Search squid archive

Re: security_file_certgen I/O

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, 1 Dec 2021 at 18:29, Alex Rousskov
<rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> On 12/1/21 12:06 PM, David Touzeau wrote:
> >
> > Hi
> >
> > We used Squid 5.2 and we see that security_file_certgen consume I/O
> > Is there any way to put the ssldb in memory without need to mount a tmpfs ?
>
> Yes, there are at least two other ways to reduce disk I/O related to
> certificate generation:
>
> 1) Tell the official certificate generator helper not to cache the
> generated certificates. See sslcrtd_program documentation for details.
>
> 2) Write your own certificate generator helper.
>
> Alex.

We have found that the certificate helpers perform strictly worse with
the disk cache turned on, over approximately 3 processes. It is
something that perhaps one day, with luck, we may be able to
contribute something. The problems are the way in which the disk cache
is stored and accessed.

I do have a large spreadsheet with some performance results, which (at
some point) I do plan to share.

I feel it's likely that the process of generating the certificates
could, or should be separate from their caching on disk (or in
memory). Currently the helper does both, and the disk caching does
seem detrimental in a multi process setting.
Another reason for separating these concerns is that some people may
wish to use HSM facilities (Hardware Security Module), and so it may
make sense to separate out the caching, and; in light of the
consideration that the HSM interface may vary widely, and require a
specific HSM helper type for each HSM.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users



[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux