From ce8c273aa4f5f94dcca24faa9ddd666d175064bc Mon Sep 17 00:00:00 2001
From: duandongmei
Date: Thu, 2 May 2019 20:50:28 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BB=A3=E7=90=86=E6=9C=80=E6=96=B0=E5=B8=AE?=
 =?UTF-8?q?=E5=8A=A9=E6=96=87=E6=A1=A3sql=E5=8F=8A=E5=B8=AE=E5=8A=A9?=
 =?UTF-8?q?=E6=96=87=E6=A1=A3md=E6=96=87=E4=BB=B6=E6=8F=90=E4=BA=A4?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../resources/sql/20190130/help_document.sql | 636 ++++++++++++++++--
 .../webapp/online-help/proxy/cache_policy.md | 136 +++-
 .../online-help/proxy/control_policy.md | 102 ++-
 .../online-help/proxy/intercept_policy.md | 72 +-
 .../online-help/proxy/proxy_policy_object.md | 462 +++++++++----
 5 files changed, 1159 insertions(+), 249 deletions(-)

diff --git a/src/main/resources/sql/20190130/help_document.sql b/src/main/resources/sql/20190130/help_document.sql
index a59adeabb..89cdd6cb3 100644
--- a/src/main/resources/sql/20190130/help_document.sql
+++ b/src/main/resources/sql/20190130/help_document.sql
@@ -31,47 +31,595 @@ CREATE TABLE `help_document` (
 -- ----------------------------
 -- Records of help_document
 -- ----------------------------
-INSERT INTO `help_document` VALUES ('1', 'app.md', '#### [1.功能简介](#accordion1_1)\r\n\r\nAPP的识别和管控,配置指定APP的封堵、监视、限速功能界面。\r\n\r\n#### [2.基础配置信息](#accordion1_2)\r\n\r\n* 配置描述:用户自定义该条配置的描述信息。\r\n* 是否记录日志:是否生成日志信息。\r\n* 社交应用:选择管控的应用。\r\n* 行为类型:选择管控具体行为类型。可选项,不选则对该应用的所有行为进行管控。\r\n* 执行动作:APP有3种管控动作:阻断、监视和限速。若选择监视,用户需指定客户端IP。若选择限速,用户需指定限速比例。\r\n\r\n#### [3.配置约束条件](#accordion1_3)\r\n\r\nIP类配置,当执行动作选择“监视”,必须填写对应的IP配置。\r\n\r\n* IP类型:IPV4或IPV6。\r\n* 协议:可选TCP、UDP和全部。\r\n* IP格式:可选IP、IP范围和IP/子网掩码。\r\n* 源IP:IP格式选择“IP”,该文本框填合法的单IP;IP格式选择“IP范围”,IP段只能配置x.x.x.0-x.x.x.255;IP/子网掩码中子网掩码值限制为16-32。\r\n* 源端口:端口与端口掩码范围是0-65535。\r\n* 目的IP:限制同源IP。\r\n* 目的端口:端口与端口掩码范围是0-65535。\r\n* 另:源IP与目的IP不能相同\r\n\r\n#### [4.配置生效范围](#accordion1_4)\r\n\r\n配置生效范围,分为“全部”和“选择区域”。“全部”指所有地区;“选择区域”需选择区域和运营商,并且可以同时选择多个区域和多个运营商,即某个地区的某个运营商流量生效, 或者某个地区的所有流量生效,或者某个运营商的所有流量生效。\r\n\r\n#### [5.配置标签](#accordion1_6)\r\n\r\n* 来函:选择来函文件类型,必选项;\r\n* 类型:指明该配置的类型,可同时选多个,比如信息内容安全、网络攻击等,非必选项;\r\n* 性质:指明该配置的性质,可同时选多个,比如政治事务、暴力恐怖等,非必选项;\r\n* 用户标签:用户自定义标签,可同时选多个,非必选项;\r\n\r\n#### [6.预期效果](#accordion1_7)\r\n\r\n* 执行动作选择“阻断”,未选择行为类型,该APP全部功能无法正常使用;如果选择了行为类型,该APP的对应行为无法正常使用;\r\n* 执行动作选择“监视”,该APP被正常使用。\r\n* 执行动作选择“限速”,户会感知网速变差,当限速比例高达**时,APP出现无法使用的情况。\r\n* 若指定了客户端IP,该配置只对该用户生效,其他用户不受影响。\r\n* 若选择了记录日志,日志界面出现该配置的日志。', null);
-INSERT INTO `help_document` VALUES ('2', 'basic_protocol.md', '#### [1.功能简介](#accordion1_1)\r\n\r\n基础协议的识别和管控,配置指定协议的封堵、监视界面。\r\n\r\n#### [2.基础配置信息](#accordion1_2)\r\n\r\n* 配置描述:用户自定义该条配置的描述信息。\r\n* 是否记录日志:是否生成日志信息。\r\n* 基础协议:选择管控的协议。\r\n* 执行动作:基础协议有两种管控动作:阻断、监视。若选择监视,用户需指定客户端IP相关信息。\r\n\r\n#### [3.配置约束条件](#accordion1_3)\r\n\r\nIP类配置,当执行动作选择“监视”,必须填写对应的IP配置。\r\n\r\n* IP类型:IPV4或IPV6。\r\n* 协议:可选TCP、UDP和全部。\r\n* IP格式:可选IP、IP范围和IP/子网掩码。\r\n* 源IP:IP格式选择“IP”,该文本框填合法的单IP;IP格式选择“IP范围”,IP段只能配置x.x.x.0-x.x.x.255;IP/子网掩码中子网掩码值限制为16-32。\r\n* 源端口:端口与端口掩码范围是0-65535。\r\n* 目的IP:限制同源IP。\r\n* 
目的端口:端口与端口掩码范围是0-65535。\r\n* 另:源IP与目的IP不能相同\r\n\r\n#### [4.配置生效范围](#accordion1_4)\r\n\r\n配置生效范围,分为“全部”和“选择区域”。“全部”指所有地区;“选择区域”需选择区域和运营商,并且可以同时选择多个区域和多个运营商,即某个地区的某个运营商流量生效, 或者某个地区的所有流量生效,或者某个运营商的所有流量生效。\r\n\r\n#### [5.配置标签](#accordion1_6)\r\n\r\n* 来函:选择来函文件类型,必选项;\r\n* 类型:指明该配置的类型,可同时选多个,比如信息内容安全、网络攻击等,非必选项;\r\n* 性质:指明该配置的性质,可同时选多个,比如政治事务、暴力恐怖等,非必选项;\r\n* 用户标签:用户自定义标签,可同时选多个,非必选项;\r\n\r\n#### [6.预期效果](#accordion1_7)\r\n\r\n* 执行动作选择“阻断”,使用该协议的应用全部无法正常使用;\r\n* 执行动作选择“监视”,使用该协议的应用不受影响。\r\n* 若指定了客户端IP,该配置只对该用户生效,其他用户不受影响。\r\n* 若选择了记录日志,日志界面出现该配置的日志。', null); -INSERT INTO `help_document` VALUES ('3', 'DNS_feature_advance.md', '#### [1.功能简介](#accordion1_1)\r\n\r\n用户自定义DNS协议特征,为特定应用添加DNS协议的特征。\r\n\r\n#### [2.基础配置信息](#accordion1_2)\r\n\r\n* 社交应用:用户选择APP。\r\n* 配置描述:用户自定义该条配置的描述信息。\r\n\r\n#### [3.配置约束条件](#accordion1_3)\r\n\r\n* 匹配区域:只支持DNS_NAME。\r\n* 关键字:添加1个DNS请求域名(只能添加1个),最长1024个字符。\r\n* 匹配方式:包含子串匹配、左匹配、有匹配和完全匹配。\r\n* 是否十六进制:若关键字填写十六进制格式的DNS请求域名,选择十六进制,否则为非十六进制。\r\n* 表达式类型:分为“无表达式”和“与表达式”,“无表达式”可以和任意一种匹配方式组合使用,“与表达式”只能和子串匹配组合使用。\r\n\r\n#### [4.预期效果](#accordion1_4)\r\n\r\n将该DNS特征添加给了指定的APP,如用户产生具有该特征的数据,会有如下效果。* 若用户下发该APP阻断配置,该DNS被阻断,若用户选择生成日志,会有该APP的阻断日志。\r\n* 若用户下发该APP监视配置,DNS请求正常工作,若用户选择生成日志,会有该APP的监视日志。\r\n* 若用户下发该APP限速配置,户会感知DNS响应变差,若用户选择生成日志,会有该APP的限速日志。', null); -INSERT INTO `help_document` VALUES ('4', 'domain_feature_advance.md', '#### [1.功能简介](#accordion1_1)\r\n\r\n用户自定义域名特征,为特定应用添加域名的特征。\r\n\r\n#### [2.基础配置信息](#accordion1_2)\r\n\r\n* 社交应用:用户选择APP。\r\n* 配置描述:用户自定义该条配置的描述信息。\r\n\r\n#### [3.配置约束条件](#accordion1_3)\r\n\r\n* 域名:填写正确的域名,最长1024字符。\r\n* 匹配方式:包含子串匹配、左匹配、有匹配和完全匹配。\r\n* 是否十六进制:若关键字填写十六进制格式的特征,选择十六进制,否则为非十六进制。\r\n\r\n#### [4.预期效果](#accordion1_4)\r\n\r\n将该域名特征添加给了指定的APP,如用户产生具有该特征的数据,会有如下效果。* 若用户下发该APP阻断配置,请求该域名被阻断,若用户选择生成日志,会有该APP的阻断日志。\r\n* 若用户下发该APP监视配置,域名请求正常工作,若用户选择生成日志,会有该APP的监视日志。\r\n* 若用户下发该APP限速配置,户会感知域名响应变差,若用户选择生成日志,会有该APP的限速日志。', null); -INSERT INTO `help_document` VALUES ('5', 'HTTP_feature_advance.md', '#### 
[1.功能简介](#accordion1_1)\r\n\r\n用户自定义HTTP协议特征,为特定应用添加HTTP协议的特征。\r\n\r\n#### [2.基础配置信息](#accordion1_2)\r\n\r\n* 社交应用:用户选择APP。\r\n* 配置描述:用户自定义该条配置的描述信息。\r\n\r\n#### [3.配置约束条件](#accordion1_3)\r\n\r\nAPP HTTP特征限制条件:\r\n\r\n* 匹配区域:选择具体的HTTP特征,包括请求包的特征和应答包的特征。\r\n* 关键字:可填多个关键字,最长1024个字符,用回车键分割。\r\n* 匹配方式:包含子串匹配、左匹配、有匹配和完全匹配。\r\n* 表达式类型:分为“无表达式”和“与表达式”,“无表达式”可以和任意一种匹配方式组合使用,“与表达式”只能和子串匹配组合使用。\r\n* 是否十六进制:若关键字填写十六进制格式的特征,选择十六进制,否则为非十六进制。\r\n\r\nIP范围特征限制条件:\r\n\r\n* IP类型:可选IPV4或IPV6。\r\n* IP格式:可选IP、IP范围和IP/子网掩码。\r\n* 目的IP:IP格式选择“IP”,该文本框填合法的单个IP;IP格式选择“IP范围”,IP段只能配置x.x.x.0-x.x.x.255;IP/子网掩码中子网掩码值限制为16-32。\r\n* 目的端口:端口与端口掩码范围是0-65535。\r\n* 协议:可选TCP、UDP、全部。全部表示TCP或UDP。\r\n* 可为一个应用添加最多3个APP HTTP特征和1个IP范围特征。当同时满足APP HTTP特征和IP范围特征时,该配置才生效。\r\n\r\n#### [4.预期效果](#accordion1_4)\r\n\r\n将该HTTP特征添加给了指定的APP,如用户产生具有该特征的数据,会有如下效果。* 若用户下发该APP阻断配置,请求该HTTP请求被阻断,若用户选择生成日志,会有该APP的阻断日志。\r\n* 若用户下发该APP监视配置,HTTP请求正常工作,若用户选择生成日志,会有该APP的监视日志。\r\n* 若用户下发该APP限速配置,户会感知HTTP响应变差,若用户选择生成日志,会有该APP的限速日志。', null); -INSERT INTO `help_document` VALUES ('6', 'IP_feature_advance.md', '#### [1.功能简介](#accordion1_1)\r\n\r\n用户自定义IP特征,为特定应用添加IP的特征。\r\n\r\n#### [2.基础配置信息](#accordion1_2)\r\n\r\n* 社交应用:用户选择APP。\r\n* 配置描述:用户自定义该条配置的描述信息。\r\n\r\n#### [3.配置约束条件](#accordion1_3)\r\n\r\n* IP类型:可选IPV4或IPV6。\r\n* IP格式:可选IP、IP范围和IP/子网掩码。\r\n* 目的IP:IP格式选择“IP”,该文本框填合法的单个IP;IP格式选择“IP范围”,IP段只能配置x.x.x.0-x.x.x.255;IP/子网掩码中子网掩码值限制为16-32。\r\n* 目的端口:端口与端口掩码范围是0-65535。\r\n* 协议:可选TCP、UDP、全部。全部表示TCP或UDP。\r\n\r\n#### [4.预期效果](#accordion1_4)\r\n\r\n将该IP特征添加给了指定的APP,并产生了该特征的数据流量,有如下效果。* 若用户下发该APP阻断配置,无法连接到该IP地址;\r\n* 若用户下发该APP监视配置,IP请求正常工作,若用户选择生成日志,会有该APP的监视日志。\r\n* 若用户下发该APP限速配置,户会感知响应变差,若用户选择生成日志,会有该APP的限速日志。', null); -INSERT INTO `help_document` VALUES ('7', 'payload_feature_advance.md', '#### [1.功能简介](#accordion1_1)\r\n\r\n用户自定义数据包载荷特征,为特定应用添加载荷的特征。\r\n\r\n#### [2.基础配置信息](#accordion1_2)\r\n\r\n* 社交应用:用户选择APP。\r\n* 配置描述:用户自定义该条配置的描述信息。\r\n\r\n#### [3.配置约束条件](#accordion1_3)\r\n\r\nAPP载荷类约束条件:\r\n\r\n* 
匹配区域:共7类APP载荷特征,分别是:载荷、C2S载荷、S2C载荷,C2S方向包序列,S2C方向包序列,二层头,三层头。\r\n* 关键字:可填多个关键字,最长1024字符,用回车键分割。\r\n* 匹配方式:包含子串匹配、左匹配、有匹配和完全匹配。\r\n* 表达式类型:分为“无表达式”和“与表达式”,“无表达式”可以和任意一种匹配方式组合使用,“与表达式”只能和子串匹配组合使用。\r\n* 是否十六进制:十六进制的\r\n\r\nIP类约束条件:\r\n\r\n* IP类型:可选IPV4或IPV6。\r\n* IP格式:可选IP、IP范围和IP/子网掩码。\r\n* 目的IP:IP格式选择“IP”,该文本框填合法的单个IP;IP格式选择“IP范围”,IP段只能配置x.x.x.0-x.x.x.255;IP/子网掩码中子网掩码值限制为16-32。\r\n* 目的端口:端口与端口掩码范围是0-65535。\r\n* 协议:可选TCP、UDP、全部。全部表示TCP或UDP。\r\n\r\n可为一个应用添加最多3个APP载荷特征和1个IP范围特征。当同时满足APP载荷特征和IP范围特征时,该配置才生效。\r\n\r\n#### [4.预期效果](#accordion1_4)\r\n\r\n将该载荷特征添加给了指定的APP,如用户产生具有该载荷特征的数据,会有如下效果。* 若用户下发该APP阻断配置,具有该载荷特征的数据流被阻断,若用户选择生成日志,会有该APP的阻断日志。;\r\n* 若用户下发该APP监视配置,具有该载荷特征的数据正常工作,若用户选择生成日志,会有该APP的监视日志。\r\n* 若用户下发该APP限速配置,户会感知响应变差,若用户选择生成日志,会有该APP的限速日志。', null); -INSERT INTO `help_document` VALUES ('8', 'ssl_feature_advance.md', '#### [1.功能简介](#accordion1_1)\r\n\r\n用户自定义SSL协议特征,为特定应用添加SSL协议的特征。\r\n\r\n#### [2.基础配置信息](#accordion1_2)\r\n\r\n* 社交应用:用户选择APP。\r\n* 配置描述:用户自定义该条配置的描述信息。\r\n\r\n#### [3.配置约束条件](#accordion1_3)\r\n\r\nAPP SSL类约束条件:\r\n\r\n* 匹配区域:选择具体的SSL特征。\r\n* 关键字:可填多个关键字,最长1024字符,用回车键分割。比如匹配区域选择SSL_SNI,关键字填完整的域名,用户需按实际情况填写,可参考抓包工具的数据包解析结果。\r\n* 匹配方式:包含子串匹配、左匹配、有匹配和完全匹配。\r\n* 是否十六进制:若关键字填写十六进制格式的特征,选择十六进制,否则为非十六进制。\r\n\r\nIP类约束条件:\r\n\r\n* IP类型:可选IPV4或IPV6。\r\n* IP格式:可选IP、IP范围和IP/子网掩码。\r\n* 目的IP:IP格式选择“IP”,该文本框填合法的单个IP;IP格式选择“IP范围”,IP段只能配置x.x.x.0-x.x.x.255;IP/子网掩码中子网掩码值限制为16-32。\r\n* 目的端口:端口与端口掩码范围是0-65535。\r\n* 协议:可选TCP、UDP、全部。全部表示TCP或UDP。\r\n\r\n可为一个应用添加最多3个APP SSL特征和1个IP范围特征。当同时满足APP SSL特征和IP范围特征时,该配置才生效。\r\n\r\n#### [4.预期效果](#accordion1_4)\r\n\r\n将该SLL特征添加给了指定的APP,如用户产生具有该特征的数据,会有如下效果。* 若用户下发该APP阻断配置,具有该特征的数据流被阻断,若用户选择生成日志,会有该APP的阻断日志。\r\n* 若用户下发该APP监视配置,具有该特征的数据正常工作,若用户选择生成日志,会有该APP的监视日志。\r\n* 若用户下发该APP限速配置,户会感知响应变差,若用户选择生成日志,会有该APP的限速日志。', null); -INSERT INTO `help_document` VALUES ('9', 'tunnel_behavior.md', '#### [1.功能简介](#accordion1_1)\r\n\r\n对用户使用加密隧道的行为进行识别和管控,比如识别用户使用加密隧道进行视频通话的行为。\r\n\r\n#### [2.基础配置信息](#accordion1_2)\r\n\r\n* 配置描述:用户自定义该条配置的描述信息。\r\n* 
是否记录日志:是否生成日志信息。\r\n* 加密隧道协议:选择一种加密隧道协议。\r\n* 行为类型:包括“视频”和“其他”,视频指实时视频通话,注意,使用youtube播放视频属于“其他”。\r\n* 执行动作:加密隧道行为有两种管控动作:阻断、监视。若选择监视,用户需指定客户端相关信息。\r\n\r\n#### [3.配置约束条件](#accordion1_3)\r\n\r\nIP类配置,当执行动作选择“监视”,必须填写对应的IP配置。\r\n\r\n* IP类型:IPV4或IPV6。\r\n* 协议:可选TCP、UDP和全部。\r\n* IP格式:可选IP、IP范围和IP/子网掩码。\r\n* 源IP:IP格式选择“IP”,该文本框填合法的单IP;IP格式选择“IP范围”,IP段只能配置x.x.x.0-x.x.x.255;IP/子网掩码中子网掩码值限制为16-32。\r\n* 源端口:端口与端口掩码范围是0-65535。\r\n* 目的IP:限制同源IP。\r\n* 目的端口:端口与端口掩码范围是0-65535。\r\n* 另:源IP与目的IP不能相同\r\n\r\n#### [4.配置生效范围](#accordion1_4)\r\n\r\n配置生效范围,分为“全部”和“选择区域”。“全部”指所有地区;“选择区域”需选择区域和运营商,并且可以同时选择多个区域和多个运营商,即某个地区的某个运营商流量生效, 或者某个地区的所有流量生效,或者某个运营商的所有流量生效。\r\n\r\n#### [5.配置标签](#accordion1_6)\r\n\r\n* 来函:选择来函文件类型,必选项;\r\n* 类型:指明该配置的类型,可同时选多个,比如信息内容安全、网络攻击等,非必选项;\r\n* 性质:指明该配置的性质,可同时选多个,比如政治事务、暴力恐怖等,非必选项;\r\n* 用户标签:用户自定义标签,可同时选多个,非必选项;\r\n\r\n#### [6.预期效果](#accordion1_7)\r\n\r\n* 执行动作选择“阻断”,使用该协议的应用全部无法正常使用;若指定了行为,只有该行为无法正常使用。\r\n* 执行动作选择“监视”,使用该协议的应用不受影响。\r\n* 若指定了客户端IP,该配置只对该用户生效,其他用户不受影响。\r\n* 若选择了记录日志,日志界面出现该配置的日志。', null); -INSERT INTO `help_document` VALUES ('10', 'BGP.md', '#### [0.功能简介](#accordion1_0)\r\n\r\n本页面完成针对BGP流量的配置,从而对包含特定IP或AS特征的BGP流量进行监测或阻断。\r\n\r\n#### [1.配置基础信息](#accordion1_1)\r\n\r\n配置基础信息包括:规则名称,执行动作,是否记录管控日志。\r\n\r\n* 规则名称:用户自定义的该条配置的描述信息。\r\n* 执行动作:配置施加于网络传输单元时,对网络流量施加什么样的动作,此处为阻断、监测二选一。\r\n* 是否记录日志:对网络流量施加执行动作时,是否记录命中BGP协议配置的流量信息,包括发现时间、IP、AS等。\r\n\r\n#### [2.业务配置属性](#accordion1_2)\r\n\r\nBGP协议管控的流量属性信息:\r\n\r\n* AS:配置自治系统的关键词,精确匹配,非二进制,大小写不敏感。\r\n* IP:选择IP类型、协议、IP模式、端口模式,并且填写对应的具体IP与端口值,选择匹配方向是单向还是双向匹配。\r\n\r\n#### [3.配置约束条件](#accordion1_3)\r\n\r\nBGP协议管控配置的属性信息:\r\n\r\n* 源IP:合法的单IP;IP段只能配置x.x.x.0-x.x.x.255;IP/mask中mask值限制为16-32。\r\n* 源端口:端口与端口掩码范围是0-65535。\r\n* 目的IP:合法的单IP;IP段只能配置x.x.x.0-x.x.x.255;IP/mask中mask值限制为16-32。\r\n* 目的端口:端口与端口掩码范围是0-65535。\r\n* 另:源IP与目的IP不能相同。\r\n\r\n#### [4.配置生效区域](#accordion1_5)\r\n\r\n配置的生效区域,生效区域包括地区,以及ISP,地区和ISP可组合,即某个地区的某个运营商流量生效, 或者某个地区的所有流量生效,或者某个运营商的所有流量生效,也可全域生效。\r\n\r\n#### [5.配置标签](#accordion1_6)\r\n\r\n* 
来函:必选项,官方或其他组织下达的配置流量管控依据\r\n* 分类:非必选项,配置分类,例如内容安全、网络攻击等。\r\n* 性质:非必选项,配置性质,例如政治、暴力、宗教等。\r\n* 标签:非必选项,自定义标签。\r\n\r\n#### [6.预期效果](#accordion1_7)\r\n\r\n* 监测预期效果:记录符合配置条件的BGP流量监测日志。\r\n* 阻断预期效果:阻断符合配置条件的BGP流量,并记录阻断日志。', null); -INSERT INTO `help_document` VALUES ('11', 'DNS.md', '#### [0.功能简介](#accordion1_0)\r\n\r\n本页面完成针对DNS流量的配置,从而对包含特定IP或DNS关键词特征的DNS流量进行监测或阻断。\r\n\r\n#### [1.配置基础信息](#accordion1_1)\r\n\r\n配置基础信息包括:规则名称,执行动作,是否记录管控日志。\r\n\r\n* 规则名称:用户自定义的该条配置的描述信息。\r\n* 执行动作:配置施加于网络传输单元时,对网络流量施加什么样的动作,此处为阻断、监测二选一。\r\n* 是否记录日志:对网络流量施加执行动作时,是否记录命中DNS协议配置的流量信息,包括发现时间、IP、请求内容等。\r\n\r\n#### [2.业务配置属性](#accordion1_2)\r\n\r\nDNS协议管控的流量属性信息:\r\n\r\n* keyword:DNS关键词。匹配字段选择,例如QNAME;关键字填写;表达式类型选择,支持选择与表达式;匹配方式选择,例如子串匹配、前缀匹配、后缀匹配与精确匹配;是否二进制选择(此处是指关键字内容是否为二进制原始码流,选择是,则关键字处填写十六进制数);是否大小写敏感选择。\r\n* IP:选择IP类型、协议、IP模式、端口模式,并且填写对应的具体IP与端口值,选择匹配方向是单向还是双向匹配。\r\n* Subscribe ID:IP地址对应的用户信息关键字,子串匹配,非二进制,大小写不敏感。\r\n\r\n#### [3.配置约束条件](#accordion1_3)\r\n\r\nDNS协议管控配置的属性信息:\r\n\r\n* 客户端IP:合法的单IP;IP段只能配置x.x.x.0-x.x.x.255;IP/mask中mask值限制为16-32。\r\n* 客户端端口:端口与端口掩码范围是0-65535。\r\n* 服务端IP:合法的单IP;IP段只能配置x.x.x.0-x.x.x.255;IP/mask中mask值限制为16-32。\r\n* 服务端端口:端口与端口掩码范围是0-65535。\r\n* 另:客户端IP与服务端IP不能相同。\r\n\r\n#### [4.配置生效区域](#accordion1_5)\r\n\r\n配置的生效区域,生效区域包括地区,以及ISP,地区和ISP可组合,即某个地区的某个运营商流量生效, 或者某个地区的所有流量生效,或者某个运营商的所有流量生效,也可全域生效。\r\n\r\n#### [5.配置标签](#accordion1_6)\r\n\r\n* 来函:必选项,官方或其他组织下达的配置流量管控依据\r\n* 分类:非必选项,配置分类,例如内容安全、网络攻击等。\r\n* 性质:非必选项,配置性质,例如政治、暴力、宗教等。\r\n* 标签:非必选项,自定义标签。\r\n\r\n#### [6.预期效果](#accordion1_7)\r\n\r\n* 监测预期效果:记录符合配置条件的DNS流量监测日志。\r\n* 阻断预期效果:阻断符合配置条件的DNS请求或对符合配置条件的DNS请求抢答欺骗包,并记录阻断日志。', null); -INSERT INTO `help_document` VALUES ('12', 'FTP.md', '#### [0.功能简介](#accordion1_0)\r\n\r\n本页面完成针对FTP流量的配置,从而对包含特定IP、URL或内容特征的FTP流量进行监测或阻断。\r\n\r\n#### [1.配置基础信息](#accordion1_1)\r\n\r\n配置基础信息包括:规则名称,执行动作,是否记录管控日志。\r\n\r\n* 规则名称:用户自定义的该条配置的描述信息。\r\n* 执行动作:配置施加于网络传输单元时,对网络流量施加什么样的动作,此处为阻断、监测二选一。\r\n* 是否记录日志:对网络流量施加执行动作时,是否记录命中FTP协议配置的流量信息,包括发现时间、IP、URL等。\r\n\r\n#### 
