
Re: SSLBump, system requirements ?


 



Forgot about:

My server is relatively modest (I just do not need more resources :))

Just 8 cores (Xeon 2.3 GHz), 16 Gb RAM, SAS HDD's 10k RPM (~300 Gb in RAID-10)  :)

Overall CPU usage is ~3% (with SSL Bump). And half of RAM is free :)


20.03.2018 23:14, Yuri wrote:

20.03.2018 23:10, Yuri wrote:
20.03.2018 23:03, FredB wrote:
Hi Yuri,

200 mbits, more or less 1000/2000 simultaneous users 

I increase children value, because the limit is reached very quickly 

Because SSL processing is too slow. Investigate why. Simply increasing the
number of children exhausts your RAM.

and only 100 MB on disk?

100 MB by process, no ? I think I should reduce this value and rather increase the max of children

No. This is the overall fs limit to store.
Look at my relatively big server (Squid 5.0) config snippet:

https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/squid/etc/rootCA2.crt key=/usr/local/squid/etc/rootCA2.key tls-cafile=/usr/local/squid/etc/rootCA12.crt options=SINGLE_DH_USE:SINGLE_ECDH_USE tls-dh=secp384r1:/usr/local/squid/etc/dhparam.pem cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS tls-no-npn sslflags=NO_DEFAULT_CA:VERIFY_CRL_ALL
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/squid/etc/rootCA2.crt key=/usr/local/squid/etc/rootCA2.key tls-cafile=/usr/local/squid/etc/rootCA12.crt options=SINGLE_DH_USE:SINGLE_ECDH_USE tls-dh=secp384r1:/usr/local/squid/etc/dhparam.pem cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS tls-no-npn sslflags=NO_DEFAULT_CA:VERIFY_CRL_ALL
tls_outgoing_options cafile=/usr/local/squid/etc/ca-bundle.crt cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS

# Cert database on ramdisk
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /ramdisk1/ssl_db -M 1GB
sslcrtd_children 32 startup=10 idle=5

Pay attention - I've put SSL db on RAM disk. :)

Maybe such load is just impossible because I reached a limit with a single core 

Hardly. SSL helper children should be spread across cores by the OS scheduler.

Perhaps I should retry SMP but unfortunately in the past I had many issues with it, and some features I'm using are still SMP-unaware 

Squid's SMP itself does not solve SSL Bump issues. It's about different
things and, IMHO, irrelevant to your load profile.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

    

-- 
"C++ seems like a language suitable for firing other people's legs."

*****************************
* C++20 : Bug to the future *
*****************************
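
Added example (not part of the thread and not Squid project code): a small Python check that reads the sizing values discussed above out of a squid.conf, reports whether the certificate DB path given with -s sits on tmpfs, and lists RC4/3DES tokens enabled on ssl-bump ports. The config text and the mounts excerpt are constructed samples, and the function names are hypothetical.

```python
import re
import shlex

# Constructed sample: a subset of the posted directives, backslash-continued.
SAMPLE_CONF = r"""
http_port 3128 ssl-bump generate-host-certificates=on \
    dynamic_cert_mem_cache_size=10MB cert=/usr/local/squid/etc/rootCA2.crt \
    cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /ramdisk1/ssl_db -M 1GB
sslcrtd_children 32 startup=10 idle=5
"""
# Constructed /proc/mounts excerpt (device, mount point, fs type, ...).
SAMPLE_MOUNTS = "/dev/sda1 / ext4 rw 0 0\ntmpfs /ramdisk1 tmpfs rw 0 0\n"
UNITS = {"KB": 2**10, "MB": 2**20, "GB": 2**30}
WEAK = {"RC4", "3DES"}  # RC4 is prohibited by RFC 7465; 3DES has a 64-bit block

def directives(conf):
    """Join backslash-continued lines, skip comments, yield token lists."""
    for line in re.sub(r"\\\n\s*", " ", conf).splitlines():
        if tokens := shlex.split(line, comments=True):
            yield tokens

def size_bytes(text):
    num, unit = re.fullmatch(r"(\d+)(KB|MB|GB)?", text, re.I).groups()
    return int(num) * UNITS.get((unit or "").upper(), 1)

def fs_type(path, mounts):
    """Filesystem type of the longest mount point that contains path."""
    hits = [(len(m), t) for _d, m, t in (l.split()[:3] for l in mounts.splitlines())
            if path == m or path.startswith(m.rstrip("/") + "/")]
    return max(hits)[1] if hits else None

def audit(conf, mounts):
    report = {"weak_ciphers": {}}
    for tok in directives(conf):
        opts = dict(t.split("=", 1) for t in tok[1:] if "=" in t)
        if tok[0] in ("http_port", "https_port") and "ssl-bump" in tok:
            enabled = WEAK.intersection(opts.get("cipher", "").split(":"))
            report["weak_ciphers"][tok[1]] = sorted(enabled)
        elif tok[0] == "sslcrtd_program":
            report["db_path"] = tok[tok.index("-s") + 1]
            report["db_fs"] = fs_type(report["db_path"], mounts)
            # Per the thread, -M limits the whole store, not each helper child.
            report["db_limit_bytes"] = size_bytes(tok[tok.index("-M") + 1])
        elif tok[0] == "sslcrtd_children":
            report["max_children"] = int(tok[1])
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_CONF, SAMPLE_MOUNTS))
```

On a live host, pass the contents of the real squid.conf and /proc/mounts instead of the two samples.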
