CPU Load 100% after implementing SSL Bump ....

Sagar Malve <sagarmalve91@xxxxxxxxx> · Mon, 23 May 2016 11:57:31 +0530

Hi Team,

System Config:

Intel S2400SC2 MotherboardIntel Xeon ES 2407 V2 CPU
RAM 32 GB

http_port 3127
http_port 3128 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_certs/squid.crt key=/etc/squid/ssl_certs/squid.key options=NO_SSLv3 tls-dh=/etc/squid/dhparam.pem
sslproxy_capath /etc/ssl/certs

# FILTERING HTTPS
acl 1 dstdomain .fbcdn.net .akamaihd.net .fbsbx.com
#acl 2a dstdomain .mahadana.com .mql4.com .metaquotes.net
acl 2 url_regex -i ^https?:\/\/attachment\.fbsbx\.com\/.*\?(id=[0-9]*).*
acl 2 url_regex -i \.fbsbx\.com\/.*\/(.*\.(unity3d|pak|zip|exe|dll|jpg|png|gif|swf)/)$
acl 2 url_regex -i ^https?:\/\/.*\.ytimg\.com(.*\.(webp|jpg|gif))
acl 2 url_regex -i ^https?:\/\/([^\.]*)\.yimg\.com\/(.*)
acl 2 url_regex -i ^https?:\/\/.*\.gstatic\.com\/images\?q=tbn\:(.*)
acl 2 url_regex -i ^https?:\/\/.*\.reverbnation\.com\/.*\/(ec_stream_song|download_song_direct|stream_song)\/([0-9]*).*
acl 2 url_regex -i ^https?:\/\/([a-z0-9.]*)(\.doubleclick\.net|\.quantserve\.com|.exoclick\.com|interclick.\com|\.googlesyndication\.com|\.auditude\.com|.visiblemeasures\.com|yieldmanager|cpxinteractive)(.*)
acl 2 url_regex -i ^https?:\/\/(.*?)\/(ads)\?(.*?)
acl 2 url_regex -i ^https?:\/\/.*steampowered\.com\/.*\/([0-9]+\/(.*))
acl 3 url_regex -i ^https?:\/\/(.*?)\/speedtest\/.*\.(jpg|txt|png|gif|swf)\?.*
acl 3 url_regex -i speedtest\/.*\.(jpg|txt|png|gif|swf)\?.*
acl 4 url_regex -i reverbnation.*audio_player.*ec_stream_song.*$
acl 5 url_regex -i utm.gif.*
acl 6 url_regex -i c.android.clients.google.com.market.GetBinary.GetBinary.*
acl 7 url_regex -i youtube.*(ptracking|stream_204|player_204|gen_204).*$
acl 7 url_regex -i \.c\.(youtube|google)\.com\/(get_video|videoplayback|videoplay).*$
acl 7 url_regex -i (youtube|google).*\/videoplayback\?.*
acl 8 http_status 302
acl getmethod method GET

ssl_bump splice localhost
acl 9 at_step SslBump1
acl 10 at_step SslBump2
acl 11 at_step SslBump3
ssl_bump peek 9 all
ssl_bump bump 10 all
ssl_bump bump 11 all

----------------------------------------------------------------------------------------------

Is there any way where it can Cache SSL Certificate for all HTTPS Traffic ....
Because SSL Cert & Squid process were using 99% of CPU Load ....

We have approx 200 users ....

I have set the open file limit to 100000 

Could you please let us know if there is any way to Cache the HTTPS Request in Squid .....

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users