Polish default http_access lines ordering

There is no reason why manager access should be excluded from CONNECT and
Safe_ports security checks. Also, under the new design manager ACL is a
REGEX pattern test, which may be quite slow.

Overall there should be better performnce under certain DoS condtions
having the manager tests after the port tests, with no change under the
other more common traffic.

diff --git a/src/cf.data.pre b/src/cf.data.pre
index e38603b1b52ff5124d474471261db876ff2160f8..a8e9d43e3c27078f3707a03422cc29c9b091f1fc 100644 (file)
--- a/src/cf.data.pre
+++ b/src/cf.data.pre
@@ -1253,16 +1253,16 @@ NOCOMMENT_START
 #
 # Recommended minimum Access Permission configuration:
 #
-# Only allow cachemgr access from localhost
-http_access allow localhost manager
-http_access deny manager
-
 # Deny requests to certain unsafe ports
 http_access deny !Safe_ports
 
 # Deny CONNECT to other than secure SSL ports
 http_access deny CONNECT !SSL_ports
 
+# Only allow cachemgr access from localhost
+http_access allow localhost manager
+http_access deny manager
+
 # We strongly recommend the following be uncommented to protect innocent
 # web applications running on the proxy server who think the only
 # one who can access services on "localhost" is a local user