<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>FInally,</p>
<p>just take a look:</p>
<p><img src="cid:part1.E267154C.C00AB1C9@gmail.com" alt=""></p>
<p>This is SSL Bump-aware setup. Seems no memory leaks, yes? Normal
memory distribution.</p>
<p>Let's see on overall OS memory:</p>
<p><img src="cid:part2.BCE88CE9.DB12402D@gmail.com" alt=""></p>
No leaks.<br>
<br>
<div class="moz-cite-prefix">13.03.2018 23:44, Yuri пишет:<br>
</div>
<blockquote type="cite"
cite="mid:f6a85fc5-50a3-9372-b487-72d8d42122fe@gmail.com">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<p>AFAIK, <br>
</p>
<p>SSL bump subsystem uses OpenSSL memory routines. So, first of
all, most probably leaks (if any) can be OpenSSL-related, but
not squid itself.<br>
</p>
Now let's see your config snippets.<br>
<br>
<div class="moz-cite-prefix">13.03.2018 23:00, Aaron Turner пишет:<br>
</div>
<blockquote type="cite"
cite="mid:CANAZdzUsamD-_P2gB9oQEbjR=Y0XEK0mnKUdYgjXtRGAxnPQUQ@mail.gmail.com">
<pre wrap="">"Usually misconfiguration leads to memory overhead."
This may be true, but if you look in the list archives a few months
ago I basically chased my tail in circles and nobody could tell me
what I was doing wrong and so many of the docs are so old that they're
worse then useless, they seem to suggest the wrong thing.
It was literally leaking GB's worth of RAM. I even disabled all
caching and process sizes were growing into the GB's. Turn off
ssl-bump and the leak went away.
This is what I was using:
http_port 10.0.0.1:3128 ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=400MB cert=/etc/squid/ssl_cert/myCA.pem
sslflags=NO_DEFAULT_CA
http_port localhost:3128
ssl_bump bump all</pre>
</blockquote>
bump all is useless without peek/splice. <br>
<br>
Let's see on my config snippets:<br>
<br>
https_port 3127 intercept ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=10MB
cert=/usr/local/squid/etc/rootCA2.crt
key=/usr/local/squid/etc/rootCA2.key
tls-cafile=/usr/local/squid/etc/rootCA12.crt
options=SINGLE_DH_USE:SINGLE_ECDH_USE
tls-dh=secp384r1:/usr/local/squid/etc/dhparam.pem
cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
tls-no-npn sslflags=NO_DEFAULT_CA:VERIFY_CRL_ALL<br>
http_port 3128 ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=10MB
cert=/usr/local/squid/etc/rootCA2.crt
key=/usr/local/squid/etc/rootCA2.key
tls-cafile=/usr/local/squid/etc/rootCA12.crt
options=SINGLE_DH_USE:SINGLE_ECDH_USE
tls-dh=secp384r1:/usr/local/squid/etc/dhparam.pem
cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
tls-no-npn sslflags=NO_DEFAULT_CA:VERIFY_CRL_ALL<br>
tls_outgoing_options cafile=/usr/local/squid/etc/ca-bundle.crt
cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS<br>
# Cert database on ramdisk<br>
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s
/ramdisk1/ssl_db -M 1GB<br>
sslcrtd_children 32 startup=10 idle=5<br>
<br>
# SSL bump rules<br>
acl DiscoverSNIHost at_step SslBump1<br>
acl NoSSLIntercept ssl::server_name_regex
"/usr/local/squid/etc/acl.url.nobump"<br>
ssl_bump peek DiscoverSNIHost<br>
ssl_bump splice NoSSLIntercept<br>
ssl_bump bump all<br>
<br>
<blockquote type="cite"
cite="mid:CANAZdzUsamD-_P2gB9oQEbjR=Y0XEK0mnKUdYgjXtRGAxnPQUQ@mail.gmail.com">
<pre wrap="">
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 32 startup=2 idle=2</pre>
</blockquote>
