From baa3ea7e7304ff25af0fe3b4c28212fc254d3d82 Mon Sep 17 00:00:00 2001 From: Amos Jeffries Date: Sat, 30 Mar 2013 03:47:23 -0600 Subject: [PATCH] Polish default http_access lines ordering There is no reason why manager access should be excluded from CONNECT and Safe_ports security checks. Also, under the new design manager ACL is a REGEX pattern test, which may be quite slow. Overall there should be better performance under certain DoS conditions having the manager tests after the port tests, with no change under the other more common traffic. --- src/cf.data.pre | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/cf.data.pre b/src/cf.data.pre index e38603b1b5..a8e9d43e3c 100644 --- a/src/cf.data.pre +++ b/src/cf.data.pre @@ -1253,16 +1253,16 @@ NOCOMMENT_START # # Recommended minimum Access Permission configuration: # -# Only allow cachemgr access from localhost -http_access allow localhost manager -http_access deny manager - # Deny requests to certain unsafe ports http_access deny !Safe_ports # Deny CONNECT to other than secure SSL ports http_access deny CONNECT !SSL_ports +# Only allow cachemgr access from localhost +http_access allow localhost manager +http_access deny manager + # We strongly recommend the following be uncommented to protect innocent # web applications running on the proxy server who think the only # one who can access services on "localhost" is a local user -- 2.47.3
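Review bot: The re-added block (the three + lines starting "# Only allow cachemgr access from localhost") carries the same comment as before, so the ordering dependency this patch creates is documented only in the commit message and not in the shipped default config. http_access rules are evaluated top to bottom with first match winning, so an administrator who later moves "http_access allow localhost manager" back above "http_access deny !Safe_ports" and "http_access deny CONNECT !SSL_ports" silently restores the bypass of both port checks for manager requests from localhost, and puts the regex-based manager ACL back in front of the cheap port tests. Suggest extending the comment to say that the manager rules must stay below the Safe_ports and CONNECT denies, and why. It is also worth a release-note line that a manager request from localhost to a port outside Safe_ports, or via CONNECT to a port outside SSL_ports, is now denied before the allow rule is reached, since existing monitoring that relied on the old order will start seeing denials.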