[squid-users] Squid ssl_bump configuration optimized for highest CPS?

Andralojc, Wojciech wojciech.andralojc at intel.com
Thu Nov 10 16:38:17 UTC 2022


Hi,

I'm running squid v4.13 in TLS bump mode.
I'm trying to configure it to get the highest (single core) CPS (new TLS sessions/connections per second) numbers.

I run multiple s_time tests on the client side and "plain" nginx on the server side.

Example s_time command line:
openssl s_time -connect server:443 -new -cipher AES128-GCM-SHA256 -time 30 -CAfile /opt/proxy_rootCA.pem -tls1_2

Could you please review the config below and suggest changes to improve performance?

Assumptions:

  *   SSL bump/transparent SSL proxy;
  *   single core performance;
  *   caching disabled;
  *   persistent connections disabled;
  *   no logs;

Best wishes
Wojciech Andralojc

---

acl localnet src 10.0.8.0/24

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access allow localhost manager
http_access deny manager

http_access allow localnet
http_access allow localhost

http_access allow all

# Squid normally listens to port 3128
http_port 3128
http_port 3129 intercept
ssl_bump server-first all
https_port 3130 intercept ssl-bump cert=/etc/ssl/certs//rootCA.pem generate-host-certificates=on

# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
dns_nameservers 127.0.0.1
visible_hostname "proxy"
tls_outgoing_options cafile=/etc/ssl/certs//nginx.pem
access_log none
cache_store_log none
cache_log /dev/null
workers 1
cache deny all
cache_mem 0
server_persistent_connections off
client_persistent_connections off
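The same single-worker, bump-everything setup written as an added example (not the poster's config and not a Squid project file) using Squid 4's step-based ssl_bump actions, a closed default http_access policy, and an explicit certificate-generation helper; the file paths, cache sizes and helper path are assumptions:

```conf
# Added example, not the original poster's configuration. Paths and sizes are assumed.
acl localnet src 10.0.8.0/24
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
# Close the default instead of "allow all": an intercepting proxy that ends with
# "allow all" is usable as an open proxy by anyone who can reach port 3128.
http_access deny all

http_port 3128
http_port 3129 intercept
# tls-cert/tls-key: the CA that signs generated host certificates (assumed paths).
# The in-memory certificate cache is what keeps repeat hosts off the signing path.
https_port 3130 intercept ssl-bump tls-cert=/etc/squid/rootCA.pem tls-key=/etc/squid/rootCA.key generate-host-certificates=on dynamic_cert_mem_cache_size=16MB

# Step-based bumping replaces the deprecated "server-first" action: peek at the
# client hello in step 1 so the server name is known, then bump the connection.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Helper that generates and caches host certificates; a cache miss costs one
# private-key signature, so for a CPS test every new host name is a miss.
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 16MB
sslcrtd_children 5

# Trust anchor for the upstream (nginx) server certificate.
tls_outgoing_options cafile=/etc/ssl/certs/nginx.pem

workers 1
cache deny all
cache_mem 0
server_persistent_connections off
client_persistent_connections off
access_log none
cache_store_log none
cache_log /dev/null
```

With persistent connections off, each client connection costs a full client-side and server-side TLS handshake, so the s_time numbers measure two handshakes plus any certificate generation per connection.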