Finally.
Premature optimization is the root of all evil.
Never start new setups from your assumptions only. Set good enough starting values and monitor. Increase only if required.
And, please, don't think all performance problems can be solved with giant RAM.
It does not matter how big your RAM is. It's important how you use it.
Scaling is also done differently.
21.03.2018 19:08, Yuri wrote:
21.03.2018 14:55, FredB wrote:
Perhaps I should retry SMP, but unfortunately in the past I had many issues with it, and some features I'm using are still SMP-unaware.
Squid's SMP itself does not solve SSL Bump issues. It's about different things, and, IMHO, irrelevant to your load profile.
I'm thinking about that, because the single squid core is at 100% CPU.
I tried with 900MB and 50MB without more success; I also added sslflags=NO_DEFAULT_CA.
How many simultaneous users do you have? And bandwidth?
I'm using this right now; the number of processes used is much better now, but still an issue with CPU:
acl nobump dstdomain "/home/squid/domains"
http_port 8080 ssl-bump cert=/etc/squid/ca_orion/cert generate-host-certificates=on sslflags=NO_DEFAULT_CA dynamic_cert_mem_cache_size=500MB
sslcrtd_program /usr/lib/squid/ssl_crtd -s /usr/lib/squid/ssl_db -M 500MB
sslcrtd_children 1000 startup=100 idle=5
Still misconfiguration. Pay attention. You set
dynamic_cert_mem_cache_size=500MB
Again - why so much?
Do not think that a lot of RAM will not make anything worse.
For some unknown reason, you set dynamic_cert_mem_cache_size equal to the -M on-disk fs limit. It is enough to set dynamic_cert_mem_cache_size to 1/10-1/20 of the overall SSL db on-disk size.
And still too high an upper children limit. Just imagine how much RAM will be eaten by 1000 processes, each with its own heap.
It seems to me that in your case a good initial approximation will be:
sslcrtd_children 256 startup=100 idle=200
No more. Other changes should be made only based on performance stats and diagnostics.
sslproxy_capath /etc/ssl/certs/
sslproxy_foreign_intermediate_certs /etc/squid/ssl_certs/imtermediate.ca.pem
acl step1 at_step SslBump1
ssl_bump peek step1 all
ssl_bump splice nobump
ssl_bump bump all
Maybe there is a problem with memory, but as you can see here, CPU is the point:
top - 09:50:04 up 16:16, 1 user, load average: 1,72, 1,78, 1,39
Tasks: 393 total, 3 running, 390 sleeping, 0 stopped, 0 zombie
%Cpu(s): 8,4 us, 1,2 sy, 0,0 ni, 89,6 id, 0,3 wa, 0,0 hi, 0,5 si, 0,0 st
KiB Mem: 66086692 total, 28654240 used, 37432452 free, 2974568 buffers
KiB Swap: 1952764 total, 0 used, 1952764 free. 17653336 cached Mem
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
9803 squid 20 0 3913044 3,452g 13464 R 99,9 5,5 7:47.47 squid
10051 e2guard+ 20 0 0,122t 284392 5124 S 25,6 0,4 1:33.10 e2guardian
9804 squid 20 0 21956 5628 4420 S 7,3 0,0 0:48.93 ssl_crtd
9805 squid 20 0 21952 5672 4372 S 6,3 0,0 0:31.25 ssl_crtd
9806 squid 20 0 21952 5476 4252 S 2,7 0,0 0:19.10 ssl_crtd
9807 squid 20 0 21952 5616 4408 S 2,3 0,0 0:13.88 ssl_crtd
9808 squid 20 0 21952 5540 4332 S 2,3 0,0 0:10.59 ssl_crtd
9810 squid 20 0 21956 5536 4332 S 2,0 0,0 0:05.61 ssl_crtd
9809 squid 20 0 21952 5584 4372 S 1,7 0,0 0:07.40 ssl_crtd
9996 squid 20 0 25612 2924 2696 S 1,3 0,0 0:05.47 diskd
9995 squid 20 0 25612 2744 2516 S 1,0 0,0 0:04.41 diskd
9811 squid 20 0 21964 5588 4372 S 0,7 0,0 0:03.72 ssl_crtd
9813 squid 20 0 21848 5660 4464 S 0,7 0,0 0:01.96 ssl_crtd
Amos, is there a way to add the requested domain to a message like this?
2018/03/21 09:45:30| Error negotiating SSL on FD 1835: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2018/03/21 09:45:30| Error negotiating SSL on FD 4782: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
It can be very, very useful for analysis.
Thanks
FredB
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
--
"C++ seems like a language suitable for firing other people's legs."
*****************************
* C++20 : Bug to the future *
*****************************
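The "Error negotiating SSL" cache.log lines quoted above carry a file descriptor and an OpenSSL error, but no hostname, so the most that can be pulled out of them without additional Squid logging is a breakdown by error reason, by minute and by FD. The script below is an added example, not code from the thread or from Squid: it parses lines of the shape FredB pasted and flags minutes where "certificate verify failed" (OpenSSL reason code 14090086, the code in his paste) exceeds a threshold. The sample lines are constructed for the example (two are FredB's own, the rest are shaped like them), and the line format regex, the threshold and all function names are assumptions of this example.

```python
"""Triage helper for Squid cache.log "Error negotiating SSL" lines.

Added example, not part of the original thread or of Squid. It assumes the
cache.log line shape shown in the thread:

  YYYY/MM/DD HH:MM:SS| Error negotiating SSL on FD <n>: error:<hex>:<lib>:<func>:<reason> (a/b/c)
"""
import re
from collections import Counter

# OpenSSL 1.0.x reason code for "certificate verify failed", as seen in the thread.
VERIFY_FAILED = "14090086"

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\| "
    r"Error negotiating SSL on FD (?P<fd>\d+): "
    r"error:(?P<code>[0-9A-Fa-f]+):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>[^(]+?)"
    r"(?: \((?P<flags>[^)]*)\))?\s*$"
)

# Constructed sample input: the first two lines are FredB's, the others are
# made up in the same shape (one unrelated cache.log line is included on
# purpose to show that it is skipped).
SAMPLE_LINES = [
    "2018/03/21 09:45:30| Error negotiating SSL on FD 1835: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)",
    "2018/03/21 09:45:30| Error negotiating SSL on FD 4782: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)",
    "2018/03/21 09:45:31| Error negotiating SSL on FD 1835: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)",
    "2018/03/21 09:46:02| Error negotiating SSL on FD 2210: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (1/-1/0)",
    "2018/03/21 09:46:10| Error negotiating SSL on FD 1990: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)",
    "2018/03/21 09:46:11| helperOpenServers: Starting 5/1000 'ssl_crtd' processes",
]


def parse_line(line):
    """Return a dict with ts, fd, code, lib, func, reason, flags, minute; None if not an SSL error line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["fd"] = int(rec["fd"])
    rec["reason"] = rec["reason"].strip()
    rec["minute"] = rec["ts"][:16]  # "YYYY/MM/DD HH:MM" bucket
    return rec


def summarize(lines):
    """Aggregate SSL negotiation errors by (code, reason), by minute and by distinct FD."""
    by_reason = Counter()
    by_minute = Counter()
    fds = set()
    parsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parsed += 1
        by_reason[(rec["code"], rec["reason"])] += 1
        by_minute[rec["minute"]] += 1
        fds.add(rec["fd"])
    return {
        "parsed": parsed,
        "by_reason": by_reason,
        "by_minute": by_minute,
        "distinct_fds": len(fds),
    }


def verify_failures_per_minute(lines):
    """Count only 'certificate verify failed' (code 14090086) per minute bucket."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["code"] == VERIFY_FAILED:
            counts[rec["minute"]] += 1
    return counts


def spike_minutes(lines, threshold):
    """Minutes in which verify failures reached the (assumed) threshold, sorted."""
    return sorted(m for m, n in verify_failures_per_minute(lines).items() if n >= threshold)


if __name__ == "__main__":
    s = summarize(SAMPLE_LINES)
    print("parsed:", s["parsed"], "distinct FDs:", s["distinct_fds"])
    for (code, reason), n in s["by_reason"].most_common():
        print(f"  {code} {reason}: {n}")
    print("verify-failure spikes (threshold 3):", spike_minutes(SAMPLE_LINES, 3))
```

The useful signal is the shape of the counts rather than any single line: a burst of verify failures that starts right after a change to sslproxy_capath or the foreign-intermediate file points at the proxy's own trust configuration, while a steady trickle spread over time is more consistent with individual origin servers sending bad chains. The FD alone does not identify a site, so this script deliberately stops at per-FD and per-minute counts instead of guessing a hostname.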