[squid-users] security_file_certgen I/O

Jason Spashett jason.spashett at menlosecurity.com
Wed Dec 1 18:55:21 UTC 2021


On Wed, 1 Dec 2021 at 18:29, Alex Rousskov
<rousskov at measurement-factory.com> wrote:
>
> On 12/1/21 12:06 PM, David Touzeau wrote:
> >
> > Hi
> >
> > We used Squid 5.2 and we see that security_file_certgen consumes I/O
> > Is there any way to put the ssldb in memory without need to mount a tmpfs?
>
> Yes, there are at least two other ways to reduce disk I/O related to
> certificate generation:
>
> 1) Tell the official certificate generator helper not to cache the
> generated certificates. See sslcrtd_program documentation for details.
>
> 2) Write your own certificate generator helper.
>
> Alex.

We have found that the certificate helpers perform strictly worse with
the disk cache turned on, over approximately 3 processes. It is
something to which perhaps one day, with luck, we may be able to
contribute. The problems are the way in which the disk cache
is stored and accessed.

I do have a large spreadsheet with some performance results, which (at
some point) I do plan to share.

I feel it's likely that the process of generating the certificates
could, or should, be separate from their caching on disk (or in
memory). Currently the helper does both, and the disk caching does
seem detrimental in a multi-process setting.
Another reason for separating these concerns is that some people may
wish to use HSM facilities (Hardware Security Module), and so it may
make sense to separate out the caching, in light of the
consideration that the HSM interface may vary widely, and require a
specific HSM helper type for each HSM.
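
Option 1 from Alex's reply, as an added squid.conf fragment that is not from the thread: per the sslcrtd_program documentation, the helper uses its disk cache only when -s and -M are given. The helper and ssl_db paths below are assumed and depend on the installation.

```conf
# Default-style setup: the helper keeps a disk cache of generated
# certificates (-s = cache directory, -M = maximum cache size).
# Paths are assumed; adjust to the local install.
# sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# No disk cache: with -s and -M omitted, the helper generates a new
# certificate on every request and has no ssl_db directory to read or write.
sslcrtd_program /usr/lib/squid/security_file_certgen
```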