[2.业务配置属性](#accordion1_2)\r\n\r\nFTP协议扩展管控的流量属性信息:\r\n\r\n* URL:FTP的URL。关键字填写;匹配方式选择,例如子串匹配、前缀匹配、后缀匹配与精确匹配;非二进制;大小写不敏感。\r\n* FTP内容:关键字填写;匹配方式选择,例如子串匹配、前缀匹配、后缀匹配与精确匹配;是否二进制选择(此处是指关键字内容是否为二进制原始码流,选择是,则关键字处填写十六进制数);是否大小写敏感选择。\r\n* IP:选择IP类型、协议、IP模式、端口模式,并且填写对应的具体IP与端口值,选择匹配方向是单向还是双向匹配。\r\n* Subscribe ID:IP地址对应的用户信息关键字,子串匹配,非二进制,大小写不敏感。\r\n\r\n#### [3.配置约束条件](#accordion1_3)\r\n\r\nFTP协议管控配置的属性信息:\r\n\r\n* 客户端IP:合法的单IP;IP段只能配置x.x.x.0-x.x.x.255;IP/mask中mask值限制为16-32。\r\n* 客户端端口:端口与端口掩码范围是0-65535。\r\n* 服务端IP:合法的单IP;IP段只能配置x.x.x.0-x.x.x.255;IP/mask中mask值限制为16-32。\r\n* 服务端端口:端口与端口掩码范围是0-65535。\r\n* 另:客户端IP与服务端IP不能相同。\r\n\r\n#### [4.配置生效区域](#accordion1_5)\r\n\r\n配置的生效区域,生效区域包括地区,以及ISP,地区和ISP可组合,即某个地区的某个运营商流量生效, 或者某个地区的所有流量生效,或者某个运营商的所有流量生效,也可全域生效。\r\n\r\n#### [5.配置标签](#accordion1_6)\r\n\r\n* 来函:必选项,官方或其他组织下达的配置流量管控依据\r\n* 分类:非必选项,配置分类,例如内容安全、网络攻击等。\r\n* 性质:非必选项,配置性质,例如政治、暴力、宗教等。\r\n* 标签:非必选项,自定义标签。\r\n\r\n#### [6.预期效果](#accordion1_7)\r\n\r\n* 监测预期效果:记录符合配置条件的FTP流量监测日志。\r\n* 阻断预期效果:阻断符合配置条件的FTP访问,即无法获取到该FTP内容,并记录阻断日志。', null); -INSERT INTO `help_document` VALUES ('13', 'HTTP_advanced.md', '#### [0.功能简介](#accordion1_0)\r\n\r\n本页面完成针对HTTP流量的扩展配置,从而对包含特定IP、URL、字段或内容特征的HTTP流量进行监测或阻断。\r\n\r\n#### [1.配置基础信息](#accordion1_1)\r\n\r\n配置基础信息包括:规则名称,执行动作,是否记录管控日志。\r\n\r\n* 规则名称:用户自定义的该条配置的描述信息。\r\n* 执行动作:配置施加于网络传输单元时,对网络流量施加什么样的动作,此处为阻断、监测二选一。\r\n* 是否记录日志:对网络流量施加执行动作时,是否记录命中HTTP扩展配置的流量信息,包括发现时间、IP、URL、请求头、请求体、响应头、响应体等。\r\n\r\n#### [2.业务配置属性](#accordion1_2)\r\n\r\nHTTP协议扩展管控的流量属性信息,分为请求侧与响应侧。 请求侧:\r\n\r\n* URL:关键字填写;匹配方式选择,例如子串匹配、前缀匹配、后缀匹配与精确匹配;是否二进制选择(此处是指关键字内容是否为二进制原始码流,选择是,则关键字处填写十六进制数);是否大小写敏感选择。\r\n* 字段:匹配字段选择,例如User Agent、Cookie等;关键字填写;匹配方式选择,例如子串匹配、前缀匹配、后缀匹配与精确匹配;是否二进制选择(此处是指关键字内容是否为二进制原始码流,选择是,则关键字处填写十六进制数);是否大小写敏感选择。\r\n* 请求消息体:关键字填写;匹配方式选择,例如子串匹配、前缀匹配、后缀匹配与精确匹配;是否二进制选择(此处是指关键字内容是否为二进制原始码流,选择是,则关键字处填写十六进制数);是否大小写敏感选择。\r\n* IP:选择IP类型、协议、IP模式、端口模式,并且填写对应的具体IP与端口值,选择匹配方向是单向还是双向匹配。\r\n* Subscribe ID:IP地址对应的用户信息关键字,子串匹配,非二进制,大小写不敏感。\r\n\r\n响应侧:\r\n\r\n* 
响应头域字段:匹配字段选择,例如set-cookie、Content-Type等;关键字填写;匹配方式选择,例如子串匹配、前缀匹配、后缀匹配与精确匹配;是否二进制选择(此处是指关键字内容是否为二进制原始码流,选择是,则关键字处填写十六进制数);是否大小写敏感选择。\r\n* 响应消息体:关键字填写;匹配方式选择,例如子串匹配、前缀匹配、后缀匹配与精确匹配;是否二进制选择(此处是指关键字内容是否为二进制原始码流,选择是,则关键字处填写十六进制数);是否大小写敏感选择。\r\n* IP:选择IP类型、协议、IP模式、端口模式,并且填写对应的具体IP与端口值,选择匹配方向是单向还是双向匹配。\r\n* Subscribe ID:IP地址对应的用户信息关键字,子串匹配,非二进制,大小写不敏感。\r\n\r\n#### [3.配置约束条件](#accordion1_3)\r\n\r\nHTTP协议扩展管控配置的属性信息:\r\n\r\n* 客户端IP:合法的单IP;IP段只能配置x.x.x.0-x.x.x.255;IP/mask中mask值限制为16-32。\r\n* 客户端端口:端口与端口掩码范围是0-65535。\r\n* 服务端IP:合法的单IP;IP段只能配置x.x.x.0-x.x.x.255;IP/mask中mask值限制为16-32。\r\n* 服务端端口:端口与端口掩码范围是0-65535。\r\n* 另:客户端IP与服务端IP不能相同。\r\n\r\n#### [4.配置生效区域](#accordion1_5)\r\n\r\n配置的生效区域,生效区域包括地区,以及ISP,地区和ISP可组合,即某个地区的某个运营商流量生效, 或者某个地区的所有流量生效,或者某个运营商的所有流量生效,也可全域生效。\r\n\r\n#### [5.配置标签](#accordion1_6)\r\n\r\n* 来函:必选项,官方或其他组织下达的配置流量管控依据\r\n* 分类:非必选项,配置分类,例如内容安全、网络攻击等。\r\n* 性质:非必选项,配置性质,例如政治、暴力、宗教等。\r\n* 标签:非必选项,自定义标签。\r\n\r\n#### [6.预期效果](#accordion1_7)\r\n\r\n* 监测预期效果:记录符合配置条件的HTTP流量监测日志。\r\n* 阻断预期效果:阻断符合配置条件的HTTP访问,即访问页面无响应,并记录阻断日志。', null); -INSERT INTO `help_document` VALUES ('14', 'HTTP_URL.md', '#### [0.功能简介](#accordion1_0)\r\n\r\n本页面完成针对HTTP流量的配置,从而对包含特定URL特征的HTTP流量进行加入白名单、监测或阻断。\r\n\r\n#### [1.配置基础信息](#accordion1_1)\r\n\r\n配置基础信息包括:规则名称,执行动作。\r\n\r\n* 规则名称:用户自定义的该条配置的描述信息。\r\n* 执行动作:配置施加于网络传输单元时,对网络流量施加什么样的动作,此处为白名单、阻断、监测三选一。\r\n\r\n#### [2.业务配置属性](#accordion1_2)\r\n\r\nHTTP协议管控的流量属性信息:\r\n\r\n* URL:HTTP统一资源定位符关键词。关键字填写;匹配方式选择,例如子串匹配、前缀匹配、后缀匹配与精确匹配;非二进制;大小写不敏感。\r\n\r\n#### [3.配置约束条件](#accordion1_3)\r\n\r\n#### [4.配置生效区域](#accordion1_5)\r\n\r\n配置的生效区域,生效区域包括地区,以及ISP,地区和ISP可组合,即某个地区的某个运营商流量生效, 或者某个地区的所有流量生效,或者某个运营商的所有流量生效,也可全域生效。\r\n\r\n#### [5.配置标签](#accordion1_6)\r\n\r\n* 来函:必选项,官方或其他组织下达的配置流量管控依据\r\n* 分类:非必选项,配置分类,例如内容安全、网络攻击等。\r\n* 性质:非必选项,配置性质,例如政治、暴力、宗教等。\r\n* 标签:非必选项,自定义标签。\r\n\r\n#### [6.预期效果](#accordion1_7)\r\n\r\n* 监测预期效果:记录符合配置条件的HTTP流量监测日志。\r\n* 阻断预期效果:阻断符合配置条件的HTTP访问,即访问页面无响应,并记录阻断日志。', null); -INSERT INTO `help_document` VALUES ('15', 'HTTP_website.md', '#### 
[0.功能简介](#accordion1_0)\r\n\r\n本页面完成针对HTTP流量的配置,从而对包含特定网站关键词特征的HTTP流量进行监测或阻断。\r\n\r\n#### [1.配置基础信息](#accordion1_1)\r\n\r\n配置基础信息包括:规则名称,执行动作,是否记录管控日志。\r\n\r\n* 规则名称:用户自定义的该条配置的描述信息。\r\n* 执行动作:配置施加于网络传输单元时,对网络流量施加什么样的动作,此处为阻断、监测二选一。\r\n* 是否记录日志:对网络流量施加执行动作时,是否记录命中配置的HTTP流量信息,包括发现时间、IP、URL、请求头、请求体、响应头、响应体等。\r\n\r\n#### [2.业务配置属性](#accordion1_2)\r\n\r\nHTTP协议网站管控的流量属性信息,分为请求侧与响应侧:\r\n\r\n* 请求侧消息体关键词:关键字填写;匹配方式选择,例如子串匹配、前缀匹配、后缀匹配与精确匹配;是否二进制选择(此处是指关键字内容是否为二进制原始码流,选择是,则关键字处填写十六进制数);是否大小写敏感选择。\r\n* 响应侧消息体关键词:关键字填写;匹配方式选择,例如子串匹配、前缀匹配、后缀匹配与精确匹配;是否二进制选择(此处是指关键字内容是否为二进制原始码流,选择是,则关键字处填写十六进制数);是否大小写敏感选择。\r\n\r\n#### [3.配置约束条件](#accordion1_3)\r\n\r\n#### [4.配置生效区域](#accordion1_5)\r\n\r\n配置的生效区域,生效区域包括地区,以及ISP,地区和ISP可组合,即某个地区的某个运营商流量生效, 或者某个地区的所有流量生效,或者某个运营商的所有流量生效,也可全域生效。\r\n\r\n#### [5.配置标签](#accordion1_6)\r\n\r\n* 来函:必选项,官方或其他组织下达的配置流量管控依据\r\n* 分类:非必选项,配置分类,例如内容安全、网络攻击等。\r\n* 性质:非必选项,配置性质,例如政治、暴力、宗教等。\r\n* 标签:非必选项,自定义标签。\r\n\r\n#### [6.预期效果](#accordion1_7)\r\n\r\n* 监测预期效果:记录符合配置条件的HTTP流量监测日志。\r\n* 阻断预期效果:阻断符合配置条件的HTTP访问,即访问页面无响应,并记录阻断日志。', null); -INSERT INTO `help_document` VALUES ('16', 'ip_address.md', '#### [0.功能简介](#accordion1_0)\r\n\r\n本页面完成对网络流量IP特征的配置,对包含特定IP特征的流量进行阻断、监测、丢弃或限速。\r\n\r\n#### [1.配置基础信息](#accordion1_1)\r\n\r\n配置基础信息包括:规则名称,执行动作,是否记录管控日志。\r\n\r\n* 规则名称:用户自定义的该条配置的描述信息。\r\n* 执行动作:配置施加于网络传输单元时,对网络流量施加什么样的动作,此处为阻断、监测、丢弃、限速四选一。\r\n* 是否记录日志:对网络流量施加执行动作时,是否命中IP配置的网络流量信息,包括发现时间、IP、端口等。\r\n\r\n#### [2.业务配置属性](#accordion1_2)\r\n\r\nIP地址管控的流量属性信息:\r\n\r\n* IP:选择IP类型、协议、IP模式、端口模式,并且填写对应的具体IP与端口值,选择匹配方向是单向还是双向匹配。\r\n* ASN:自治系统号选择,可以选择下拉菜单中的自治系统。\r\n\r\n#### [3.配置约束条件](#accordion1_3)\r\n\r\nIP管控配置的属性信息:\r\n\r\n* 客户端IP:合法的单IP;IP段只能配置x.x.x.0-x.x.x.255;IP/mask中mask值限制为16-32。\r\n* 客户端端口:端口与端口掩码范围是0-65535。\r\n* 服务端IP:合法的单IP;IP段只能配置x.x.x.0-x.x.x.255;IP/mask中mask值限制为16-32。\r\n* 服务端端口:端口与端口掩码范围是0-65535。\r\n* 另:客户端IP与服务端IP不能相同。\r\n\r\n#### [4.配置生效区域](#accordion1_5)\r\n\r\n配置的生效区域,生效区域包括地区,以及ISP,地区和ISP可组合,即某个地区的某个运营商流量生效, 或者某个地区的所有流量生效,或者某个运营商的所有流量生效,也可全域生效。\r\n\r\n#### 
[5.配置标签](#accordion1_6)\r\n\r\n* 来函:必选项,官方或其他组织下达的配置流量管控依据\r\n* 分类:非必选项,配置分类,例如内容安全、网络攻击等。\r\n* 性质:非必选项,配置性质,例如政治、暴力、宗教等。\r\n* 标签:非必选项,自定义标签。\r\n\r\n#### [6.预期效果](#accordion1_7)\r\n\r\n* 监测预期效果:记录符合配置条件的IP监测流量日志。\r\n* 阻断预期效果:阻断承载于配置IP或IP组之上的TCP流量,即发送TCP的RST报文,并记录阻断日志。\r\n* 限速预期效果:限制承载于配置IP或IP组之上网络流量的传输速率。\r\n* 丢弃预期效果:丢弃承载于配置IP或IP组之上的网络流量报文,使得目的端无法收到报文。', null); -INSERT INTO `help_document` VALUES ('17', 'ip_white_list.md', '#### [0.功能简介](#accordion1_0)\r\n\r\n本页面完成针对网络流量的IP白名单配置,将特定IP或IP组设置为白名单。\r\n\r\n#### [1.配置基础信息](#accordion1_1)\r\n\r\n配置基础信息包括:规则名称,执行动作。\r\n\r\n* 规则名称:用户自定义的该条配置的描述信息。\r\n* 执行动作:配置施加于网络传输单元时,对网络流量施加什么样的动作,此处为单一选项白名单。\r\n\r\n#### [2.业务配置属性](#accordion1_2)\r\n\r\n此处指流量的IP属性:即配置特定IP为白名单。\r\n\r\n* IP Type:IP类型,可以选择IPv4或者IPv6。\r\n* IP Pattern:IP配置模式,可以选择特定IP、IP段或者IP掩码三种模式。\r\n* Client IP:具体的IP白名单配置。\r\n\r\n#### [3.配置约束条件](#accordion1_3)\r\n\r\nIP白名单配置的属性信息:\r\n\r\n* 客户端IP:合法的单IP;IP段只能配置x.x.x.0-x.x.x.255;IP/mask中mask值限制为16-32。\r\n* 客户端端口:端口与端口掩码范围是0-65535。\r\n* 服务端IP:合法的单IP;IP段只能配置x.x.x.0-x.x.x.255;IP/mask中mask值限制为16-32。\r\n* 服务端端口:端口与端口掩码范围是0-65535。\r\n* 另:客户端IP与服务端IP不能相同。\r\n\r\n#### [4.配置标签](#accordion1_6)\r\n\r\n#### [5.预期效果](#accordion1_7)\r\n\r\n设置为白名单的IP或IP组上的网络流量不受其他配置的控制与影响,其上所有网络行为皆可正常无虞。', null); -INSERT INTO `help_document` VALUES ('18', 'Mail.md', '#### [0.功能简介](#accordion1_0)\r\n\r\n本页面完成针对Mail流量的配置,从而对包含特定IP、收发件人特征的Mail流量进行监测或阻断。\r\n\r\n#### [1.配置基础信息](#accordion1_1)\r\n\r\n配置基础信息包括:规则名称,执行动作,是否记录管控日志。\r\n\r\n* 规则名称:用户自定义的该条配置的描述信息。\r\n* 执行动作:配置施加于网络传输单元时,对网络流量施加什么样的动作,此处为阻断、监测二选一。\r\n* 是否记录日志:对网络流量施加执行动作时,是否记录命中Mail协议配置的流量信息,包括发现时间、IP、收发件人等。\r\n\r\n#### [2.业务配置属性](#accordion1_2)\r\n\r\nMAIL协议管控的流量属性信息:\r\n\r\n* Mail头部关键词:匹配字段选择,例如发件人From与收件人To;关键字填写;匹配方式选择,例如子串匹配、前缀匹配、后缀匹配与精确匹配;是否二进制选择(此处是指关键字内容是否为二进制原始码流,选择是,则关键字处填写十六进制数);是否大小写敏感选择。\r\n* IP:选择IP类型、协议、IP模式、端口模式,并且填写对应的具体IP与端口值,选择匹配方向是单向还是双向匹配。\r\n* Subscribe ID:IP地址对应的用户信息关键字,子串匹配,非二进制,大小写不敏感。\r\n\r\n#### [3.配置约束条件](#accordion1_3)\r\n\r\nMAIL协议管控配置的属性信息:\r\n\r\n* 
客户端IP:合法的单IP;IP段只能配置x.x.x.0-x.x.x.255;IP/mask中mask值限制为16-32。\r\n* 客户端端口:端口与端口掩码范围是0-65535。\r\n* 服务端IP:合法的单IP;IP段只能配置x.x.x.0-x.x.x.255;IP/mask中mask值限制为16-32。\r\n* 服务端端口:端口与端口掩码范围是0-65535。\r\n* 另:客户端IP与服务端IP不能相同。\r\n\r\n#### [4.生效区域](#accordion1_5)\r\n\r\n配置的生效区域,生效区域包括地区,以及ISP,地区和ISP可组合,即某个地区的某个运营商流量生效, 或者某个地区的所有流量生效,或者某个运营商的所有流量生效,也可全域生效。\r\n\r\n#### [5.配置标签](#accordion1_6)\r\n\r\n* 来函:必选项,官方或其他组织下达的配置流量管控依据\r\n* 分类:非必选项,配置分类,例如内容安全、网络攻击等。\r\n* 性质:非必选项,配置性质,例如政治、暴力、宗教等。\r\n* 标签:非必选项,自定义标签。\r\n\r\n#### [6.预期效果](#accordion1_7)\r\n\r\n* 监测预期效果:记录符合配置条件的Mail流量监测日志。\r\n* 阻断预期效果:阻断符合配置条件的Mail邮件,即该邮件无法正常发送或接收,并记录阻断日志。', null); -INSERT INTO `help_document` VALUES ('19', 'Mail_advanced.md', '#### [0.功能简介](#accordion1_0)\r\n\r\n本页面完成针对Mail流量的扩展配置,从而对包含特定IP、收发件人、主题或邮件正文特征的Mail流量进行监测或阻断。\r\n\r\n#### [1.配置基础信息](#accordion1_1)\r\n\r\n配置基础信息包括:规则名称,执行动作,是否记录管控日志。\r\n\r\n* 规则名称:用户自定义的该条配置的描述信息。\r\n* 执行动作:配置施加于网络传输单元时,对网络流量施加什么样的动作,此处为阻断、监测二选一。\r\n* 是否记录日志:对网络流量施加执行动作时,是否记录命中Mail协议扩展配置的流量信息,包括发现时间、IP、收发件人等。\r\n\r\n#### [2.业务配置属性](#accordion1_2)\r\n\r\nMAIL协议扩展管控的流量属性信息:\r\n\r\n* Mail头部关键词:匹配字段选择,例如发件人From、收件人To、主题;关键字填写;匹配方式选择,例如子串匹配、前缀匹配、后缀匹配与精确匹配;是否二进制选择(此处是指关键字内容是否为二进制原始码流,选择是,则关键字处填写十六进制数);是否大小写敏感选择。\r\n* Mail正文关键词:匹配字段选择,例如正文内容、附件名称、附件内容;关键字填写;匹配方式选择,例如子串匹配、前缀匹配、后缀匹配与精确匹配;是否二进制选择(此处是指关键字内容是否为二进制原始码流,选择是,则关键字处填写十六进制数);是否大小写敏感选择。\r\n* IP:选择IP类型、协议、IP模式、端口模式,并且填写对应的具体IP与端口值,选择匹配方向是单向还是双向匹配。\r\n* Subscribe ID:IP地址对应的用户信息关键字,子串匹配,非二进制,大小写不敏感。\r\n\r\n#### [3.配置约束条件](#accordion1_3)\r\n\r\nMAIL协议管控配置的属性信息:\r\n\r\n* 客户端IP:合法的单IP;IP段只能配置x.x.x.0-x.x.x.255;IP/mask中mask值限制为16-32。\r\n* 客户端端口:端口与端口掩码范围是0-65535。\r\n* 服务端IP:合法的单IP;IP段只能配置x.x.x.0-x.x.x.255;IP/mask中mask值限制为16-32。\r\n* 服务端端口:端口与端口掩码范围是0-65535。\r\n* 另:客户端IP与服务端IP不能相同。\r\n\r\n#### [4.配置生效区域](#accordion1_5)\r\n\r\n配置的生效区域,生效区域包括地区,以及ISP,地区和ISP可组合,即某个地区的某个运营商流量生效, 或者某个地区的所有流量生效,或者某个运营商的所有流量生效,也可全域生效。\r\n\r\n#### [5.配置标签](#accordion1_6)\r\n\r\n* 来函:必选项,官方或其他组织下达的配置流量管控依据\r\n* 分类:非必选项,配置分类,例如内容安全、网络攻击等。\r\n* 
性质:非必选项,配置性质,例如政治、暴力、宗教等。\r\n* 标签:非必选项,自定义标签。\r\n\r\n#### [6.预期效果](#accordion1_7)\r\n\r\n* 监测预期效果:记录符合配置条件的Mail流量监测日志。\r\n* 阻断预期效果:阻断符合配置条件的Mail邮件,即该邮件无法正常发送或接收,并记录阻断日志。', null); -INSERT INTO `help_document` VALUES ('20', 'p2p.md', '#### [0.功能简介](#accordion1_0)\r\n\r\n本页面完成针对P2P流量(包括EMULE协议与BT协议)的配置,从而对包含特定IP、EMULE搜索关键词与文件标识的P2P流量进行监测或阻断。\r\n\r\n#### [1.配置基础信息](#accordion1_1)\r\n\r\n配置基础信息包括:规则名称,执行动作,是否记录管控日志。\r\n\r\n* 规则名称:用户自定义的该条配置的描述信息。\r\n* 执行动作:配置施加于网络传输单元时,对网络流量施加什么样的动作,此处为阻断、监测二选一。\r\n* 是否记录日志:对网络流量施加执行动作时,是否记录命中配置的P2P流量信息,包括发现时间、IP、文件标识等。\r\n\r\n#### [2.业务配置属性](#accordion1_2)\r\n\r\nP2P协议扩展管控的流量属性信息:\r\n\r\n* EMULE 搜索关键词:关键字填写;匹配方式选择,例如子串匹配、前缀匹配、后缀匹配与精确匹配;是否二进制选择(此处是指关键字内容是否为二进制原始码流,选择是,则关键字处填写十六进制数);是否大小写敏感选择。\r\n* 文件标识:首先选择标识类型,BT INFO 或者EMULE fileid;关键字填写十六进制数标识;匹配方式选择,例如子串匹配、前缀匹配、后缀匹配与精确匹配;是二进制;大小写敏感。\r\n* IP:IP配置类型,EMULE SERVER、BT TRACKER分别为客户端与EMULE、BT服务器的通信,EMULE NODE、BT NODE分别为客户端与客户端之间的通信,IP配置类型四选一;选择IP类型、协议与客户端与服务端的IP模式、端口模式,并且填写对应的具体IP与端口值,选择匹配方向是单向还是双向匹配。\r\n* Subscribe ID:IP地址对应的用户信息关键字。关键字填写;子串匹配,非二进制,大小写不敏感。\r\n\r\n#### [3.配置约束条件](#accordion1_3)\r\n\r\nP2P协议管控配置的属性信息:\r\n\r\n* BT INFO:长度不超过20Byte。\r\n* EMULE Fileid:长度不超过16Byte。\r\n* 客户端IP:合法的单IP;IP段只能配置x.x.x.0-x.x.x.255;IP/mask中mask值限制为16-32。\r\n* 客户端端口:端口与端口掩码范围是0-65535。\r\n* 服务端IP:合法的单IP;IP段只能配置x.x.x.0-x.x.x.255;IP/mask中mask值限制为16-32。\r\n* 服务端端口:端口与端口掩码范围是0-65535。\r\n* 另:客户端IP与服务端IP不能相同。\r\n\r\n#### [4.配置生效区域](#accordion1_5)\r\n\r\n配置的生效区域,生效区域包括地区,以及ISP,地区和ISP可组合,即某个地区的某个运营商流量生效, 或者某个地区的所有流量生效,或者某个运营商的所有流量生效,也可全域生效。\r\n\r\n#### [5.配置标签](#accordion1_6)\r\n\r\n* 来函:必选项,官方或其他组织下达的配置流量管控依据\r\n* 分类:非必选项,配置分类,例如内容安全、网络攻击等。\r\n* 性质:非必选项,配置性质,例如政治、暴力、宗教等。\r\n* 标签:非必选项,自定义标签。\r\n\r\n#### [6.预期效果](#accordion1_7)\r\n\r\n* IP封堵效果:BT客户端(关闭utp及DHT相关设置)新添加的种子文件速度为0;Emule客户端(关闭迷惑协议)新添加的下载文件速度为0,Emule客户端服务器(不包括KAD网络)连接失败,无法进行Servers搜索。\r\n* IP监测效果:BT返回该链接含有的infohash值,Emule返回该链接含有的fileid和keywordhash或搜素关键词等信息。\r\n* BT INFOHASH封堵:客户端中对应要封堵的INFOHASH无下载速度(需先下配置,再新建bt下载任务),如果选择记录日志,则返回相应的INFOHASH封堵日志。\r\n* BT 
