Adrian Chadd wrote:
ACLs are evaluated short-circuit. If you have this:

    acl clientA src 1.2.3.0/24
    acl clientB src 1.2.4.0/24
    acl youtube (expensive regexp)
    acl microsoft (expensive regexp)
    http_access deny clientA youtube
    http_access deny clientB microsoft

the http_access lines are evaluated in order from top to bottom, and stop being evaluated across each http_access line if one of the ACLs fails.

So the expensive youtube regexp ACL will only be processed by requests from clientA. Requests from clientB won't ever hit the youtube ACL lookup.

If you know how to craft ACLs then you can avoid almost all of the penalties.

Adrian

Adrian! Stop encouraging the regexp-addicts. :-) We're trying to wean them off the unnecessary use of slow ACLs, remember? ;)

Amos
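
Added example, not part of the original thread and not Squid's own code: a small Python model of the evaluation order described in the quoted post, counting which ACLs are actually tested for each request. The `url_regex` type, the regex patterns and the sample requests are constructed stand-ins for the post's "(expensive regexp)" entries, and Squid's default action when no line matches is not modelled.

```python
import ipaddress
import re
from collections import Counter

# Constructed config modelled on the post. The url_regex type and patterns
# are assumptions standing in for its "(expensive regexp)" entries.
CONFIG = r"""
acl clientA src 1.2.3.0/24
acl clientB src 1.2.4.0/24
acl youtube url_regex youtube\.example
acl microsoft url_regex microsoft\.example
http_access deny clientA youtube
http_access deny clientB microsoft
"""

def parse(config):
    """Split the config into named ACLs and ordered http_access rules."""
    acls, rules = {}, []
    for line in config.strip().splitlines():
        parts = line.split()
        if parts[0] == "acl":
            acls[parts[1]] = (parts[2], parts[3])
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def check(acls, rules, src, url):
    """Return (action, Counter of ACL tests performed) for one request."""
    tested = Counter()

    def match(name):
        tested[name] += 1
        kind, value = acls[name]
        if kind == "src":
            return ipaddress.ip_address(src) in ipaddress.ip_network(value)
        return re.search(value, url) is not None

    for action, names in rules:
        # all() over a generator stops at the first ACL that fails, so later
        # ACLs on the same line are never tested (short-circuit AND).
        if all(match(n) for n in names):
            return action, tested
    return None, tested  # Squid's default action is not modelled here

ACLS, RULES = parse(CONFIG)

if __name__ == "__main__":
    for src in ("1.2.3.9", "1.2.4.7", "10.0.0.1"):  # constructed requests
        action, tested = check(ACLS, RULES, src, "http://www.youtube.example/")
        print(src, action, dict(tested))
```

Putting the cheap `src` ACL first on each line is what keeps the regex counters at zero for clients the line does not apply to.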