Adrian Chadd wrote:
> ACLs are evaluated short-circuit. If you have this:
>
> acl clientA src 1.2.3.0/24
> acl clientB src 1.2.4.0/24
> acl youtube (expensive regexp)
> acl microsoft (expensive regexp)
>
> http_access deny clientA youtube
> http_access deny clientB microsoft
>
> the http_access lines are evaluated in order from top to bottom, and stop being
> evaluated across each http_access line if one of the ACLs fails.
>
> So the expensive youtube regexp ACL will only be processed by requests from clientA.
> Requests from clientB won't ever hit the youtube ACL lookup.
>
> If you know how to craft ACLs then you can avoid almost all of the penalties.
>
> Adrian
Adrian! Stop encouraging the regexp-addicts. :-)
We're trying to wean them off the unnecessary use of slow ACL, remember? ;)
Amos
Received on Wed Dec 05 2007 - 01:46:37 MST
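
An added illustration, not part of the original thread and not Squid's own code: a small Python model of the evaluation order Adrian describes, counting how often each ACL is actually tested when the same rules are written with the src ACL first and with the regexp first. The regexp patterns and the four requests are constructed, and the fall-through default (the opposite of the last rule) is Squid's documented behaviour rather than something stated in the post.

```python
import ipaddress
import re
from collections import Counter

def src(name, cidr):
    net = ipaddress.ip_network(cidr)
    return name, lambda r: ipaddress.ip_address(r["src"]) in net

def url_regex(name, pattern):
    rx = re.compile(pattern, re.I)
    return name, lambda r: rx.search(r["url"]) is not None

def http_access(rules, req, calls):
    """Return the action of the first rule whose ACLs all match."""
    def hit(acl):
        name, test = acl
        calls[name] += 1  # count every ACL that is actually tested
        return test(req)
    for action, acls in rules:
        if all(hit(a) for a in acls):  # all() stops at the first miss
            return action
    # No rule matched: default is the opposite of the last rule's action.
    return "allow" if rules[-1][0] == "deny" else "deny"

# Constructed patterns standing in for the "(expensive regexp)" placeholders.
clientA = src("clientA", "1.2.3.0/24")
clientB = src("clientB", "1.2.4.0/24")
youtube = url_regex("youtube", r"^https?://([^/]+\.)?youtube\.com/")
microsoft = url_regex("microsoft", r"^https?://([^/]+\.)?microsoft\.com/")

SRC_FIRST = [("deny", [clientA, youtube]), ("deny", [clientB, microsoft])]
REGEX_FIRST = [("deny", [youtube, clientA]), ("deny", [microsoft, clientB])]

# Constructed requests: client address and URL.
REQUESTS = [
    {"src": "1.2.3.10", "url": "http://www.youtube.com/watch"},
    {"src": "1.2.4.10", "url": "http://www.youtube.com/watch"},
    {"src": "1.2.4.10", "url": "http://www.microsoft.com/"},
    {"src": "9.9.9.9", "url": "http://example.org/"},
]

def run(rules):
    """Evaluate every sample request; return verdicts and per-ACL test counts."""
    calls = Counter()
    return [http_access(rules, r, calls) for r in REQUESTS], calls

if __name__ == "__main__":
    for label, rules in (("src first", SRC_FIRST), ("regex first", REGEX_FIRST)):
        print(label, *run(rules))
```

Both orderings give the same allow/deny verdicts; only the number of regexp tests differs, because the cheap src check filters requests before the regexp is reached.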