[squid-users] High CPU Usage with ssl_bump

Alex Rousskov rousskov at measurement-factory.com
Thu Apr 21 13:48:27 UTC 2016


On 04/21/2016 07:18 AM, Odhiambo Washington wrote:
> Is it expected that using ssl_bump results in high CPU usage all the
> time?

Your question is impossible to answer in general: The CPU usage levels
depend on the amount of Squid traffic, the portion of SSL traffic in the
overall traffic mix, the portion of step1, step2, and step3 traffic in
the SSL traffic mix, hardware resources available to Squid, the number
of Squid workers, and many other factors.

> acl no_ssl_interception ssl::server_name ...
> ssl_bump splice no_ssl_interception 
> ssl_bump peek step1
> ssl_bump stare step2

The above config continues to violate the specific advice given to you
previously: Do not mix "peek" and "stare" unless you have a very
specific need for doing so.


> I think I read somewhere that "ssl_bump splice all" is the default
> behaviour, hence why I have commented it out. All I need is to just become
> a TCP tunnel without decrypting proxied traffic.

"splice all" is not the default in the latest Squids. The default there
is closer to something like "bump if the last step was 'stare' and
splice otherwise". I do not remember what the default is in your Squid
version, but, as Amos has already said, relying on _any_ default in this
complex environment is the wrong approach.

Alex.
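
An added example, not part of the original message and not Squid's own tooling: a small Python check that flags the two issues raised in this reply in a set of ssl_bump rules, namely mixing peek and stare, and leaving the final decision to a version-dependent default. The function names, the "catch-all" heuristic (a splice/bump/terminate rule whose only ACL is `all`) and the second sample config are assumptions of this sketch.

```python
# Added example: lint ssl_bump rules for the two issues discussed in this thread.
FINAL_ACTIONS = {"splice", "bump", "terminate"}
LOOK_ACTIONS = {"peek", "stare"}

# ssl_bump lines as quoted in the thread, including the commented-out rule.
THREAD_CONFIG = """\
ssl_bump splice no_ssl_interception
ssl_bump peek step1
ssl_bump stare step2
#ssl_bump splice all
"""

# Constructed sample (assumption): one way to state "tunnel everything" explicitly.
EXPLICIT_CONFIG = """\
ssl_bump peek step1
ssl_bump splice all
"""


def parse_ssl_bump(conf_text):
    """Return [(lineno, action, [acl, ...])] for every active ssl_bump line."""
    rules = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if line.startswith("#"):  # commented-out rules are not in effect
            continue
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "ssl_bump":
            rules.append((lineno, parts[1], parts[2:]))
    return rules


def lint_ssl_bump(conf_text):
    """Return a list of human-readable findings (empty list means none)."""
    rules = parse_ssl_bump(conf_text)
    findings = []
    used = {action for _, action, _ in rules}
    if LOOK_ACTIONS <= used:
        lines = [n for n, a, _ in rules if a in LOOK_ACTIONS]
        findings.append(f"peek and stare are both used (lines {lines})")
    # Heuristic: a final action whose only ACL is "all" counts as an explicit catch-all.
    if rules and not any(a in FINAL_ACTIONS and acls == ["all"] for _, a, acls in rules):
        findings.append("no explicit catch-all rule; outcome depends on the version default")
    return findings


if __name__ == "__main__":
    for name, conf in (("thread", THREAD_CONFIG), ("explicit", EXPLICIT_CONFIG)):
        print(name, lint_ssl_bump(conf) or "no findings")
```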
