Hi!

I've configured squid with ssl_bump and now the squid process (not the helpers) takes quite a load. There aren't too many clients on it (max 50). This is the config (ripped some acl to make it readable):

------------------------------------------------------
cache_mgr x@xxxxxxx
visible_hostname proxy.xxx.com
dns_v4_first on
authenticate_ip_ttl 1 hour
forward_max_tries 25

### negotiate kerberos and ntlm authentication
auth_param negotiate program /usr/local/bin/negotiate_wrapper --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=xxx --kerberos /usr/local/bin/squid_kerb_auth -s GSS_C_NO_NAME
auth_param negotiate children 50
auth_param negotiate keep_alive off

### pure ntlm authentication
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=xxx
auth_param ntlm children 50
auth_param ntlm keep_alive off

### provide basic authentication via ldap for clients not authenticated via kerberos/ntlm
auth_param basic program /usr/local/squid/libexec/basic_ldap_auth -v 3 -R -b "dc=xxx,dc=local" -D squid@xxx.local -W /etc/squid/ldappass.txt -f sAMAccountName=%s -h srv-dc1.xxx.local
auth_param basic children 50
auth_param basic realm Proxy xxx

### ldap group authorisation
external_acl_type memberof ttl=30 %LOGIN /usr/local/squid/libexec/ext_ldap_group_acl -v 3 -R -K -b "dc=xxx,dc=local" -D squid@xxx.local -W /etc/squid/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,ou=SQUID,ou=OU xxx,dc=xxx,dc=local))" -h srv-dc1.xxx.local

### acl for proxy auth and ldap authorizations
acl auth proxy_auth REQUIRED
# aclname acltype typename activedirectorygroup
acl InternetBloccato external memberof "/etc/squid/Internet_bloccato.txt"
... etc
acl bypass dstdomain somedomains
... etc

# ACL for Windows Update and Microsoft
acl windowsupdate dstdomain windowsupdate.microsoft.com
acl windowsupdate dstdomain .update.microsoft.com
acl windowsupdate dstdomain redir.metaservices.microsoft.com
acl windowsupdate dstdomain images.metaservices.microsoft.com
acl windowsupdate dstdomain c.microsoft.com
acl windowsupdate dstdomain wustat.windows.com
acl windowsupdate dstdomain crl.microsoft.com
acl windowsupdate dstdomain sls.microsoft.com
acl windowsupdate dstdomain .windowsupdate.com
acl windowsupdate dstdomain productactivation.one.microsoft.com
acl windowsupdate dstdomain ntservicepack.microsoft.com
acl windowsupdate dstdomain .delivery.mp.microsoft.com
----a lot more ACL----

# ACL to block by file extension
acl estensionibloccate urlpath_regex -i "/etc/squid/estensionibloccate.txt"

## Disable ssl interception for dropbox.com and hotmail.com (and localhost)
acl no_ssl_interception dstdomain somedomains
ssl_bump none localhost
ssl_bump none no_ssl_interception
ssl_bump stare
ssl_bump bump all

acl SSL_ports port 443
acl SSL_ports port 7071
acl SSL_ports port 10443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
acl wuCONNECT dstdomain www.update.microsoft.com

# Allow FTP
acl ftp proto FTP
acl ftp_port port 21

# ACL for the limits on Internet_limitato users
acl giorni time T W F

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
ftp_epsv off
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow ftp_port CONNECT
http_access allow ftp
http_access allow CONNECT wuCONNECT
http_access allow windowsupdate
---- a lot more ACL ----
# DO NOT REMOVE THE FOLLOWING LINE
http_access deny all

### logging
logformat useragent %>a [%tl] "%{User-Agent}>h"
# don't log allowedsites, prioritysites, AnonymousAccess
access_log /var/log/squid/access.log logformat=squid #!allowedsites !prioritysites !AnonymousAccess
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
cache_swap_log /var/log/squid/swap.log
logfile_rotate 10

# Squid normally listens to port 3128
#http_port 8080
http_port 8080 ssl-bump cert=/etc/squid/proxy.xxx.local.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB options=NO_SSLv3,NO_SSLv2 s$

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

# maximum_object_size 3000 KB

#Antivirus ClamAV
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Authenticated-User
icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_resp allow all
------------------------------------------------------

The content of the "/etc/squid/estensionibloccate.txt" file is:

------------------------------------------------------
\.exe(\?.*)?$
\.com(\?.*)?$
\.scr(\?.*)?$
\.cmd(\?.*)?$
\.bat(\?.*)?$
\.vbs(\?.*)?$
------------------------------------------------------

Locked for only some users via ACL; the acl is placed at the end, so that only a few users hit this acl.

I've already increased the number of vCPUs for the machine, but the only process that I see eating CPU is squid; the helpers aren't eating a lot. I only sometimes see the clamav service going high on usage, but I think that's normal.

Is there something that I missed or could optimize in the config, or does sslbump simply require a lot of resources?

Thanks!

--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
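Added example (not from the post above, and not code from the Squid project): a small Python checker that reads a squid.conf of the shape posted, tells you for a list of hostnames which ssl_bump action the first matching rule selects at SslBump step 1, pulls the ssl-bump options off the http_port line, and notes whether sslcrtd_program is configured. The useful part for a config like this one is the dstdomain matching rule: a pattern with a leading dot covers the domain and all its subdomains, a pattern without one covers that exact host only, which decides whether an exemption such as no_ssl_interception actually keeps a site out of interception. Assumptions, labelled in the code: only dstdomain ACLs are evaluated (src ACLs such as localhost count as non-matching), an empty ACL list or the ACL "all" matches everything, a file reference inside a dstdomain ACL is not read, and the config text, hostnames and domains are constructed for the example.

```python
"""Step-1 ssl_bump decision checker for a squid.conf (added example)."""
import re
from typing import Dict, List, Tuple

Directive = Tuple[str, List[str]]

# Constructed sample config, modelled on the structure of the one in the post.
SAMPLE_CONF = """\
visible_hostname proxy.example.local
acl no_ssl_interception dstdomain .dropbox.com .hotmail.com
acl no_ssl_interception dstdomain login.example.bank    # exact host only
acl SSL_ports port 443
acl CONNECT method CONNECT
## Disable ssl interception for the exempt domains (and localhost)
ssl_bump none localhost
ssl_bump none no_ssl_interception
ssl_bump stare all
ssl_bump bump all
http_port 8080 ssl-bump cert=/etc/squid/proxy.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB options=NO_SSLv3,NO_SSLv2
http_access deny CONNECT !SSL_ports
http_access deny all
"""


def parse_squid_conf(text: str) -> List[Directive]:
    """Tokenise squid.conf into (directive, args); blank lines and '#' comments
    are dropped, double-quoted arguments stay as a single token."""
    directives: List[Directive] = []
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not line:
            continue
        tokens = re.findall(r'"[^"]*"|\S+', line)
        directives.append((tokens[0], tokens[1:]))
    return directives


def dstdomain_acls(directives: List[Directive]) -> Dict[str, List[str]]:
    """Collect dstdomain ACLs; repeated 'acl NAME dstdomain ...' lines append."""
    acls: Dict[str, List[str]] = {}
    for name_, args in directives:
        if name_ == "acl" and len(args) >= 3 and args[1] == "dstdomain":
            acls.setdefault(args[0], []).extend(args[2:])
    return acls


def dstdomain_matches(host: str, patterns: List[str]) -> bool:
    """Squid dstdomain semantics: '.example.com' matches example.com and every
    subdomain; 'example.com' matches exactly that host."""
    host = host.lower().rstrip(".")
    for p in patterns:
        p = p.lower()
        if p.startswith("/"):
            continue  # assumption: a file reference is not read in this example
        if p.startswith("."):
            if host == p[1:] or host.endswith(p):
                return True
        elif host == p:
            return True
    return False


def step1_decision(host: str, directives: List[Directive]) -> str:
    """Action of the first ssl_bump rule matching HOST at SslBump step 1.
    Assumptions: only dstdomain ACLs are evaluated (any other ACL type never
    matches); a rule with no ACL, or the ACL 'all', matches everything; with no
    matching rule the connection is reported as not intercepted ('none')."""
    acls = dstdomain_acls(directives)
    for name_, args in directives:
        if name_ != "ssl_bump" or not args:
            continue
        action, conds = args[0], args[1:]
        if not conds or conds == ["all"]:
            return action
        matched = True
        for cond in conds:
            negated = cond.startswith("!")
            hit = dstdomain_matches(host, acls.get(cond.lstrip("!"), []))
            if hit == negated:  # a negated hit or a plain miss fails the rule
                matched = False
                break
        if matched:
            return action
    return "none"


def http_port_bump_options(directives: List[Directive]) -> Dict[str, str]:
    """Key/value options of the first http_port line that carries ssl-bump."""
    for name_, args in directives:
        if name_ == "http_port" and "ssl-bump" in args:
            opts = {"port": args[0]}
            for arg in args[1:]:
                key, _, value = arg.partition("=")
                opts[key] = value if value else "on"
            return opts
    return {}


def audit(text: str, hosts: List[str]) -> Dict[str, str]:
    """Step-1 action per host, plus whether sslcrtd_program is configured."""
    directives = parse_squid_conf(text)
    report = {h: step1_decision(h, directives) for h in hosts}
    has_crtd = any(d == "sslcrtd_program" for d, _ in directives)
    report["sslcrtd_program"] = "configured" if has_crtd else "not configured"
    return report


if __name__ == "__main__":
    hosts = ["www.dropbox.com", "dropbox.com", "login.example.bank",
             "mail.example.bank", "example.com"]
    for key, value in audit(SAMPLE_CONF, hosts).items():
        print(f"{key:24} {value}")
    print(http_port_bump_options(parse_squid_conf(SAMPLE_CONF)))
```

Run it against your own squid.conf by replacing SAMPLE_CONF with the file contents and listing the hosts you expect to be exempt; a host that comes back "stare" (or "bump") when you expected "none" usually means the exemption pattern lacks the leading dot, so subdomains fall through to the catch-all rules. The sslcrtd_program line is only a presence check, so you can see at a glance whether a certificate-generation helper is part of the configuration at all.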