This is defaults. Pay attention, -M is limits use ssl_db directory
to 4 Mb in size. It's too few for production servers. My ramdisk
for ssl db is 1+ Gb in size:<br>
<br>
/dev/ramdisk/ramdisk1 961M 14M 890M 2%
/ramdisk1/ssl_db<br>
<br>
<blockquote type="cite"
cite="mid:CANAZdzUsamD-_P2gB9oQEbjR=Y0XEK0mnKUdYgjXtRGAxnPQUQ@mail.gmail.com">
<pre wrap="">sslproxy_session_cache_size 100 MB</pre>
</blockquote>
This is disbalanced size instead of previous setting. Why so big?<br>
<br>
# TAG: sslproxy_session_cache_size<br>
# Sets the cache size to use for ssl session<br>
#Default:<br>
# sslproxy_session_cache_size 2 MB<br>
<br>
<blockquote type="cite"
cite="mid:CANAZdzUsamD-_P2gB9oQEbjR=Y0XEK0mnKUdYgjXtRGAxnPQUQ@mail.gmail.com">
<pre wrap="">sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER</pre>
</blockquote>
<b>NEVER use this options. It is unsafe.<br>
<br>
SSL Bump is dangerous enough itself. Don't do it more unsafe
additionally by yourself.<br>
</b>
<blockquote type="cite"
cite="mid:CANAZdzUsamD-_P2gB9oQEbjR=Y0XEK0mnKUdYgjXtRGAxnPQUQ@mail.gmail.com">
<pre wrap="">
This was on a machine (EC2 VM) with 14GB of RAM.</pre>
</blockquote>
Pay attention on several places:<br>
<br>
1. OS memory allocator.<br>
2. OpenSSL version.<br>
3. OS configuration (IPC, shared memory, swap - all memory
related).<br>
4. Squid's memory/pools configuration.<br>
<br>
Don't forget about: Often memory fragmentation seems like leaks.
But no leaks occurs indeed.<br>
<br>
Also, don't forget - squid's memory consumption is not only
cache_mem, but also caching on-disk metadata (swap.state), pools
settings, working memory areas, processes memory. And - also -
such things like content adaptation (did you know wide uses ecap
gzip adapter is leaky itself?).<br>
<br>
But this is just for example.<br>
<br>
In any case, dig to the OpenSSL/OS side. Squid's memory in most
cases is ok.<br>
<br>
I know, this appears SSL Bump is leaky. But this is not correct. <br>
<blockquote type="cite"
cite="mid:CANAZdzUsamD-_P2gB9oQEbjR=Y0XEK0mnKUdYgjXtRGAxnPQUQ@mail.gmail.com">
<pre wrap="">
--
Aaron Turner
<a class="moz-txt-link-freetext" href="https://synfin.net/" moz-do-not-send="true">https://synfin.net/</a> Twitter: @synfinatic
My father once told me that respect for the truth comes close to being
the basis for all morality. "Something cannot emerge from nothing,"
he said. This is profound thinking if you understand how unstable
"the truth" can be. -- Frank Herbert, Dune
On Tue, Mar 13, 2018 at 9:47 AM, Yuri <a class="moz-txt-link-rfc2396E" href="mailto:yvoinov@gmail.com" moz-do-not-send="true"><yvoinov@gmail.com></a> wrote:
</pre>
<blockquote type="cite">
<pre wrap="">I've used it on all versions starting from 3.4.
Now I'm using Squid 5.0.0.
I'm afraid, my config is completely useless, because of it contains tons
of optimizations/tweaks/tricks and designed for customized Squid 5.0.0,
with different memory allocator for custom infrastructure.
You can't just take my config, implement it and hope it will give same
results for you.
At least, it uses non-system CA bundle, platform-specific configuration
parameters combinations, etc.
I can say, than SSL Bump is not directly related to memory leaks. Squid
itself almost not contains memory leaks now. Usually misconfiguration
leads to memory overhead.
