[squid-users] SSLBump, system requirements ?

Amos Jeffries squid3 at treenet.co.nz
Tue Mar 20 16:01:53 UTC 2018


On 21/03/18 04:30, FredB wrote:
> Hi all,
> 
> I'm testing SSLBump and Squid eats up all my CPU, maybe I made something wrong or maybe some updates are required ? Any advice would be greatly appreciated.

Not sure about CPU consumption. AFAIK that is related to traffic loading
on the crypto library, mitigated by whether it is using hardware support
for the intensive math parts.


> 
> Debian 8.10 64 bits, Squid 3.5.27 + 64 GB RAM + SSD + 15 Cores Xeon(R) CPU E5-2637 v2 @ 3.50GHz
> FI, I don't see anything about limit reached in kern.log (File descriptor or network)
> 
> acl nobump dstdomain "/home/squid/domains" -> Some very used websites (google, fb, etc) otherwise the system dies after less than 1 minute
> http_port 3128 ssl-bump cert=/etc/squid/ca_orion/cert generate-host-certificates=on dynamic_cert_mem_cache_size=500MB

Definitely use sslflags=NO_DEFAULT_CA to avoid memory bloat, whether
that is your problem now or not.

> sslcrtd_program /usr/lib/squid/ssl_crtd -s /usr/lib/squid/ssl_db -M 100MB

FYI: 100MB x 2000 helpers is larger than your 64GB. Even just the 100
helpers being initialized on startup is a significant chunk out of memory.


> sslcrtd_children 2000 startup=100 idle=20 
> sslproxy_capath /etc/ssl/certs/
> sslproxy_foreign_intermediate_certs /etc/squid/ssl_certs/imtermediate.ca.pem
> acl step1 at_step SslBump1
> ssl_bump peek step1 all
> ssl_bump splice nobump
> ssl_bump bump all
> 
> The sslcrtd_children increases quickly and permanently
> 
> root at proxyorion5:/tmp# ps -edf | grep ssl | wc -l
> 1321
...
> root at proxyorion5:/tmp# ps -edf | grep ssl_crt | wc -l
> 1395
> 
> Of course after a while 2000 is reached and the system becomes completely mad, but I already tried 200, 500, 1000, etc 
> 


Can you tell how fast (or not) they are responding?
If it is particularly slow you may benefit from the memory-only mode in
the Squid-4 helper (or might not).

Amos
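As an added illustration of the two sizing points raised in the reply (helper count times the `-M` limit versus available RAM, and `sslflags=NO_DEFAULT_CA` on the bumping port), the script below parses the directives quoted in the thread and produces a worst-case memory estimate. It is not part of this thread or of Squid's own tooling. It assumes, as the reply does, that the `-M` size of `sslcrtd_program` is budgeted once per running helper; the sample configuration is constructed from the lines quoted above and is not a complete squid.conf.

```python
import re

# Constructed input for this example: the directives quoted in the thread,
# not a complete squid.conf.
SAMPLE_CONF = """
http_port 3128 ssl-bump cert=/etc/squid/ca_orion/cert generate-host-certificates=on dynamic_cert_mem_cache_size=500MB
sslcrtd_program /usr/lib/squid/ssl_crtd -s /usr/lib/squid/ssl_db -M 100MB
sslcrtd_children 2000 startup=100 idle=20
"""

UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def parse_size(text):
    """Turn a Squid size token such as '100MB' or '500MB' into bytes."""
    m = re.fullmatch(r"(\d+)\s*([KMG]?B)", text.strip(), re.IGNORECASE)
    if not m:
        raise ValueError("unrecognised size: %r" % text)
    return int(m.group(1)) * UNITS[m.group(2).upper()]


def parse_sslbump_conf(conf):
    """Pull the memory-relevant SSL-Bump settings out of squid.conf text."""
    cfg = {"helper_db_limit": 0, "children": 0, "startup": 0, "idle": 0,
           "cert_cache": 0, "bump_ports_without_no_default_ca": []}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        directive = parts[0]
        if directive == "sslcrtd_program":
            # -M <size>: the helper's certificate-DB limit. Assumption taken
            # from the reply: budget it once per running helper.
            for i, p in enumerate(parts):
                if p == "-M" and i + 1 < len(parts):
                    cfg["helper_db_limit"] = parse_size(parts[i + 1])
        elif directive == "sslcrtd_children":
            cfg["children"] = int(parts[1])
            for opt in parts[2:]:
                key, _, val = opt.partition("=")
                if key in ("startup", "idle"):
                    cfg[key] = int(val)
        elif directive in ("http_port", "https_port") and "ssl-bump" in parts:
            opts = dict(p.partition("=")[::2] for p in parts[2:] if "=" in p)
            if "dynamic_cert_mem_cache_size" in opts:
                cfg["cert_cache"] = parse_size(opts["dynamic_cert_mem_cache_size"])
            flags = opts.get("sslflags", "").split(",")
            if "NO_DEFAULT_CA" not in flags:
                cfg["bump_ports_without_no_default_ca"].append(parts[1])
    return cfg


def estimate_memory(conf, ram_bytes):
    """Worst-case helper memory, computed the way the reply does, against RAM."""
    cfg = parse_sslbump_conf(conf)
    startup = cfg["startup"] * cfg["helper_db_limit"]
    worst = cfg["children"] * cfg["helper_db_limit"] + cfg["cert_cache"]
    warnings = []
    if worst > ram_bytes:
        warnings.append("sslcrtd_children x -M (%d GB) exceeds RAM (%d GB)"
                        % (worst // UNITS["GB"], ram_bytes // UNITS["GB"]))
    for port in cfg["bump_ports_without_no_default_ca"]:
        warnings.append("port %s: add sslflags=NO_DEFAULT_CA to avoid the "
                        "memory bloat of loading the default CA set" % port)
    return {"startup_bytes": startup, "worst_case_bytes": worst,
            "fits_in_ram": worst <= ram_bytes, "warnings": warnings,
            "config": cfg}


if __name__ == "__main__":
    report = estimate_memory(SAMPLE_CONF, ram_bytes=64 * UNITS["GB"])
    print("startup helpers: %d GB" % (report["startup_bytes"] // UNITS["GB"]))
    print("worst case:      %d GB" % (report["worst_case_bytes"] // UNITS["GB"]))
    for w in report["warnings"]:
        print("WARNING:", w)
```

Run against the quoted configuration it reports roughly 195 GB worst case for 2000 helpers on a 64 GB host and flags the missing `sslflags=NO_DEFAULT_CA`; the same script can be re-run after lowering `sslcrtd_children` or `-M` to see when the estimate drops under the installed RAM.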

