[squid-users] SSLBump, system requirements ?
FredB
fredbmail at free.fr
Tue Mar 20 15:30:16 UTC 2018
Hi all,
I'm testing SSLBump and Squid eats up all my CPU, maybe I made something wrong or maybe some updates are required ? Any advice would be greatly appreciated.
Debian 8.10 64 bits, Squid 3.5.27 + 64 Go ram + SSD + 15 Cores Xeon(R) CPU E5-2637 v2 @ 3.50GHz
FI, I don't see anything about limit reached in kern.log (File descriptor or network)
acl nobump dstdomain "/home/squid/domains" -> Some very used websites (google, fb, etc) otherwise the system dies after less 1 minute
http_port 3128 ssl-bump cert=/etc/squid/ca_orion/cert generate-host-certificates=on dynamic_cert_mem_cache_size=500MB
sslcrtd_program /usr/lib/squid/ssl_crtd -s /usr/lib/squid/ssl_db -M 100MB
sslcrtd_children 2000 startup=100 idle=20
sslproxy_capath /etc/ssl/certs/
sslproxy_foreign_intermediate_certs /etc/squid/ssl_certs/imtermediate.ca.pem
acl step1 at_step SslBump1
ssl_bump peek step1 all
ssl_bump splice nobump
ssl_bump bump all
The sslcrtd_children increases quickly and permanently
root at proxyorion5:/tmp# ps -edf | grep ssl | wc -l
1321
root at proxyorion5:/tmp# ps -edf | grep ssl | wc -l
1341
root at proxyorion5:/tmp# ps -edf | grep ssl | wc -l
1341
root at proxyorion5:/tmp# ps -edf | grep ssl_crt | wc -l
1380
root at proxyorion5:/tmp# ps -edf | grep ssl_crt | wc -l
1381
root at proxyorion5:/tmp# ps -edf | grep ssl_crt | wc -l
1382
root at proxyorion5:/tmp# ps -edf | grep ssl_crt | wc -l
1395
Of course after a while 2000 is reached and the system becomes completely mad, but I already tried 200, 500, 1000, etc
Right after squid start CPU and load average values are very, very, high
top - 16:06:17 up 13 days, 2:46, 3 users, load average: 102,02, 56,67, 30,75
Tasks: 1964 total, 3 running, 1961 sleeping, 0 stopped, 0 zombie
%Cpu(s): 15,3 us, 3,7 sy, 0,0 ni, 80,2 id, 0,4 wa, 0,0 hi, 0,4 si, 0,0 st
KiB Mem: 66086692 total, 52378248 used, 13708444 free, 2899764 buffers
KiB Swap: 1952764 total, 0 used, 1952764 free. 32798948 cached Mem
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
23711 squid 20 0 3438832 2,976g 13784 R 100,0 4,7 6:01.02 squid
23724 squid 20 0 24868 8552 4340 S 3,6 0,0 0:02.46 ssl_crtd
23712 squid 20 0 25132 8896 4428 R 3,0 0,0 0:02.62 ssl_crtd
23714 squid 20 0 24868 8556 4344 S 2,3 0,0 0:02.43 ssl_crtd
23716 squid 20 0 24868 8636 4428 S 2,3 0,0 0:02.26 ssl_crtd
23720 squid 20 0 24868 8612 4400 S 2,3 0,0 0:02.58 ssl_crtd
23771 squid 20 0 24868 8580 4368 S 2,0 0,0 0:01.86 ssl_crtd
23780 squid 20 0 24872 8484 4268 S 2,0 0,0 0:01.86 ssl_crtd
23787 squid 20 0 24868 8612 4404 S 2,0 0,0 0:01.92 ssl_crtd
The same system without SSLBump and e2guardian (web filtering) added (I tried without more or less 10% CPU )
Tasks: 304 total, 2 running, 302 sleeping, 0 stopped, 0 zombie
%Cpu(s): 2,0 us, 1,1 sy, 0,0 ni, 95,9 id, 0,1 wa, 0,0 hi, 0,9 si, 0,0 st
KiB Mem: 66086700 total, 65627952 used, 458748 free, 2652264 buffers
KiB Swap: 1952764 total, 20884 used, 1931880 free. 32639208 cached Mem
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
20389 e2guard+ 20 0 0,122t 1,133g 6144 S 28,6 1,8 191:06.50 e2guardian
20283 squid 20 0 21,761g 0,021t 8128 R 24,2 34,0 145:00.09 squid
101 root 20 0 0 0 0 S 1,3 0,0 19:05.09 kswapd1
100 root 20 0 0 0 0 S 1,0 0,0 22:41.82 kswapd0
8 root 20 0 0 0 0 S 0,7 0,0 68:49.48 rcu_sched
24 root 20 0 0 0 0 S 0,3 0,0 8:37.14 ksoftirqd/3
65 root 20 0 0 0 0 S 0,3 0,0 8:05.02 ksoftirqd/11
929 root 20 0 71928 6984 4716 S 0,3 0,0 17:53.57 syslog-ng
8069 root 20 0 0 0 0 S 0,3 0,0 0:22.35 kworker/0:0
16624 root 20 0 25868 3236 2592 R 0,3 0,0 0:00.19 top
20291 squid 20 0 59504 5228 4568 S 0,3 0,0 0:03.41 digest_
FredB
More information about the squid-users
mailing list