Search squid archive

Re: High CPU Usage with ssl_bump

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

I will put the splice explicitly and observe.

Without ssl_bump I never saw such cpu usage with squid.

However, lemme watch and also listen to feedback..


On 21 April 2016 at 16:34, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
On 22/04/2016 1:18 a.m., Odhiambo Washington wrote:
> Is is expected that  using ssl_bump results into high CPU usage all the
> time?
>

Encryption adds CPU overhead, but how much depends on what your normal
use was. I dont think any of us have a good rule-of-thumb or educated
guess yet because Squid code has been changing so much.

If its worrying you, I suggest trying your favourite profiling tools out
and see if anything useful shows up.


> This is squid-3.5.17
>
> That is what I am seeing:
>
> last pid: 26673;  load averages:  2.24,  2.00,  2.10
>
>               up 0+03:47:56  16:08:30
> 160 processes: 2 running, 157 sleeping, 1 zombie
> CPU: 86.1% user,  0.0% nice,  7.8% system,  3.3% interrupt,  2.7% idle
> Mem: 843M Active, 1942M Inact, 185M Wired, 43M Cache, 89M Buf, 97M Free
> Swap: 5900M Total, 1248K Used, 5899M Free
>
>   PID USERNAME       THR PRI NICE   SIZE    RES STATE   C   TIME    WCPU
> COMMAND
> 13309 squid           17  20    0   305M   264M uwait   0   7:38  80.86%
> squid
> 26088 squid            1  21    0 12812K  5352K sbwait  1   0:04   2.49%
> ssl_crtd
> 26090 squid            1  20    0 12812K  5272K sbwait  1   0:01   0.88%
> ssl_crtd
>
>
> My config has:
>
>
>
> acl no_ssl_interception ssl::server_name
> "/usr/local/etc/squid/ssl_bump_broken_sites.txt"
> ssl_bump splice no_ssl_interception
> ssl_bump peek step1
> ssl_bump stare step2
> #ssl_bump bump all
> #ssl_bump splice all
>
> I think I read somewhere that 'ssl_bump splice all" is the default
> behaviour, hence why I have commented it out. All I need is just become a
> TCP tunnel without decrypting proxied traffic.

I wouldn't rely on the default for things like this. Squid makes a
*guess* based on what data it has to work with on a per-connection
basis. There is no extra cost to having it configured, Squid has to
check the whole set anyway.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users



--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux