=== modified file 'src/ClientRequestContext.h' --- src/ClientRequestContext.h 2009-07-13 01:20:26 +0000 +++ src/ClientRequestContext.h 2010-01-20 02:07:17 +0000 @@ -26,6 +26,7 @@ bool httpStateIsValid(); void clientAccessCheck(); + void clientAccessCheck2(); void clientAccessCheckDone(int answer); void clientRedirectStart(); void clientRedirectDone(char *result); @@ -42,11 +43,10 @@ int redirect_state; bool http_access_done; + bool http_access2_done; #if USE_ADAPTATION - bool adaptation_acl_check_done; #endif - bool redirect_done; bool no_cache_done; bool interpreted_req_hdrs; === modified file 'src/cf.data.depend' --- src/cf.data.depend 2009-12-16 03:46:59 +0000 +++ src/cf.data.depend 2010-01-20 02:03:45 +0000 @@ -22,7 +22,7 @@ HelperChildConfig hostdomain cache_peer hostdomaintype cache_peer -http_header_access +http_header_access acl http_header_replace http_port_list https_port_list === modified file 'src/cf.data.pre' --- src/cf.data.pre 2010-01-02 04:32:46 +0000 +++ src/cf.data.pre 2010-01-20 02:03:13 +0000 @@ -922,6 +922,18 @@ NOCOMMENT_END DOC_END +NAME: http_access2 +TYPE: acl_access +LOC: Config.accessList.http2 +DEFAULT: none +DOC_START + Allowing or Denying access based on defined access lists + + Essentially identical to http_access, but runs after redirectors + and ICAP/eCAP adatpation. + If not set then only http_access is used. +DOC_END + NAME: http_reply_access TYPE: acl_access LOC: Config.accessList.reply === modified file 'src/client_side_request.cc' --- src/client_side_request.cc 2009-12-11 23:37:30 +0000 +++ src/client_side_request.cc 2010-01-20 02:01:22 +0000 
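Review bot: The new flag `http_access2_done` (second hunk of src/ClientRequestContext.h) is not initialised anywhere in this diff; no constructor change is shown. The gate added to the callout sequence in src/client_side_request.cc, `if (!calloutContext->http_access2_done)`, decides whether the post-adaptation access check runs at all, so an indeterminate value could silently skip it. If the ClientRequestContext constructor assigns the sibling flags such as `http_access_done` explicitly, add `http_access2_done = false;` beside them. The constructor and the allocation path are outside this diff, so this needs confirming against the full file.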
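Review bot: The DOC text for `http_access2` in src/cf.data.pre does not say what happens to a request that matches no `http_access2` line, and "adatpation" should read "adaptation". If this list is evaluated like `http_access`, as "Essentially identical" suggests, a list holding only `allow` lines would deny every other request. The comment on `clientAccessCheck2()` in src/client_side_request.cc nevertheless says "The default here is to allow all", which the visible code only guarantees on the branch where the directive is unset. I would add a DOC line such as `If set, a request matching no line gets the opposite of the last line's action, as with http_access.` and narrow the code comment to `When http_access2 is not configured the request is allowed.`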
@@ -525,6 +525,23 @@ } } +/** + * Identical in operation to clientAccessCheck() but performed later using different configured ACL list. + * The default here is to allow all. Since the earlier http_access should do a default deny all. + * This check is just for a last-minute denial based on adapted request headers. + */ +void +ClientRequestContext::clientAccessCheck2() +{ + if (Config.accessList.http2) { + acl_checklist = clientAclChecklistCreate(Config.accessList.http2, http); + acl_checklist->nonBlockingCheck(clientAccessCheckDoneWrapper, this); + } else { + debugs(85, 2, HERE << "No http_access2 configuration."); + clientAccessCheckDone(ACCESS_ALLOWED); + } +} + void clientAccessCheckDoneWrapper(int answer, void *data) { @@ -1283,6 +1300,13 @@ } } + if (!calloutContext->http_access2_done) { + debugs(83, 3, HERE << "Doing calloutContext->clientAccessCheck2()"); + calloutContext->http_access2_done = true; + calloutContext->clientAccessCheck2(); + return; + } + if (!calloutContext->interpreted_req_hdrs) { debugs(83, 3, HERE << "Doing clientInterpretRequestHeaders()"); calloutContext->interpreted_req_hdrs = 1; === modified file 'src/structs.h' --- src/structs.h 2010-01-02 04:32:46 +0000 +++ src/structs.h 2010-01-20 02:04:46 +0000 @@ -459,6 +459,7 @@ struct { acl_access *http; + acl_access *http2; acl_access *icp; acl_access *miss; acl_access *NeverDirect;
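Review bot: `clientAccessCheck2()` passes its result to the same `clientAccessCheckDoneWrapper` / `clientAccessCheckDone()` path as the first check. A denial from `http_access2` may therefore be indistinguishable from an `http_access` denial in whatever that handler logs or returns to the client. The handler body is outside this hunk, so this is inferred from the call alone. Only the unconfigured branch emits a debug line today; adding `debugs(85, 2, HERE << "Checking http_access2 on adapted request.");` before `nonBlockingCheck()` would let an operator tell from the log which list was being evaluated when a request was blocked after adaptation.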