INFOHASH监测:客户端中对应监测INFOHASH无影响(需先下配置,再新建bt下载任务),返回对应的INFOHASH监测日志。\r\n* EMULE FILEID封堵:客户端中对应要封堵的FILEID无下载速度(需先下配置,再新建文件下载任务),如果选择记录日志,则返回相应的EMULE封堵日志。\r\n* EMULE FILEID监测:客户端中对应监测FILEID无影响(需先下配置,再新建文件下载任务),返回对应的监测日志。\r\n* EMULE搜索关键词命中封堵配置时,显示搜索结果列表为空,返回相应的EMULE封堵日志。\r\n* EMULE搜索关键词命中监测配置时,对搜索结果没有影响,界面返回实际对应的搜索关键词信息。', null); -INSERT INTO `help_document` VALUES ('21', 'SSL.md', '#### [0.功能简介](#accordion1_0)\r\n\r\n本页面完成针对SSL流量的配置,从而对包含特定IP、SNI、SAN或CN特征的SSL流量进行监测或阻断。\r\n\r\n#### [1.配置基础信息](#accordion1_1)\r\n\r\n配置基础信息包括:规则名称,执行动作,是否记录管控日志。\r\n\r\n* 规则名称:用户自定义的该条配置的描述信息。\r\n* 执行动作:配置施加于网络传输单元时,对网络流量施加什么样的动作,此处为阻断、监测二选一。\r\n* 是否记录日志:对网络流量施加执行动作时,是否记录命中SSL协议配置的流量信息,包括发现时间、IP、SNI、SAN、CN等。\r\n\r\n#### [2.业务配置属性](#accordion1_2)\r\n\r\nSSL协议管控的流量属性信息:\r\n\r\n* SNI:SSL请求服务器名称指示关键词。关键字填写;匹配方式选择,例如子串匹配、前缀匹配、后缀匹配与精确匹配;是否二进制选择(此处是指关键字内容是否为二进制原始码流,选择是,则关键字处填写十六进制数);是否大小写敏感选择。\r\n* SAN:SSL域名主体替代名称关键词。关键字填写;匹配方式选择,例如子串匹配、前缀匹配、后缀匹配与精确匹配;是否二进制选择(此处是指关键字内容是否为二进制原始码流,选择是,则关键字处填写十六进制数);是否大小写敏感选择。\r\n* CN:SSL域名通用名关键词。关键字填写;匹配方式选择,例如子串匹配、前缀匹配、后缀匹配与精确匹配;是否二进制选择(此处是指关键字内容是否为二进制原始码流);是否大小写敏感选择。\r\n* IP:选择IP类型、协议、IP模式、端口模式,并且填写对应的具体IP与端口值,选择匹配方向是单向还是双向匹配。\r\n* Subscribe ID:IP地址对应的用户信息关键字,子串匹配,非二进制,大小写不敏感。\r\n\r\n#### [3.配置约束条件](#accordion1_3)\r\n\r\nSSL协议管控配置的属性信息:\r\n\r\n* 客户端IP:合法的单IP;IP段只能配置x.x.x.0-x.x.x.255;IP/mask中mask值限制为16-32。\r\n* 客户端端口:端口与端口掩码范围是0-65535。\r\n* 服务端IP:合法的单IP;IP段只能配置x.x.x.0-x.x.x.255;IP/mask中mask值限制为16-32。\r\n* 服务端端口:端口与端口掩码范围是0-65535。\r\n* 另:客户端IP与服务端IP不能相同。\r\n\r\n#### [4.配置生效区域](#accordion1_5)\r\n\r\n配置的生效区域,生效区域包括地区,以及ISP,地区和ISP可组合,即某个地区的某个运营商流量生效, 或者某个地区的所有流量生效,或者某个运营商的所有流量生效,也可全域生效。\r\n\r\n#### [5.配置标签](#accordion1_6)\r\n\r\n* 来函:必选项,官方或其他组织下达的配置流量管控依据\r\n* 分类:非必选项,配置分类,例如内容安全、网络攻击等。\r\n* 性质:非必选项,配置性质,例如政治、暴力、宗教等。\r\n* 标签:非必选项,自定义标签。\r\n\r\n#### [6.预期效果](#accordion1_7)\r\n\r\n* 监测预期效果:记录符合配置条件的SSL流量监测日志。\r\n* 阻断预期效果:阻断符合配置条件的SSL网络流量,例如阻止某次特定HTTPS访问,并记录阻断日志。', null); -INSERT INTO `help_document` VALUES ('22', 'stream_media.md', '#### 
[0.功能简介](#accordion1_0)\r\n\r\n本页面完成针对流媒体流量(包括 RTSP协议与RTMP协议)的配置,从而对包含特定IP或URL特征的流媒体流量进行监测或阻断。\r\n\r\n#### [1.配置基础信息](#accordion1_1)\r\n\r\n配置基础信息包括:规则名称,执行动作,是否记录管控日志。\r\n\r\n* 规则名称:用户自定义的该条配置的描述信息。\r\n* 执行动作:配置施加于网络传输单元时,对网络流量施加什么样的动作,此处为阻断、监测二选一。\r\n* 是否记录日志:对网络流量施加执行动作时,是否记录命中流媒体配置的流量信息,包括发现时间、IP、URL等。\r\n\r\n#### [2.业务配置属性](#accordion1_2)\r\n\r\n流媒体协议扩展管控的流量属性信息:\r\n\r\n* URL:流媒体的URL。关键字填写;匹配方式选择,例如子串匹配、前缀匹配、后缀匹配与精确匹配;非二进制;大小写不敏感。\r\n* IP:选择IP类型、协议、IP模式、端口模式,并且填写对应的具体IP与端口值,选择匹配方向是单向还是双向匹配。\r\n* Subscribe ID:IP地址对应的用户信息关键字,子串匹配,非二进制,大小写不敏感。\r\n\r\n#### [3.配置约束条件](#accordion1_3)\r\n\r\n流媒体协议管控配置的属性信息:\r\n\r\n* 客户端IP:合法的单IP;IP段只能配置x.x.x.0-x.x.x.255;IP/mask中mask值限制为16-32。\r\n* 客户端端口:端口与端口掩码范围是0-65535。\r\n* 服务端IP:合法的单IP;IP段只能配置x.x.x.0-x.x.x.255;IP/mask中mask值限制为16-32。\r\n* 服务端端口:端口与端口掩码范围是0-65535。\r\n* 另:客户端IP与服务端IP不能相同。\r\n\r\n#### [4.生效区域](#accordion1_5)\r\n\r\n配置的生效区域,生效区域包括地区,以及ISP,地区和ISP可组合,即某个地区的某个运营商流量生效, 或者某个地区的所有流量生效,或者某个运营商的所有流量生效,也可全域生效。\r\n\r\n#### [5.配置标签](#accordion1_6)\r\n\r\n* 来函:必选项,官方或其他组织下达的配置流量管控依据\r\n* 分类:非必选项,配置分类,例如内容安全、网络攻击等。\r\n* 性质:非必选项,配置性质,例如政治、暴力、宗教等。\r\n* 标签:非必选项,自定义标签。\r\n\r\n#### [6.预期效果](#accordion1_7)\r\n\r\n* 监测预期效果:记录符合配置条件的流媒体流量监测日志。\r\n* 阻断预期效果:阻断符合配置条件的流媒体流量,即客户端无法正常访问并播放该流媒体音视频内容,并记录阻断日志。', null); -INSERT INTO `help_document` VALUES ('23', 'voip.md', '#### [0.功能简介](#accordion1_0)\r\n\r\n本页面完成针对VoIP流量(包括SIP协议与RTP协议)的配置,从而对包含特定IP、VoIP账号特征的VoIP流量进行监测或阻断。\r\n\r\n#### [1.配置基础信息](#accordion1_1)\r\n\r\n配置基础信息包括:规则名称,执行动作,是否记录管控日志。\r\n\r\n* 规则名称:用户自定义的该条配置的描述信息。\r\n* 执行动作:配置施加于网络传输单元时,对网络流量施加什么样的动作,此处为阻断、监测二选一。\r\n* 是否记录日志:对网络流量施加执行动作时,是否记录命中配置的VoIP流量信息,包括发现时间、IP、VoIP主被叫账号、通话语音等。\r\n\r\n#### [2.业务配置属性](#accordion1_2)\r\n\r\nVoIP协议扩展管控的流量属性信息:\r\n\r\n* VoIP账号:关键字填写;匹配方式选择,例如子串匹配、前缀匹配、后缀匹配与精确匹配;是否二进制选择(此处是指关键字内容是否为二进制原始码流,选择是,则关键字处填写十六进制数);是否大小写敏感选择。\r\n* IP:选择IP类型、协议与客户端与服务端的IP模式、端口模式,并且填写对应的具体IP与端口值,选择匹配方向是单向还是双向匹配。\r\n* Subscribe ID:IP地址对应的用户信息关键字。关键字填写;子串匹配,非二进制,大小写不敏感。\r\n\r\n#### 
[3.配置约束条件](#accordion1_3)\r\n\r\nVoIP协议管控配置的属性信息:\r\n\r\n* VoIP账号:长度不超过1500Byte。\r\n* 客户端IP:合法的单IP;IP段只能配置x.x.x.0-x.x.x.255;IP/mask中mask值限制为16-32。\r\n* 客户端端口:端口与端口掩码范围是0-65535。\r\n* 服务端IP:合法的单IP;IP段只能配置x.x.x.0-x.x.x.255;IP/mask中mask值限制为16-32。\r\n* 服务端端口:端口与端口掩码范围是0-65535。\r\n* 另:客户端IP与服务端IP不能相同。\r\n\r\n#### [4.配置生效区域](#accordion1_5)\r\n\r\n配置的生效区域,生效区域包括地区,以及ISP,地区和ISP可组合,即某个地区的某个运营商流量生效, 或者某个地区的所有流量生效,或者某个运营商的所有流量生效,也可全域生效。\r\n\r\n#### [5.配置标签](#accordion1_6)\r\n\r\n* 来函:必选项,官方或其他组织下达的配置流量管控依据\r\n* 分类:非必选项,配置分类,例如内容安全、网络攻击等。\r\n* 性质:非必选项,配置性质,例如政治、暴力、宗教等。\r\n* 标签:非必选项,自定义标签。\r\n\r\n#### [6.预期效果](#accordion1_7)\r\n\r\n* 监测预期效果:记录符合配置条件的VoIP流量监测日志。\r\n* 阻断预期效果:阻断符合配置条件的VoIP通话,即客户端无法拨通本次VoIP电话,客户端与服务端均收到挂断、通话超时、服务器异常的虚假报文,并记录阻断日志。', null); -INSERT INTO `help_document` VALUES ('24', 'cache_policy.md', '#### [1.Function Introduction](#accordion1_1)\r\n\r\nOn National Proxy System, Individual Cache policy rules determine whether to cache or not based on traffic attributes, such as URL and Cookies.\r\n\r\n#### [2.Action](#accordion1_2)\r\n\r\nFor cache action, the optimization parameters are:\r\n\r\n* A Cache key:is a unique string that lets the National Proxy System look for web content when requests hit them. It’s made up of a hostname, path, and cookie parts. By default, the Proxy use the entire URL as the cache key. Selecting the correct cache key will ensure maximum cache footprint and increase cache hits.\r\n* Ignore Query String in URL:in case the query strings doesn’t actually indicate that the object need to be different then you could EXCLUDE them from the cache key. For example, after ignoring “sqp” and “rs” of URL: “https://example.com/pic.jpg?sqp=UAAI&rs=AOn4”.\r\n* Include Cookie Values:in case the server send different content for the same URL based on the cookie value, you can include that cookie value as a part of cache key. 
For example, the server may set a cookie at the client called \"prefLang=ru\" to record user preferred language, you could add \"prefLang\" to distinguish different web content.\r\n* Disable Revalidate:is an ON-OFF switch. The pragma-no-cache header in a client’s request causes the proxy to re-fetch the entire object from the original server, even if the cached copy of the object is fresh. By default this option is switch OFF, which means a client’s non-conditional request results in a conditional GET request sent to the original server if the object is already in cache. The conditional request allows the original server to return the 304 Not Modified response, if the content in cache is still fresh. Thereby, the server-side bandwidth and latency consumed are lesser as the full content is not retrieved again from the original server.\r\n* Cache Dynamic Content:is an ON-OFF switch. A URL is considered dynamic if it ends in “.asp(x)” or contains a question mark (?), a semicolon (;), or “cgi”. Ignore Query String overrides this option (switch on).\r\n* Cache Cookied Content:is an ON-OFF switch. By default, the Proxy does NOT cache cookied content of any type. If this option is switch on, the system cache all Cookeid content except HTML.\r\n* Ignore Request no-cache Headers:is an ON-OFF switch. By default, the proxy strictly observes client Cache-Control: no-cache directives. As known as:\r\n * i. Authorization\r\n * ii. WWW-Authenticate\r\n * iii. Cache-Control: no-store\r\n * iv. Cache-Control: no-cache\r\n* If a requested object contains a no-cache header, then proxy forwards the request to the origin server even if it has a fresh copy in cache. You can configure proxy to ignore client no-cache directives such that it ignores no-cache headers from client requests and serves the object from its cache. Ignore Response no-cache Headers — is an ON-OFF switch. By default, a response from an origin server with a no-cache header is not stored in the cache. 
As known as:\r\n * i. Cache-Control: no-store\r\n * ii. Cache-Control: private\r\n * iii. Set-Cookie\r\n * iv. Cache-Control: no-cache\r\n * v. WWW-Authenticate\r\n * vi. Expires header with a value of 0 (zero) or a past date.If you configure proxy to ignore no-cache headers, then proxy also ignores no-store headers. The default behavior of observing no-cache directives is appropriate in most cases.\r\n* Forcing Object Caching: is an ON-OFF switch. You can force Proxy to cache specific URLs (including dynamic URLs) for a specified duration, regardless of Cache-Control response headers.\r\n* Minimum Use: sets the number of times an item must be requested by clients before Proxy caches it. This is useful if the cache is constantly filling up, as it ensures that only the most frequently accessed items are added to the cache. By default, Proxy cache object at its first appearance. The Counter resets in every 30 minutes. Note that the requests is counted in computing unit independently.\r\n* Max Cache Object Size: sets the upper limit of an object size, larger object will not be cached. By default, Proxy does not cache object larger than 1 GB.\r\n* Cache Pinning Time: configures Proxy to keep certain objects in the cache for a specified time. You can use this option to ensure that the most popular objects are in cache when needed and to prevent cache manager from deleting important objects. Proxy observes Cache-Control headers and pins an object in the cache only if it is indeed cacheable.\r\n* Max Cache Size: sets the upper limit of the size of storage for a policy. By default, Proxy uses all available disk space. When the cache size reaches the limit, the cache manager removes the files that were least recently used to bring the cache size back under the limit.\r\n* Inactive Time: specifies how long an item can remain in the cache without being accessed. 
A file that has not been requested for this time is automatically deleted from the cache by the cache manager, regardless of whether or not it has expired.', null); -INSERT INTO `help_document` VALUES ('25', 'control_policy.md', '#### [1.Function Introduction](#accordion1_1)\r\n\r\nOn National Proxy System, Individual Control policy rules determine whether to allow, block, redirect or replace a session based on traffic attributes, such as URL, request header fields, request body keywords, response header fields, response body keywords, IP address, Subscribe ID and their combination. You could specify these attributes in the submenu of Control Policy.\r\n\r\n#### [2.Action](#accordion1_2)\r\n\r\nYou could select one of the five actions for above attributes, as known as:\r\n\r\n* Monitor:the Proxy produce a log to record matched HTTP session information.\r\n* Block:the Proxy terminate matched HTTP session with an error page and produce a log. You MUST specify a Response Code and a Response Content to generate an error page.\r\n* Redirect: the Proxy redirect matched HTTP session to a predefined URL. Since redirection need to be performed before delivering response to client, condition of response body is not applicable in this action. You MUST configure the redirect response via Response Code and Response URL. The Response URL MUST start with a scheme (http:// or https://). You SHOULD NOT select 301 as Response Code unless you exactly know what you are doing. This action produces a log.\r\n* Replace:the Proxy Searches in a given HTTP part to Find a given string, and Replace any matches with another given string. If no match was found, the session remained untouched. For performance concerns, condition of request body and response body is not available in this action. For example, you can configure the Proxy to search in the response body of URL “www.example.com/index.html”, find every “string1” and replace with “string2”. 
This action produces a log.\r\n* Whitelist:the Proxy pass-through the matched sessions and produce no log.\r\n* In case of HTTP session matches one more policies, the priority order is Whitelist > Reject > Redirect > Replace > Monitor, action with higher priority overrides others.\r\n\r\n#### [3.Attibutes](#accordion1_3)\r\n\r\nThe attributes are detailed in following context:\r\n\r\n* URL:From proxy’s perspective, a HTTP URL consists of a hierarchical sequence of three components: URL = hostname/path\\[?query\\] . The URL path name can also be specified by the user in the local writing system. If not already encoded, it is converted to UTF-8, and any characters not part of the basic URL character set are escaped as hexadecimal using percent-encoding; for example, search keywords “русский” in Google produces URL: https://www.google.com/search?q=%D1%80%D1%83%D1%81%D1%81%D0%BA%D0%B8%D0%B9 To perform policy action on above URL, you could input the whole URL in the input box. Or, you could input original keywords and let the Proxy do the decoding, e.g. “google.com/search” & “русский”. Note that the scheme string MUST be excluded from the URL, it’s “https://” in this case.\r\n* Request Header: is used to set conditions on request header fields. Header fields are colon-separated key-value pairs in clear-text string format, terminated by a carriage return (CR) and line feed (LF) character sequence. For example, “user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)“ is a header filed in request header. The Matching District is used to configure the field’s key, if the key was presented, the Proxy will search in the value for Keywords.\r\n* Response Header: is used to set conditions on response header fields. Its configuration is similar to Request Header.\r\n* Request Body:is used to set conditions on request’s body message. The Proxy searches the pre-configured Keywords in it. 
