Re: SSLBump, system requirements ?

20.03.2018 23:10, Yuri wrote:
>
> 20.03.2018 23:03, FredB wrote:
>> Hi Yuri,
>>
>> 200 mbits, more or less 1000/2000 simultaneous users 
>>
>> I increase children value, because the limit is reached very quickly 
> Because SSL processing is too slow. Investigate why. Simply increasing the
> number of children exhausts your RAM.
>>> and only 100 MB on disk?
>> 100 MB by process, no ? I think I should reduce this value and rather increase the max of children
> No. This is overall fs limit to store.
Look at my relatively big server (Squid 5.0) config snippet:

https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/squid/etc/rootCA2.crt key=/usr/local/squid/etc/rootCA2.key tls-cafile=/usr/local/squid/etc/rootCA12.crt options=SINGLE_DH_USE:SINGLE_ECDH_USE tls-dh=secp384r1:/usr/local/squid/etc/dhparam.pem cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS tls-no-npn sslflags=NO_DEFAULT_CA:VERIFY_CRL_ALL
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/squid/etc/rootCA2.crt key=/usr/local/squid/etc/rootCA2.key tls-cafile=/usr/local/squid/etc/rootCA12.crt options=SINGLE_DH_USE:SINGLE_ECDH_USE tls-dh=secp384r1:/usr/local/squid/etc/dhparam.pem cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS tls-no-npn sslflags=NO_DEFAULT_CA:VERIFY_CRL_ALL
tls_outgoing_options cafile=/usr/local/squid/etc/ca-bundle.crt cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS

# Cert database on ramdisk
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /ramdisk1/ssl_db -M 1GB
sslcrtd_children 32 startup=10 idle=5

Pay attention - I've put SSL db on RAM disk. :)
>> Maybe such load is just impossible because I reached a limit with a single core 
> Hardly. SSL helper children should spread across cores by OS scheduler.
>> Perhaps I should retry SMP but unfortunately in the past I had many issues with, and some features I'm using still SMP-unaware 
> Squid's SMP itself does not solve SSL Bump issues. It's about different
> things, and, IMHO, irrelevant to your load profile.
>> _______________________________________________
>> squid-users mailing list
>> squid-users@xxxxxxxxxxxxxxxxxxxxx
>> http://lists.squid-cache.org/listinfo/squid-users

-- 
"C++ seems like a language suitable for firing other people's legs."

*****************************
* C++20 : Bug to the future *
*****************************
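
A certificate database kept on a RAM disk, as in the config above, is empty again after every reboot, and the certgen helpers will not start against an uninitialized directory. The script below is an added example, not part of the original post or of Squid itself: it re-creates the database before Squid starts, using the helper path, database path and -M size from the posted config. It assumes the RAM disk is already mounted and that an initialized database contains index.txt and certs/.

```shell
#!/bin/sh
# Added example, not from the original post. Paths and the -M size are the ones
# in the posted config; the database layout (index.txt, certs/) is an assumption.
CERTGEN=${CERTGEN:-/usr/local/squid/libexec/security_file_certgen}
SSL_DB=${SSL_DB:-/ramdisk1/ssl_db}
DB_SIZE=${DB_SIZE:-1GB}

# Convert a size such as 1GB or 10MB to KiB.
size_to_kb() {
    n=${1%[KMG]B}
    case $1 in
        *KB) echo "$n" ;;
        *MB) echo $((n * 1024)) ;;
        *GB) echo $((n * 1024 * 1024)) ;;
        *)   return 1 ;;
    esac
}

# Free space, in KiB, on the filesystem holding directory $1.
avail_kb() { df -Pk "$1" | awk 'NR==2 { print $4 }'; }

# True when $1 already looks like an initialized certificate database.
ssl_db_ready() { [ -f "$1/index.txt" ] && [ -d "$1/certs" ]; }

# Create the database if it is missing. Prints one status word.
ensure_ssl_db() {
    db=$1 size=$2
    if ssl_db_ready "$db"; then echo present; return 0; fi
    parent=$(dirname "$db")
    [ -d "$parent" ] || { echo missing-parent; return 1; }
    need=$(size_to_kb "$size") || { echo bad-size; return 1; }
    # -M caps the on-disk store, so the RAM disk must be able to hold it.
    [ "$(avail_kb "$parent")" -ge "$need" ] || { echo too-small; return 1; }
    # Only an empty leftover directory is removed before -c recreates it.
    if [ -d "$db" ]; then
        rmdir "$db" 2>/dev/null || { echo not-empty; return 1; }
    fi
    "$CERTGEN" -c -s "$db" -M "$size" >/dev/null || { echo init-failed; return 1; }
    echo created
}

# Run from the boot sequence, before Squid starts: sh this-script --run
if [ "${1:-}" = "--run" ]; then
    ensure_ssl_db "$SSL_DB" "$DB_SIZE"
fi
```

The database directory has to end up owned by the user the Squid helpers run as, so run the script as that user or chown the directory afterwards.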

