|
The Rules Template feature allows for requests to be matched using an arbitrary number of parameters with an arbitrary number of policies applied against the matches. Requests can be matched against regular expressions symbolizing domain names, source IP addresses and network masks, destination IP addresses and network masks, destination port numbers, MIME types, or regular expressions symbolizing a URL.
Policies that can be applied include:
The Rules Template feature is applicable only for HTTP, FTP, and HTTPS traffic and is not applicable for streaming protocols (RTSP, Progressive Networks Audio [PNA], and MMS) implemented in ACNS 4.1 software.
Note To enter a question mark (?) character in a rule regular expression configuration from the command-line interface, use the escape character (\) followed by a question mark (?) character. This prevents the command-line interface from displaying context-sensitive help. |
A rule is an action and a pattern. An action is performed on an HTTP request if this request matches the pattern specified in the rule command.
An action is something that the Content Engine performs when processing an HTTP request, for instance, blocking the request, using an alternative proxy, and so forth.
A pattern defines the limits of an HTTP request; for instance, a pattern may specify that the source IP address fall in the subnet range 172.16.*.*.
Rules can be dynamically added, displayed, or deleted from the Content Engine. The rules are preserved across reboots because they are written into persistent storage such as NVRAM using the appropriate CLI commands. Only the system resources limit the number of rules that the Content Engine can support. Because rules consume resources, the more rules there are defined, the more Content Engine performance may be affected.
The Rules Template feature supports the following types of actions:
Note The Rules Template configuration takes precedence over the ip dscp command, and the url-filter command takes precedence over the rule command to the extent that even the rule no-block command is executed only if the url-filter command has not blocked the request. |
ContentEngine# show http avoid-multiple-auth-prompts
Avoiding multiple authentication prompts due to no-auth rules is enabled
Note The command in the example is hidden, because it is applicable only to this specific scenario. |
The Rules Template feature supports the following types of patterns.
Note In regular expression syntax, the dollar sign "$" metacharacter directs that a match is made only when the pattern is found at the end of a line. |
There is a predefined order of execution among the actions and the patterns. In other words, a group of rules with the same action will always be executed either before or after another group of rules with a different action. See the "Rule Action Execution Order" section for the order of rule action execution.This order is not affected by the order in which the rules are entered using CLI commands.
Among the rules of the same action, there is a predefined execution order among the rules pattern. This means that within a group of rules of the same action, one group of rules with the same pattern will always be executed either before or after another group of rules with a different pattern. See the "Rule Pattern Execution Order" section for the order of rule pattern execution. This order is not affected by the order in which the rules are entered using CLI commands.
The order of rule action execution is as follows:
1. No-AuthBefore authentication using RADIUS/LDAP/NTLM
2. ResetBefore cache lookup
3. BlockBefore cache lookup
4. RedirectBefore cache lookup
5. RewriteBefore cache lookup
6. RefreshOn cache hit
7. Freshness-factorOn cache hit
8. Use-serverOn cache miss
9. No-proxyOn cache miss
10. Use-proxy-failoverOn cache miss
11. Use-proxyOn cache miss
12. TOS/DSCP serverOn cache miss
13. TOS/DSCP client
14. No-cacheOn cache miss
15. Selective-cacheOn cache miss
Note The commands rule no-proxy, rule use-proxy-failover, and rule use-proxy take precedence over https proxy outgoing, http proxy outgoing, and ftp proxy outgoing commands. |
During a request using the rules template CLI commands, rule actions 1-4 use the original URL request for pattern matches. After a URl rewrite (rule action 5), rule actions 6--15 use the transformed URL for rule executions.
The commands rule reset, rule block, rule rewrite, and rule redirect support the following additional patterns for rule templates request:
The order of rule pattern execution is as follows:
1. Dst-portDestination port check.
2. Src-ipSource IP address check.
3. URL-regexURL regex check.
4. DomainDomain rule check.
5. Dst-ipDestination IP address check.
6. MIME-typeMime-type regex check.
Note Because the MIME type exists only in the response, only the actions freshness-factor, refresh, no-cache, and selective-cache apply to a rule of MIME type. |
A search for a rule match with the remaining pattern will not be performed if a match has already been found. For instance, if a match for the rule block action is found with a URL-regex request, then the remaining patterns Domain, Dst-ip, or MIME-type are not searched.
Rules are ORed together. Multiple rules may all match a request; then all actions are taken, with precedence among conflicting actions. Each rule contains one pattern; patterns cannot be ANDed together. In future releases, ANDed patterns may be supported.
