Because squid 4.5 with a configuration like this cannot bump TLS1.3:

https_port 192.168.30.4:3129 intercept ssl-bump connection-auth=off generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/squid/ssl_cert/CA.pem sslflags=NO_DEFAULT_CA

acl broken_sites ssl::server_name google.com
acl ssl_step1 at_step SslBump1

ssl_bump peek ssl_step1
ssl_bump bump broken_sites
ssl_bump splice all

How can squid 4.5 be configured to support TLS1.3?

From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> on behalf of squid-users-request@xxxxxxxxxxxxxxxxxxxxx <squid-users-request@xxxxxxxxxxxxxxxxxxxxx>
Sent: April 2, 2019 7:23
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: squid-users Digest, Vol 56, Issue 3

Send squid-users mailing list submissions to
        squid-users@xxxxxxxxxxxxxxxxxxxxx

To subscribe or unsubscribe via the World Wide Web, visit
        http://lists.squid-cache.org/listinfo/squid-users
or, via email, send a message with subject or body 'help' to
        squid-users-request@xxxxxxxxxxxxxxxxxxxxx

You can reach the person managing the list at
        squid-users-owner@xxxxxxxxxxxxxxxxxxxxx

When replying, please edit your Subject line so it is more specific
than "Re: Contents of squid-users digest..."

Today's Topics:

   1. Re: Why Squid on CentOS is faster than Debian ? (Alex Rousskov)
   2. How to restrict the maximum negotiated version of squid HTTPS to TLS1.2 (赵 俊)
   3. Re: How to restrict the maximum negotiated version of squid HTTPS to TLS1.2 (Amos Jeffries)
   4. Re: Why Squid on CentOS is faster than Debian ? (L A Walsh)
   5. Re: Why Squid on CentOS is faster than Debian ? (David Touzeau)

----------------------------------------------------------------------

Message: 1
Date: Mon, 1 Apr 2019 15:22:54 -0600
From: Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx>
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: Why Squid on CentOS is faster than Debian ?
Message-ID: <31bb34b4-9c61-68cd-78df-51b8630c446d@xxxxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset=utf-8

On 4/1/19 3:17 AM, David Touzeau wrote:

> On 30.03.19 10:22, David Touzeau wrote:
>> * Debian 9 net install + Squid compiled
>> * CentOS 7 minimal + Squid compiled
>>
>> Same version, same compilation parameters, same Squid settings.
>> It seems that Squid on CentOS is 10 times faster than squid on Debian

> We have recompiled same squid version on 2 systems
>
> No march= using --disable-arch-native on both systems
>
> Debian config.log
> https://github.com/dtouzeau/1.6.x/blob/Tempfiles/debian9-config.log?raw=true
>
> Centos config.log
> https://github.com/dtouzeau/1.6.x/blob/Tempfiles/centos7-config.log?raw=true
>
> Result was CentOS 44% faster on TCP_MEM_HITS

Just to clarify: Did changing ./configure options alone move you from 1000% to 44%?
Or was the earlier "10 times" just a crude approximation that we should ignore now?

Do your Squids use shared memory for the memory cache? See memory_cache_shared (even if you do not set it explicitly).
http://www.squid-cache.org/Doc/config/memory_cache_shared/

Any significant difference in mgr:info and mgr:counters output after a test that only has memory hits?

Alex.

------------------------------

Message: 2
Date: Tue, 2 Apr 2019 01:10:37 +0000
From: 赵 俊 <jun357572957zhao@xxxxxxxxxxx>
To: Squid <squid-users@xxxxxxxxxxxxxxxxxxxxx>
Subject: How to restrict the maximum negotiated version of squid HTTPS to TLS1.2
Message-ID: <CO2PR0801MB2312283C8FEAFDCC4C70C6EE98560@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset="gb2312"

Hi, this is part of my squid.conf:

https_port 192.168.30.4:3129 intercept ssl-bump connection-auth=off generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/squid/ssl_cert/CA.pem sslflags=NO_DEFAULT_CA

acl broken_sites ssl::server_name foo.com
acl ssl_step1 at_step SslBump1

ssl_bump peek ssl_step1
ssl_bump bump broken_sites
ssl_bump splice all

So how to restrict the maximum negotiated version of squid HTTPS to TLS1.2?

I also tried to configure it like this:

https_port 192.168.30.4:3129 intercept ssl-bump connection-auth=off generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/squid/ssl_cert/CA.pem version=4

It did not work. The access.log shows TCP/TUNNEL 200

------------------------------

Message: 3
Date: Tue, 2 Apr 2019 18:07:22 +1300
From: Amos Jeffries <squid3@xxxxxxxxxxxxx>
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: How to restrict the maximum negotiated version of squid HTTPS to TLS1.2
Message-ID: <a35ce939-5eea-e965-371f-69da02a619c8@xxxxxxxxxxxxx>
Content-Type: text/plain; charset=UTF-8

On 2/04/19 2:10 pm, 赵 俊 wrote:
> Hi, this is part of my squid.conf:
> https_port 192.168.30.4:3129 intercept ssl-bump connection-auth=off
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> cert=/opt/squid/ssl_cert/CA.pem sslflags=NO_DEFAULT_CA
>
> acl broken_sites ssl::server_name foo.com
> acl ssl_step1 at_step SslBump1
>
> ssl_bump peek ssl_step1
> ssl_bump bump broken_sites
> ssl_bump splice all
>
> So how to restrict the maximum negotiated version of squid HTTPS to TLS1.2?

That is not possible without patching Squid. Only versions up to TLS/1.2 can be controlled by any published Squid.

> I also tried to configure it like this:
>
>
> https_port 192.168.30.4:3129 intercept ssl-bump connection-auth=off
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> cert=/opt/squid/ssl_cert/CA.pem version=4
>
>
> It did not work.
>

The deprecated 'version=4' setting means TLS/*1.0* only.

> The access.log shows TCP/TUNNEL 200
>

That indicates that the protocol arriving from the client is probably not TLS or SSL in any form, but some other protocol. If that is true then no matter what you set for TLS versions allowed it will always tunnel.

Amos

------------------------------

Message: 4
Date: Mon, 01 Apr 2019 22:43:38 -0700
From: L A Walsh <squid-user@xxxxxxxxx>
To: david@xxxxxxxxxxxxxx
Cc: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: Why Squid on CentOS is faster than Debian ?
Message-ID: <5CA2F68A.8000009@xxxxxxxxx>
Content-Type: text/plain; charset=UTF-8

On 4/1/2019 2:17 AM, David Touzeau wrote:
> We have recompiled same squid version on 2 systems
> https://github.com/dtouzeau/1.6.x/blob/Tempfiles/centos7-config.log?raw=true
>
> -----------------------------------------------------------
> Result was CentOS 44% faster on TCP_MEM_HITS
> -----------------------------------------------------------
>

What kernels are the two systems running? Are the config options exactly the same?

Just a WAG, but are the settings for CONFIG_TRANSPARENT_HUGEPAGE the same for both?

------------------------------

Message: 5
Date: Tue, 2 Apr 2019 09:23:16 +0200
From: David Touzeau <david@xxxxxxxxxxxxxx>
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: Why Squid on CentOS is faster than Debian ?
Message-ID: <7330fbab-1808-e217-8f7f-3f08bc2b88ab@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset=utf-8; format=flowed

On 01/04/2019 at 23:22, Alex Rousskov wrote:
> On 4/1/19 3:17 AM, David Touzeau wrote:
>
>> On 30.03.19 10:22, David Touzeau wrote:
>>> * Debian 9 net install + Squid compiled
>>> * CentOS 7 minimal + Squid compiled
>>>
>>> Same version, same compilation parameters, same Squid settings.
>>> It seems that Squid on CentOS is 10 times faster than squid on Debian
>
>> We have recompiled same squid version on 2 systems
>>
>> No march= using --disable-arch-native on both systems
>>
>> Debian config.log
>> https://github.com/dtouzeau/1.6.x/blob/Tempfiles/debian9-config.log?raw=true
>>
>> Centos config.log
>> https://github.com/dtouzeau/1.6.x/blob/Tempfiles/centos7-config.log?raw=true
>>
>> Result was CentOS 44% faster on TCP_MEM_HITS
> Just to clarify: Did changing ./configure options alone move you from
> 1000% to 44%? Or was the earlier "10 times" just a crude approximation
> that we should ignore now?
>
>
> Do your Squids use shared memory for the memory cache? See
> memory_cache_shared (even if you do not set it explicitly).
> http://www.squid-cache.org/Doc/config/memory_cache_shared/
>
> Any significant difference in mgr:info and mgr:counters output after a
> test that only has memory hits?
>
> Alex.

Hi Alex and community

The test did not use workers

Here it is a piece of logs between the 2 machines

CentOS 7:

1554185117.132 1 172.16.1.228 50:46:5d:a0:3e:5a TCP_MEM_HIT/200 10979 GET http://www.projetmontsaintmichel.com/upload/document/reduites/TR_BA_0611_2.jpg - HIER_NONE/- image/jpeg
1554185117.133 1 172.16.1.228 50:46:5d:a0:3e:5a TCP_MEM_HIT/200 5531 GET http://www.projetmontsaintmichel.com/upload/document/reduites/TR_BA_0611_5.jpg - HIER_NONE/- image/jpeg
1554185117.134 0 172.16.1.228 50:46:5d:a0:3e:5a TCP_MEM_HIT/200 3727 GET http://www.projetmontsaintmichel.com//upload/document/minis/capture_40.jpg - HIER_NONE/- image/jpeg
1554185117.137 0 172.16.1.228 50:46:5d:a0:3e:5a TCP_MEM_HIT/200 1230 GET http://www.projetmontsaintmichel.com/web/images/ico_pdf.png - HIER_NONE/- image/png
1554185117.141 1 172.16.1.228 50:46:5d:a0:3e:5a TCP_MEM_HIT/200 33600 GET http://www.projetmontsaintmichel.com/upload/document/reduites/TR_BA_0609_6.gif - HIER_NONE/- image/gif
1554185117.142 1 172.16.1.228 50:46:5d:a0:3e:5a TCP_MEM_HIT/200 20200 GET http://www.projetmontsaintmichel.com/upload/document/reduites/TR_BA_0609_2.gif - HIER_NONE/- image/gif
1554185117.144 1 172.16.1.228 50:46:5d:a0:3e:5a TCP_MEM_HIT/200 29375 GET http://www.projetmontsaintmichel.com/upload/document/reduites/TR_BA_0609_5.gif - HIER_NONE/- image/gif
1554185117.146 1 172.16.1.228 50:46:5d:a0:3e:5a TCP_MEM_HIT/200 29835 GET http://www.projetmontsaintmichel.com/upload/document/reduites/TR_BA_0609_4.gif - HIER_NONE/- image/gif
1554185117.147 2 172.16.1.228 50:46:5d:a0:3e:5a TCP_MEM_HIT/200 28683 GET http://www.projetmontsaintmichel.com/upload/document/reduites/TR_BA_0609_1.gif - HIER_NONE/- image/gif
1554185117.149 1 172.16.1.228 50:46:5d:a0:3e:5a TCP_MEM_HIT/200 7715 GET http://www.projetmontsaintmichel.com/upload/document/reduites/TR_BA_0608_3.jpg - HIER_NONE/- image/jpeg
1554185117.151 0 172.16.1.228 50:46:5d:a0:3e:5a TCP_MEM_HIT/200 8175 GET http://www.projetmontsaintmichel.com/upload/document/reduites/TR_BA_0608_2.jpg - HIER_NONE/- image/jpeg
1554185117.152 0 172.16.1.228 50:46:5d:a0:3e:5a TCP_MEM_HIT/200 2519 GET http://www.projetmontsaintmichel.com/web/images/bloc_infoschantier2.gif - HIER_NONE/- image/gif
1554185117.153 0 172.16.1.228 50:46:5d:a0:3e:5a TCP_MEM_HIT/200 3870 GET http://www.projetmontsaintmichel.com/web/images/bloc_espacepro2.gif - HIER_NONE/- image/gif
1554185117.157 0 172.16.1.228 50:46:5d:a0:3e:5a TCP_MEM_HIT/200 9349 GET http://www.projetmontsaintmichel.com/upload/document/reduites/TR_BA_0608_1.jpg - HIER_NONE/- image/jpeg
1554185117.162 0 172.16.1.228 50:46:5d:a0:3e:5a TCP_MEM_HIT/200 3622 GET http://www.projetmontsaintmichel.com//upload/document/minis/capture_29.jpg - HIER_NONE/- image/jpeg
1554185117.162 1 172.16.1.228 50:46:5d:a0:3e:5a TCP_MEM_HIT/200 409 GET http://www.projetmontsaintmichel.com/web/images/puce_carre_visite.gif - HIER_NONE/- image/gif
1554185117.162 1 172.16.1.228 50:46:5d:a0:3e:5a TCP_MEM_HIT/200 409 GET http://www.projetmontsaintmichel.com/web/images/puce_carre_gris.gif - HIER_NONE/- image/gif
1554185117.175 1 172.16.1.228 50:46:5d:a0:3e:5a TCP_MEM_HIT/200 23219 GET http://www.projetmontsaintmichel.com/web/images/fond_footer.jpg - HIER_NONE/- image/jpeg
1554185117.187 0 172.16.1.228 50:46:5d:a0:3e:5a TCP_MEM_HIT/200 540 GET http://www.projetmontsaintmichel.com/web/galerie/images/overlay.png - HIER_NONE/- image/png
1554185117.389 2 172.16.1.228 50:46:5d:a0:3e:5a TCP_MEM_HIT/200 858 GET http://www.projetmontsaintmichel.com/favicon.ico - HIER_NONE/- image/x-icon

Debian 9:

1554185129.651 1 172.16.1.228 50:46:5d:a0:3e:5a TCP_MEM_HIT/200 8887 GET http://www.projetmontsaintmichel.com/upload/document/reduites/TR_BA_0611_1.jpg - HIER_NONE/- image/jpeg
1554185129.660 5 172.16.1.228 50:46:5d:a0:3e:5a TCP_MEM_HIT/200 8733 GET http://www.projetmontsaintmichel.com/upload/document/reduites/TR_BA_0611_4.jpg - HIER_NONE/- image/jpeg
1554185129.664 1 172.16.1.228 50:46:5d:a0:3e:5a TCP_MEM_HIT/200 5565 GET http://www.projetmontsaintmichel.com/upload/document/reduites/TR_BA_0611_5.jpg - HIER_NONE/- image/jpeg
1554185129.664 1 172.16.1.228 50:46:5d:a0:3e:5a TCP_MEM_HIT/200 11013 GET http://www.projetmontsaintmichel.com/upload/document/reduites/TR_BA_0611_2.jpg - HIER_NONE/- image/jpeg
1554185129.665 2 172.16.1.228 50:46:5d:a0:3e:5a TCP_MEM_HIT/200 3761 GET http://www.projetmontsaintmichel.com//upload/document/minis/capture_40.jpg - HIER_NONE/- image/jpeg
1554185129.665 1 172.16.1.228 50:46:5d:a0:3e:5a TCP_MEM_HIT/200 1264 GET http://www.projetmontsaintmichel.com/web/images/ico_pdf.png - HIER_NONE/- image/png
1554185129.677 12 172.16.1.228 50:46:5d:a0:3e:5a TCP_MEM_HIT/200 33634 GET http://www.projetmontsaintmichel.com/upload/document/reduites/TR_BA_0609_6.gif - HIER_NONE/- image/gif
1554185129.677 2 172.16.1.228 50:46:5d:a0:3e:5a TCP_MEM_HIT/200 7749 GET http://www.projetmontsaintmichel.com/upload/document/reduites/TR_BA_0608_3.jpg - HIER_NONE/- image/jpeg
1554185129.677 4 172.16.1.228 50:46:5d:a0:3e:5a TCP_MEM_HIT/200 20234 GET http://www.projetmontsaintmichel.com/upload/document/reduites/TR_BA_0609_2.gif - HIER_NONE/- image/gif
1554185129.678 4 172.16.1.228 50:46:5d:a0:3e:5a TCP_MEM_HIT/200 28717 GET http://www.projetmontsaintmichel.com/upload/document/reduites/TR_BA_0609_1.gif - HIER_NONE/- image/gif
1554185129.678 4 172.16.1.228 50:46:5d:a0:3e:5a TCP_MEM_HIT/200 29869 GET http://www.projetmontsaintmichel.com/upload/document/reduites/TR_BA_0609_4.gif - HIER_NONE/- image/gif
1554185129.678 4 172.16.1.228 50:46:5d:a0:3e:5a TCP_MEM_HIT/200 29409 GET http://www.projetmontsaintmichel.com/upload/document/reduites/TR_BA_0609_5.gif - HIER_NONE/- image/gif
1554185129.688 3 172.16.1.228 50:46:5d:a0:3e:5a TCP_MEM_HIT/200 8209 GET http://www.projetmontsaintmichel.com/upload/document/reduites/TR_BA_0608_2.jpg - HIER_NONE/- image/jpeg
1554185129.691 2 172.16.1.228 50:46:5d:a0:3e:5a TCP_MEM_HIT/200 9383 GET http://www.projetmontsaintmichel.com/upload/document/reduites/TR_BA_0608_1.jpg - HIER_NONE/- image/jpeg
1554185129.692 1 172.16.1.228 50:46:5d:a0:3e:5a TCP_MEM_HIT/200 3656 GET http://www.projetmontsaintmichel.com//upload/document/minis/capture_29.jpg - HIER_NONE/- image/jpeg
1554185129.694 1 172.16.1.228 50:46:5d:a0:3e:5a TCP_MEM_HIT/200 443 GET http://www.projetmontsaintmichel.com/web/images/puce_carre_visite.gif - HIER_NONE/- image/gif
1554185129.694 1 172.16.1.228 50:46:5d:a0:3e:5a TCP_MEM_HIT/200 443 GET http://www.projetmontsaintmichel.com/web/images/puce_carre_gris.gif - HIER_NONE/- image/gif
1554185129.700 3 172.16.1.228 50:46:5d:a0:3e:5a TCP_MEM_HIT/200 574 GET http://www.projetmontsaintmichel.com/web/galerie/images/overlay.png - HIER_NONE/- image/png
1554185129.701 3 172.16.1.228 50:46:5d:a0:3e:5a TCP_MEM_HIT/200 23253 GET http://www.projetmontsaintmichel.com/web/images/fond_footer.jpg - HIER_NONE/- image/jpeg
1554185129.857 1 172.16.1.228 50:46:5d:a0:3e:5a TCP_MEM_HIT/200 892 GET http://www.projetmontsaintmichel.com/favicon.ico - HIER_NONE/- image/x-icon

CentOS : total: 14msec average: 0.7msec
Debian : total: 56msec average: 2.8msec

CentOS vs Debian: 400% faster with CentOS

Do you know why CentOS objects are 34 bytes smaller than Debian ?

------------------------------

End of squid-users Digest, Vol 56, Issue 3
******************************************
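
The question at the top concerns clients that negotiate TLS 1.3, and the quoted reply notes that a tunneled connection may not be TLS at all. As an added example (not code from the thread or from the Squid project), this Python parser reads the first client bytes, the ClientHello that the `peek` at SslBump1 looks at, and reports the SNI and whether TLS 1.3 is offered in the supported_versions extension. The function names are hypothetical and the sample hellos are constructed test input.

```python
import struct

def parse_client_hello(data):
    """Return (sni, offered_versions), or None if data is not a TLS ClientHello."""
    # Record header: type 22 (handshake), major version 3; handshake type 1.
    if len(data) < 9 or data[0] != 22 or data[1] != 3 or data[5] != 1:
        return None
    body = data[9:]                      # skip record (5) and handshake (4) headers
    try:
        versions = [struct.unpack_from("!H", body, 0)[0]]  # legacy_version
        pos = 2 + 32                     # legacy_version + random
        pos += 1 + body[pos]             # session_id
        pos += 2 + struct.unpack_from("!H", body, pos)[0]  # cipher_suites
        pos += 1 + body[pos]             # compression_methods
        sni = None
        end = pos + 2 + struct.unpack_from("!H", body, pos)[0] if pos < len(body) else pos
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", body, pos)
            ext = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == 0:               # server_name: list_len(2) type(1) len(2) name
                nlen = struct.unpack_from("!H", ext, 3)[0]
                sni = ext[5:5 + nlen].decode("ascii")
            elif etype == 43:            # supported_versions: len(1), 2-byte versions
                versions = [struct.unpack_from("!H", ext, i)[0]
                            for i in range(1, 1 + ext[0], 2)]
        return sni, versions
    except (struct.error, IndexError, UnicodeDecodeError):
        return None                      # truncated or malformed hello

def classify(data):
    """Label first client bytes: 'not-tls', 'offers-tls1.3' or 'tls1.2-or-lower'."""
    parsed = parse_client_hello(data)
    if parsed is None:
        return ("not-tls", None)
    return ("offers-tls1.3" if 0x0304 in parsed[1] else "tls1.2-or-lower", parsed[0])

def sample_hello(host, versions):
    """Constructed test input: a minimal ClientHello with SNI and supported_versions."""
    name = host.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    sv = bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions)
    exts = struct.pack("!HH", 0, len(sni)) + sni
    if versions:
        exts += struct.pack("!HH", 43, len(sv)) + sv
    # legacy_version 0x0303, zero random, empty session_id, one suite, null compression
    body = b"\x03\x03" + bytes(32) + b"\x00\x00\x02\x13\x01\x01\x00" + struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Calling `classify(sample_hello("google.com", [0x0304, 0x0303]))` labels the hello as offering TLS 1.3, while plain HTTP bytes sent to the intercept port come back as `not-tls`.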