[squid-users] High CPU Usage with ssl_bump
Yuri Voinov
yvoinov at gmail.com
Fri Apr 22 12:42:57 UTC 2016
22.04.16 18:39, Odhiambo Washington wrote:
>
>
> On 22 April 2016 at 13:45, Amos Jeffries <squid3 at treenet.co.nz> wrote:
>
> On 22/04/2016 8:23 p.m., Odhiambo Washington wrote:
> >
> > Sure, I am really struggling to understand this. I would like to serve
> > error pages. A complete example of this would really help. I am thinking,
> > based on the two templates you gave and going with the one where squid
> > intrudes, that it could be like below, but to be honest I am not sure so
> > kindly correct me.
> >
> >
> > acl time_wastage_sites_ssl ssl::server_name .facebook.com .youtube.com
> > ssl_bump splice time_wastage_sites_ssl
> > ssl_bump stare all
> > ssl_bump bump all
> > http_access allow time_wastage_sites_ssl privileged-staff
> > http_access allow time_wastage_sites_ssl privileged-clients
> > http_access allow time_wastage_sites_ssl TIMElunch
> > http_access allow time_wastage_sites_ssl TIMEafterhoursAFT
> > http_access allow time_wastage_sites_ssl TIMEafterhoursMORN
> > http_access allow time_wastage_sites_ssl TIMEsatALLDAY
> > http_access allow time_wastage_sites_ssl TIMEsundALLDAY
> > http_access deny time_wastage_sites_ssl
> >
>
> In a file called "/etc/squid/tws":
> .facebook.com
> .youtube.com
>
>
> squid.conf:
> acl time_wastage_sites_ssl ssl::server_name "/etc/squid/tws"
> acl time_wastage_sites_http dstdomain "/etc/squid/tws"
>
> acl privileged_traffic any-of \
> privileged-staff privileged-clients \
> TIMElunch TIMEafterhoursAFT TIMEafterhoursMORN \
> TIMEsatALLDAY TIMEsundALLDAY
>
> http_access allow privileged_traffic
> http_access deny time_wastage_sites_http
>
> ssl_bump splice privileged_traffic time_wastage_sites_ssl
> ssl_bump stare all
> ssl_bump bump all
>
>
>
> You can probably merge the TIME* ACLs down as well like:
> # lunch
> acl okay_times time ...
> # afterhours PM
> acl okay_times time ...
> # afterhours AM
> acl okay_times time ...
> # Saturday and Sunday all day
> acl okay_times time SA
>
> Amos
>
>
> Quoting Alex:
> "
> If you want Squid to not intrude except when terminating prohibited traffic, then start with this sketch:
>
> > ssl_bump terminate prohibited_traffic
> > ssl_bump peek all
> > ssl_bump splice all
> "
>
> So is it possible to achieve such a non-intrusive setup, but without 'terminate'?
Not only possible. This is the only solution if you do not want legal
problems. But, of course, you will forget about high cache hit....
:))))))))))
>
>
>
> --
> Best regards,
> Odhiambo WASHINGTON,
> Nairobi,KE
> +254 7 3200 0004/+254 7 2274 3223
> "Oh, the cruft."