Polish default http_access lines ordering

There is no reason why manager access should be excluded from CONNECT and
Safe_ports security checks. Also, under the new design manager ACL is a
REGEX pattern test, which may be quite slow.

Overall there should be better performnce under certain DoS condtions
having the manager tests after the port tests, with no change under the
other more common traffic.

diff --git a/src/cf.data.pre b/src/cf.data.pre
index f9e1976fa3ac56838dd34f8cf8586deb9bd43756..7badbc7128a44bda617889365181bf07abcc00e0 100644 (file)
--- a/src/cf.data.pre
+++ b/src/cf.data.pre
@@ -1163,16 +1163,16 @@ NOCOMMENT_START
 #
 # Recommended minimum Access Permission configuration:
 #
-# Only allow cachemgr access from localhost
-http_access allow localhost manager
-http_access deny manager
-
 # Deny requests to certain unsafe ports
 http_access deny !Safe_ports
 
 # Deny CONNECT to other than secure SSL ports
 http_access deny CONNECT !SSL_ports
 
+# Only allow cachemgr access from localhost
+http_access allow localhost manager
+http_access deny manager
+
 # We strongly recommend the following be uncommented to protect innocent
 # web applications running on the proxy server who think the only
 # one who can access services on "localhost" is a local user