On Wed, 1 Dec 2021 at 18:29, Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> On 12/1/21 12:06 PM, David Touzeau wrote:
> >
> > Hi
> >
> > We used Squid 5.2 and we see that security_file_certgen consumes I/O.
> > Is there any way to put the ssldb in memory without needing to mount a tmpfs?
>
> Yes, there are at least two other ways to reduce disk I/O related to
> certificate generation:
>
> 1) Tell the official certificate generator helper not to cache the
> generated certificates. See sslcrtd_program documentation for details.
>
> 2) Write your own certificate generator helper.
>
> Alex.

We have found that the certificate helpers perform strictly worse with
the disk cache turned on, over approximately 3 processes. It is
something that perhaps one day, with luck, we may be able to contribute
to. The problems are the way in which the disk cache is stored and
accessed. I do have a large spreadsheet with some performance results,
which (at some point) I do plan to share.

I feel it's likely that the process of generating the certificates
could, or should, be separate from their caching on disk (or in memory).
Currently the helper does both, and the disk caching does seem
detrimental in a multi-process setting.

Another reason for separating these concerns is that some people may
wish to use HSM facilities (Hardware Security Module), and so it may
make sense to separate out the caching, in light of the consideration
that the HSM interface may vary widely and require a specific HSM
helper type for each HSM.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
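
Option 1 from the quoted reply, written out as a squid.conf fragment. This is an added example, not configuration posted by anyone in the thread; the helper path, database path and child count are assumptions that depend on the build and the deployment.

```conf
# Constructed example; adjust paths to the local installation.

# With disk caching: -s names the on-disk certificate database and
# -M caps its size. All helper processes share this directory.
# (Shown commented out for comparison.)
#sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# Without disk caching: neither -s nor -M is given, so the helper
# generates a new certificate on every request and keeps no ssl_db.
sslcrtd_program /usr/lib/squid/security_file_certgen

# Number of helper processes (illustrative value).
sslcrtd_children 8
```

The documented default for sslcrtd_program already includes -s and -M, so the directive has to be set explicitly to turn the disk cache off. Doing so trades disk I/O for a signing operation on every request Squid sends to the helper.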