From 93d4da8778725894b75108655915ff76283a658f Mon Sep 17 00:00:00 2001 From: Amos Jeffries Date: Mon, 1 Apr 2013 22:04:31 -0600 Subject: [PATCH] Polish default http_access lines ordering There is no reason why manager access should be excluded from CONNECT and Safe_ports security checks. Also, under the new design manager ACL is a REGEX pattern test, which may be quite slow. Overall there should be better performance under certain DoS conditions having the manager tests after the port tests, with no change under the other more common traffic. --- src/cf.data.pre | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/cf.data.pre b/src/cf.data.pre index f9e1976fa3..7badbc7128 100644 --- a/src/cf.data.pre +++ b/src/cf.data.pre @@ -1163,16 +1163,16 @@ NOCOMMENT_START # # Recommended minimum Access Permission configuration: # -# Only allow cachemgr access from localhost -http_access allow localhost manager -http_access deny manager - # Deny requests to certain unsafe ports http_access deny !Safe_ports # Deny CONNECT to other than secure SSL ports http_access deny CONNECT !SSL_ports +# Only allow cachemgr access from localhost +http_access allow localhost manager +http_access deny manager + # We strongly recommend the following be uncommented to protect innocent # web applications running on the proxy server who think the only # one who can access services on "localhost" is a local user -- 2.47.2
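Review bot: The re-added comment `# Only allow cachemgr access from localhost` in the src/cf.data.pre hunk does not say that the manager rules are now deliberately placed after the port checks, and the new order changes behaviour in one case the commit message does not mention. With `http_access deny !Safe_ports` and `http_access deny CONNECT !SSL_ports` evaluated first, a manager request from localhost to a port outside Safe_ports, which the old order allowed through `http_access allow localhost manager`, is now denied. That matches the stated intent, but anyone carrying these defaults forward will see it as a change, so it deserves a line in the release notes. Suggest extending the comment above the manager rules to state that they must stay below the Safe_ports and CONNECT denies, so a later edit does not move them back to the top and reintroduce the bypass.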