You can configure non-ASCII or non-utf8 keywords by turn on HEX.\r\n* Response Body:is used to set conditions on response’s body message. Its configuration is similar to Request Body.', null); -INSERT INTO `help_document` VALUES ('26', 'domain_intercept_policy.md', '#### [1.功能简介](#accordion1_1)\r\n\r\n域名拦截主要是根据域名对网站进行拦截,主要分为域名监测,域名白名单和域名限速功能,匹配的方式为子串匹配。当检测到请求的url中包含有配置的域名,根据上述三个功能,进行相应的替换替换,证书不替换和,限速功能。\r\n\r\n#### [2\\. 基础配置信息](#accordion1_2)\r\n\r\n* 域名:监测网站的域名,或是域名的子串\r\n\r\n#### [3\\. 业务配置属性](#accordion1_2)\r\n\r\n* 域名:请求URL中的域名,或是URL中域名的子串\r\n* 限速:对被测机器限制网速,根据配置的数值比列丢包\r\n\r\n#### [4.配置约束条件](#accordion1_4)\r\n\r\n* 域名:配置的监测域名,合法的域名表示\r\n* 丢包率:在0.001-0.009之间\r\n\r\n#### [5.预期效果](#accordion1_5)\r\n\r\n* 黑名单:浏览器证书替换\r\n* 白名单:浏览器证书不替换\r\n* 限速:测试有等比例接近的丢包\r\n\r\n#### [6.配置生效区域](#accordion1_6)\r\n\r\n配置的生效区域,生效区域包括地区,以及ISP,地区和ISP可组合,即某个地区的某个运营商流量生效, 或者某个地区的所有流量生效,或者某个运营商的所有流量生效,也可全域生效\r\n\r\n#### [7.配置标签](#accordion1_7)\r\n\r\n* 来函:必选项,官方或其他组织下达的配置流量管控依据。\r\n* 分类:非必选项,配置分类,例如内容安全、网络攻击等。\r\n* 性质:非必选项,配置性质,例如政治、暴力、宗教等。\r\n* 标签:非必选项,自定义标签。', null); -INSERT INTO `help_document` VALUES ('27', 'https_block_log.md', '#### [1.基础信息](#accordion1_1)\r\n\r\nProxy日志按照控制策略类型进行分类,分为HTTP(S)监测、HTTP(S)管控、HTTP(S)重定向配置、HTTP(S)替换。每类日志页面下有两个基础搜索选项:开始时间、结束时间。和三个功能按钮搜:搜索、重置、筛选和右侧的设置按钮。\r\n\r\n* 选项名称:开始时间-\r\n* 执行动作:点击“开始时间”可以选择搜索日志的时间范围。时间选项中有当前时间的日历和时间表,以确定具体的筛选时间,下方三个选项“clear”表示清空当前选择、“Today”表示将选择时间定为当前时间,“OK”表示确认。确认时间范围后,搜索结果将返回时间范围内的满足搜索条件的HTTP(S)管控日志\r\n\r\n* 选项名称:结束时间-\r\n* 执行动作:点击“结束时间”可以选择搜索日志的时间范围。时间选项中有当前时间的日历和时间表,以确定具体的筛选时间,下方三个选项“clear”表示清空当前选择、“Today”表示将选择时间定为当前时间,“OK”表示确认。确认时间范围后,搜索结果将返回时间范围内的满足搜索条件的HTTP(S)管控日志\r\n\r\n* 选项名称:搜索-\r\n* 执行动作:点击“搜索”,将返回满足时间范围和筛选条件内的HTTP(S)重定向日志\r\n\r\n* 选项名称:重置-\r\n* 执行动作:点击“重置”,将筛选条件和开始时间结束时间清空\r\n\r\n* 选项名称:筛选-\r\n* 执行动作:点击“筛选”,扩展日志筛选条件。eg.传输层协议、传输方向等\r\n\r\n* 选项名称:筛选-\r\n* 执行动作:点击“筛选”,选择查询结果输出的日志信息项\r\n\r\n#### [2.拓展筛选项](#accordion1_3)\r\n\r\n点开筛选按钮后,会出现扩展搜索选项:传输层协议、传输方向、出入口、处理机IP、源IP、目的IP和配置ID。\r\n\r\n* 选项名称:传输层协议-\r\n* 
执行动作:点击“筛选”——>选择“传输层协议”,可以选择:L2TP、IPv4\\_UDP、IPv6、IPv6\\_UDP、OpenVPN、MAC、MPLS、IPv4\\_TCP、IPv4、IPv6\\_TCP、PPTP、VLAN、GRE。确认筛选的传输层协议后,搜索结果将返回选定时间范围内的对应协议的HTTP(S)管控日志,不做选择时默认所有协议\r\n\r\n* 选项名称:传输方向-\r\n* 执行动作:点击“筛选”——>选择“传输方向”,可以选择:境内、境外。境内表示触发规则的源IP为内部IP,境外表示触发规则的源IP为外部IP。确认筛选的传输方向后,搜索结果将返回选定时间范围内的对应传输方向的HTTP(S)重定向日志,不做选择时默认境内外\r\n\r\n* 选项名称:出入口-\r\n* 执行动作:点击“筛选”——>选择“出入口”。暂时不支持该功能\r\n\r\n* 选项名称:处理机IP-\r\n* 执行动作:点击“筛选”——>选择“处理机IP”,输入筛选的处理机IP地址,支持IPv4和IPv6,IPv4输入“IPv4 xxx”,IPv输入“IPv6 xxx”(xxx为对应IP地址),eg.\"IPv4 192.168.17.3\"、\"IPv6 fc00::1:1f\"。确认筛选的处理机IP后,搜索结果将返回选定时间范围内的对应处理机IP的HTTP(S)管控日志,不做选择时默认所有IP\r\n\r\n* 选项名称:源IP-\r\n* 执行动作:点击“筛选”——>选择“源IP”,输入筛选的源IP地址,支持IPv4和IPv6,IPv4输入“IPv4 xxx”,IPv输入“IPv6 xxx”(xxx为对应IP地址),eg.\"IPv4 192.168.17.3\"、\"IPv6 fc00::1:1f\"。确认筛选的源IP后,搜索结果将返回选定时间范围内的对应源IP的HTTP(S)管控日志,不做选择时默认所有IP\r\n\r\n* 选项名称:目的IP-\r\n* 执行动作:点击“筛选”——>选择“目的IP”,输入筛选的目的IP地址,支持IPv4和IPv6,IPv4输入“IPv4 xxx”,IPv输入“IPv6 xxx”(xxx为对应IP地址),eg.\"IPv4 192.168.17.3\"、\"IPv6 fc00::1:1f\"。确认筛选的目的IP后,搜索结果将返回选定时间范围内的对应目的IP的HTTP(S)管控日志,不做选择时默认所有IP\r\n\r\n* 选项名称:配置ID-\r\n* 执行动作:点击“筛选”——>选择“配置ID”,输入筛选的配置ID。确认筛选的目的IP后,搜索结果将返回选定时间范围内的对应配置ID的HTTP(S)重定向日志,不做选择时默认所有配置\r\n\r\n#### [3.日志信息标签:配置ID、发现时间、出入口、URL、处理机IP、传输层协议、源目的IP端口等](#accordion1_2)\r\n\r\n此处对日志信息每项标签做解析,帮助使用人员理解日志具体信息: Proxy在命中记录日志的控制策略时将会产生相应的日志信息,命中配置的消息日志信息包括:配置ID、发现时间、出入口、URL、处理机IP、传输层协议、目的IP、源IP、目的端口、源端口、串联设备、方向、流类型、服务端地址、客户端地址、客户端ASN、服务端ASN、客户端用户名、服务端用户名、现场日志文件地址。\r\n\r\n* 配置ID:命中配置的配置ID\r\n* 发现时间:命中规则的时间\r\n* 出入口:暂不支持\r\n* URL:命中配置的URL\r\n* 处理机IP:处理这条命中规则的服务器IP\r\n* 传输层协议:这条消息的传输层协议\r\n* 目的IP:命中配置的连接的目的IP\r\n* 源IP:命中配置的连接的源IP\r\n* 目的端口:命中配置的连接的目的端口\r\n* 源端口:命中配置的连接的源端口\r\n* 串联设备:暂不支持\r\n* 方向:该日志是传输方向--境内/境外\r\n* 流类型:该流是单向或双向流\r\n* 服务端地址:该流服务端所在的地理区域,eg.Hong Kong、United States\r\n* 客户端地址:该流客户端所在的地理区域,eg.Hong Kong、United States\r\n* 客户端ASN:客户端的ASN号(自治系统号)\r\n* 服务端ASN:服务端的ASN号(自治系统号)\r\n* 客户端用户名:客户端账户的用户名\r\n* 服务端用户名:服务端账户的用户名\r\n* 现场日志文件地址:该日志保存的地址', null); -INSERT INTO `help_document` VALUES ('28', 'https_block_policy.md', '#### 
[1.功能简介](#accordion1_1)\r\n\r\nHTTP(s)阻断主要的功能是实现浏览器无法访问网站。当配置的测试机的IP地址等信息后,被测机器无法访问网站,阻断上网的功能,主要包括IP阻断,URL阻断,请求头域阻断,应答头域阻断,请求内容阻断,应答内容阻断,账号阻断\r\n\r\n#### [2.基础配置信息](#accordion1_2)\r\n\r\n* IP:同“IP拦截”\r\n* HTTP URL:“同域名拦截”\r\n* HTTP 请求头域:同“HTTP(s)监测”\r\n* HTTP 应答头域:同“HTTP(s)监测”\r\n* HTTP 请求内容:同“HTTP(s)监测”\r\n* HTTP 应答内容:同“HTTP(s)监测”\r\n* 账号:同“HTTP(s)监测”\r\n\r\n#### [2.业务配置属性](#accordion1_3)\r\n\r\n* IP:同“HTTP(s)监测”\r\n* HTTP URL:同“HTTP(s)监测”\r\n* HTTP 请求头域:同“HTTP(s)监测”\r\n* HTTP 应答头域:同“HTTP(s)监测”\r\n* HTTP 请求内容:同“HTTP(s)监测”\r\n* HTTP 应答内容:同“HTTP(s)监测”\r\n* 账号:同“HTTP(s)监测”\r\n\r\n#### [4.配置约束条件](#accordion1_4)\r\n\r\n* IP:同“IP拦截”\r\n* URL:同“域名拦截”\r\n* HTTP 请求头:同“HTTP(s)监测”\r\n* HTTP 应答头:同“HTTP(s)监测”\r\n* HTTP 请求内容:同“HTTP(s)监测”\r\n* HTTP 应答内容:同“HTTP(s)监测”\r\n* 账号:同“HTTP(s)监测”\r\n\r\n#### [5.预期效果](#accordion1_5)\r\n\r\n* 阻断效果:浏览器无法访问页面\r\n* 日志检查:生成日志\r\n\r\n#### [6.配置生效区域](#accordion1_6)\r\n\r\n配置的生效区域,生效区域包括地区,以及ISP,地区和ISP可组合,即某个地区的某个运营商流量生效, 或者某个地区的所有流量生效,或者某个运营商的所有流量生效,也可全域生效\r\n\r\n#### [7.配置标签](#accordion1_7)\r\n\r\n* 来函:必选项,官方或其他组织下达的配置流量管控依据。\r\n* 分类:非必选项,配置分类,例如内容安全、网络攻击等。\r\n* 性质:非必选项,配置性质,例如政治、暴力、宗教等。\r\n* 标签:非必选项,自定义标签。', null); -INSERT INTO `help_document` VALUES ('29', 'https_monitor_log.md', '#### [1.基础信息](#accordion1_1)\r\n\r\nProxy日志按照控制策略类型进行分类,分为HTTP(S)监测、HTTP(S)管控、HTTP(S)重定向配置、HTTP(S)替换。每类日志页面下有两个基础搜索选项:开始时间、结束时间。和三个功能按钮搜:搜索、重置、筛选和右侧的设置按钮。\r\n\r\n* 选项名称:开始时间-\r\n* 执行动作:点击“开始时间”可以选择搜索日志的时间范围。时间选项中有当前时间的日历和时间表,以确定具体的筛选时间,下方三个选项“clear”表示清空当前选择、“Today”表示将选择时间定为当前时间,“OK”表示确认。确认时间范围后,搜索结果将返回时间范围内的满足搜索条件的HTTP(S)监测日志\r\n\r\n* 选项名称:结束时间-\r\n* 执行动作:点击“结束时间”可以选择搜索日志的时间范围。时间选项中有当前时间的日历和时间表,以确定具体的筛选时间,下方三个选项“clear”表示清空当前选择、“Today”表示将选择时间定为当前时间,“OK”表示确认。确认时间范围后,搜索结果将返回时间范围内的满足搜索条件的HTTP(S)监测日志\r\n\r\n* 选项名称:搜索-\r\n* 执行动作:点击“搜索”,将返回满足时间范围和筛选条件内的HTTP(S)监测日志\r\n\r\n* 选项名称:重置-\r\n* 执行动作:点击“重置”,将筛选条件和开始时间结束时间清空\r\n\r\n* 选项名称:筛选-\r\n* 执行动作:点击“筛选”,扩展日志筛选条件。eg.传输层协议、传输方向等\r\n\r\n* 选项名称:筛选-\r\n* 执行动作:点击“筛选”,选择查询结果输出的日志信息项\r\n\r\n#### 
[2.拓展筛选项](#accordion1_3)\r\n\r\n点开筛选按钮后,会出现扩展搜索选项:传输层协议、传输方向、出入口、处理机IP、源IP、目的IP和配置ID。\r\n\r\n* 选项名称:传输层协议-\r\n* 执行动作:点击“筛选”——>选择“传输层协议”,可以选择:L2TP、IPv4\\_UDP、IPv6、IPv6\\_UDP、OpenVPN、MAC、MPLS、IPv4\\_TCP、IPv4、IPv6\\_TCP、PPTP、VLAN、GRE。确认筛选的传输层协议后,搜索结果将返回选定时间范围内的对应协议的HTTP(S)监测日志,不做选择时默认所有协议\r\n\r\n* 选项名称:传输方向-\r\n* 执行动作:点击“筛选”——>选择“传输方向”,可以选择:境内、境外。境内表示触发规则的源IP为内部IP,境外表示触发规则的源IP为外部IP。确认筛选的传输方向后,搜索结果将返回选定时间范围内的对应传输方向的HTTP(S)监测日志,不做选择时默认境内外\r\n\r\n* 选项名称:出入口-\r\n* 执行动作:点击“筛选”——>选择“出入口”。暂时不支持该功能\r\n\r\n* 选项名称:处理机IP-\r\n* 执行动作:点击“筛选”——>选择“处理机IP”,输入筛选的处理机IP地址,支持IPv4和IPv6,IPv4输入“IPv4 xxx”,IPv输入“IPv6 xxx”(xxx为对应IP地址),eg.\"IPv4 192.168.17.3\"、\"IPv6 fc00::1:1f\"。确认筛选的处理机IP后,搜索结果将返回选定时间范围内的对应处理机IP的HTTP(S)监测日志,不做选择时默认所有IP\r\n\r\n* 选项名称:源IP-\r\n* 执行动作:点击“筛选”——>选择“源IP”,输入筛选的源IP地址,支持IPv4和IPv6,IPv4输入“IPv4 xxx”,IPv输入“IPv6 xxx”(xxx为对应IP地址),eg.\"IPv4 192.168.17.3\"、\"IPv6 fc00::1:1f\"。确认筛选的源IP后,搜索结果将返回选定时间范围内的对应源IP的HTTP(S)监测日志,不做选择时默认所有IP\r\n\r\n* 选项名称:目的IP-\r\n* 执行动作:点击“筛选”——>选择“目的IP”,输入筛选的目的IP地址,支持IPv4和IPv6,IPv4输入“IPv4 xxx”,IPv输入“IPv6 xxx”(xxx为对应IP地址),eg.\"IPv4 192.168.17.3\"、\"IPv6 fc00::1:1f\"。确认筛选的目的IP后,搜索结果将返回选定时间范围内的对应目的IP的HTTP(S)监测日志,不做选择时默认所有IP\r\n\r\n* 选项名称:配置ID-\r\n* 执行动作:点击“筛选”——>选择“配置ID”,输入筛选的配置ID。确认筛选的目的IP后,搜索结果将返回选定时间范围内的对应配置ID的HTTP(S)监测日志,不做选择时默认所有配置\r\n\r\n#### [3.日志信息标签:配置ID、发现时间、出入口、URL、处理机IP、传输层协议、源目的IP端口等](#accordion1_2)\r\n\r\n此处对日志信息每项标签做解析,帮助使用人员理解日志具体信息: Proxy在命中记录日志的控制策略时将会产生相应的日志信息,命中配置的消息日志信息包括:配置ID、发现时间、出入口、URL、处理机IP、传输层协议、目的IP、源IP、目的端口、源端口、串联设备、方向、流类型、服务端地址、客户端地址、客户端ASN、服务端ASN、客户端用户名、服务端用户名、现场日志文件地址。\r\n\r\n* 配置ID:命中配置的配置ID\r\n* 发现时间:命中规则的时间\r\n* 出入口:暂不支持\r\n* URL:命中配置的URL\r\n* 处理机IP:处理这条命中规则的服务器IP\r\n* 传输层协议:这条消息的传输层协议\r\n* 目的IP:命中配置的连接的目的IP\r\n* 源IP:命中配置的连接的源IP\r\n* 目的端口:命中配置的连接的目的端口\r\n* 源端口:命中配置的连接的源端口\r\n* 串联设备:暂不支持\r\n* 方向:该日志是传输方向--境内/境外\r\n* 流类型:该流是单向或双向流\r\n* 服务端地址:该流服务端所在的地理区域,eg.Hong Kong、United States\r\n* 客户端地址:该流客户端所在的地理区域,eg.Hong Kong、United States\r\n* 客户端ASN:客户端的ASN号(自治系统号)\r\n* 服务端ASN:服务端的ASN号(自治系统号)\r\n* 客户端用户名:客户端账户的用户名\r\n* 
服务端用户名:服务端账户的用户名\r\n* 现场日志文件地址:该日志保存的地址', null); -INSERT INTO `help_document` VALUES ('30', 'https_monitor_policy.md', '#### [1.功能简介](#accordion1_1)\r\n\r\nHTTP(s)监测与IP监测的功能类似,额外增加了其他的监测,主要包括URL监测,请求头域监测,应答头域监测,请求内容监测,应答内容监测,账号监测。\r\n\r\n#### [2.基础配置信息](#accordion1_2)\r\n\r\n* IP:同“IP拦截”\r\n* HTTP URL:同“域名拦截”\r\n* HTTP 请求头域:HTTP发送请求的头域信息\r\n* HTTP 应答头域:HTTP应答的头域信息\r\n* HTTP 请求内容:HTTP请求体中的内容\r\n* HTTP 应答内容:HTTP 响应体的内容\r\n* 账号:上网登陆账号\r\n\r\n#### [3.业务配置属性](#accordion1_3)\r\n\r\n* IP:同“IP拦截”\r\n* 端口:同“IP拦截”\r\n* HTTP URL:同“域名拦截”\r\n* URL:同“域名拦截”\r\n* HTTP 请求头域:浏览器发送头信息的请求头,其中包括请求方法\r\n* HTTP 应答头域:HTTP响应的头信息\r\n* HTTP 请求内容:HTTP请求体\r\n* HTTP 应答内容:HTTP响应体\r\n* 账号:拨号上网账号\r\n\r\n#### [4.配置约束条件](#accordion1_4)\r\n\r\n* IP:同“IP拦截”\r\n* 端口:同“IP拦截”\r\n* URL:配置的URL必须是可访问的\r\n* HTTP 请求头域:合法的请求头域\r\n* HTTP 应答头域:合法的应答头域\r\n* HTTP 请求内容:合法HTTP请求体\r\n* HTTP 应答内容:合法HTTP响应体\r\n* 账号:拨号上网的账号\r\n\r\n#### [5.预期效果](#accordion1_5)\r\n\r\n* 证书替换:浏览器的证书替换,有日志\r\n* 账号监测:检测到配置的账号,有日志\r\n\r\n#### [6.配置生效区域](#accordion1_6)\r\n\r\n配置的生效区域,生效区域包括地区,以及ISP,地区和ISP可组合,即某个地区的某个运营商流量生效, 或者某个地区的所有流量生效,或者某个运营商的所有流量生效,也可全域生效\r\n\r\n#### [7.配置标签](#accordion1_7)\r\n\r\n* 来函:必选项,官方或其他组织下达的配置流量管控依据。\r\n* 分类:非必选项,配置分类,例如内容安全、网络攻击等。\r\n* 性质:非必选项,配置性质,例如政治、暴力、宗教等。\r\n* 标签:非必选项,自定义标签。', null); -INSERT INTO `help_document` VALUES ('31', 'https_redirect_log.md', '#### [1.基础信息](#accordion1_1)\r\n\r\nProxy日志按照控制策略类型进行分类,分为HTTP(S)监测、HTTP(S)管控、HTTP(S)重定向配置、HTTP(S)替换。每类日志页面下有两个基础搜索选项:开始时间、结束时间。和三个功能按钮搜:搜索、重置、筛选和右侧的设置按钮。\r\n\r\n* 选项名称:开始时间-\r\n* 执行动作:点击“开始时间”可以选择搜索日志的时间范围。时间选项中有当前时间的日历和时间表,以确定具体的筛选时间,下方三个选项“clear”表示清空当前选择、“Today”表示将选择时间定为当前时间,“OK”表示确认。确认时间范围后,搜索结果将返回时间范围内的满足搜索条件的HTTP(S)重定向配置日志\r\n\r\n* 选项名称:结束时间-\r\n* 执行动作:点击“结束时间”可以选择搜索日志的时间范围。时间选项中有当前时间的日历和时间表,以确定具体的筛选时间,下方三个选项“clear”表示清空当前选择、“Today”表示将选择时间定为当前时间,“OK”表示确认。确认时间范围后,搜索结果将返回时间范围内的满足搜索条件的HTTP(S)重定向配置日志\r\n\r\n* 选项名称:搜索-\r\n* 执行动作:点击“搜索”,将返回满足时间范围和筛选条件内的HTTP(S)重定向日志\r\n\r\n* 选项名称:重置-\r\n* 执行动作:点击“重置”,将筛选条件和开始时间结束时间清空\r\n\r\n* 选项名称:筛选-\r\n* 
执行动作:点击“筛选”,扩展日志筛选条件。eg.传输层协议、传输方向等\r\n\r\n* 选项名称:筛选-\r\n* 执行动作:点击“筛选”,选择查询结果输出的日志信息项\r\n\r\n#### [2.拓展筛选项](#accordion1_3)\r\n\r\n点开筛选按钮后,会出现扩展搜索选项:传输层协议、传输方向、出入口、处理机IP、源IP、目的IP和配置ID。\r\n\r\n* 选项名称:传输层协议-\r\n* 执行动作:点击“筛选”——>选择“传输层协议”,可以选择:L2TP、IPv4\\_UDP、IPv6、IPv6\\_UDP、OpenVPN、MAC、MPLS、IPv4\\_TCP、IPv4、IPv6\\_TCP、PPTP、VLAN、GRE。确认筛选的传输层协议后,搜索结果将返回选定时间范围内的对应协议的HTTP(S)重定向配置日志,不做选择时默认所有协议\r\n\r\n* 选项名称:传输方向-\r\n* 执行动作:点击“筛选”——>选择“传输方向”,可以选择:境内、境外。境内表示触发规则的源IP为内部IP,境外表示触发规则的源IP为外部IP。确认筛选的传输方向后,搜索结果将返回选定时间范围内的对应传输方向的HTTP(S)重定向日志,不做选择时默认境内外\r\n\r\n* 选项名称:出入口-\r\n* 执行动作:点击“筛选”——>选择“出入口”。暂时不支持该功能\r\n\r\n* 选项名称:处理机IP-\r\n* 执行动作:点击“筛选”——>选择“处理机IP”,输入筛选的处理机IP地址,支持IPv4和IPv6,IPv4输入“IPv4 xxx”,IPv输入“IPv6 xxx”(xxx为对应IP地址),eg.\"IPv4 192.168.17.3\"、\"IPv6 fc00::1:1f\"。确认筛选的处理机IP后,搜索结果将返回选定时间范围内的对应处理机IP的HTTP(S)重定向配置日志,不做选择时默认所有IP\r\n\r\n* 选项名称:源IP-\r\n* 执行动作:点击“筛选”——>选择“源IP”,输入筛选的源IP地址,支持IPv4和IPv6,IPv4输入“IPv4 xxx”,IPv输入“IPv6 xxx”(xxx为对应IP地址),eg.\"IPv4 192.168.17.3\"、\"IPv6 fc00::1:1f\"。确认筛选的源IP后,搜索结果将返回选定时间范围内的对应源IP的HTTP(S)重定向配置日志,不做选择时默认所有IP\r\n\r\n* 选项名称:目的IP-\r\n* 执行动作:点击“筛选”——>选择“目的IP”,输入筛选的目的IP地址,支持IPv4和IPv6,IPv4输入“IPv4 xxx”,IPv输入“IPv6 xxx”(xxx为对应IP地址),eg.\"IPv4 192.168.17.3\"、\"IPv6 fc00::1:1f\"。确认筛选的目的IP后,搜索结果将返回选定时间范围内的对应目的IP的HTTP(S)重定向配置日志,不做选择时默认所有IP\r\n\r\n* 选项名称:配置ID-\r\n* 执行动作:点击“筛选”——>选择“配置ID”,输入筛选的配置ID。确认筛选的目的IP后,搜索结果将返回选定时间范围内的对应配置ID的HTTP(S)重定向日志,不做选择时默认所有配置\r\n\r\n#### [3.日志信息标签:配置ID、发现时间、出入口、URL、处理机IP、传输层协议、源目的IP端口等](#accordion1_2)\r\n\r\n此处对日志信息每项标签做解析,帮助使用人员理解日志具体信息: Proxy在命中记录日志的控制策略时将会产生相应的日志信息,命中配置的消息日志信息包括:配置ID、发现时间、出入口、URL、处理机IP、传输层协议、目的IP、源IP、目的端口、源端口、串联设备、方向、流类型、服务端地址、客户端地址、客户端ASN、服务端ASN、客户端用户名、服务端用户名、现场日志文件地址。\r\n\r\n* 配置ID:命中配置的配置ID\r\n* 发现时间:命中规则的时间\r\n* 出入口:暂不支持\r\n* URL:命中配置的URL\r\n* 处理机IP:处理这条命中规则的服务器IP\r\n* 传输层协议:这条消息的传输层协议\r\n* 目的IP:命中配置的连接的目的IP\r\n* 源IP:命中配置的连接的源IP\r\n* 目的端口:命中配置的连接的目的端口\r\n* 源端口:命中配置的连接的源端口\r\n* 串联设备:暂不支持\r\n* 方向:该日志是传输方向--境内/境外\r\n* 流类型:该流是单向或双向流\r\n* 服务端地址:该流服务端所在的地理区域,eg.Hong Kong、United States\r\n* 客户端地址:该流客户端所在的地理区域,eg.Hong 
