[squid-users] High CPU Usage with ssl_bump

Alex Rousskov rousskov at measurement-factory.com
Fri Apr 22 18:13:26 UTC 2016


On 04/22/2016 09:19 AM, Odhiambo Washington wrote:
> Can I terminate based on time? 

Yes. You can terminate based on any information except information
contained inside HTTP messages. Time is always available.
ssl::server_name will give you an approximation of what you call "site".


> By just modifying the bits you wrote for me?

Technically yes (any configuration can be written "by just modifying
some other configuration"). In practice, the two directions
(splice/terminate versus bump/block) are so different that I recommend
the following approach instead:

1. Study the bits Amos gave you. Do not proceed until you understand
what each line means/does. Ask specific questions if needed. IMHO, if
you cannot complete this step, then you should not subject humans to
SslBump. Without this knowledge, there will be too much suffering, on
all sides.

2. Use the first template I gave you. Add your own rules so that Squid
terminates the connections you want it to terminate and splices
everything else. If you honestly complete step #1 above, then you should
be able to do this too (and, more importantly, you would be able to
troubleshoot deployment problems).

3. Test, deploy, and ask questions/file bug reports as needed.

Alex.



> On 17:45, Fri, Apr 22, 2016 Amos Jeffries wrote:
> 
>     On 23/04/2016 12:39 a.m., Odhiambo Washington wrote:
>     >
>     > So is it possible to achieve such a non-intrusive setup, but without
>     > 'terminate'?
> 
>     You declared the requirement "Serve an error page.".
> 
>     That is intrusive.
> 
>     As Alex has said repeatedly:
>       terminate or produce an error. Pick one.
> 
>     Amos
> 
> 
> 
> 
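
Added example, not part of the original thread and not the template Alex or Amos posted: a squid.conf sketch of step 2 above, terminating by time and ssl::server_name and splicing everything else. The ACL names, the domain and the hours are constructed placeholders, and an http_port line with ssl-bump is assumed to be configured elsewhere in the file.

```conf
# Added example; ACL names, domain and hours are constructed placeholders.
# Assumes an http_port (or https_port) line with ssl-bump already exists.

# True only during the first SslBump step, before the TLS client hello
# has been inspected.
acl step1 at_step SslBump1

# Approximation of "site": once the client hello has been peeked at,
# this matches the server name the client sent in TLS SNI.
# The leading dot also matches subdomains.
acl restricted_sites ssl::server_name .example.com

# Time is always available: Monday to Friday, 08:00-17:00 local time.
acl work_hours time MTWHF 08:00-17:00

# Peek at the client hello first so the SNI is known to the rules below.
ssl_bump peek step1

# ACLs on one line are ANDed: close the connection only for the listed
# sites and only during the listed hours. Nothing is decrypted.
ssl_bump terminate restricted_sites work_hours

# Everything else is tunnelled through untouched.
ssl_bump splice all
```

A terminated client sees a closed connection rather than an error page, which is the trade-off Amos points out in the quoted text. Run `squid -k parse` after editing to catch syntax errors before reloading.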