It is possible to circumvent some rules. For example, to circumvent a rule with the domain pattern, enter the web server IP address instead of the domain name in the browser. A rule may have unintended effects. For instance, a rule with the domain pattern specified as "ibm" that is intended to match "www.ibm.com" can also match domain names like www.ribman.com.
A src-ip rule may not apply as intended to requests that are received by a Content Engine from another proxy or Content Engine because the original client IP address is in an X-forwarded-for header. This means that the original request source IP address is transparently replaced with the sending Content Engine IP address to another proxy or Content Engine and then to the origin server.
If a rule pattern match occurs, then the rest of the patterns are not searched. If the server has already marked an object as non-cacheable, no-cache rules are not checked at all, since the server already recognizes that this object is not cached. Any no-cache rule checks are performed only for cacheable requests.
Among the rules of the same action and the same pattern, the order of execution of rules is in the reverse order in which the rules are entered. For instance, if the use-proxy commands are entered in the following order:
use-proxy 1.2.3.4 abc.abc.com
use-proxy 2.3.4.5 *.abc.com
then a request to abc.abc.com is sent to proxy 2.3.4.5 because the use-proxy 2.3.4.5 *.abc.com command is entered last and evaluated first. However, if the same commands are entered in a reverse order as follows:
use-proxy 2.3.4.5 *.abc.com
use-proxy 1.2.3.4 abc.abc.com
then a request to abc.abc.com is sent to proxy 1.2.3.4, as the use-proxy 1.2.3.4 abc.abc.com command is entered last and evaluated first.
In the following example the rule block command (action) blocks all domains that contain .foo.com in the URL request using the domain \.foo.com pattern.
ContentEngine(config)# rule block domain \.foo.com ?
LINE <cr>
Multiple patterns can be entered on the same line. If any of them matches the incoming HTTP request, the corresponding action is taken. In the following example the rule block command (action) block all domains that contain .foo.com and bar.com in the URL request pattern.
ContentEngine(config)# rule block domain \.foo.com bar.com
ContentEngine(config)#
The following example prevents caching of requests that match a URL request which contains the *cgi-bin* string.
ContentEngine(config)# rule no-cache url-regex \.*cgi-bin.*
ContentEngine(config)#
Most actions do not have any parameters, as in the preceding examples. Exceptions to this are use-server, freshness-factor, and use-proxy, as in the following example.
ContentEngine(config)# rule use-proxy CE.foo.com 8080 url-regex .*\.jpg$ .*\.gif$ .*\.pdf$
ContentEngine(config)#
To delete rules, use no in front of the rule creation command.
ContentEngine(config)# no rule block url-regex .*\.jpg$ .*\.gif$ .*\.pdf$
The following example sets the freshness factor for MIME-type images.
ContentEngine(config)# rule freshness-factor 75 mime-type image/.*
The following example redirects a request for old-domain-name, which has been changed to new-domain-name.
ContentEngine(config)# rule redirect url-regsub http://old-domain-name/
http://new-domain-name/
The following example redirects requests from an IETF site to one that is locally mirrored:
ContentEngine(config)# rule redirect url-regsub http://www.ietf.org/rfc/(.*)
http://wwwin-eng.cisco.com/RFC/RFC/\1
For the preceding example, if the request URL is http://www.ietf.org/rfc/rfc1111.txt, the Content Engine rewrites the URL as http://wwwin-eng.cisco.com/RFC/RFC/rfc1111.txt and sends a 302 Temporary Redirect response with the rewritten URL in the Location header to the client. The browser automatically initiates a request to the rewritten URL.
The following example redirects all requests for linux.org to a local server in India that is closer to where the Content Engine is located:
ContentEngine(config)# rule redirect url-regsub http://linux.org/(.*)
http://linux.org.in/\1
The following example rewrites requests from an IETF site to one that is locally mirrored:
ContentEngine(config)# rule rewrite url-regsub http://www.ietf.org/rfc/.*
http://wwwin-eng.cisco.com/RFC/$1
The following example replaces the string internal.domain.com in the URL request to dummy while forwarding the request to the server.
ContentEngine(config)# rule rewrite header-field referer internal.domain.com dummy
ContentEngine(config)#
If an empty string is given as a replacement pattern, then the Referer header is stripped. The same usage applies to the user-agent pattern.
Posted: Mon Nov 18 11:31:12 PST 2002
Copyright 1989-2000©Cisco Systems Inc.