Squid ssl_bump configuration optimized for highest CPS?

Hi,

I’m running squid v4.13 in TLS bump mode.

Trying to configure it to get highest (single core) CPS (new TLS sessions/connections per second) numbers.

I run multiple s_time tests on client side and “plain” nginx on server side.

Example s_time command line:

openssl s_time -connect server:443 -new -cipher AES128-GCM-SHA256 -time 30 -CAfile /opt/proxy_rootCA.pem -tls1_2

Could you please review config below and suggest changes to improve performance?

Assumptions:

  • SSL bump/transparent SSL proxy;
  • single core performance;
  • caching disabled;
  • persistent connections disabled;
  • no logs;

Best wishes

Wojciech Andralojc

---

acl localnet src 10.0.8.0/24

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access allow localhost manager
http_access deny manager

http_access allow localnet
http_access allow localhost

http_access allow all

# Squid normally listens to port 3128
http_port 3128
http_port 3129 intercept
ssl_bump server-first all
https_port 3130 intercept ssl-bump cert=/etc/ssl/certs//rootCA.pem generate-host-certificates=on

# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
dns_nameservers 127.0.0.1
visible_hostname "proxy"
tls_outgoing_options cafile=/etc/ssl/certs//nginx.pem
access_log none
cache_store_log none
cache_log /dev/null
workers 1
cache deny all
cache_mem 0
server_persistent_connections off
client_persistent_connections off

--------------------------------------------------------------
Intel Research and Development Ireland Limited
Registered in Ireland
Registered Office: Collinstown Industrial Park, Leixlip, County Kildare
Registered Number: 308263

This e-mail and any attachments may contain confidential material for the sole use of the intended recipient(s). Any review or distribution by others is strictly prohibited. If you are not the intended recipient, please contact the sender and delete all copies.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
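
Added example (not part of the original post and not Squid code): a simplified Python model of Squid's first-match http_access evaluation, run over the ACL and http_access lines of the posted configuration, to show which line decides a given request. Assumptions: the built-in manager ACL never matches, the Safe_ports values are condensed onto one line, and the function names are hypothetical.

```python
import ipaddress

# ACL and http_access lines from the posted configuration (Safe_ports condensed).
CONFIG = """\
acl localnet src 10.0.8.0/24
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access allow all
"""

def parse(text):
    acls, rules = {}, []
    for fields in (line.split() for line in text.splitlines() if line.strip()):
        if fields[0] == "acl":
            acls.setdefault(fields[1], []).extend((fields[2], v) for v in fields[3:])
        elif fields[0] == "http_access":
            rules.append((fields[1], fields[2:]))
    return acls, rules

def acl_matches(name, acls, src, port, method):
    # Built-in ACLs, modelled simply. Assumption: no request is a cache manager request.
    builtin = {"all": True, "manager": False, "localhost": ipaddress.ip_address(src).is_loopback}
    if name in builtin:
        return builtin[name]
    for kind, value in acls[name]:  # values of one ACL are ORed
        if kind == "src" and ipaddress.ip_address(src) in ipaddress.ip_network(value):
            return True
        lo, _, hi = value.partition("-")
        if kind == "port" and int(lo) <= port <= int(hi or lo):
            return True
        if kind == "method" and method == value:
            return True
    return False

def decide(src, port, method="GET"):
    acls, rules = parse(CONFIG)
    for action, names in rules:  # ACLs on a line are ANDed; first matching line wins
        if all(acl_matches(n.lstrip("!"), acls, src, port, method) != n.startswith("!")
               for n in names):
            return action, " ".join(["http_access", action, *names])
    # No line matched: Squid applies the opposite of the last line's action.
    return ("deny" if rules[-1][0] == "allow" else "allow"), None
```

For the constructed request decide("203.0.113.7", 443, "CONNECT"), a client outside localnet, the deciding line is "http_access allow all", so on a benchmark host reachable from other networks the last rule is the one to narrow.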
