[squid-users] CPU Load 100% after implementing SSL Bump ....

Sagar Malve sagarmalve91 at gmail.com
Mon May 23 06:27:31 UTC 2016


Hi Team,

System Config:

Intel S2400SC2 Motherboard
Intel Xeon ES 2407 V2 CPU
RAM 32 GB


http_port 3127
http_port 3128 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_certs/squid.crt key=/etc/squid/ssl_certs/squid.key options=NO_SSLv3 tls-dh=/etc/squid/dhparam.pem
sslproxy_capath /etc/ssl/certs


# FILTERING HTTPS
acl 1 dstdomain .fbcdn.net .akamaihd.net .fbsbx.com
#acl 2a dstdomain .mahadana.com .mql4.com .metaquotes.net
acl 2 url_regex -i ^https?:\/\/attachment\.fbsbx\.com\/.*\?(id=[0-9]*).*
acl 2 url_regex -i \.fbsbx\.com\/.*\/(.*\.(unity3d|pak|zip|exe|dll|jpg|png|gif|swf)/)$
acl 2 url_regex -i ^https?:\/\/.*\.ytimg\.com(.*\.(webp|jpg|gif))
acl 2 url_regex -i ^https?:\/\/([^\.]*)\.yimg\.com\/(.*)
acl 2 url_regex -i ^https?:\/\/.*\.gstatic\.com\/images\?q=tbn\:(.*)
acl 2 url_regex -i ^https?:\/\/.*\.reverbnation\.com\/.*\/(ec_stream_song|download_song_direct|stream_song)\/([0-9]*).*
acl 2 url_regex -i ^https?:\/\/([a-z0-9.]*)(\.doubleclick\.net|\.quantserve\.com|.exoclick\.com|interclick.\com|\.googlesyndication\.com|\.auditude\.com|.visiblemeasures\.com|yieldmanager|cpxinteractive)(.*)
acl 2 url_regex -i ^https?:\/\/(.*?)\/(ads)\?(.*?)
acl 2 url_regex -i ^https?:\/\/.*steampowered\.com\/.*\/([0-9]+\/(.*))
acl 3 url_regex -i ^https?:\/\/(.*?)\/speedtest\/.*\.(jpg|txt|png|gif|swf)\?.*
acl 3 url_regex -i speedtest\/.*\.(jpg|txt|png|gif|swf)\?.*
acl 4 url_regex -i reverbnation.*audio_player.*ec_stream_song.*$
acl 5 url_regex -i utm.gif.*
acl 6 url_regex -i c.android.clients.google.com.market.GetBinary.GetBinary.*
acl 7 url_regex -i youtube.*(ptracking|stream_204|player_204|gen_204).*$
acl 7 url_regex -i \.c\.(youtube|google)\.com\/(get_video|videoplayback|videoplay).*$
acl 7 url_regex -i (youtube|google).*\/videoplayback\?.*
acl 8 http_status 302
acl getmethod method GET


ssl_bump splice localhost
acl 9 at_step SslBump1
acl 10 at_step SslBump2
acl 11 at_step SslBump3
ssl_bump peek 9 all
ssl_bump bump 10 all
ssl_bump bump 11 all


----------------------------------------------------------------------------------------------

Is there any way it can cache the SSL certificate for all HTTPS traffic?
Because the SSL cert & Squid processes were using 99% of CPU load.

We have approx 200 users ....

I have set the open file limit to 100000

Could you please let us know if there is any way to cache HTTPS requests
in Squid?