bypass.config

The bypass.config file contains static bypass rules that Content Gateway uses in transparent proxy mode. Static bypass rules instruct Content Gateway to bypass certain incoming client requests so that they are served by the origin server.

The bypass.config file also accepts dynamic deny bypass rules. See Dynamic deny bypass rules.

You can configure three types of static bypass rules:

Source bypass rules configure the proxy to bypass a particular source IP address or range of IP addresses. For example, you can bypass clients that do not want to use caching.

Destination bypass rules configure the proxy to bypass a particular destination IP address or range of IP addresses. For example, you can bypass origin servers that use IP authentication based on the client's real IP address.


	Important Destination bypass rules prevent the proxy from caching an entire site. You will experience hit rate impacts if the site you bypass is popular.

Source/destination pair bypass rules configure the proxy to bypass requests that originate from the specified source to the specified destination. For example, you can route around specific client-server pairs that experience broken IP authentication or out-of-band HTTP traffic problems when cached. Source/destination bypass rules can be preferable to destination rules because they block a destination server only for users that experience problems.

Format

Bypass rules have the following format:

bypass src ipaddress | dst ipaddress | src ipaddress AND dst ipaddress

Option

Description

src ipaddress

Specifies the source (client) IP address in incoming requests that the proxy must bypass.

ipaddress can be one of the following:

A simple IP address, such as 123.45.67.8

In CIDR (Classless Inter-Domain Routing) format, such as 1.1.1.0/24

A range separated by a dash, such as 1.1.1.1-2.2.2.2

Any combination of the above, separated by commas, such as 1.1.1.0/24, 25.25.25.25, 123.1.23.1-123.1.23.123

dst ipaddress

Specifies the destination (origin server) IP address in incoming requests that the proxy must bypass.

ipaddress can be one of the following:

A simple IP address, such as 123.45.67.8

In CIDR (Classless Inter-Domain Routing) format, such as 1.1.1.0/24

A range separated by a dash, such as 1.1.1.1-2.2.2.2

Any combination of the above, separated by commas, such as 1.1.1.0/24, 25.25.25.25, 123.1.23.1-123.1.23.123

src ipaddress AND dst ipaddress

Specifies the source and destination IP address pair that the proxy must bypass.

ipaddress can be a single IP address, an IP address range, or a combination of both separated by commas

Dynamic deny bypass rules

In addition to static bypass rules, the bypass.config file also accepts dynamic deny bypass rules.

Deny bypass rules prevent the proxy from bypassing certain incoming client requests dynamically (a deny bypass rule can prevent the proxy from bypassing itself). Dynamic deny bypass rules can be source, destination, or source/destination and have the following format:

deny_dyn_bypass src ipaddress | dst ipaddress | src ipaddress AND dst ipaddress

For a description of the options, see the table in Format.

Note

For the dynamic deny bypass rules to work, you must either:

Enable the Dynamic Bypass option in the Content Gateway manager.

Set proxy.config.arm.bypass_dynamic_enabled to 1 in the records.config file.


	Important Static bypass rules overwrite dynamic deny bypass rules. Therefore, if a static bypass rule and a dynamic bypass rule contain the same IP address, the dynamic deny bypass rule is ignored.

Examples

The following example shows source, destination, and source/destination bypass rules:

bypass src 1.1.1.0/24, 25.25.25.25, 128.252.11.11-128.252.11.255

bypass dst 24.24.24.0/24

bypass src 25.25.25.25 AND dst 24.24.24.0

The following example shows source, destination, and source/destination dynamic deny bypass rules:

deny_dyn_bypass src 128.252.11.11-128.252.11.255

deny_dyn_bypass dst 111.111.11.1

deny_dyn_bypass src 111.11.11.1 AND dst 111.11.1.1