
# HTTP Access

<figure><img src="/files/uGwGLzJ47nUlqBhCd8ZG" alt=""><figcaption></figcaption></figure>

The **HTTP Access** policy controls outbound HTTP/HTTPS access based on the policy's targeting and URL rules.

***

### How matching works (high level) <a href="#how-matching-works-high-level" id="how-matching-works-high-level"></a>

**URL filter** evaluation is based on the following:

* URL normalization (lowercasing, removal of the query string)
* Wildcard matching against patterns such as `https://*.example.com/*`
* Applies only to HttpAccess events

### Step by step: create an HTTP Access policy (via Advanced JSON) <a href="#step-by-step-create-an-http-access-policy-via-advanced-json" id="step-by-step-create-an-http-access-policy-via-advanced-json"></a>

{% stepper %}
{% step %}
Go to **Endpoint Privilege Manager** → **\[Policies]**

<figure><img src="/files/76efT9r41ge0s66CusTY" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}
Click the **\[Create Policy]** button

The policy creation modal opens.

<figure><img src="/files/YRXUJ3id1lKoxupSXUsm" alt="" width="375"><figcaption></figcaption></figure>
{% endstep %}

{% step %}
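**Define the policy attributes**

Give the new policy a suitable, descriptive name.

For the new policy, choose **any of the existing policy types** shown in the UI (this is only a template at creation time; the actual type is set in the JSON).

Choose a status. When first setting up a policy, **\[Monitor]** is recommended.

Click **\[Add Control]** to add one or more controls, and select the controls you want to include in the new policy.

Specify the user groups, machine collections, and application collections.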
{% endstep %}

{% step %}
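**Set the policy targeting**

In the UI, set the required **targeting** from collections, users, machines, applications, platforms, and so on. This determines which users, machines, applications, and so on the policy applies to.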
{% endstep %}

{% step %}
Open **Advanced Mode** (JSON view)

Click the **\[Advanced Mode]** link at the bottom left of the policy form to open it.

<figure><img src="/files/7o45Iddp95WM5caB0xs3" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}
**Set the policy type in JSON**

Set `PolicyType` to **`"HttpAccess"`**.
{% endstep %}

{% step %}
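**Configure the URL filter**

Specify the patterns in the URL filter field of the policy JSON (the key name varies by implementation, but evaluation follows the URL pattern and wildcard handling described here).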
{% endstep %}

{% step %}
**Save the policy**
{% endstep %}
{% endstepper %}

***

## Example JSON snippets <a href="#example-json-snippets" id="example-json-snippets"></a>

#### Example 1: Allow only specific domains (allowlist) <a href="#example-1-allow-only-specific-domains-allowlist" id="example-1-allow-only-specific-domains-allowlist"></a>

```
{
  "PolicyName": "HTTP Access - Allow Example Domains",
  "PolicyType": "HttpAccess",
  "PolicyId": "REPLACE_WITH_ID",
  "Status": "on",
  "Actions": {
    "OnSuccess": {
      "Controls": [
        "ALLOW"
      ]
    },
    "OnFailure": {
      "Command": ""
    }
  },
  "NotificationMessage": "HTTP access allowed by policy.",
  "NotificationRequiresAcknowledge": false,
  "RiskLevel": 25,
  "Operator": "And",
  "Rules": [
    {
      "RuleName": "UserCheck",
      "ErrorMessage": "This user is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckUser()"
    },
    {
      "RuleName": "MachineCheck",
      "ErrorMessage": "This Machine is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckMachine()"
    },
    {
      "RuleName": "ApplicationCheck",
      "ErrorMessage": "This application is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckFile(false)"
    }
  ],
  "UserCheck": [],
  "MachineCheck": [],
  "ApplicationCheck": [],
  "DayCheck": [],
  "DateCheck": [],
  "TimeCheck": [],
  "CertificationCheck": [],
  "Extension": {
    "UrlPatterns": [
      "https://example.com/*",
      "https://*.example.com/*",
      "https://login.microsoftonline.com/*"
    ],
    "Default": "DENY"
  }
}
```

**Intent:** Allow URLs that match and deny everything else (`Default: "DENY"`).

***

#### Example 2: Block specific domains (denylist) <a href="#example-2-block-specific-domains-denylist" id="example-2-block-specific-domains-denylist"></a>

```
{
  "PolicyName": "HTTP Access - Block Social Media",
  "PolicyType": "HttpAccess",
  "PolicyId": "REPLACE_WITH_ID",
  "Status": "on",
  "Actions": {
    "OnSuccess": {
      "Controls": [
        "DENY"
      ]
    },
    "OnFailure": {
      "Command": ""
    }
  },
  "NotificationMessage": "HTTP access blocked by policy.",
  "NotificationRequiresAcknowledge": false,
  "RiskLevel": 60,
  "Operator": "And",
  "Rules": [
    {
      "RuleName": "UserCheck",
      "ErrorMessage": "This user is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckUser()"
    },
    {
      "RuleName": "MachineCheck",
      "ErrorMessage": "This Machine is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckMachine()"
    }
  ],
  "UserCheck": [],
  "MachineCheck": [],
  "ApplicationCheck": [],
  "DayCheck": [],
  "DateCheck": [],
  "TimeCheck": [],
  "CertificationCheck": [],
  "Extension": {
    "UrlPatterns": [
      "https://*.social.example/*",
      "https://social.example/*",
      "https://*.facebook.com/*",
      "https://*.instagram.com/*",
      "https://*.tiktok.com/*"
    ],
    "MatchAction": "DENY"
  }
}
```

**Intent:** Deny when the URL matches any of the patterns.

***

#### Example 3: Block a domain only for a specific app (app-scoped) <a href="#example-3-block-a-domain-only-for-a-specific-app-app-scoped" id="example-3-block-a-domain-only-for-a-specific-app-app-scoped"></a>

```
{
  "PolicyName": "HTTP Access - Block Example.com in Browser Only",
  "PolicyType": "HttpAccess",
  "PolicyId": "REPLACE_WITH_ID",
  "Status": "on",
  "Actions": {
    "OnSuccess": {
      "Controls": [
        "DENY"
      ]
    },
    "OnFailure": {
      "Command": ""
    }
  },
  "NotificationMessage": "HTTP access blocked for this application.",
  "NotificationRequiresAcknowledge": false,
  "RiskLevel": 55,
  "Operator": "And",
  "Rules": [
    {
      "RuleName": "UserCheck",
      "ErrorMessage": "This user is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckUser()"
    },
    {
      "RuleName": "MachineCheck",
      "ErrorMessage": "This Machine is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckMachine()"
    },
    {
      "RuleName": "ApplicationCheck",
      "ErrorMessage": "This application is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckFile(false)"
    }
  ],
  "UserCheck": [],
  "MachineCheck": [],
  "ApplicationCheck": [],
  "DayCheck": [],
  "DateCheck": [],
  "TimeCheck": [],
  "CertificationCheck": [],
  "Extension": {
    "UrlPatterns": [
      "https://example.com/*",
      "https://*.example.com/*"
    ],
    "MatchAction": "DENY",
    "Notes": "Use ApplicationCheck targeting to scope enforcement to a specific browser/app."
  }
}
```

In this form, to scope enforcement to a specific application, use the existing `ApplicationCheck` targeting, as with other policies. HTTP URL matching is evaluated based on the `Extension.UrlPatterns` setting.

***

#### Example 4: Monitor-only HTTP access (no block, just notify) <a href="#example-4-monitor-only-http-access-no-block-just-notify" id="example-4-monitor-only-http-access-no-block-just-notify"></a>

Well suited to a phased rollout. When a URL matches a pattern, access is not blocked; only a notification is issued.

```
{
  "PolicyName": "HTTP Access - Monitor Sensitive Domains",
  "PolicyType": "HttpAccess",
  "PolicyId": "REPLACE_WITH_ID",
  "Status": "on",
  "Actions": {
    "OnSuccess": {
      "Controls": [
        "NOTIFY"
      ]
    },
    "OnFailure": {
      "Command": ""
    }
  },
  "NotificationMessage": "HTTP access to a monitored domain was detected.",
  "NotificationRequiresAcknowledge": false,
  "RiskLevel": 40,
  "Operator": "And",
  "Rules": [
    {
      "RuleName": "UserCheck",
      "ErrorMessage": "This user is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckUser()"
    },
    {
      "RuleName": "MachineCheck",
      "ErrorMessage": "This Machine is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckMachine()"
    }
  ],
  "UserCheck": [],
  "MachineCheck": [],
  "ApplicationCheck": [],
  "DayCheck": [],
  "DateCheck": [],
  "TimeCheck": [],
  "CertificationCheck": [],
  "Extension": {
    "UrlPatterns": [
      "https://*.bank.example/*",
      "https://*.payroll.example/*"
    ],
    "MatchAction": "NOTIFY"
  }
}
```

### Frequent quick drop-in edits <a href="#frequent-quick-drop-in-edits" id="frequent-quick-drop-in-edits"></a>

* `PolicyId`: keep the ID assigned by the console
* `Status`: `"on"` / `"off"` according to the rollout stage
* `UserCheck`, `MachineCheck`, `ApplicationCheck`: fill in with the same content as the targeting entries the console writes
* `Extension.UrlPatterns`: the URL patterns to allow or deny

### Validation tips <a href="#validation-tips" id="validation-tips"></a>

* Start by checking specific URLs, then widen the scope with wildcards
* Normalization drops the query string, so patterns generally should not include query parameters
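
The matching rules and validation tips above can be rehearsed offline before a policy is saved. The following is an added example, not Keeper's code: it assumes `*` matches any run of characters and that a match falls back to the `OnSuccess` control when `MatchAction` is absent, and the helper names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed Extension block, same shape as Example 1 on this page.
ALLOWLIST = {
    "UrlPatterns": [
        "https://example.com/*",
        "https://*.example.com/*",
        "https://login.microsoftonline.com/*",
    ],
    "Default": "DENY",
}

def normalize(url):
    """Lowercase the URL and drop the query string, as the page describes.
    The fragment is dropped too (assumption; it is never sent on the wire)."""
    parts = urlsplit(url.strip())
    return f"{parts.scheme}://{parts.netloc}{parts.path or '/'}".lower()

def pattern_to_regex(pattern):
    """Assumption: '*' matches any run of characters, the rest is literal."""
    literals = (re.escape(piece) for piece in pattern.lower().split("*"))
    return re.compile("^" + ".*".join(literals) + "$")

def evaluate(url, extension, on_match="ALLOW"):
    """Return (decision, matched_pattern) for one URL.
    on_match stands in for Actions.OnSuccess.Controls when the Extension
    block has no MatchAction (assumption about how the two fields relate)."""
    target = normalize(url)
    for pattern in extension["UrlPatterns"]:
        if pattern_to_regex(pattern).match(target):
            return extension.get("MatchAction", on_match), pattern
    return extension.get("Default", "NO_MATCH"), None

def patterns_with_query(extension):
    """Patterns containing '?' can never match a normalized URL."""
    return [p for p in extension["UrlPatterns"] if "?" in p]

if __name__ == "__main__":
    for url in ("https://Example.com/Login?next=/home",
                "https://api.example.com",
                "http://example.com/",
                "https://unlisted.example.net/"):
        print(url, "->", evaluate(url, ALLOWLIST))
```

Under these assumptions the subdomain pattern alone does not cover the apex domain, which is why the examples on this page list both `https://example.com/*` and `https://*.example.com/*`.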

