------------------------------------------------------------ revno: 12523 revision-id: squid3@treenet.co.nz-20130402040431-dtmvsr1i7kjkhbl9 parent: squid3@treenet.co.nz-20130329055917-dob07pefoe06fd8t committer: Amos Jeffries branch nick: 3.3 timestamp: Mon 2013-04-01 22:04:31 -0600 message: Polish default http_access lines ordering There is no reason why manager access should be excluded from CONNECT and Safe_ports security checks. Also, under the new design manager ACL is a REGEX pattern test, which may be quite slow. Overall there should be better performance under certain DoS conditions having the manager tests after the port tests, with no change under the other more common traffic. ------------------------------------------------------------ # Bazaar merge directive format 2 (Bazaar 0.90) # revision_id: squid3@treenet.co.nz-20130402040431-dtmvsr1i7kjkhbl9 # target_branch: http://bzr.squid-cache.org/bzr/squid3/3.3 # testament_sha1: 3bd4e7443f643e516e022f7bacec74e5acf3bf31 # timestamp: 2013-04-02 04:10:51 +0000 # source_branch: http://bzr.squid-cache.org/bzr/squid3/3.3 # base_revision_id: squid3@treenet.co.nz-20130329055917-\ # dob07pefoe06fd8t # # Begin patch === modified file 'src/cf.data.pre' --- src/cf.data.pre 2013-02-14 09:13:10 +0000 +++ src/cf.data.pre 2013-04-02 04:04:31 +0000 @@ -1163,16 +1163,16 @@ # # Recommended minimum Access Permission configuration: # -# Only allow cachemgr access from localhost -http_access allow localhost manager -http_access deny manager - # Deny requests to certain unsafe ports http_access deny !Safe_ports # Deny CONNECT to other than secure SSL ports http_access deny CONNECT !SSL_ports +# Only allow cachemgr access from localhost +http_access allow localhost manager +http_access deny manager + # We strongly recommend the following be uncommented to protect innocent # web applications running on the proxy server who think the only # one who can access services on "localhost" is a local user
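Review bot: The relocated comment above `http_access allow localhost manager` still reads only "Only allow cachemgr access from localhost" and does not say that its new position below `http_access deny !Safe_ports` and `http_access deny CONNECT !SSL_ports` is deliberate. http_access rules are evaluated in order and the first match wins, so an administrator who later moves the manager pair back to the top restores the old behaviour, in which a localhost manager request was allowed before the port checks ran. Suggest extending that comment to say the two manager lines must stay after the port checks, which is the rationale the commit message gives but the shipped config text does not. A release-note line would also help, since a localhost manager request to a port outside Safe_ports is now denied where the previous ordering allowed it.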