[squid-users] High memory usage associated with ssl_bump and broken clients

Amos Jeffries squid3 at treenet.co.nz
Sat Sep 9 12:35:53 UTC 2017


On 09/09/17 04:37, Steve Hill wrote:
> 
> I've identified a problem with Squid 3.5.26 using a lot of memory when 
> some broken clients are on the network.  Strictly speaking this isn't 
> really Squid's fault, but it is a denial of service mechanism so I 
> wonder if Squid can help mitigate it.
> 

AFAIK every connection opened or accepted by Squid does have a timeout, 
though some of them are long. The mitigation is probably to reduce 
request_timeout (v2+) or better the request_start_timeout (v4+).


Please bring up your research on squid-dev mailing list so the guys 
working on TLS/SSL and QA can all see it.


You may also need to update the network's congestion control algorithms 
to ones that better handle RST packets.

Amos

