
Re: Huge memory required for squid 3.5

Hi,

I have the same issue as Nil. I have set NO_DEFAULT_CA and also did "generate-host-certificates=off". I see with these changes it takes more time to reach 2GB, but it does reach there (in about 6 hours for me with peak usage).

These were my settings. 

https_port 192.168.0.10:3129 generate-host-certificates=off dynamic_cert_mem_cache_size=4MB cert=/etc/squid/myserver.pem intercept ssl-bump sslflags=NO_DEFAULT_CA
https_port 192.168.0.10:3128 generate-host-certificates=off dynamic_cert_mem_cache_size=4MB cert=/etc/squid/myserver.pem intercept ssl-bump sslflags=NO_DEFAULT_CA

I did a 10-minute test to compare the behaviour in Squid 3.3 and Squid 3.5. My test scenario was kept exactly the same except for the following diff in Squid 3.5.

acl exceptions ssl::server_name_regex "/etc/squid/exception_list.txt"
acl step1 at_step SslBump1
acl step2 at_step SslBump2
ssl_bump peek step1 all !exceptions
ssl_bump splice step2 !exceptions

Here are the results after 10 mins:

1. When I didn't use NO_DEFAULT_CA and generate-host-certificates=on

Squid 3.3 = 550MB
Squid 3.5 = 1.1GB

2. When I use NO_DEFAULT_CA and generate-host-certificates=off

Squid 3.3 = 402MB
Squid 3.5 = 560MB

So it looks like Squid 3.5 has higher mem usage than 3.3 in both cases, which makes me wonder: is it that more CAs are being loaded into cache in 3.5?

Also, are there any more changes I can make to my config to arrest the memory growth to 2GB in 3.5 in my production system? I have only 4GB RAM.


Thanks and Regards,
Davis

On Wed, Apr 26, 2017 at 8:38 AM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
On 26/04/17 10:53, Yuri Voinov wrote:
Ok, but how NO_DEFAULT_CA should help with this?

It prevents OpenSSL copying that 1MB into each incoming client connection's memory. The CAs are only useful there when you have some of the global CAs as roots for client certificates, in which case you still only want to trust the roots you paid for service and not all of them.

Just something to try if there are huge memory issues with TLS/SSL proxying. The default behaviour is fixed for Squid-4 with the config option changes. But due to being a major surprise for anyone already relying on global roots for client certs, it remains a problem in 3.5.


Amos

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
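The two settings the thread turns on, sslflags=NO_DEFAULT_CA and generate-host-certificates=off, are easy to miss on one of several https_port lines. The checker below is an added example written for this archive page; it is not Squid code and not something either poster ran. It parses http_port/https_port lines the way Squid tokenises them (bare words are flags, key=value pairs are options, sslflags is a comma-separated list) and reports, for every port that terminates TLS, whether the per-connection default CA bundle Amos describes is still being loaded and whether host certificates are still being generated. The embedded configuration is constructed from the lines in Davis's post with hypothetical addresses and an extra line to exercise the comma-separated case. The caveat from Amos's reply stands: NO_DEFAULT_CA also removes the public roots for client-certificate verification, so treat the first finding as a prompt to check whether that port validates client certs, not as an unconditional fix.

```python
"""Lint Squid http_port/https_port lines for the TLS memory settings
discussed in the thread (added example, not Squid's own tooling)."""
import re
from typing import Dict, List, Optional, Union

# Constructed sample fragment: modelled on the settings in the post, with
# hypothetical addresses and cert path. Line 3 shows comma-separated sslflags.
SAMPLE_CONF = """\
# intercept ports (constructed sample)
https_port 192.168.0.10:3129 generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/myserver.pem intercept ssl-bump
https_port 192.168.0.10:3128 generate-host-certificates=off dynamic_cert_mem_cache_size=4MB cert=/etc/squid/myserver.pem intercept ssl-bump sslflags=NO_DEFAULT_CA
http_port 3130 ssl-bump cert=/etc/squid/myserver.pem sslflags=NO_DEFAULT_CA,NO_SESSION_REUSE
http_port 3131
"""

PORT_RE = re.compile(r"^(https?_port)\s+(\S+)(.*)$")

Options = Dict[str, Union[str, bool]]


def parse_port_line(line: str) -> Optional[dict]:
    """Split an http_port/https_port directive into address and options.

    Squid treats 'key=value' tokens as options and bare tokens (intercept,
    ssl-bump, ...) as flags; flags are stored here with the value True.
    Returns None for any other directive.
    """
    match = PORT_RE.match(line.strip())
    if not match:
        return None
    directive, addr, rest = match.groups()
    options: Options = {}
    for token in rest.split():
        if "=" in token:
            key, value = token.split("=", 1)
            options[key] = value
        else:
            options[token] = True
    return {"directive": directive, "addr": addr, "options": options}


def terminates_tls(entry: dict) -> bool:
    """https_port always terminates TLS; http_port only with ssl-bump."""
    return entry["directive"] == "https_port" or "ssl-bump" in entry["options"]


def check_port(entry: dict) -> List[str]:
    """Return the memory-relevant findings for one port entry."""
    findings: List[str] = []
    if not terminates_tls(entry):
        return findings  # plain HTTP port: no OpenSSL context per connection
    opts = entry["options"]

    # sslflags is a comma-separated list, e.g. NO_DEFAULT_CA,NO_SESSION_REUSE
    flags = set(str(opts.get("sslflags", "")).split(","))
    if "NO_DEFAULT_CA" not in flags:
        findings.append(
            "sslflags lacks NO_DEFAULT_CA: the default CA bundle is loaded "
            "for each client connection (check client-cert needs first)"
        )

    # 'generate-host-certificates' with no value means on
    ghc = opts.get("generate-host-certificates")
    if ghc is True:
        ghc = "on"
    if ghc != "off":
        findings.append(
            f"generate-host-certificates={ghc or 'unset'}: mimicked server "
            "certs are generated and held in dynamic_cert_mem_cache_size"
        )
    return findings


def lint(conf_text: str) -> Dict[str, List[str]]:
    """Map each port address to its findings; an empty list means clean."""
    report: Dict[str, List[str]] = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        entry = parse_port_line(line)
        if entry is None:
            continue
        report[entry["addr"]] = check_port(entry)
    return report


if __name__ == "__main__":
    for addr, findings in lint(SAMPLE_CONF).items():
        status = "ok" if not findings else "; ".join(findings)
        print(f"{addr}: {status}")
```

Run it against a real squid.conf by replacing SAMPLE_CONF with the file contents; ports that only carry `intercept` without `ssl-bump` on `http_port` are reported clean, because they never build a TLS context. Both findings are only about memory: they say nothing about whether the ssl_bump peek/splice rules in the post are correct.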