Kong、United States\r\n* 客户端ASN:客户端的ASN号(自治系统号)\r\n* 服务端ASN:服务端的ASN号(自治系统号)\r\n* 客户端用户名:客户端账户的用户名\r\n* 服务端用户名:服务端账户的用户名\r\n* 现场日志文件地址:该日志保存的地址', null); -INSERT INTO `help_document` VALUES ('32', 'https_redirect_policy.md', '#### [1.功能简介](#accordion1_1)\r\n\r\nHTTP(s)重定向主要对将请求的页面根据配置的信息重定向到指定的网页,主要包括应答重定向,IP重定向,URL重定向,请求头域重定向和应答头域重定向,请求内容重定向,应答内容重定向,账号重定向。\r\n\r\n#### [2.基础配置信息](#accordion1_2)\r\n\r\n* IP:同“IP拦截”\r\n* HTTP URL:同“域名拦截”\r\n* HTTP 请求头域:同“HTTP(s)监测”\r\n* HTTP 应答头域:同“HTTP(s)监测”\r\n* HTTP 请求内容:同“HTTP(s)监测”\r\n* HTTP 应答内容:同“HTTP(s)监测”\r\n* 账号:同“HTTP(s)监测”\r\n\r\n#### [3.业务配置属性](#accordion1_3)\r\n\r\n* IP:同“IP拦截”\r\n* HTTP URL:同“域名拦截”\r\n* HTTP 请求头域:同“HTTP(s)监测”\r\n* HTTP 应答头域:同“HTTP(s)监测”\r\n* HTTP 请求内容:同“HTTP(s)监测”\r\n* HTTP 应答内容:同“HTTP(s)监测”\r\n* 账号:同“HTTP(s)监测”\r\n\r\n#### [4.配置约束条件](#accordion1_4)\r\n\r\n* IP:同“IP拦截”\r\n* HTTP URL:同“域名拦截”\r\n* HTTP 请求头域:同“HTTP(s)监测”\r\n* HTTP 应答头域:同“HTTP(s)监测”\r\n* HTTP 请求内容:同“HTTP(s)监测”\r\n* HTTP 应答内容:同“HTTP(s)监测”\r\n* 账号:同“HTTP(s)监测”\r\n\r\n#### [5.预期效果](#accordion1_5)\r\n\r\n* 页面重定向:浏览器重定向到指定的页面\r\n* 日志:生成日志\r\n\r\n#### [6.配置生效区域](#accordion1_6)\r\n\r\n配置的生效区域,生效区域包括地区,以及ISP,地区和ISP可组合,即某个地区的某个运营商流量生效, 或者某个地区的所有流量生效,或者某个运营商的所有流量生效,也可全域生效\r\n\r\n#### [7.配置标签](#accordion1_7)\r\n\r\n* 来函:必选项,官方或其他组织下达的配置流量管控依据。\r\n* 分类:非必选项,配置分类,例如内容安全、网络攻击等。\r\n* 性质:非必选项,配置性质,例如政治、暴力、宗教等。\r\n* 标签:非必选项,自定义标签。', null); -INSERT INTO `help_document` VALUES ('33', 'https_replace_log.md', '#### [1.基础信息](#accordion1_1)\r\n\r\nProxy日志按照控制策略类型进行分类,分为HTTP(S)监测、HTTP(S)管控、HTTP(S)重定向配置、HTTP(S)替换。每类日志页面下有两个基础搜索选项:开始时间、结束时间。和三个功能按钮搜:搜索、重置、筛选和右侧的设置按钮。\r\n\r\n* 选项名称:开始时间-\r\n* 执行动作:点击“开始时间”可以选择搜索日志的时间范围。时间选项中有当前时间的日历和时间表,以确定具体的筛选时间,下方三个选项“clear”表示清空当前选择、“Today”表示将选择时间定为当前时间,“OK”表示确认。确认时间范围后,搜索结果将返回时间范围内的满足搜索条件的HTTP(S)替换日志\r\n\r\n* 选项名称:结束时间-\r\n* 执行动作:点击“结束时间”可以选择搜索日志的时间范围。时间选项中有当前时间的日历和时间表,以确定具体的筛选时间,下方三个选项“clear”表示清空当前选择、“Today”表示将选择时间定为当前时间,“OK”表示确认。确认时间范围后,搜索结果将返回时间范围内的满足搜索条件的HTTP(S)替换日志\r\n\r\n* 选项名称:搜索-\r\n* 
执行动作:点击“搜索”,将返回满足时间范围和筛选条件内的HTTP(S)重定向日志\r\n\r\n* 选项名称:重置-\r\n* 执行动作:点击“重置”,将筛选条件和开始时间结束时间清空\r\n\r\n* 选项名称:筛选-\r\n* 执行动作:点击“筛选”,扩展日志筛选条件。eg.传输层协议、传输方向等\r\n\r\n* 选项名称:筛选-\r\n* 执行动作:点击“筛选”,选择查询结果输出的日志信息项\r\n\r\n#### [2.拓展筛选项](#accordion1_3)\r\n\r\n点开筛选按钮后,会出现扩展搜索选项:传输层协议、传输方向、出入口、处理机IP、源IP、目的IP和配置ID。\r\n\r\n* 选项名称:传输层协议-\r\n* 执行动作:点击“筛选”——>选择“传输层协议”,可以选择:L2TP、IPv4\\_UDP、IPv6、IPv6\\_UDP、OpenVPN、MAC、MPLS、IPv4\\_TCP、IPv4、IPv6\\_TCP、PPTP、VLAN、GRE。确认筛选的传输层协议后,搜索结果将返回选定时间范围内的对应协议的HTTP(S)替换日志,不做选择时默认所有协议\r\n\r\n* 选项名称:传输方向-\r\n* 执行动作:点击“筛选”——>选择“传输方向”,可以选择:境内、境外。境内表示触发规则的源IP为内部IP,境外表示触发规则的源IP为外部IP。确认筛选的传输方向后,搜索结果将返回选定时间范围内的对应传输方向的HTTP(S)重定向日志,不做选择时默认境内外\r\n\r\n* 选项名称:出入口-\r\n* 执行动作:点击“筛选”——>选择“出入口”。暂时不支持该功能\r\n\r\n* 选项名称:处理机IP-\r\n* 执行动作:点击“筛选”——>选择“处理机IP”,输入筛选的处理机IP地址,支持IPv4和IPv6,IPv4输入“IPv4 xxx”,IPv输入“IPv6 xxx”(xxx为对应IP地址),eg.\"IPv4 192.168.17.3\"、\"IPv6 fc00::1:1f\"。确认筛选的处理机IP后,搜索结果将返回选定时间范围内的对应处理机IP的HTTP(S)替换日志,不做选择时默认所有IP\r\n\r\n* 选项名称:源IP-\r\n* 执行动作:点击“筛选”——>选择“源IP”,输入筛选的源IP地址,支持IPv4和IPv6,IPv4输入“IPv4 xxx”,IPv输入“IPv6 xxx”(xxx为对应IP地址),eg.\"IPv4 192.168.17.3\"、\"IPv6 fc00::1:1f\"。确认筛选的源IP后,搜索结果将返回选定时间范围内的对应源IP的HTTP(S)替换日志,不做选择时默认所有IP\r\n\r\n* 选项名称:目的IP-\r\n* 执行动作:点击“筛选”——>选择“目的IP”,输入筛选的目的IP地址,支持IPv4和IPv6,IPv4输入“IPv4 xxx”,IPv输入“IPv6 xxx”(xxx为对应IP地址),eg.\"IPv4 192.168.17.3\"、\"IPv6 fc00::1:1f\"。确认筛选的目的IP后,搜索结果将返回选定时间范围内的对应目的IP的HTTP(S)替换日志,不做选择时默认所有IP\r\n\r\n* 选项名称:配置ID-\r\n* 执行动作:点击“筛选”——>选择“配置ID”,输入筛选的配置ID。确认筛选的目的IP后,搜索结果将返回选定时间范围内的对应配置ID的HTTP(S)重定向日志,不做选择时默认所有配置\r\n\r\n#### [3.日志信息标签:配置ID、发现时间、出入口、URL、处理机IP、传输层协议、源目的IP端口等](#accordion1_2)\r\n\r\n此处对日志信息每项标签做解析,帮助使用人员理解日志具体信息: Proxy在命中记录日志的控制策略时将会产生相应的日志信息,命中配置的消息日志信息包括:配置ID、发现时间、出入口、URL、处理机IP、传输层协议、目的IP、源IP、目的端口、源端口、串联设备、方向、流类型、服务端地址、客户端地址、客户端ASN、服务端ASN、客户端用户名、服务端用户名、现场日志文件地址。\r\n\r\n* 配置ID:命中配置的配置ID\r\n* 发现时间:命中规则的时间\r\n* 出入口:暂不支持\r\n* URL:命中配置的URL\r\n* 处理机IP:处理这条命中规则的服务器IP\r\n* 传输层协议:这条消息的传输层协议\r\n* 目的IP:命中配置的连接的目的IP\r\n* 源IP:命中配置的连接的源IP\r\n* 目的端口:命中配置的连接的目的端口\r\n* 源端口:命中配置的连接的源端口\r\n* 串联设备:暂不支持\r\n* 
方向:该日志是传输方向--境内/境外\r\n* 流类型:该流是单向或双向流\r\n* 服务端地址:该流服务端所在的地理区域,eg.Hong Kong、United States\r\n* 客户端地址:该流客户端所在的地理区域,eg.Hong Kong、United States\r\n* 客户端ASN:客户端的ASN号(自治系统号)\r\n* 服务端ASN:服务端的ASN号(自治系统号)\r\n* 客户端用户名:客户端账户的用户名\r\n* 服务端用户名:服务端账户的用户名\r\n* 现场日志文件地址:该日志保存的地址', null); -INSERT INTO `help_document` VALUES ('34', 'https_replace_policy.md', '#### [1.功能简介](#accordion1_1)\r\n\r\nHTTP(s)替换的主要功能是将访问网站的应答内容替换为配置的内容,主要包括IP替换,URL替换,请求头域替换和应答头域替换,账号替换\r\n\r\n#### [2.基础配置信息](#accordion1_2)\r\n\r\n* IP:同“IP拦截”\r\n* HTTP URL:同“域名拦截”\r\n* HTTP 请求头域:同“HTTP(s)监测”\r\n* HTTP 应答头域:同“HTTP(s)监测”\r\n* 账号:同“HTTP(s)监测”\r\n\r\n#### [3.业务配置属性](#accordion1_2)\r\n\r\n* IP:同“IP拦截”\r\n* HTTP URL:同“域名拦截”\r\n* HTTP 请求头域:同“HTTP(s)监测”\r\n* HTTP 应答头域:同“HTTP(s)监测”\r\n* 账号:同“HTTP(s)监测”\r\n\r\n#### [4.配置约束条件](#accordion1_3)\r\n\r\n* IP:同“IP拦截”\r\n* HTTP URL:同“域名拦截”\r\n* HTTP 请求头域:同“HTTP(s)监测”\r\n* HTTP 应答头域:同“HTTP(s)监测”\r\n* 账号:同“HTTP(s)监测”\r\n\r\n#### [5.预期效果](#accordion1_4)\r\n\r\n* 证书检查:浏览器的证书被替换\r\n* 日志检查:产生日志信息\r\n\r\n#### [6.配置生效区域](#accordion1_5)\r\n\r\n配置的生效区域,生效区域包括地区,以及ISP,地区和ISP可组合,即某个地区的某个运营商流量生效, 或者某个地区的所有流量生效,或者某个运营商的所有流量生效,也可全域生效\r\n\r\n#### [7.配置标签](#accordion1_6)\r\n\r\n* 来函:必选项,官方或其他组织下达的配置流量管控依据。\r\n* 分类:非必选项,配置分类,例如内容安全、网络攻击等。\r\n* 性质:非必选项,配置性质,例如政治、暴力、宗教等。\r\n* 标签:非必选项,自定义标签。', null); -INSERT INTO `help_document` VALUES ('35', 'https_whiteList_policy.md', '#### [1.功能简介](#accordion1_1)\r\n\r\nHTTP(s)白名单主要是对访问的网站进行拦截,但是不替换证书,从而不解析网站的加密流量,主要包括IP拦截白名单,URL白名单,请求头域白名单,账号白名单\r\n\r\n#### [2.基础配置信息](#accordion1_2)\r\n\r\n* IP:同“IP拦截”\r\n* HTTP URL:同“域名拦截”\r\n* HTTP 请求头域:同“HTTP(s)监测”\r\n* 账号:同“HTTP(s)监测”\r\n\r\n#### [3.业务配置属性](#accordion1_2)\r\n\r\n* IP:同“IP拦截”\r\n* HTTP URL:同“域名拦截”\r\n* HTTP 请求头域:同“HTTP(s)监测”\r\n* 账号:同“HTTP(s)监测”\r\n\r\n#### [4.配置约束条件](#accordion1_3)\r\n\r\n* IP:同“IP拦截”\r\n* HTTP URL:同“域名拦截”\r\n* HTTP 请求头域:同“HTTP(s)监测”\r\n* 账号:同“HTTP(s)监测”\r\n\r\n#### [5.预期效果](#accordion1_4)\r\n\r\n* 证书检查:证书未替换\r\n\r\n#### 
[6.配置生效区域](#accordion1_5)\r\n\r\n配置的生效区域,生效区域包括地区,以及ISP,地区和ISP可组合,即某个地区的某个运营商流量生效, 或者某个地区的所有流量生效,或者某个运营商的所有流量生效,也可全域生效\r\n\r\n#### [7.配置标签](#accordion1_6)\r\n\r\n* 来函:官方或其他组织下达的配置流量管控依据\r\n* 分类:配置所属的类别\r\n* 性质:配置所属的性质\r\n* 标签:配置所属的标签', null); -INSERT INTO `help_document` VALUES ('36', 'intercept_policy.md', '#### [1.Function Introduction](#accordion1_1)\r\n\r\nOn National Proxy System, Individual Intercept policy rules determines whether to intercept/optimize a connection based on traffic attributes, such as IP address, domain name and Subscribe ID. You could specify these attributes in IP Intercept and Domain Intercept.\r\n\r\n#### [2.Action](#accordion1_2)\r\n\r\nBoth IP intercept and Domain Intercept are subject two actions:\r\n\r\n* Bypass: the Proxy passes through the network connection without apply an optimization or policy checking. It’s could be used to bypass SSL pinning applications, such as Apple Store and WhatsApp, or a of a VIP’s IP address. In case of traffic matches one more policies, bypass overrides intercept.\r\n* Intercept: the National Proxy System intercepts network traffic for further control policy and cache policy checking. When a connection is set to intercept, the proxy terminates the connection and initiates a new connection between client and server. If the connection is SSL encrypted, the original certificate is replaced with a substitute one.\r\n \r\n When Intercept Related Domains is enabled, domains that share one certificates with the specified domain are considered as the same. For example, if the intercept facebook.com with Intercept Related Domain option, then *.xx.fbcdn.net, fb.com, .messenger.com and etc. are also intercepted. There may be side effects that intercept many different websites when they were hosted in a same CDN provider (Content Delivery Network).\r\n \r\n Key ring determines which certificate will be used to generate substitute certificate. You could configure key ring through Proxy Policy Object page. 
If no key ring is specified, proxy will use the default one.\r\n \r\n Intercept policy produces no log. You can find out if the interception is successful by checking if the certificate is issued by your pre-configured Root CA. You need a PC which traffic has already directed to the Proxy, and a web browser to test the policy. For Chrome and Microsoft Internet Explorer, you could click the lock icon on the address bar to view certificate. For Firefox, after you clicking the lock icon, click “>” button to show connection details, click “more information”, and then click “view certificate”. If the browser warning that the connection is not secure, one possible reason is you haven’t install/trust the root certificate yet.\r\n \r\n\r\n### Note: You should exercise caution because web applications may not cooperate with SSL interception, such as SSL pinning, mutual authentication or non-standard SSL implementation.', null); -INSERT INTO `help_document` VALUES ('37', 'ip_intercept_policy.md', '#### [1.功能简介](#accordion1_1)\r\n\r\nIP拦截主要用于配置拦截的IP地址和端口号,测试拦截的效果,其中包括拦截黑名单和拦截白名单,当选择黑名单,这配置了IP地址的被测机器的浏览器证书替换,当选择白名单,则浏览器的证书不会替换。拦截的端口一般配置为服务的端口。\r\n\r\n#### [2.配置基础属性](#accordion1_2)\r\n\r\n* 源IP:用户的IP地址\r\n* 目的IP:网络服务器的IP\r\n* 源端口:用户的端口\r\n* 目的端口:服务使用的端口\r\n* 端口掩码:使用掩码表示的端口\r\n* IP范围:表示一段范围内的IP地址\r\n* IP掩码:使用掩码方式表示的IP段地址\r\n\r\n#### [3.业务配置属性](#accordion1_3)\r\n\r\n* 源IP:报文中的源IP\r\n* 目的IP:报文中目的IP\r\n* 源端口:报文中的源端口\r\n* 目的端口:报文中的目的端口\r\n\r\n#### [4.配置约束条件](#accordion1_4)\r\n\r\n* 源IP:与目的IP不同,且合法\r\n* 源端口:在0——65535范围以内\r\n* 目的IP:与源IP不同,且合法\r\n* 目的端口:在0——65535范围以为\r\n* IP范围:x.x.x.0——x.x.x.255\r\n* IP掩码:x.x.x.x/mask,mask属于16—32\r\n\r\n#### [5.预期效果](#accordion1_5)\r\n\r\n* 黑名单:浏览器证书替换\r\n* 白名单:证书未替换\r\n\r\n#### [6.配置生效区域](#accordion1_6)\r\n\r\n配置的生效区域,生效区域包括地区,以及ISP,地区和ISP可组合,即某个地区的某个运营商流量生效, 或者某个地区的所有流量生效,或者某个运营商的所有流量生效,也可全域生效\r\n\r\n#### [7.配置标签](#accordion1_7)\r\n\r\n* 来函:必选项,官方或其他组织下达的配置流量管控依据。\r\n* 分类:非必选项,配置分类,例如内容安全、网络攻击等。\r\n* 性质:非必选项,配置性质,例如政治、暴力、宗教等。\r\n* 标签:非必选项,自定义标签。', 
null); -INSERT INTO `help_document` VALUES ('38', 'proxy_policy_object.md', '#### [1.Function Introduction](#accordion1_1)\r\n\r\nA policy object is a single object or a collective unit that groups discrete identities such as IP addresses, URLs, applications, or users. With policy objects that are a collective unit, you can reference the object in policy instead of manually selecting multiple objects one at a time. Typically, when creating a policy object, you group objects that require similar permissions in policy.\r\n\r\n#### [2.Key Ring](#accordion1_2)\r\n\r\nOn National Proxy System, Key Ring is a pair of private key and public certificate. You can also import a certificate chain containing multiple certificates. Key Ring is a policy object, you can reference it in Intercept Policy. There are three Certificate Type:\r\n\r\n* End-entity Certificate: is used for web servers to identify themselves. The Public Key File MUST be .p12 format that contains entire certificate chain. The Private Key File could be .pem, .key or .p12 format. This certificate type is not applicable to Domain Intercept for it cannot be used to sign other certificates. Expire After parameter is also not applicable to end-entity certificate for the same reason.\r\n* Intermedia Certificate: is used to sign other certificates. An intermediate certificate must be signed by another intermediate certificate, or a root certificate. The Public Key File MUST be .p12 format that contains entire certificate chain. The Expire After parameter indicates the expiration of the substitute certificate that was issued by this intermedia certificate.\r\n* Root Certificate: is used to sign other certificates. The Public Key File could be .der, .cer, .crt or .pem format. The Expire After parameter has the same meaning as Intermedia Certificate. 
