Re: High CPU Usage with ssl_bump

On 21 April 2016 at 16:48, Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
> On 04/21/2016 07:18 AM, Odhiambo Washington wrote:
> > Is it expected that using ssl_bump results in high CPU usage all the
> > time?
>
> Your question is impossible to answer in general: The CPU usage levels
> depend on the amount of Squid traffic, the portion of SSL traffic in the
> overall traffic mix, the portion of step1, step2, and step3 traffic in
> the SSL traffic mix, hardware resources available to Squid, the number
> of Squid workers, and many other factors.
>
> > acl no_ssl_interception ssl::server_name ...
> > ssl_bump splice no_ssl_interception
> > ssl_bump peek step1
> > ssl_bump stare step2
>
> The above config continues to violate the specific advice given to you
> previously: Do not mix "peek" and "stare" unless you have a very
> specific need for doing so.


I have noted that instruction. It was actually an oversight caused by slow understanding of the terminology.
Once I changed to what you advised before, the CPU usage went down considerably:


acl no_ssl_interception ssl::server_name "/usr/local/etc/squid/ssl_bump_broken_sites.txt"
ssl_bump splice no_ssl_interception 
ssl_bump stare step2
#ssl_bump bump all
ssl_bump splice all

So basically I should just have two options, I think, no?? Like

ssl_bump stare step2
ssl_bump splice all

If one day, for some reason I want to bump, then I could change to:

acl no_ssl_interception ssl::server_name "/usr/local/etc/squid/ssl_bump_broken_sites.txt"
ssl_bump splice no_ssl_interception
ssl_bump stare step2
ssl_bump bump all


Thank you so much Alex.


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
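
Added example (not part of the original thread and not Squid project code): a small Python check that applies the advice quoted above by flagging a configuration whose active ssl_bump rules use both "peek" and "stare". The two sample configurations are constructed from the rule sets quoted in the message, and the function names are hypothetical.

```python
# Constructed sample: the rule set that drew the "do not mix" reply.
# The "..." in the acl line is elided in the thread and is kept as-is.
MIXED = """\
acl no_ssl_interception ssl::server_name ...
ssl_bump splice no_ssl_interception
ssl_bump peek step1
ssl_bump stare step2
"""

# Constructed sample: the revised rule set, including the commented-out line.
REVISED = """\
acl no_ssl_interception ssl::server_name "/usr/local/etc/squid/ssl_bump_broken_sites.txt"
ssl_bump splice no_ssl_interception
ssl_bump stare step2
#ssl_bump bump all
ssl_bump splice all
"""


def ssl_bump_rules(conf_text):
    """Return [(line_no, action, [acl, ...])] for every active ssl_bump line."""
    rules = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        fields = raw.split()
        # Commented-out rules start with "#" or "#ssl_bump", so the first
        # field is never exactly "ssl_bump" and they are skipped here.
        if len(fields) >= 2 and fields[0] == "ssl_bump":
            rules.append((line_no, fields[1].lower(), fields[2:]))
    return rules


def mixes_peek_and_stare(conf_text):
    """Return the line numbers of peek/stare rules when both actions occur."""
    rules = ssl_bump_rules(conf_text)
    actions = {action for _, action, _ in rules}
    if {"peek", "stare"} <= actions:
        return [no for no, action, _ in rules if action in ("peek", "stare")]
    return []


if __name__ == "__main__":
    for name, conf in (("MIXED", MIXED), ("REVISED", REVISED)):
        hits = mixes_peek_and_stare(conf)
        if hits:
            print(f"{name}: peek and stare both used, see lines {hits}")
        else:
            print(f"{name}: no peek/stare mix")
```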
