that is locally mirrored:

ContentEngine(config)# rule redirect url-regsub http://www.ietf.org/rfc/(.*) http://wwwin-eng.cisco.com/RFC/RFC/\1

For the preceding example, if the request URL is http://www.ietf.org/rfc/rfc1111.txt, the Content Engine rewrites the URL as http://wwwin-eng.cisco.com/RFC/RFC/rfc1111.txt and sends a 302 Temporary Redirect response with the rewritten URL in the Location header to the client. The browser automatically initiates a request to the rewritten URL.

The following example redirects all requests for linux.org to a local server in India that is closer to where the Content Engine is located:

ContentEngine(config)# rule redirect url-regsub http://linux.org/(.*) http://linux.org.in/\1

The following example rewrites requests from an IETF site to one that is locally mirrored:

ContentEngine(config)# rule rewrite url-regsub http://www.ietf.org/rfc/.* http://wwwin-eng.cisco.com/RFC/$1

The following example replaces the string internal.domain.com in the URL request to dummy while forwarding the request to the server.

ContentEngine(config)# rule rewrite header-field referer internal.domain.com dummy ContentEngine(config)#

If an empty string is given as a replacement pattern, then the Referer header is stripped. The same usage applies to the user-agent pattern.


hometocprevnextglossaryfeedbacksearchhelp
Posted: Mon Nov 18 11:31:12 PST 2002
Copyright 1989-2000©Cisco Systems Inc.