Specification of certificate formats:\r\n * .pem- (Privacy-enhanced Electronic Mail) Base64 encoded DER certificate, enclosed between \"-----BEGIN CERTIFICATE-----\" and \"-----END CERTIFICATE-----\"\r\n * .cer, .crt, .der – usually in binary DER form, but Base64-encoded certificates are common too (see .pem above)\r\n * .p12 – PKCS#12, may contain certificate(s) (public) and private keys (without password protected)\r\n\r\n#### [3.Trusted Certificate](#accordion1_3)\r\n\r\nNational Proxy System has a build-in trusted certificate authorities list. When the original certificate is issued by a certificate authority that not in the list, the proxy will issued the substitute certificate with an untrusted root certificate, and so consequently, the browser could identify unsecure connections.\r\n\r\nYou can add a custom certificate authority to the trusted certificate authorities of the system.\r\n\r\nThe certificate MUST be PEM format.\r\n\r\nFollowing are the National Proxy System’s default trusted certificate authorities:\r\n\r\n* ACCVRAIZ1\r\n* Actalis Authentication Root CA\r\n* AddTrust External CA Root\r\n* AffirmTrust Commercial\r\n* AffirmTrust Networking\r\n* AffirmTrust Premium\r\n* AffirmTrust Premium ECC\r\n* Amazon Root CA 1\r\n* Amazon Root CA 2\r\n* Amazon Root CA 3\r\n* Amazon Root CA 4\r\n* Atos TrustedRoot 2011\r\n* Autoridad de Certificacion Firmaprofesional CIF A62634068\r\n* Baltimore CyberTrust Root\r\n* Buypass Class 2 Root CA\r\n* Buypass Class 3 Root CA\r\n* CA Disig Root R2\r\n* CFCA EV ROOT\r\n* COMODO Certification Authority\r\n* COMODO ECC Certification Authority\r\n* COMODO RSA Certification Authority\r\n* Certigna\r\n* Certinomis - Root CA\r\n* Class 2 Primary CA\r\n* Certplus Root CA G1\r\n* Certplus Root CA G2\r\n* Certum Trusted Network CA\r\n* Certum Trusted Network CA 2\r\n* Chambers of Commerce Root - 2008\r\n* AAA Certificate Services\r\n* Cybertrust Global Root\r\n* D-TRUST Root Class 3 CA 2 2009\r\n* D-TRUST Root Class 3 CA 2 EV 
2009\r\n* DST Root CA X3\r\n* Deutsche Telekom Root CA 2\r\n* DigiCert Assured ID Root CA\r\n* DigiCert Assured ID Root G2\r\n* DigiCert Assured ID Root G3\r\n* DigiCert Global Root CA\r\n* DigiCert Global Root G2\r\n* DigiCert Global Root G3\r\n* DigiCert High Assurance EV Root CA\r\n* DigiCert Trusted Root G4\r\n* E-Tugra Certification Authority\r\n* EC-ACC\r\n* EE Certification Centre Root CA\r\n* Entrust.net Certification Authority (2048)\r\n* Entrust Root Certification Authority\r\n* Entrust Root Certification Authority - EC1\r\n* Entrust Root Certification Authority - G2\r\n* GDCA TrustAUTH R5 ROOT\r\n* GeoTrust Global CA\r\n* GeoTrust Primary Certification Authority\r\n* GeoTrust Primary Certification Authority - G2\r\n* GeoTrust Primary Certification Authority - G3\r\n* GeoTrust Universal CA\r\n* GeoTrust Universal CA 2\r\n* GlobalSign\r\n* GlobalSign\r\n* GlobalSign Root CA\r\n* GlobalSign\r\n* GlobalSign\r\n* Global Chambersign Root - 2008\r\n* Go Daddy Root Certificate Authority - G2\r\n* Hellenic Academic and Research Institutions ECC RootCA 2015\r\n* Hellenic Academic and Research Institutions RootCA 2011\r\n* Hellenic Academic and Research Institutions RootCA 2015\r\n* Hongkong Post Root CA 1\r\n* ISRG Root X1\r\n* IdenTrust Commercial Root CA 1\r\n* IdenTrust Public Sector Root CA 1\r\n* Izenpe.com\r\n* LuxTrust Global Root 2\r\n* Microsec e-Szigno Root CA 2009\r\n* NetLock Arany (Class Gold) Főtanúsítvány\r\n* Network Solutions Certificate Authority\r\n* OISTE WISeKey Global Root GA CA\r\n* OISTE WISeKey Global Root GB CA\r\n* OpenTrust Root CA G1\r\n* OpenTrust Root CA G2\r\n* OpenTrust Root CA G3\r\n* QuoVadis Root Certification Authority\r\n* QuoVadis Root CA 1 G3\r\n* QuoVadis Root CA 2\r\n* QuoVadis Root CA 2 G3\r\n* QuoVadis Root CA 3\r\n* QuoVadis Root CA 3 G3\r\n* SSL.com EV Root Certification Authority ECC\r\n* SSL.com EV Root Certification Authority RSA R2\r\n* SSL.com Root Certification Authority ECC\r\n* SSL.com Root Certification 
Authority RSA\r\n* SZAFIR ROOT CA2\r\n* SecureSign RootCA11\r\n* SecureTrust CA\r\n* Secure Global CA\r\n* Sonera Class2 CA\r\n* Staat der Nederlanden EV Root CA\r\n* Staat der Nederlanden Root CA - G2\r\n* Staat der Nederlanden Root CA - G3\r\n* Starfield Root Certificate Authority - G2\r\n* Starfield Services Root Certificate Authority - G2\r\n* SwissSign Gold CA - G2\r\n* SwissSign Silver CA - G2\r\n* T-TeleSec GlobalRoot Class 2\r\n* T-TeleSec GlobalRoot Class 3\r\n* TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1\r\n* TWCA Global Root CA\r\n* TWCA Root Certification Authority\r\n* TeliaSonera Root CA v1\r\n* TrustCor ECA-1\r\n* TrustCor RootCert CA-1\r\n* TrustCor RootCert CA-2\r\n* TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5\r\n* USERTrust ECC Certification Authority\r\n* USERTrust RSA Certification Authority\r\n* VeriSign Class 3 Public Primary Certification Authority - G4\r\n* VeriSign Class 3 Public Primary Certification Authority - G5\r\n* VeriSign Universal Root Certification Authority\r\n* VeriSign Class 3 Public Primary Certification Authority - G3\r\n* Visa eCommerce Root\r\n* XRamp Global Certification Authority\r\n* thawte Primary Root CA\r\n* thawte Primary Root CA - G2\r\n* thawte Primary Root CA - G3\r\n* Microsoft Root Authority\r\n* Microsoft Root Certificate Authority\r\n* Microsoft Root Certificate Authority 2010\r\n* Microsoft Root Certificate Authority 2011\r\n* Baltimore CyberTrust Root', null);
-INSERT INTO `help_document` VALUES ('39', 'audio_sample.md', '#### [1.功能简介](#accordion1_1)\r\n\r\n音频样例匹配功能,可对网络流量中的音频内容进行分析,找出与用户配置的音频样例相匹配的音视频流量,并执行阻断与监测动作,产生日志\r\n\r\n#### [2.配置基础信息](#accordion1_2)\r\n\r\n* 规则名称:统一填写\r\n* 执行动作:(阻断与监测)统一填写\r\n\r\n#### [3.业务配置属性](#accordion1_3)\r\n\r\n* 源文件:上传本地音频文件,将以该文件中包含的音频信息与流量中传输的音频进行匹配,命中后执行配置动作,产生日志\r\n* 置信度:当执行动作为监测时,用户可指定匹配命中的最小置信度,置信度可选值为70、80、90、100\r\n\r\n#### [4.配置约束条件](#accordion1_4)\r\n\r\n* 上传的本地音频文件大小应不大于20MB\r\n* 上传的本地音频文件时长应不大于2分钟\r\n* 
支持的本地音频文件格式为:mp4,flv,asf,wmv,avi,mpeg,mov,dat,m4v,m4p,m4b,webm,ogv,wav,mp3\r\n\r\n#### [5.配置生效区域](#accordion1_5)\r\n\r\n统一填写\r\n\r\n#### [6.配置标签](#accordion1_6)\r\n\r\n* 统一填写\r\n\r\n#### [7.预期效果](#accordion1_7)\r\n\r\n* 首次分析阻断效果:命中样例配置后,客户端收到NTC系统发送的虚假RST报文,如此时该音视频未缓存或下载完成,则中断当前音视频的播放或下载\r\n* 后续访问阻断效果:首次分析命中后,会生成该音视频的传输特征,后续访问直接依据传输特征进行阻断\r\n\r\n#### [8.免责声明](#accordion1_8)\r\n\r\n* 对于音视频编码的索引信息在音视频文件尾部的情况,本系统不予支持\r\n* 由于音视频内容分析滞后于网络传输,本系统不保证首次观看音视频时的阻断效果', null);
-INSERT INTO `help_document` VALUES ('40', 'file_digest.md', '#### [1.功能简介](#accordion1_1)\r\n\r\n文件摘要检测功能,可提取网络流量中传输文件的摘要信息,并找出与用户配置的文件具有相似摘要的流量,命中配置后,执行阻断与监测动作,产生日志\r\n\r\n#### [2.配置基础信息](#accordion1_2)\r\n\r\n* 规则名称:统一填写\r\n* 执行动作:(阻断与监测)统一填写\r\n\r\n#### [3.业务配置属性](#accordion1_3)\r\n\r\n* 文件:上传本地文件,该文件将与流量中包含的文件进行匹配,命中后执行配置动作,产生日志\r\n* 置信度:当执行动作为监测时,用户可指定匹配命中的最小置信度,置信度可选值为70、80、90、100\r\n\r\n#### [4.配置约束条件](#accordion1_4)\r\n\r\n* 上传的本地文件大小应不大于20MB\r\n* 支持的本地文件格式为:txt,doc,img,docx,pptx,xlsx,xls,ppt\r\n\r\n#### [5.配置生效区域](#accordion1_5)\r\n\r\n统一填写\r\n\r\n#### [6.配置标签](#accordion1_6)\r\n\r\n* 统一填写\r\n\r\n#### [7.预期效果](#accordion1_7)\r\n\r\n* 首次分析阻断效果:当客户端下载某文件,并命中文件摘要配置后,客户端将收到NTC系统发送的虚假RST报文,如此时该文件未下载完成,则中断当前文件的下载\r\n* 后续访问阻断效果:首次分析命中后,会生成该文件的传输特征,后续下载请求直接依据传输特征进行阻断\r\n\r\n#### [8.免责声明](#accordion1_8)\r\n\r\n* 由于文件摘要的分析滞后于网络传输,本系统不保证首次文件下载时的阻断效果', null);
-INSERT INTO `help_document` VALUES ('41', 'picture_sample.md', '#### [1.功能简介](#accordion1_1)\r\n\r\n图片样例匹配功能,可对网络流量中的图片内容进行分析,找出与用户配置的图片样例相匹配的图片流量,并执行阻断与监测动作,产生日志\r\n\r\n#### [2.配置基础信息](#accordion1_2)\r\n\r\n* 规则名称:统一填写\r\n* 执行动作:阻断与监测(统一填写)\r\n\r\n#### [3.业务配置属性](#accordion1_3)\r\n\r\n* 源文件:上传本地图片文件,将以该文件中包含的图片画面信息与流量中传输的图片进行匹配,命中后执行配置动作,产生日志\r\n* 置信度:当执行动作为监测时,用户可指定匹配命中的最小置信度,置信度可选值为70、80、90、100\r\n\r\n#### [4\\. 
配置约束条件](#accordion1_4)\r\n\r\n* 支持的上传图片格式为:bmp,jpg,tiff,raw,gif\r\n\r\n#### [5.配置生效区域](#accordion1_5)\r\n\r\n统一填写\r\n\r\n#### [6.配置标签](#accordion1_6)\r\n\r\n* 统一填写\r\n\r\n#### [7.预期效果](#accordion1_7)\r\n\r\n* 阻断效果:客户端访问某图片命中图片样例配置后,会生成该图片的传输特征,后续对该图片的访问直接依据传输特征进行阻断\r\n\r\n#### [8.免责声明](#accordion1_8)\r\n\r\n* 对于图片文件大于4MB的图片,本系统不予支持', null);
-INSERT INTO `help_document` VALUES ('42', 'video_sample.md', '#### [1.功能简介](#accordion1_1)\r\n\r\n视频样例匹配功能,可对网络流量中的视频内容进行分析,找出与用户配置的视频样例相匹配的视频流量,并执行阻断与监测动作,产生日志\r\n\r\n#### [2.配置基础信息](#accordion1_2)\r\n\r\n* 规则名称:统一填写\r\n* 执行动作:(阻断与监测)统一填写\r\n\r\n#### [3.业务配置属性](#accordion1_3)\r\n\r\n* 源文件:上传本地视频文件,将以该文件中包含的视频画面信息与流量中传输的视频进行匹配,命中后执行配置动作,产生日志\r\n* 置信度:当执行动作为监测时,用户可指定匹配命中的最小置信度,置信度可选值为70、80、90、100\r\n\r\n#### [4.配置约束条件](#accordion1_4)\r\n\r\n* 上传的本地视频文件大小应不大于20MB\r\n* 上传的本地视频文件时长应不大于2分钟\r\n* 支持的本地视频文件格式为:mp4,flv,asf,wmv,avi,mpeg,mov,dat,m4v,m4p,m4b,webm\r\n\r\n#### [5.配置生效区域](#accordion1_5)\r\n\r\n统一填写\r\n\r\n#### [6.配置标签](#accordion1_6)\r\n\r\n* 统一填写\r\n\r\n#### [7.预期效果](#accordion1_7)\r\n\r\n* 首次分析阻断效果:命中样例配置后,客户端收到NTC系统发送的虚假RST报文,如此时该视频未缓存或下载完成,则中断当前视频的播放或下载\r\n* 后续访问阻断效果:首次分析命中后,会生成该视频的传输特征,后续访问直接依据传输特征进行阻断\r\n\r\n#### [8.免责声明](#accordion1_8)\r\n\r\n* 对于音视频编码的索引信息在音视频文件尾部的情况,本系统不予支持\r\n* 对于分辨率大于4兆的视频,本系统不予支持\r\n* 由于音视频内容分析滞后于网络传输,本系统不保证首次观看音视频时的阻断效果', null);
-INSERT INTO `help_document` VALUES ('43', 'video_scene.md', '#### [1.功能简介](#accordion1_1)\r\n\r\n视频场景检测功能,可检测出网络中传输的包含视频色情场景的流量,并根据用户配置,进行阻断或监测,产生日志\r\n\r\n#### [2.配置基础信息](#accordion1_2)\r\n\r\n* 执行动作:(阻断与监测)统一填写\r\n\r\n#### [3.业务配置属性](#accordion1_3)\r\n\r\n* 置信度:当执行动作为监测时,用户可指定匹配命中的最小置信度,置信度可选值为70、80、90、100\r\n\r\n#### [4.配置约束条件](#accordion1_4)\r\n\r\n* 无\r\n\r\n#### [5.配置生效区域](#accordion1_5)\r\n\r\n统一填写\r\n\r\n#### [6.配置标签](#accordion1_6)\r\n\r\n* 统一填写\r\n\r\n#### [7.预期效果](#accordion1_7)\r\n\r\n* 首次分析阻断效果:检测到色情场景后,客户端收到NTC系统发送的虚假RST报文,如此时该视频未缓存或下载完成,则中断当前视频的播放或下载\r\n* 后续访问阻断效果:首次分析命中后,会生成该视频的传输特征,后续访问直接通过传输特征进行阻断\r\n\r\n#### [8.免责声明](#accordion1_8)\r\n\r\n* 
对于音视频编码的索引信息在音视频文件尾部的情况,本系统不予支持\r\n* 对于分辨率大于4兆的视频,本系统不予支持\r\n* 由于音视频内容分析滞后于网络传输,本系统不保证首次观看音视频时的阻断效果', null);
-INSERT INTO `help_document` VALUES ('44', 'voip_sample.md', '#### [1.功能简介](#accordion1_1)\r\n\r\nVOIP样例匹配功能,可对VOIP流量中的语音内容进行分析,找出与用户配置的音频样例相匹配的VOIP流量,并执行阻断与监测动作,产生日志\r\n\r\n#### [2.配置基础信息](#accordion1_2)\r\n\r\n* 规则名称:统一填写\r\n* 执行动作:(阻断与监测)统一填写\r\n\r\n#### [3.业务配置属性](#accordion1_3)\r\n\r\n* 源文件:上传本地音频文件,将以该文件中包含的音频信息与流量中传输的VOIP音频内容进行匹配,命中后执行配置动作,产生日志\r\n* 置信度:当执行动作为监测时,用户可指定匹配命中的最小置信度,置信度可选值为70、80、90、100\r\n\r\n#### [4.配置约束条件](#accordion1_4)\r\n\r\n* 上传的本地音频文件大小应不大于20MB\r\n* 上传的本地音频文件时长应不大于2分钟\r\n* 支持的本地音频文件格式为:mp4,flv,asf,wmv,avi,mpeg,mov,dat,m4v,m4p,m4b,webm,ogv,wav,mp3\r\n\r\n#### [5.配置生效区域](#accordion1_5)\r\n\r\n统一填写\r\n\r\n#### [6.配置标签](#accordion1_6)\r\n\r\n* 统一填写\r\n\r\n#### [7.预期效果](#accordion1_7)\r\n\r\n* 阻断效果:命中配置后,通过串联设备临时规则,丢弃后续传输报文,已接通的VOIP电话不中断,但无后继语音内容\r\n\r\n#### [8.免责声明](#accordion1_8)\r\n\r\n无', null);
+INSERT INTO `help_document` VALUES ('1', 'cache_policy.md', 'Cache Policy
+
+On National Proxy System, Individual Cache policy rules determine
+whether to cache or not based on traffic attributes, such as URL and
+Cookies. For cache action, the optimization parameters are:
+
+*A Cache key* — is a unique string that lets the National Proxy System
+look for web content when requests hit them. It’s made up of a hostname,
+path, and cookie parts. By default, the Proxy use the entire URL as the
+cache key. Selecting the correct cache key will ensure maximum cache
+footprint and increase cache hits.
+
+*Ignore Query String in URL* — in case the query strings doesn’t
+actually indicate that the object need to be different then you could
+EXCLUDE them from the cache key. For example, after ignoring “sqp” and
+“rs” of URL: “https://example.com/pic.jpg?~~sqp=UAAI&rs=AOn4~~”.
+
+*Include Cookie Values* — in case the server send different content for
+the same URL based on the cookie value, you can include that cookie
+value as a part of cache key. 
For example, the server may set a cookie
+at the client called "prefLang=ru" to record user preferred language,
+you could add "prefLang" to distinguish different web content.
+
+*Disable Revalidate* — is an ON-OFF switch. The pragma-no-cache header
+in a client’s request causes the proxy to re-fetch the entire object
+from the original server, even if the cached copy of the object is
+fresh. By default this option is switch OFF, which means a client’s
+non-conditional request results in a conditional GET request sent to the
+original server if the object is already in cache. The conditional
+request allows the original server to return the 304 Not Modified
+response, if the content in cache is still fresh. Thereby, the
+server-side bandwidth and latency consumed are lesser as the full
+content is not retrieved again from the original server.
+
+*Cache Dynamic Content* — is an ON-OFF switch. A URL is considered
+dynamic if it ends in “.asp(x)” or contains a question mark (?), a
+semicolon (;), or “cgi”. *Ignore Query String* overrides this option
+(switch on).
+
+*Cache Cookied Content* — is an ON-OFF switch. By default, the Proxy
+does NOT cache cookied content of any type. If this option is switch on,
+the system cache all cookied content except HTML.
+
+*Ignore Request no-cache Headers* — is an ON-OFF switch. By default, the
+proxy strictly observes client Cache-Control: no-cache directives. As
+known as:
+
+i. Authorization
+
+ii. WWW-Authenticate
+
+iii. Cache-Control: no-store
+
+iv. Cache-Control: no-cache
+
+If a requested object contains a no-cache header, then proxy forwards
+the request to the origin server even if it has a fresh copy in cache.
+You can configure proxy to ignore client no-cache directives such that
+it ignores no-cache headers from client requests and serves the object
+from its cache.
+
+*Ignore Response no-cache Headers* — is an ON-OFF switch. 
By default, a
+response from an origin server with a no-cache header is not stored in
+the cache. As known as:
+
+i. Cache-Control: no-store
+
+ii. Cache-Control: private
+
+iii. Set-Cookie
+
+iv. Cache-Control: no-cache
+
+v. WWW-Authenticate
+
+vi. Expires header with a value of 0 (zero) or a past date.
+
+If you configure proxy to ignore no-cache headers, then proxy also
+ignores no-store headers. The default behavior of observing no-cache
+directives is appropriate in most cases.
+
+*Forcing Object Caching* — is an ON-OFF switch. You can force Proxy to
+cache specific URLs (including dynamic URLs) for a specified duration,
+regardless of Cache-Control response headers.
+
+*Minimum Use* — sets the number of times an item must be requested by
+clients before Proxy caches it. This is useful if the cache is
+constantly filling up, as it ensures that only the most frequently
+accessed items are added to the cache. By default, Proxy cache object at
+its first appearance. The counter resets in every 30 minutes. Note that
+the requests is counted independently on each processing unit.
+
+*Max Cache Object Size* — sets the upper limit of an object size, larger
+object will not be cached. By default, Proxy does not cache object
+larger than 1 GB.
+
+*Cache Pinning Time* — configures Proxy to keep certain objects in the
+cache for a specified time. You can use this option to ensure that the
+most popular objects are in cache when needed and to prevent cache
+manager from deleting important objects. Proxy observes Cache-Control
+headers and pins an object in the cache only if it is indeed cacheable.
+
+*Max Cache Size* — sets the upper limit of the size of storage for a
+policy. By default, Proxy uses all available disk space. When the cache
+size reaches the limit, the cache manager removes the files that were
+least recently used to bring the cache size back under the limit.
+
+*Inactive Time* — specifies how long an item can remain in the cache
+without being accessed. 
A file that has not been requested for this time
+is automatically deleted from the cache by the cache manager, regardless
+of whether or not it has expired.
+
+', null);
+INSERT INTO `help_document` VALUES ('2', 'Control Policy
+
+On National Proxy System, Individual Control policy rules determine
+whether to allow, block, redirect or replace a session based on traffic
+attributes, such as URL, request header fields, request body keywords,
+response header fields, response body keywords, IP address, Subscribe ID
+and their combination. You could specify these attributes in the submenu
+of *Control Policy*.
+
+The attributes are detailed in following context:
+
+*URL* — From proxy’s perspective, a HTTP URL consists of a hierarchical
+sequence of three components: URL = hostname/path[?query] . The URL path
+name can also be specified by the user in the local writing system. If
+not already encoded, it is converted to UTF-8, and any characters not
+part of the basic URL character set are escaped as hexadecimal using
+percent-encoding; for example, search keywords “русский” in Google
+produces URL:
+
+https://www.google.com/search?q=%D1%80%D1%83%D1%81%D1%81%D0%BA%D0%B8%D0%B9
+
+To perform policy action on above URL, you could input the whole URL in
+the input box. Or, you could input original keywords and let the Proxy
+do the decoding, e.g. “google.com/search” & “русский”. Note that the
+scheme string MUST be excluded from the URL, it’s “https://” in this
+case.
+
+NOTE Maximum HTTP/HTTPS URL length is 1023 characters
+
+*Request Header* — is used to set conditions on request header fields.
+Header fields are colon-separated key-value pairs in clear-text string
+format, terminated by a carriage return (CR) and line feed (LF)
+character sequence. For example, “user-agent: Mozilla/5.0 (Windows NT
+10.0; Win64; x64)“ is a header filed in request header. 
The *Matching
+District* is used to configure the field’s key, if the key was
+presented, the Proxy will search in the value for *Keywords*.
+
+*Response Header* — is used to set conditions on response header fields.
+Its configuration is similar to *Request Header*.
+
+*Request Body* — is used to set conditions on request’s body message.
+The Proxy searches the pre-configured *Keywords* in it. You can
+configure non-ASCII or non-utf8 keywords by turn on HEX.
+
+*Response Body* — is used to set conditions on response’s body message.
+Its configuration is similar to *Request Body*.
+
+You could select one of the five actions for above attributes, as known
+as:
+
+*Monitor* — the Proxy produce a log to record matched HTTP session
+information.
+
+*Block* — the Proxy terminate matched HTTP session with an error page
+and produce a log. You MUST specify a *Response Code* and a *Response
+Content* to generate an error page.
+
+*Redirect*—the Proxy redirect matched HTTP session to a predefined URL.
+Since redirection need to be performed before delivering response to
+client, condition of response body is not applicable in this action. You
+MUST configure the redirect response via *Response Code* and *Response
+URL*. The Response URL MUST start with a scheme (http:// or https://).
+You SHOULD NOT select **301** as *Response Code* unless you exactly know
+what you are doing. This action produces a log.
