20.03.2018 21:30, FredB wrote:
> Hi all,
>
> I'm testing SSLBump and Squid eats up all my CPU, maybe I made something wrong or maybe some updates are required? Any advice would be greatly appreciated.
>
> Debian 8.10 64 bits, Squid 3.5.27 + 64 Go ram + SSD + 15 Cores Xeon(R) CPU E5-2637 v2 @ 3.50GHz

Big box. How many users and how much traffic?

>
> FI, I don't see anything about limit reached in kern.log (File descriptor or network)
>
> acl nobump dstdomain "/home/squid/domains" -> Some very used websites (google, fb, etc) otherwise the system dies after less 1 minute
> http_port 3128 ssl-bump cert=/etc/squid/ca_orion/cert generate-host-certificates=on dynamic_cert_mem_cache_size=500MB
> sslcrtd_program /usr/lib/squid/ssl_crtd -s /usr/lib/squid/ssl_db -M 100MB

Unbalanced config. dynamic_cert_mem_cache_size=500MB and only 100 MB on disk?

sslcrtd_program /usr/lib/squid/ssl_crtd -s /usr/lib/squid/ssl_db -M 100MB

> sslcrtd_children 2000 startup=100 idle=20

Why so many children? Again - for what workload?

> sslproxy_capath /etc/ssl/certs/
> sslproxy_foreign_intermediate_certs /etc/squid/ssl_certs/imtermediate.ca.pem
> acl step1 at_step SslBump1
> ssl_bump peek step1 all
> ssl_bump splice nobump
> ssl_bump bump all
>
> The sslcrtd_children increases quickly and permanently
>
> root@proxyorion5:/tmp# ps -edf | grep ssl | wc -l
> 1321
> root@proxyorion5:/tmp# ps -edf | grep ssl | wc -l
> 1341
> root@proxyorion5:/tmp# ps -edf | grep ssl | wc -l
> 1341
> root@proxyorion5:/tmp# ps -edf | grep ssl_crt | wc -l
> 1380
> root@proxyorion5:/tmp# ps -edf | grep ssl_crt | wc -l
> 1381
> root@proxyorion5:/tmp# ps -edf | grep ssl_crt | wc -l
> 1382
> root@proxyorion5:/tmp# ps -edf | grep ssl_crt | wc -l
> 1395
>
> Of course after a while 2000 is reached and the system becomes completely mad, but I already tried 200, 500, 1000, etc
>
> Right after squid start CPU and load average values are very, very, high
>
> top - 16:06:17 up 13 days, 2:46, 3 users, load average: 102,02, 56,67, 30,75
> Tasks: 1964 total, 3 running, 1961 sleeping, 0 stopped, 0 zombie
> %Cpu(s): 15,3 us, 3,7 sy, 0,0 ni, 80,2 id, 0,4 wa, 0,0 hi, 0,4 si, 0,0 st
> KiB Mem: 66086692 total, 52378248 used, 13708444 free, 2899764 buffers
> KiB Swap: 1952764 total, 0 used, 1952764 free. 32798948 cached Mem
>
> PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
> 23711 squid 20 0 3438832 2,976g 13784 R 100,0 4,7 6:01.02 squid
> 23724 squid 20 0 24868 8552 4340 S 3,6 0,0 0:02.46 ssl_crtd
> 23712 squid 20 0 25132 8896 4428 R 3,0 0,0 0:02.62 ssl_crtd
> 23714 squid 20 0 24868 8556 4344 S 2,3 0,0 0:02.43 ssl_crtd
> 23716 squid 20 0 24868 8636 4428 S 2,3 0,0 0:02.26 ssl_crtd
> 23720 squid 20 0 24868 8612 4400 S 2,3 0,0 0:02.58 ssl_crtd
> 23771 squid 20 0 24868 8580 4368 S 2,0 0,0 0:01.86 ssl_crtd
> 23780 squid 20 0 24872 8484 4268 S 2,0 0,0 0:01.86 ssl_crtd
> 23787 squid 20 0 24868 8612 4404 S 2,0 0,0 0:01.92 ssl_crtd

.... which means some bottlenecks. Obviously.

>
>
> The same system without SSLBump and e2guardian (web filtering) added (I tried without more or less 10% CPU )
>
> Tasks: 304 total, 2 running, 302 sleeping, 0 stopped, 0 zombie
> %Cpu(s): 2,0 us, 1,1 sy, 0,0 ni, 95,9 id, 0,1 wa, 0,0 hi, 0,9 si, 0,0 st
> KiB Mem: 66086700 total, 65627952 used, 458748 free, 2652264 buffers
> KiB Swap: 1952764 total, 20884 used, 1931880 free. 32639208 cached Mem
>
> PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
> 20389 e2guard+ 20 0 0,122t 1,133g 6144 S 28,6 1,8 191:06.50 e2guardian
> 20283 squid 20 0 21,761g 0,021t 8128 R 24,2 34,0 145:00.09 squid
> 101 root 20 0 0 0 0 S 1,3 0,0 19:05.09 kswapd1
> 100 root 20 0 0 0 0 S 1,0 0,0 22:41.82 kswapd0
> 8 root 20 0 0 0 0 S 0,7 0,0 68:49.48 rcu_sched
> 24 root 20 0 0 0 0 S 0,3 0,0 8:37.14 ksoftirqd/3
> 65 root 20 0 0 0 0 S 0,3 0,0 8:05.02 ksoftirqd/11
> 929 root 20 0 71928 6984 4716 S 0,3 0,0 17:53.57 syslog-ng
> 8069 root 20 0 0 0 0 S 0,3 0,0 0:22.35 kworker/0:0
> 16624 root 20 0 25868 3236 2592 R 0,3 0,0 0:00.19 top
> 20291 squid 20 0 59504 5228 4568 S 0,3 0,0 0:03.41 digest_
>
> FredB
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users

--
"C++ seems like a language suitable for firing other people's legs."

*****************************
* C++20 : Bug to the future *
*****************************
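The two imbalances raised in the reply (a certificate memory cache larger than the ssl_crtd disk database, and a very high sslcrtd_children limit) can be checked mechanically against a squid.conf. This is an added example, not part of the original thread or of Squid; the function names and the `helpers_per_core` threshold are assumptions made for illustration, not Squid guidance.

```python
import re
import shlex

# Constructed sample: the three directives quoted in the thread.
SAMPLE_CONF = """\
http_port 3128 ssl-bump cert=/etc/squid/ca_orion/cert generate-host-certificates=on dynamic_cert_mem_cache_size=500MB
sslcrtd_program /usr/lib/squid/ssl_crtd -s /usr/lib/squid/ssl_db -M 100MB
sslcrtd_children 2000 startup=100 idle=20
"""
UNITS = {"": 1, "KB": 1 << 10, "MB": 1 << 20, "GB": 1 << 30}

def to_bytes(text):
    """Convert a size such as '500MB' to bytes."""
    m = re.fullmatch(r"(\d+)\s*(KB|MB|GB)?", text.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(m.group(1)) * UNITS[(m.group(2) or "").upper()]

def parse(conf):
    """Pull the certificate-helper sizing values out of squid.conf text."""
    found = {}
    for line in conf.splitlines():
        tokens = shlex.split(line, comments=True)
        if not tokens:
            continue
        name, args = tokens[0], tokens[1:]
        if name == "http_port":
            for arg in args:
                if arg.startswith("dynamic_cert_mem_cache_size="):
                    found["mem_cache"] = to_bytes(arg.split("=", 1)[1])
        elif name == "sslcrtd_program" and "-M" in args[:-1]:
            found["disk_db"] = to_bytes(args[args.index("-M") + 1])
        elif name == "sslcrtd_children" and args:
            found["children_max"] = int(args[0])
    return found

def review(conf, cores, helpers_per_core=4):
    """Return notes for the two imbalances raised in the reply.
    helpers_per_core is a hypothetical threshold, not a Squid recommendation."""
    s, notes = parse(conf), []
    if s.get("mem_cache", 0) > s.get("disk_db", float("inf")):
        notes.append(f"memory cert cache ({s['mem_cache']} B) exceeds "
                     f"ssl_crtd disk db ({s['disk_db']} B)")
    if s.get("children_max", 0) > cores * helpers_per_core:
        notes.append(f"sslcrtd_children max {s['children_max']} is far above "
                     f"{cores} cores x {helpers_per_core}")
    return notes

if __name__ == "__main__":
    for note in review(SAMPLE_CONF, cores=15):  # 15 cores, as stated in the post
        print("WARN:", note)
```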