[squid-users] High memory usage associated with ssl_bump and broken clients

Amos Jeffries squid3 at treenet.co.nz
Sat Sep 9 12:35:53 UTC 2017

On 09/09/17 04:37, Steve Hill wrote:
> I've identified a problem with Squid 3.5.26 using a lot of memory when 
> some broken clients are on the network.  Strictly speaking this isn't 
> really Squid's fault, but it is a denial of service mechanism so I 
> wonder if Squid can help mitigate it.

AFAIK every connection opened or accepted by Squid does have a timeout, 
though some of them are long. The mitigation is probably to reduce 
request_timeout (v2+) or, better, the request_start_timeout (v4+).

Please bring up your research on squid-dev mailing list so the guys 
working on TLS/SSL and QA can all see it.

You may also need to update the network's congestion control algorithms 
to ones that better handle RST packets.


