[squid-users] Huge memory required for squid 3.5

Sabu Thaliyath sabu.thaliyath at gmail.com
Wed Apr 26 07:00:53 UTC 2017


Hi,

I have the same issue as Nil. I have set NO_DEFAULT_CA and also did
"generate-host-certificates=off". I see that with these changes it takes more
time to reach 2GB, but it does reach there (in about 6 hours for me with peak
usage).

These were my settings.

https_port 192.168.0.10:3129 generate-host-certificates=off dynamic_cert_mem_cache_size=4MB cert=/etc/squid/myserver.pem intercept ssl-bump sslflags=NO_DEFAULT_CA
https_port 192.168.0.10:3128 generate-host-certificates=off dynamic_cert_mem_cache_size=4MB cert=/etc/squid/myserver.pem intercept ssl-bump sslflags=NO_DEFAULT_CA

I did a 10-minute test to compare the behavior in Squid 3.3 and Squid 3.5.
My test scenario was kept exactly the same except for the following diff in
Squid 3.5.

acl exceptions ssl::server_name_regex "/etc/squid/exception_list.txt"
acl step1 at_step SslBump1
acl step2 at_step SslBump2
ssl_bump peek step1 all !exceptions
ssl_bump splice step2 !exceptions

Here are the results after 10mins -

1. When I didn't use NO_DEFAULT_CA and generate-host-certificates=on

Squid 3.3 = 550MB
Squid 3.5 = 1.1GB

2. When I use NO_DEFAULT_CA and generate-host-certificates=off

Squid 3.3 = 402MB
Squid 3.5 = 560MB

So it looks like Squid 3.5 has higher mem usage than 3.3 in both cases,
which makes me wonder: is it that more CAs are being loaded into cache in
3.5?

Also, is there any other change I can make to my config to arrest the memory
growth to 2GB in 3.5 on my production system? I got only 4Gb RAM.


Thanks and Regards,
Davis
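The measurements above were taken by hand after 10 minutes. The following is an added example, not code from the thread or from the Squid project, that automates the same comparison: it samples a Squid worker's resident set size from /proc/<pid>/status, fits a growth rate to the samples, and projects when the process would cross a memory ceiling such as the 2GB mentioned here. The status excerpt and the sample series in the code are constructed; the PID, interval and limit are command-line assumptions.

```python
import re
import sys
import time
from typing import List, Optional, Tuple

# Constructed excerpt of a /proc/<pid>/status file (not captured from the thread).
# VmRSS is the resident set size the thread's MB figures correspond to.
SAMPLE_STATUS = """Name:\tsquid
State:\tS (sleeping)
VmPeak:\t  590000 kB
VmSize:\t  580000 kB
VmRSS:\t  573440 kB
Threads:\t1
"""

_VMRSS = re.compile(r"^VmRSS:\s+(\d+)\s+kB$", re.MULTILINE)


def parse_vmrss_mb(status_text: str) -> Optional[float]:
    """Return the VmRSS value from /proc/<pid>/status text in MB, or None if absent."""
    match = _VMRSS.search(status_text)
    if not match:
        return None
    return int(match.group(1)) / 1024.0


def read_rss_mb(pid: int) -> Optional[float]:
    """Read the current RSS of a live process; None if the PID is gone or unreadable."""
    try:
        with open(f"/proc/{pid}/status", encoding="ascii") as status:
            return parse_vmrss_mb(status.read())
    except OSError:
        return None


def growth_rate_mb_per_s(samples: List[Tuple[float, float]]) -> Optional[float]:
    """Least-squares slope of RSS (MB) against time (s). Needs at least two
    samples taken at different times; otherwise returns None."""
    n = len(samples)
    if n < 2:
        return None
    mean_t = sum(t for t, _ in samples) / n
    mean_r = sum(r for _, r in samples) / n
    sxx = sum((t - mean_t) ** 2 for t, _ in samples)
    if sxx == 0:
        return None
    sxy = sum((t - mean_t) * (r - mean_r) for t, r in samples)
    return sxy / sxx


def seconds_until_limit(samples: List[Tuple[float, float]], limit_mb: float) -> Optional[float]:
    """Project, from the last sample, how many seconds remain until RSS reaches
    limit_mb. Returns 0.0 if already over the limit and None if memory is flat
    or shrinking (no crossing predicted)."""
    rate = growth_rate_mb_per_s(samples)
    if rate is None or rate <= 0:
        return None
    last_t, last_r = samples[-1]
    if last_r >= limit_mb:
        return 0.0
    return (limit_mb - last_r) / rate


def main() -> None:
    # Usage: python rss_watch.py <pid> [interval_s] [limit_mb]   (assumed CLI, not Squid's)
    pid = int(sys.argv[1])
    interval = float(sys.argv[2]) if len(sys.argv) > 2 else 60.0
    limit_mb = float(sys.argv[3]) if len(sys.argv) > 3 else 2048.0
    samples: List[Tuple[float, float]] = []
    start = time.monotonic()
    while True:
        rss = read_rss_mb(pid)
        if rss is None:
            print(f"pid {pid} not readable; stopping")
            return
        samples.append((time.monotonic() - start, rss))
        eta = seconds_until_limit(samples, limit_mb)
        eta_text = "n/a" if eta is None else f"{eta / 3600:.1f} h"
        print(f"t={samples[-1][0]:.0f}s rss={rss:.0f}MB eta_to_{limit_mb:.0f}MB={eta_text}")
        time.sleep(interval)


if __name__ == "__main__":
    main()
```

Run it against the Squid worker PID during a test window and compare the fitted rate between two configurations rather than a single end-point reading; a flat or negative slope means the cache has settled, while a steady positive slope is the pattern described in the thread.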

On Wed, Apr 26, 2017 at 8:38 AM, Amos Jeffries <squid3 at treenet.co.nz> wrote:

> On 26/04/17 10:53, Yuri Voinov wrote:
>
>> Ok, but how NO_DEFAULT_CA should help with this?
>>
>
> It prevents OpenSSL copying that 1MB into each incoming client connections
> memory. The CAs are only useful there when you have some of the global CAs
> as root for client certificates - in which case you still only want to
> trust the roots you paid for service and not all of them.
>
> Just something to try if there are huge memory issues with TLS/SSL
> proxying. The default behaviour is fixed for Squid-4 with the config
> options changes. But due to being a major surprise for anyone already
> relying on global roots for client certs it remains a problem in 3.5.
>
>
> Amos
>