On 22/04/2016 1:18 a.m., Odhiambo Washington wrote: > Is is expected that using ssl_bump results into high CPU usage all the > time? > Encryption adds CPU overhead, but how much depends on what your normal use was. I dont think any of us have a good rule-of-thumb or educated guess yet because Squid code has been changing so much. If its worrying you, I suggest trying your favourite profiling tools out and see if anything useful shows up. > This is squid-3.5.17 > > That is what I am seeing: > > last pid: 26673; load averages: 2.24, 2.00, 2.10 > > up 0+03:47:56 16:08:30 > 160 processes: 2 running, 157 sleeping, 1 zombie > CPU: 86.1% user, 0.0% nice, 7.8% system, 3.3% interrupt, 2.7% idle > Mem: 843M Active, 1942M Inact, 185M Wired, 43M Cache, 89M Buf, 97M Free > Swap: 5900M Total, 1248K Used, 5899M Free > > PID USERNAME THR PRI NICE SIZE RES STATE C TIME WCPU > COMMAND > 13309 squid 17 20 0 305M 264M uwait 0 7:38 80.86% > squid > 26088 squid 1 21 0 12812K 5352K sbwait 1 0:04 2.49% > ssl_crtd > 26090 squid 1 20 0 12812K 5272K sbwait 1 0:01 0.88% > ssl_crtd > > > My config has: > > > > acl no_ssl_interception ssl::server_name > "/usr/local/etc/squid/ssl_bump_broken_sites.txt" > ssl_bump splice no_ssl_interception > ssl_bump peek step1 > ssl_bump stare step2 > #ssl_bump bump all > #ssl_bump splice all > > I think I read somewhere that 'ssl_bump splice all" is the default > behaviour, hence why I have commented it out. All I need is just become a > TCP tunnel without decrypting proxied traffic. I wouldn't rely on the default for things like this. Squid makes a *guess* based on what data it has to work with on a per-connection basis. There is no extra cost to having it configured, Squid has to check the whole set anyway. Amos _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
