On 21/03/18 04:30, FredB wrote:
> Hi all,
>
> I'm testing SSLBump and Squid eats up all my CPU, maybe I made something
> wrong or maybe some updates are required ? Any advice would be greatly
> appreciated.

Not sure about CPU consumption. AFAIK that is related to traffic loading on the crypto library, mitigated by whether it is using hardware support for the intensive math parts.

>
> Debian 8.10 64 bits, Squid 3.5.27 + 64 Go ram + SSD + 15 Cores Xeon(R) CPU
> E5-2637 v2 @ 3.50GHz
> FI, I don't see anything about limit reached in kern.log (File descriptor or
> network)
>
> acl nobump dstdomain "/home/squid/domains" -> Some very used websites
> (google, fb, etc) otherwise the system dies after less 1 minute
> http_port 3128 ssl-bump cert=/etc/squid/ca_orion/cert
> generate-host-certificates=on dynamic_cert_mem_cache_size=500MB

Definitely use sslflags=NO_DEFAULT_CA to avoid memory bloat, whether that is your problem now or not.

> sslcrtd_program /usr/lib/squid/ssl_crtd -s /usr/lib/squid/ssl_db -M 100MB

FYI: 100MB x 2000 helpers is larger than your 64GB. Even just the 100 helpers being initialized on startup is a significant chunk out of memory.

> sslcrtd_children 2000 startup=100 idle=20
> sslproxy_capath /etc/ssl/certs/
> sslproxy_foreign_intermediate_certs /etc/squid/ssl_certs/imtermediate.ca.pem
> acl step1 at_step SslBump1
> ssl_bump peek step1 all
> ssl_bump splice nobump
> ssl_bump bump all
>
> The sslcrtd_children increases quickly and permanently
>
> root@proxyorion5:/tmp# ps -edf | grep ssl | wc -l
> 1321

...

> root@proxyorion5:/tmp# ps -edf | grep ssl_crt | wc -l
> 1395
>
> Of course after a while 2000 is reached and the system becomes completely
> mad, but I already tried 200, 500, 1000, etc
>

Can you tell how fast (or not) they are responding? If it is particularly slow you may benefit from the memory-only mode in the Squid-4 helper (or might not).

Amos