+
+*Replace*—the Proxy *Searches in* a given HTTP part to *Find* a given
+string, and *Replace* any matches *with* another given string. If no
+match was found, the session remained untouched. For performance
+concerns, condition of request body and response body is not available
+in this action. For example, you can configure the Proxy to search in
+the response body of URL “www.example.com/index.html”, find every
+“string1” and replace with “string2”. This action produces a log.
+
+*Whitelist*—the Proxy pass-through the matched sessions and produce no
+log. 
+
+National Proxy will enforce policy check on traffic attributes, policies
+have been created that there will be some that overlap or are subsets of
+the parameters that the policies use to determine which policy should be
+matched against the traffic. The execute order of policy is “first
+match, first served”. In case of an incoming traffic attribute matches
+one more policy, the priority order is *Whitelist \> Block \>
+Redirect \> Replace \> Monitor*, action with higher priority overrides
+others. If multiple policies of same action are matched, policy with
+bigger ID number is precedence.
+', null);
+INSERT INTO `help_document` VALUES ('3', 'intercept_policy.md', 'Intercept Policy
+
+An Intercept policy rule allows you to define traffic that you want the
+National Proxy to decrypt and to define traffic that you choose to
+exclude from decryption because the traffic is personal or because of
+local regulations. A connection is intercepted/optimized based on
+traffic attributes, such as IP address, domain name (via SNI matching)
+and Subscribe ID. You could specify these attributes in *IP Intercept*
+and *Domain Intercept*.
+
+Both *IP intercept* and *Domain Intercept* are subject two actions:
+
+*Intercept*—the National Proxy System intercepts network traffic for
+further control policy and cache policy checking. Interception requires
+certificates to establish the National Proxy as a trusted third party.
+National Proxy deployed in transparent mode, which means the users don`t
+have any proxy settings in their browser. When a connection is set to
+intercept, the proxy terminates the connection and initiates a new
+connection between client and server. If the connection is SSL
+encrypted, the original certificate is replaced with a substitute one.
+
+*Bypass*—the Proxy passes through the network connection without apply
+an optimization or policy checking. 
You can also use bypass action when
+excluding servers from SSL decryption for technical reasons (the site
+breaks decryption for reasons such as certificate pinning, unsupported
+ciphers, or mutual authentication). Apple Store, WhatsApp, Telegram,
+Microsoft Windows Update are common SSL pinning application. In case of
+traffic matches one more policy, bypass overrides intercept.
+
+When *Intercept Related Domains* is enabled, domains that share one
+certificates with the specified domain are considered as the same. For
+example, if the intercept facebook.com with I*ntercept Related Domain*
+option, then \*.xx.fbcdn.net, fb.com, .messenger.com and etc. are also
+intercepted. There may be side effects that intercept undesired websites
+that share one certificate. For example, two websites hosted in a same
+CDN provider (Content Delivery Network) or different products of one
+company.
+
+*Key ring* determines which certificate will be used to generate
+substitute certificate. You could configure key ring through *Proxy
+Policy Object* page. If no key ring is specified, proxy will use the
+default one.
+
+Intercept policy produces no log. You can find out if the interception
+is successful by checking if the certificate is issued by your
+pre-configured Root CA. You need a PC which traffic has already directed
+to the Proxy, and a web browser to test the policy. For Chrome and
+Microsoft Internet Explorer, you could click the lock icon on the
+address bar to view certificate. For Firefox, after you clicking the
+lock icon, click “\>” button to show connection details, click “more
+information”, and then click “view certificate”. If the browser warning
+that the connection is not secure, one possible reason is you haven’t
+install/trust the root certificate yet.
+
+**Note:** You should exercise caution because web applications may not
+cooperate with SSL interception. 
Reasons that sites break decryption
+technically include pinned certificates, mutual authentication,
+incomplete certificate chains, unsupported ciphers, and non-standard SSL
+implementation. If a site uses an incomplete certificate chain, the
+National Proxy doesn’t automatically fix the chain as a browser would.
+You need to manually download the missing sub-CA certificates and load
+and deploy them onto the proxy.', null);
+INSERT INTO `help_document` VALUES ('4', 'proxy_policy_object.md', 'Proxy Policy Object
+
+A policy object is a single object or a collective unit that groups
+discrete identities such as IP addresses, URLs, applications, or users.
+With policy objects that are a collective unit, you can reference the
+object in policy instead of manually selecting multiple objects one at a
+time. Typically, when creating a policy object, you group objects that
+require similar permissions in policy.
+
+1. Key Ring
+
+On National Proxy System, Key Ring is a pair of private key and public
+certificate. You can also import a certificate chain containing multiple
+certificates. Key Ring is a policy object, you can reference it in
+*Intercept Policy*.
+
+There are three *Certificate Type:*
+
+*End-entity Certificate*— is used for web servers to identify
+themselves. The *Public Key File* MUST be .p12 format that contains
+entire certificate chain. The Private Key File could be .pem, .key or
+.p12 format. This certificate type is not applicable to *Domain
+Intercept* for it cannot be used to sign other certificates. *Expire
+After* parameter is also not applicable to end-entity certificate for
+the same reason.
+
+*Intermedia Certificate* — is used to sign other certificates. An
+intermediate certificate must be signed by another intermediate
+certificate, or a root certificate. The *Public Key File* MUST be .p12
+format that contains entire certificate chain. 
The *Expire After*
+parameter indicates the expiration of the substitute certificate that
+was issued by this intermedia certificate.
+
+*Root Certificate* — is used to sign other certificates. The *Public Key
+File* could be .der, .cer, .crt or .pem format. The *Expire After*
+parameter has the same meaning as Intermedia Certificate.
+
+*CRL* — or Certificate Revocation List, is a list of digital
+certificates that have been revoked by the issuing certificate authority
+(CA) before their scheduled expiration date and should no longer be
+trusted. On Key Ring settings, CRL is an HTTP URL that point to a valid
+.crl file. Invalid URL or .crl file may produce certificate warnings on
+some browser, i.e. Internet Explorer 11.
+
+Specification of certificate formats:
+
+*.pem* – (Privacy-enhanced Electronic Mail) Base64 encoded DER
+certificate, enclosed between "-----BEGIN CERTIFICATE-----" and
+"-----END CERTIFICATE-----"
+
+*.cer, .crt, .der* – usually in binary DER form, but Base64-encoded
+certificates are common too (see .pem above)
+
+*.p12* – PKCS\#12, may contain certificate(s) (public) and private keys
+(without password protected)
+
+1. Trusted Certificate
+
+National Proxy System has a build-in trusted certificate authorities
+list. When the original certificate is issued by a certificate authority
+that not in the list, the proxy will issued the substitute certificate
+with an untrusted root certificate, and so consequently, the browser
+could identify unsecure connections.
+
+You can add a custom certificate authority to the trusted certificate
+authorities of the system.
+
+The certificate MUST be PEM format. 
+
+Following are the National Proxy System’s default trusted certificate
+authorities:
+
+ACCVRAIZ1
+
+Actalis Authentication Root CA
+
+AddTrust External CA Root
+
+AffirmTrust Commercial
+
+AffirmTrust Networking
+
+AffirmTrust Premium
+
+AffirmTrust Premium ECC
+
+Amazon Root CA 1
+
+Amazon Root CA 2
+
+Amazon Root CA 3
+
+Amazon Root CA 4
+
+Atos TrustedRoot 2011
+
+Autoridad de Certificacion Firmaprofesional CIF A62634068
+
+Baltimore CyberTrust Root
+
+Buypass Class 2 Root CA
+
+Buypass Class 3 Root CA
+
+CA Disig Root R2
+
+CFCA EV ROOT
+
+COMODO Certification Authority
+
+COMODO ECC Certification Authority
+
+COMODO RSA Certification Authority
+
+Certigna
+
+Certinomis - Root CA
+
+Class 2 Primary CA
+
+Certplus Root CA G1
+
+Certplus Root CA G2
+
+Certum Trusted Network CA
+
+Certum Trusted Network CA 2
+
+Chambers of Commerce Root - 2008
+
+AAA Certificate Services
+
+Cybertrust Global Root
+
+D-TRUST Root Class 3 CA 2 2009
+
+D-TRUST Root Class 3 CA 2 EV 2009
+
+DST Root CA X3
+
+Deutsche Telekom Root CA 2
+
+DigiCert Assured ID Root CA
+
+DigiCert Assured ID Root G2
+
+DigiCert Assured ID Root G3
+
+DigiCert Global Root CA
+
+DigiCert Global Root G2
+
+DigiCert Global Root G3
+
+DigiCert High Assurance EV Root CA
+
+DigiCert Trusted Root G4
+
+E-Tugra Certification Authority
+
+EC-ACC
+
+EE Certification Centre Root CA
+
+Entrust.net Certification Authority (2048)
+
+Entrust Root Certification Authority
+
+Entrust Root Certification Authority - EC1
+
+Entrust Root Certification Authority - G2
+
+GDCA TrustAUTH R5 ROOT
+
+GeoTrust Global CA
+
+GeoTrust Primary Certification Authority
+
+GeoTrust Primary Certification Authority - G2
+
+GeoTrust Primary Certification Authority - G3
+
+GeoTrust Universal CA
+
+GeoTrust Universal CA 2
+
+GlobalSign
+
+GlobalSign
+
+GlobalSign Root CA
+
+GlobalSign
+
+GlobalSign
+
+Global Chambersign Root - 2008
+
+Go Daddy Root Certificate Authority - G2
+
+Hellenic Academic and Research Institutions ECC RootCA 2015
+
+Hellenic Academic and Research Institutions RootCA 2011
+
+Hellenic Academic and Research Institutions RootCA 2015
+
+Hongkong Post Root CA 1
+
+ISRG Root X1
+
+IdenTrust Commercial Root CA 1
+
+IdenTrust Public Sector Root CA 1
+
+Izenpe.com
+
+LuxTrust Global Root 2
+
+Microsec e-Szigno Root CA 2009
+
+NetLock Arany (Class Gold) Főtanúsítvány
+
+Network Solutions Certificate Authority
+
+OISTE WISeKey Global Root GA CA
+
+OISTE WISeKey Global Root GB CA
+
+OpenTrust Root CA G1
+
+OpenTrust Root CA G2
+
+OpenTrust Root CA G3
+
+QuoVadis Root Certification Authority
+
+QuoVadis Root CA 1 G3
+
+QuoVadis Root CA 2
+
+QuoVadis Root CA 2 G3
+
+QuoVadis Root CA 3
+
+QuoVadis Root CA 3 G3
+
+SSL.com EV Root Certification Authority ECC
+
+SSL.com EV Root Certification Authority RSA R2
+
+SSL.com Root Certification Authority ECC
+
+SSL.com Root Certification Authority RSA
+
+SZAFIR ROOT CA2
+
+SecureSign RootCA11
+
+SecureTrust CA
+
+Secure Global CA
+
+Sonera Class2 CA
+
+Staat der Nederlanden EV Root CA
+
+Staat der Nederlanden Root CA - G2
+
+Staat der Nederlanden Root CA - G3
+
+Starfield Root Certificate Authority - G2
+
+Starfield Services Root Certificate Authority - G2
+
+SwissSign Gold CA - G2
+
+SwissSign Silver CA - G2
+
+T-TeleSec GlobalRoot Class 2
+
+T-TeleSec GlobalRoot Class 3
+
+TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1
+
+TWCA Global Root CA
+
+TWCA Root Certification Authority
+
+TeliaSonera Root CA v1
+
+TrustCor ECA-1
+
+TrustCor RootCert CA-1
+
+TrustCor RootCert CA-2
+
+TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5
+
+USERTrust ECC Certification Authority
+
+USERTrust RSA Certification Authority
+
+VeriSign Class 3 Public Primary Certification Authority - G4
+
+VeriSign Class 3 Public Primary Certification Authority - G5
+
+VeriSign Universal Root Certification Authority
+
+VeriSign Class 3 Public Primary Certification Authority - G3
+
+Visa eCommerce Root
+
+XRamp Global Certification Authority
+
+thawte Primary Root CA
+
+thawte Primary 
Root CA - G2
+
+thawte Primary Root CA - G3
+
+Microsoft Root Authority
+
+Microsoft Root Certificate Authority
+
+Microsoft Root Certificate Authority 2010
+
+Microsoft Root Certificate Authority 2011
+
+Baltimore CyberTrust Root
+
+', null);
\ No newline at end of file
diff --git a/src/main/webapp/online-help/proxy/cache_policy.md b/src/main/webapp/online-help/proxy/cache_policy.md
index 0f3fe2864..9d8c6e88d 100644
--- a/src/main/webapp/online-help/proxy/cache_policy.md
+++ b/src/main/webapp/online-help/proxy/cache_policy.md
@@ -1,32 +1,112 @@ -#### [1.Function Introduction](#accordion1_1) +Cache Policy -On National Proxy System, Individual Cache policy rules determine whether to cache or not based on traffic attributes, such as URL and Cookies. +On National Proxy System, Individual Cache policy rules determine +whether to cache or not based on traffic attributes, such as URL and +Cookies. For cache action, the optimization parameters are: -#### [2.Action](#accordion1_2) +*A Cache key* — is a unique string that lets the National Proxy System +look for web content when requests hit them. It’s made up of a hostname, +path, and cookie parts. By default, the Proxy use the entire URL as the +cache key. Selecting the correct cache key will ensure maximum cache +footprint and increase cache hits. -For cache action, the optimization parameters are: +*Ignore Query String in URL* — in case the query strings doesn’t +actually indicate that the object need to be different then you could +EXCLUDE them from the cache key. For example, after ignoring “sqp” and +“rs” of URL: “https://example.com/pic.jpg?~~sqp=UAAI&rs=AOn4~~”. + +*Include Cookie Values* — in case the server send different content for +the same URL based on the cookie value, you can include that cookie +value as a part of cache key. For example, the server may set a cookie +at the client called "prefLang=ru" to record user preferred language, +you could add "prefLang" to distinguish different web content. + +*Disable Revalidate* — is an ON-OFF switch. The pragma-no-cache header +in a client’s request causes the proxy to re-fetch the entire object +from the original server, even if the cached copy of the object is +fresh. By default this option is switch OFF, which means a client’s +non-conditional request results in a conditional GET request sent to the +original server if the object is already in cache. The conditional +request allows the original server to return the 304 Not Modified +response, if the content in cache is still fresh. 
Thereby, the +server-side bandwidth and latency consumed are lesser as the full +content is not retrieved again from the original server. + +*Cache Dynamic Content* — is an ON-OFF switch. A URL is considered +dynamic if it ends in “.asp(x)” or contains a question mark (?), a +semicolon (;), or “cgi”. *Ignore Query String* overrides this option +(switch on). + +*Cache Cookied Content* — is an ON-OFF switch. By default, the Proxy +does NOT cache cookied content of any type. If this option is switch on, +the system cache all cookied content except HTML. + +*Ignore Request no-cache Headers* — is an ON-OFF switch. By default, the +proxy strictly observes client Cache-Control: no-cache directives. As +known as: + +i. Authorization + +ii. WWW-Authenticate + +iii. Cache-Control: no-store + +iv. Cache-Control: no-cache + +If a requested object contains a no-cache header, then proxy forwards +the request to the origin server even if it has a fresh copy in cache. +You can configure proxy to ignore client no-cache directives such that +it ignores no-cache headers from client requests and serves the object +from its cache. + +*Ignore Response no-cache Headers* — is an ON-OFF switch. By default, a +response from an origin server with a no-cache header is not stored in +the cache. As known as: + +i. Cache-Control: no-store + +ii. Cache-Control: private + +iii. Set-Cookie + +iv. Cache-Control: no-cache + +v. WWW-Authenticate + +vi. Expires header with a value of 0 (zero) or a past date. + +If you configure proxy to ignore no-cache headers, then proxy also +ignores no-store headers. The default behavior of observing no-cache +directives is appropriate in most cases. + +*Forcing Object Caching* — is an ON-OFF switch. You can force Proxy to +cache specific URLs (including dynamic URLs) for a specified duration, +regardless of Cache-Control response headers. + +*Minimum Use* — sets the number of times an item must be requested by +clients before Proxy caches it. 
This is useful if the cache is +constantly filling up, as it ensures that only the most frequently +accessed items are added to the cache. By default, Proxy cache object at +its first appearance. The counter resets in every 30 minutes. Note that +the requests is counted independently on each processing unit. + +*Max Cache Object Size* — sets the upper limit of an object size, larger +object will not be cached. By default, Proxy does not cache object +larger than 1 GB. + +*Cache Pinning Time* — configures Proxy to keep certain objects in the +cache for a specified time. You can use this option to ensure that the +most popular objects are in cache when needed and to prevent cache +manager from deleting important objects. Proxy observes Cache-Control +headers and pins an object in the cache only if it is indeed cacheable. + +*Max Cache Size* — sets the upper limit of the size of storage for a +policy. By default, Proxy uses all available disk space. When the cache +size reaches the limit, the cache manager removes the files that were +least recently used to bring the cache size back under the limit. + +*Inactive Time* — specifies how long an item can remain in the cache +without being accessed. A file that has not been requested for this time +is automatically deleted from the cache by the cache manager, regardless +of whether or not it has expired. -* A Cache key:is a unique string that lets the National Proxy System look for web content when requests hit them. It’s made up of a hostname, path, and cookie parts. By default, the Proxy use the entire URL as the cache key. Selecting the correct cache key will ensure maximum cache footprint and increase cache hits. -* Ignore Query String in URL:in case the query strings doesn’t actually indicate that the object need to be different then you could EXCLUDE them from the cache key. For example, after ignoring “sqp” and “rs” of URL: “https://example.com/pic.jpg?sqp=UAAI&rs=AOn4”. 
-* Include Cookie Values:in case the server send different content for the same URL based on the cookie value, you can include that cookie value as a part of cache key. For example, the server may set a cookie at the client called "prefLang=ru" to record user preferred language, you could add "prefLang" to distinguish different web content. -* Disable Revalidate:is an ON-OFF switch. The pragma-no-cache header in a client’s request causes the proxy to re-fetch the entire object from the original server, even if the cached copy of the object is fresh. By default this option is switch OFF, which means a client’s non-conditional request results in a conditional GET request sent to the original server if the object is already in cache. The conditional request allows the original server to return the 304 Not Modified response, if the content in cache is still fresh. Thereby, the server-side bandwidth and latency consumed are lesser as the full content is not retrieved again from the original server. -* Cache Dynamic Content:is an ON-OFF switch. A URL is considered dynamic if it ends in “.asp(x)” or contains a question mark (?), a semicolon (;), or “cgi”. Ignore Query String overrides this option (switch on). -* Cache Cookied Content:is an ON-OFF switch. By default, the Proxy does NOT cache cookied content of any type. If this option is switch on, the system cache all Cookeid content except HTML. -* Ignore Request no-cache Headers:is an ON-OFF switch. By default, the proxy strictly observes client Cache-Control: no-cache directives. As known as: - * i. Authorization - * ii. WWW-Authenticate - * iii. Cache-Control: no-store - * iv. Cache-Control: no-cache -* If a requested object contains a no-cache header, then proxy forwards the request to the origin server even if it has a fresh copy in cache. You can configure proxy to ignore client no-cache directives such that it ignores no-cache headers from client requests and serves the object from its cache. 
Ignore Response no-cache Headers — is an ON-OFF switch. By default, a response from an origin server with a no-cache header is not stored in the cache. As known as: - * i. Cache-Control: no-store - * ii. Cache-Control: private - * iii. Set-Cookie - * iv. Cache-Control: no-cache - * v. WWW-Authenticate - * vi. Expires header with a value of 0 (zero) or a past date.If you configure proxy to ignore no-cache headers, then proxy also ignores no-store headers. The default behavior of observing no-cache directives is appropriate in most cases. -* Forcing Object Caching: is an ON-OFF switch. You can force Proxy to cache specific URLs (including dynamic URLs) for a specified duration, regardless of Cache-Control response headers. -* Minimum Use: sets the number of times an item must be requested by clients before Proxy caches it. This is useful if the cache is constantly filling up, as it ensures that only the most frequently accessed items are added to the cache. By default, Proxy cache object at its first appearance. The Counter resets in every 30 minutes. Note that the requests is counted in computing unit independently. -* Max Cache Object Size: sets the upper limit of an object size, larger object will not be cached. By default, Proxy does not cache object larger than 1 GB. -* Cache Pinning Time: configures Proxy to keep certain objects in the cache for a specified time. You can use this option to ensure that the most popular objects are in cache when needed and to prevent cache manager from deleting important objects. Proxy observes Cache-Control headers and pins an object in the cache only if it is indeed cacheable. -* Max Cache Size: sets the upper limit of the size of storage for a policy. By default, Proxy uses all available disk space. When the cache size reaches the limit, the cache manager removes the files that were least recently used to bring the cache size back under the limit. 
-* Inactive Time: specifies how long an item can remain in the cache without being accessed. A file that has not been requested for this time is automatically deleted from the cache by the cache manager, regardless of whether or not it has expired.
\ No newline at end of file
diff --git a/src/main/webapp/online-help/proxy/control_policy.md b/src/main/webapp/online-help/proxy/control_policy.md
index 9c02cb194..5e67ebcae 100644
--- a/src/main/webapp/online-help/proxy/control_policy.md
+++ b/src/main/webapp/online-help/proxy/control_policy.md
@@ -1,24 +1,86 @@ -#### [1.Function Introduction](#accordion1_1) +Control Policy -On National Proxy System, Individual Control policy rules determine whether to allow, block, redirect or replace a session based on traffic attributes, such as URL, request header fields, request body keywords, response header fields, response body keywords, IP address, Subscribe ID and their combination. You could specify these attributes in the submenu of Control Policy. - -#### [2.Action](#accordion1_2) - -You could select one of the five actions for above attributes, as known as: - -* Monitor:the Proxy produce a log to record matched HTTP session information. -* Block:the Proxy terminate matched HTTP session with an error page and produce a log. You MUST specify a Response Code and a Response Content to generate an error page. -* Redirect: the Proxy redirect matched HTTP session to a predefined URL. Since redirection need to be performed before delivering response to client, condition of response body is not applicable in this action. You MUST configure the redirect response via Response Code and Response URL. The Response URL MUST start with a scheme (http:// or https://). You SHOULD NOT select 301 as Response Code unless you exactly know what you are doing. This action produces a log. -* Replace:the Proxy Searches in a given HTTP part to Find a given string, and Replace any matches with another given string. If no match was found, the session remained untouched. For performance concerns, condition of request body and response body is not available in this action. For example, you can configure the Proxy to search in the response body of URL “www.example.com/index.html”, find every “string1” and replace with “string2”. This action produces a log. -* Whitelist:the Proxy pass-through the matched sessions and produce no log. 
-* In case of HTTP session matches one more policies, the priority order is Whitelist > Reject > Redirect > Replace > Monitor, action with higher priority overrides others. - -#### [3.Attibutes](#accordion1_3) +On National Proxy System, Individual Control policy rules determine +whether to allow, block, redirect or replace a session based on traffic +attributes, such as URL, request header fields, request body keywords, +response header fields, response body keywords, IP address, Subscribe ID +and their combination. You could specify these attributes in the submenu +of *Control Policy*. The attributes are detailed in following context: -* URL:From proxy’s perspective, a HTTP URL consists of a hierarchical sequence of three components: URL = hostname/path\[?query\] . The URL path name can also be specified by the user in the local writing system. If not already encoded, it is converted to UTF-8, and any characters not part of the basic URL character set are escaped as hexadecimal using percent-encoding; for example, search keywords “русский” in Google produces URL: https://www.google.com/search?q=%D1%80%D1%83%D1%81%D1%81%D0%BA%D0%B8%D0%B9 To perform policy action on above URL, you could input the whole URL in the input box. Or, you could input original keywords and let the Proxy do the decoding, e.g. “google.com/search” & “русский”. Note that the scheme string MUST be excluded from the URL, it’s “https://” in this case. -* Request Header: is used to set conditions on request header fields. Header fields are colon-separated key-value pairs in clear-text string format, terminated by a carriage return (CR) and line feed (LF) character sequence. For example, “user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)“ is a header filed in request header. The Matching District is used to configure the field’s key, if the key was presented, the Proxy will search in the value for Keywords. -* Response Header: is used to set conditions on response header fields. 
Its configuration is similar to Request Header. -* Request Body:is used to set conditions on request’s body message. The Proxy searches the pre-configured Keywords in it. You can configure non-ASCII or non-utf8 keywords by turn on HEX. -* Response Body:is used to set conditions on response’s body message. Its configuration is similar to Request Body. \ No newline at end of file +*URL* — From proxy’s perspective, a HTTP URL consists of a hierarchical +sequence of three components: URL = hostname/path[?query] . The URL path +name can also be specified by the user in the local writing system. If +not already encoded, it is converted to UTF-8, and any characters not +part of the basic URL character set are escaped as hexadecimal using +percent-encoding; for example, search keywords “русский” in Google +produces URL: + +https://www.google.com/search?q=%D1%80%D1%83%D1%81%D1%81%D0%BA%D0%B8%D0%B9 + +To perform policy action on above URL, you could input the whole URL in +the input box. Or, you could input original keywords and let the Proxy +do the decoding, e.g. “google.com/search” & “русский”. Note that the +scheme string MUST be excluded from the URL, it’s “https://” in this +case. + +NOTE Maximum HTTP/HTTPS URL length is 1023 characters + +*Request Header* — is used to set conditions on request header fields. +Header fields are colon-separated key-value pairs in clear-text string +format, terminated by a carriage return (CR) and line feed (LF) +character sequence. For example, “user-agent: Mozilla/5.0 (Windows NT +10.0; Win64; x64)“ is a header filed in request header. The *Matching +District* is used to configure the field’s key, if the key was +presented, the Proxy will search in the value for *Keywords*. + +*Response Header* — is used to set conditions on response header fields. +Its configuration is similar to *Request Header*. + +*Request Body* — is used to set conditions on request’s body message. +The Proxy searches the pre-configured *Keywords* in it. 
You can +configure non-ASCII or non-utf8 keywords by turn on HEX. + +*Response Body* — is used to set conditions on response’s body message. +Its configuration is similar to *Request Body*. + +You could select one of the five actions for above attributes, as known +as: + +*Monitor* — the Proxy produce a log to record matched HTTP session +information. + +*Block* — the Proxy terminate matched HTTP session with an error page +and produce a log. You MUST specify a *Response Code* and a *Response +Content* to generate an error page. + +*Redirect*—the Proxy redirect matched HTTP session to a predefined URL. +Since redirection need to be performed before delivering response to +client, condition of response body is not applicable in this action. You +MUST configure the redirect response via *Response Code* and *Response +URL*. The Response URL MUST start with a scheme (http:// or https://). +You SHOULD NOT select **301** as *Response Code* unless you exactly know +what you are doing. This action produces a log. + +*Replace*—the Proxy *Searches in* a given HTTP part to *Find* a given +string, and *Replace* any matches *with* another given string. If no +match was found, the session remained untouched. For performance +concerns, condition of request body and response body is not available +in this action. For example, you can configure the Proxy to search in +the response body of URL “www.example.com/index.html”, find every +“string1” and replace with “string2”. This action produces a log. + +*Whitelist*—the Proxy pass-through the matched sessions and produce no +log. + +National Proxy will enforce policy check on traffic attributes, policies +have been created that there will be some that overlap or are subsets of +the parameters that the policies use to determine which policy should be +matched against the traffic. The execute order of policy is “first +match, first served”. 
In case of an incoming traffic attribute matches +one more policy, the priority order is *Whitelist \> Block \> +Redirect \> Replace \> Monitor*, action with higher priority overrides +others. If multiple policies of same action are matched, policy with +bigger ID number is precedence. + diff --git a/src/main/webapp/online-help/proxy/intercept_policy.md b/src/main/webapp/online-help/proxy/intercept_policy.md index ab37be760..d996fef3a 100644 --- a/src/main/webapp/online-help/proxy/intercept_policy.md +++ b/src/main/webapp/online-help/proxy/intercept_policy.md 
@@ -1,19 +1,63 @@ -#### [1.Function Introduction](#accordion1_1) +Intercept Policy -On National Proxy System, Individual Intercept policy rules determines whether to intercept/optimize a connection based on traffic attributes, such as IP address, domain name and Subscribe ID. You could specify these attributes in IP Intercept and Domain Intercept. +An Intercept policy rule allows you to define traffic that you want the +National Proxy to decrypt and to define traffic that you choose to +exclude from decryption because the traffic is personal or because of +local regulations. A connection is intercepted/optimized based on +traffic attributes, such as IP address, domain name (via SNI matching) +and Subscribe ID. You could specify these attributes in *IP Intercept* +and *Domain Intercept*. -#### [2.Action](#accordion1_2) +Both *IP intercept* and *Domain Intercept* are subject two actions: -Both IP intercept and Domain Intercept are subject two actions: +*Intercept*—the National Proxy System intercepts network traffic for +further control policy and cache policy checking. Interception requires +certificates to establish the National Proxy as a trusted third party. +National Proxy deployed in transparent mode, which means the users don't +have any proxy settings in their browser. When a connection is set to +intercept, the proxy terminates the connection and initiates a new +connection between client and server. If the connection is SSL +encrypted, the original certificate is replaced with a substitute one. -* Bypass: the Proxy passes through the network connection without apply an optimization or policy checking. It’s could be used to bypass SSL pinning applications, such as Apple Store and WhatsApp, or a of a VIP’s IP address. In case of traffic matches one more policies, bypass overrides intercept. -* Intercept: the National Proxy System intercepts network traffic for further control policy and cache policy checking. 
When a connection is set to intercept, the proxy terminates the connection and initiates a new connection between client and server. If the connection is SSL encrypted, the original certificate is replaced with a substitute one. - - When Intercept Related Domains is enabled, domains that share one certificates with the specified domain are considered as the same. For example, if the intercept facebook.com with Intercept Related Domain option, then *.xx.fbcdn.net, fb.com, .messenger.com and etc. are also intercepted. There may be side effects that intercept many different websites when they were hosted in a same CDN provider (Content Delivery Network). - - Key ring determines which certificate will be used to generate substitute certificate. You could configure key ring through Proxy Policy Object page. If no key ring is specified, proxy will use the default one. - - Intercept policy produces no log. You can find out if the interception is successful by checking if the certificate is issued by your pre-configured Root CA. You need a PC which traffic has already directed to the Proxy, and a web browser to test the policy. For Chrome and Microsoft Internet Explorer, you could click the lock icon on the address bar to view certificate. For Firefox, after you clicking the lock icon, click “>” button to show connection details, click “more information”, and then click “view certificate”. If the browser warning that the connection is not secure, one possible reason is you haven’t install/trust the root certificate yet. - +*Bypass*—the Proxy passes through the network connection without apply +an optimization or policy checking. You can also use bypass action when +excluding servers from SSL decryption for technical reasons (the site +breaks decryption for reasons such as certificate pinning, unsupported +ciphers, or mutual authentication). Apple Store, WhatsApp, Telegram, +Microsoft Windows Update are common SSL pinning application. 
In case of +traffic matches one more policy, bypass overrides intercept. + +When *Intercept Related Domains* is enabled, domains that share one +certificates with the specified domain are considered as the same. For +example, if the intercept facebook.com with I*ntercept Related Domain* +option, then \*.xx.fbcdn.net, fb.com, .messenger.com and etc. are also +intercepted. There may be side effects that intercept undesired websites +that share one certificate. For example, two websites hosted in a same +CDN provider (Content Delivery Network) or different products of one +company. + +*Key ring* determines which certificate will be used to generate +substitute certificate. You could configure key ring through *Proxy +Policy Object* page. If no key ring is specified, proxy will use the +default one. + +Intercept policy produces no log. You can find out if the interception +is successful by checking if the certificate is issued by your +pre-configured Root CA. You need a PC which traffic has already directed +to the Proxy, and a web browser to test the policy. For Chrome and +Microsoft Internet Explorer, you could click the lock icon on the +address bar to view certificate. For Firefox, after you clicking the +lock icon, click “\>” button to show connection details, click “more +information”, and then click “view certificate”. If the browser warning +that the connection is not secure, one possible reason is you haven’t +install/trust the root certificate yet. + +**Note:** You should exercise caution because web applications may not +cooperate with SSL interception. Reasons that sites break decryption +technically include pinned certificates, mutual authentication, +incomplete certificate chains, unsupported ciphers, and non-standard SSL +implementation. If a site uses an incomplete certificate chain, the +National Proxy doesn’t automatically fix the chain as a browser would. 
+You need to manually download the missing sub-CA certificates and load
+and deploy them onto the proxy.
-### Note: You should exercise caution because web applications may not cooperate with SSL interception, such as SSL pinning, mutual authentication or non-standard SSL implementation.
\ No newline at end of file
diff --git a/src/main/webapp/online-help/proxy/proxy_policy_object.md b/src/main/webapp/online-help/proxy/proxy_policy_object.md
index 431374e12..150f4151d 100644
--- a/src/main/webapp/online-help/proxy/proxy_policy_object.md
+++ b/src/main/webapp/online-help/proxy/proxy_policy_object.md
@@ -1,154 +1,330 @@ -#### [1.Function Introduction](#accordion1_1) +Proxy Policy Object -A policy object is a single object or a collective unit that groups discrete identities such as IP addresses, URLs, applications, or users. With policy objects that are a collective unit, you can reference the object in policy instead of manually selecting multiple objects one at a time. Typically, when creating a policy object, you group objects that require similar permissions in policy. +A policy object is a single object or a collective unit that groups +discrete identities such as IP addresses, URLs, applications, or users. +With policy objects that are a collective unit, you can reference the +object in policy instead of manually selecting multiple objects one at a +time. Typically, when creating a policy object, you group objects that +require similar permissions in policy. -#### [2.Key Ring](#accordion1_2) +1. Key Ring -On National Proxy System, Key Ring is a pair of private key and public certificate. You can also import a certificate chain containing multiple certificates. Key Ring is a policy object, you can reference it in Intercept Policy. There are three Certificate Type: +On National Proxy System, Key Ring is a pair of private key and public +certificate. You can also import a certificate chain containing multiple +certificates. Key Ring is a policy object, you can reference it in +*Intercept Policy*. -* End-entity Certificate: is used for web servers to identify themselves. The Public Key File MUST be .p12 format that contains entire certificate chain. The Private Key File could be .pem, .key or .p12 format. This certificate type is not applicable to Domain Intercept for it cannot be used to sign other certificates. Expire After parameter is also not applicable to end-entity certificate for the same reason. -* Intermedia Certificate: is used to sign other certificates. 
An intermediate certificate must be signed by another intermediate certificate, or a root certificate. The Public Key File MUST be .p12 format that contains entire certificate chain. The Expire After parameter indicates the expiration of the substitute certificate that was issued by this intermedia certificate. -* Root Certificate: is used to sign other certificates. The Public Key File could be .der, .cer, .crt or .pem format. The Expire After parameter has the same meaning as Intermedia Certificate. Specification of certificate formats: - * .pem- (Privacy-enhanced Electronic Mail) Base64 encoded DER certificate, enclosed between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" - * .cer, .crt, .der – usually in binary DER form, but Base64-encoded certificates are common too (see .pem above) - * .p12 – PKCS#12, may contain certificate(s) (public) and private keys (without password protected) +There are three *Certificate Type:* -#### [3.Trusted Certificate](#accordion1_3) +*End-entity Certificate*— is used for web servers to identify +themselves. The *Public Key File* MUST be .p12 format that contains +entire certificate chain. The Private Key File could be .pem, .key or +.p12 format. This certificate type is not applicable to *Domain +Intercept* for it cannot be used to sign other certificates. *Expire +After* parameter is also not applicable to end-entity certificate for +the same reason. -National Proxy System has a build-in trusted certificate authorities list. When the original certificate is issued by a certificate authority that not in the list, the proxy will issued the substitute certificate with an untrusted root certificate, and so consequently, the browser could identify unsecure connections. +*Intermedia Certificate* — is used to sign other certificates. An +intermediate certificate must be signed by another intermediate +certificate, or a root certificate. The *Public Key File* MUST be .p12 +format that contains entire certificate chain. 
The *Expire After*
+parameter indicates the expiration of the substitute certificate that
+was issued by this intermedia certificate.
-You can add a custom certificate authority to the trusted certificate authorities of the system.
+*Root Certificate* — is used to sign other certificates. The *Public Key
+File* could be .der, .cer, .crt or .pem format. The *Expire After*
+parameter has the same meaning as Intermedia Certificate.
+
+*CRL* — or Certificate Revocation List, is a list of digital
+certificates that have been revoked by the issuing certificate authority
+(CA) before their scheduled expiration date and should no longer be
+trusted. On Key Ring settings, CRL is an HTTP URL that point to a valid
+.crl file. Invalid URL or .crl file may produce certificate warnings on
+some browser, i.e. Internet Explorer 11.
+
+Specification of certificate formats:
+
+*.pem* – (Privacy-enhanced Electronic Mail) Base64 encoded DER
+certificate, enclosed between "-----BEGIN CERTIFICATE-----" and
+"-----END CERTIFICATE-----"
+
+*.cer, .crt, .der* – usually in binary DER form, but Base64-encoded
+certificates are common too (see .pem above)
+
+*.p12* – PKCS\#12, may contain certificate(s) (public) and private keys
+(without password protected)
+
+1. Trusted Certificate
+
+National Proxy System has a build-in trusted certificate authorities
+list. When the original certificate is issued by a certificate authority
+that not in the list, the proxy will issued the substitute certificate
+with an untrusted root certificate, and so consequently, the browser
+could identify unsecure connections.
+
+You can add a custom certificate authority to the trusted certificate
+authorities of the system. The certificate MUST be PEM format.
-Following are the National Proxy System’s default trusted certificate authorities:
+Following are the National Proxy System’s default trusted certificate
+authorities:
+
+ACCVRAIZ1
+
+Actalis Authentication Root CA
+
+AddTrust External CA Root
+
+AffirmTrust Commercial
+
+AffirmTrust Networking
+
+AffirmTrust Premium
+
+AffirmTrust Premium ECC
+
+Amazon Root CA 1
+
+Amazon Root CA 2
+
+Amazon Root CA 3
+
+Amazon Root CA 4
+
+Atos TrustedRoot 2011
+
+Autoridad de Certificacion Firmaprofesional CIF A62634068
+
+Baltimore CyberTrust Root
+
+Buypass Class 2 Root CA
+
+Buypass Class 3 Root CA
+
+CA Disig Root R2
+
+CFCA EV ROOT
+
+COMODO Certification Authority
+
+COMODO ECC Certification Authority
+
+COMODO RSA Certification Authority
+
+Certigna
+
+Certinomis - Root CA
+
+Class 2 Primary CA
+
+Certplus Root CA G1
+
+Certplus Root CA G2
+
+Certum Trusted Network CA
+
+Certum Trusted Network CA 2
+
+Chambers of Commerce Root - 2008
+
+AAA Certificate Services
+
+Cybertrust Global Root
+
+D-TRUST Root Class 3 CA 2 2009
+
+D-TRUST Root Class 3 CA 2 EV 2009
+
+DST Root CA X3
+
+Deutsche Telekom Root CA 2
+
+DigiCert Assured ID Root CA
+
+DigiCert Assured ID Root G2
+
+DigiCert Assured ID Root G3
+
+DigiCert Global Root CA
+
+DigiCert Global Root G2
+
+DigiCert Global Root G3
+
+DigiCert High Assurance EV Root CA
+
+DigiCert Trusted Root G4
+
+E-Tugra Certification Authority
+
+EC-ACC
+
+EE Certification Centre Root CA
+
+Entrust.net Certification Authority (2048)
+
+Entrust Root Certification Authority
+
+Entrust Root Certification Authority - EC1
+
+Entrust Root Certification Authority - G2
+
+GDCA TrustAUTH R5 ROOT
+
+GeoTrust Global CA
+
+GeoTrust Primary Certification Authority
+
+GeoTrust Primary Certification Authority - G2
+
+GeoTrust Primary Certification Authority - G3
+
+GeoTrust Universal CA
+
+GeoTrust Universal CA 2
+
+GlobalSign
+
+GlobalSign
+
+GlobalSign Root CA
+
+GlobalSign
+
+GlobalSign
+
+Global Chambersign Root - 2008
+
+Go Daddy Root Certificate 
Authority - G2 + +Hellenic Academic and Research Institutions ECC RootCA 2015 + +Hellenic Academic and Research Institutions RootCA 2011 + +Hellenic Academic and Research Institutions RootCA 2015 + +Hongkong Post Root CA 1 + +ISRG Root X1 + +IdenTrust Commercial Root CA 1 + +IdenTrust Public Sector Root CA 1 + +Izenpe.com + +LuxTrust Global Root 2 + +Microsec e-Szigno Root CA 2009 + +NetLock Arany (Class Gold) Főtanúsítvány + +Network Solutions Certificate Authority + +OISTE WISeKey Global Root GA CA + +OISTE WISeKey Global Root GB CA + +OpenTrust Root CA G1 + +OpenTrust Root CA G2 + +OpenTrust Root CA G3 + +QuoVadis Root Certification Authority + +QuoVadis Root CA 1 G3 + +QuoVadis Root CA 2 + +QuoVadis Root CA 2 G3 + +QuoVadis Root CA 3 + +QuoVadis Root CA 3 G3 + +SSL.com EV Root Certification Authority ECC + +SSL.com EV Root Certification Authority RSA R2 + +SSL.com Root Certification Authority ECC + +SSL.com Root Certification Authority RSA + +SZAFIR ROOT CA2 + +SecureSign RootCA11 + +SecureTrust CA + +Secure Global CA + +Sonera Class2 CA + +Staat der Nederlanden EV Root CA + +Staat der Nederlanden Root CA - G2 + +Staat der Nederlanden Root CA - G3 + +Starfield Root Certificate Authority - G2 + +Starfield Services Root Certificate Authority - G2 + +SwissSign Gold CA - G2 + +SwissSign Silver CA - G2 + +T-TeleSec GlobalRoot Class 2 + +T-TeleSec GlobalRoot Class 3 + +TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1 + +TWCA Global Root CA + +TWCA Root Certification Authority + +TeliaSonera Root CA v1 + +TrustCor ECA-1 + +TrustCor RootCert CA-1 + +TrustCor RootCert CA-2 + +TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5 + +USERTrust ECC Certification Authority + +USERTrust RSA Certification Authority + +VeriSign Class 3 Public Primary Certification Authority - G4 + +VeriSign Class 3 Public Primary Certification Authority - G5 + +VeriSign Universal Root Certification Authority + +VeriSign Class 3 Public Primary Certification Authority - G3 + +Visa eCommerce Root + 
+XRamp Global Certification Authority + +thawte Primary Root CA + +thawte Primary Root CA - G2 + +thawte Primary Root CA - G3 + +Microsoft Root Authority + +Microsoft Root Certificate Authority + +Microsoft Root Certificate Authority 2010 + +Microsoft Root Certificate Authority 2011 + +Baltimore CyberTrust Root -* ACCVRAIZ1 -* Actalis Authentication Root CA -* AddTrust External CA Root -* AffirmTrust Commercial -* AffirmTrust Networking -* AffirmTrust Premium -* AffirmTrust Premium ECC -* Amazon Root CA 1 -* Amazon Root CA 2 -* Amazon Root CA 3 -* Amazon Root CA 4 -* Atos TrustedRoot 2011 -* Autoridad de Certificacion Firmaprofesional CIF A62634068 -* Baltimore CyberTrust Root -* Buypass Class 2 Root CA -* Buypass Class 3 Root CA -* CA Disig Root R2 -* CFCA EV ROOT -* COMODO Certification Authority -* COMODO ECC Certification Authority -* COMODO RSA Certification Authority -* Certigna -* Certinomis - Root CA -* Class 2 Primary CA -* Certplus Root CA G1 -* Certplus Root CA G2 -* Certum Trusted Network CA -* Certum Trusted Network CA 2 -* Chambers of Commerce Root - 2008 -* AAA Certificate Services -* Cybertrust Global Root -* D-TRUST Root Class 3 CA 2 2009 -* D-TRUST Root Class 3 CA 2 EV 2009 -* DST Root CA X3 -* Deutsche Telekom Root CA 2 -* DigiCert Assured ID Root CA -* DigiCert Assured ID Root G2 -* DigiCert Assured ID Root G3 -* DigiCert Global Root CA -* DigiCert Global Root G2 -* DigiCert Global Root G3 -* DigiCert High Assurance EV Root CA -* DigiCert Trusted Root G4 -* E-Tugra Certification Authority -* EC-ACC -* EE Certification Centre Root CA -* Entrust.net Certification Authority (2048) -* Entrust Root Certification Authority -* Entrust Root Certification Authority - EC1 -* Entrust Root Certification Authority - G2 -* GDCA TrustAUTH R5 ROOT -* GeoTrust Global CA -* GeoTrust Primary Certification Authority -* GeoTrust Primary Certification Authority - G2 -* GeoTrust Primary Certification Authority - G3 -* GeoTrust Universal CA -* GeoTrust Universal CA 2 
-* GlobalSign -* GlobalSign -* GlobalSign Root CA -* GlobalSign -* GlobalSign -* Global Chambersign Root - 2008 -* Go Daddy Root Certificate Authority - G2 -* Hellenic Academic and Research Institutions ECC RootCA 2015 -* Hellenic Academic and Research Institutions RootCA 2011 -* Hellenic Academic and Research Institutions RootCA 2015 -* Hongkong Post Root CA 1 -* ISRG Root X1 -* IdenTrust Commercial Root CA 1 -* IdenTrust Public Sector Root CA 1 -* Izenpe.com -* LuxTrust Global Root 2 -* Microsec e-Szigno Root CA 2009 -* NetLock Arany (Class Gold) Főtanúsítvány -* Network Solutions Certificate Authority -* OISTE WISeKey Global Root GA CA -* OISTE WISeKey Global Root GB CA -* OpenTrust Root CA G1 -* OpenTrust Root CA G2 -* OpenTrust Root CA G3 -* QuoVadis Root Certification Authority -* QuoVadis Root CA 1 G3 -* QuoVadis Root CA 2 -* QuoVadis Root CA 2 G3 -* QuoVadis Root CA 3 -* QuoVadis Root CA 3 G3 -* SSL.com EV Root Certification Authority ECC -* SSL.com EV Root Certification Authority RSA R2 -* SSL.com Root Certification Authority ECC -* SSL.com Root Certification Authority RSA -* SZAFIR ROOT CA2 -* SecureSign RootCA11 -* SecureTrust CA -* Secure Global CA -* Sonera Class2 CA -* Staat der Nederlanden EV Root CA -* Staat der Nederlanden Root CA - G2 -* Staat der Nederlanden Root CA - G3 -* Starfield Root Certificate Authority - G2 -* Starfield Services Root Certificate Authority - G2 -* SwissSign Gold CA - G2 -* SwissSign Silver CA - G2 -* T-TeleSec GlobalRoot Class 2 -* T-TeleSec GlobalRoot Class 3 -* TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1 -* TWCA Global Root CA -* TWCA Root Certification Authority -* TeliaSonera Root CA v1 -* TrustCor ECA-1 -* TrustCor RootCert CA-1 -* TrustCor RootCert CA-2 -* TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5 -* USERTrust ECC Certification Authority -* USERTrust RSA Certification Authority -* VeriSign Class 3 Public Primary Certification Authority - G4 -* VeriSign Class 3 Public Primary Certification Authority - G5 
-* VeriSign Universal Root Certification Authority -* VeriSign Class 3 Public Primary Certification Authority - G3 -* Visa eCommerce Root -* XRamp Global Certification Authority -* thawte Primary Root CA -* thawte Primary Root CA - G2 -* thawte Primary Root CA - G3 -* Microsoft Root Authority -* Microsoft Root Certificate Authority -* Microsoft Root Certificate Authority 2010 -* Microsoft Root Certificate Authority 2011 -* Baltimore CyberTrust Root \ No newline at end of file