As a recommendation, I can give some advices.
1. Use server with enough RAM. 4 Gb usually enough just for default
squid configuration. Usually whole system RAM usage should never be
bigger than 1/2 of overall physical RAM. (I.e. at least 1/3 of RAM
should always be free during normal running. This prevents OS allocator
pressure to your proxy and, also, increasing performance of proxy). In
case of medium proxy server 16 Gb of RAM seems big enough, but never try
to fill it up completely.
2. Don't set giant cache_mem. Remember how you platform allocates whole
RAM - kernel, anon pages, fs caches, etc. - and use reasonable squid's
memory-related settings.
3. Use sslflags=NO_DEFAULT_CA with your SSL Bump ports.
4. Never remember - SSL Bump increases your cache memory pressure due to
increasing caching. So, you still require to have enough memory in your
system.
13.03.2018 22:25, Aaron Turner пишет:
</pre>
<blockquote type="cite">
<pre wrap="">What version are you using Yuri? Can you share your config?
Everytime I use ssl bump, I have massive memory leaks. It's been
effectively unusable for me.
--
Aaron Turner
<a class="moz-txt-link-freetext" href="https://synfin.net/" moz-do-not-send="true">https://synfin.net/</a> Twitter: @synfinatic
My father once told me that respect for the truth comes close to being
the basis for all morality. "Something cannot emerge from nothing,"
he said. This is profound thinking if you understand how unstable
"the truth" can be. -- Frank Herbert, Dune
On Tue, Mar 13, 2018 at 9:10 AM, Yuri <a class="moz-txt-link-rfc2396E" href="mailto:yvoinov@gmail.com" moz-do-not-send="true"><yvoinov@gmail.com></a> wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Moreover,
SSL Bump combines with interception/explicit proxy in one setup.
And works perfectly.
13.03.2018 21:14, Marcus Kool пишет:
</pre>
<blockquote type="cite">
<pre wrap="">"SSL bump" is the name of a complex Squid feature.
With ssl_bump ACLs one can decide which domains can be 'spliced' (go
through the proxy untouched) or can be 'bumped' (decrypted).
Interception is not a requirement for SSL bump.
Marcus
On 13/03/18 11:44, Danilo V wrote:
</pre>
<blockquote type="cite">
<pre wrap="">I mean SSL bump in explicit mode.
So intercept is a essencial requirement for running SSL bump?
Em ter, 13 de mar de 2018 às 11:10, Matus UHLAR - fantomas
<<a class="moz-txt-link-abbreviated" href="mailto:uhlar@fantomas.sk" moz-do-not-send="true">uhlar@fantomas.sk</a> <a class="moz-txt-link-rfc2396E" href="mailto:uhlar@fantomas.sk" moz-do-not-send="true"><mailto:uhlar@fantomas.sk></a>> escreveu:
On 13.03.18 13:44, Danilo V wrote:
>Is it possible/feasible to configure squid in explicit mode
with ssl
>intercept?
explicit is not intercept, intercept is not explicit.
explicit is where browser is configured (manually or
automatically via WPAD)
to use the proxy.
intercept is where network device forcifully redirects http/https
connections
to the proxy.
maybe you mean SSL bump in explicit mode?
>Due to architecture of my network it is not possible to implement
>transparent proxy.
excuse me?
by "transparent" people mean what we usually call "intercept".
>What would be the behavior of applications that dont support
proxy - i.e.
>dont forward requests to proxy?
they mest be intercepted.
--
Matus UHLAR - fantomas, <a class="moz-txt-link-abbreviated" href="mailto:uhlar@fantomas.sk" moz-do-not-send="true">uhlar@fantomas.sk</a>
<a class="moz-txt-link-rfc2396E" href="mailto:uhlar@fantomas.sk" moz-do-not-send="true"><mailto:uhlar@fantomas.sk></a> ; <a class="moz-txt-link-freetext" href="http://www.fantomas.sk/" moz-do-not-send="true">http://www.fantomas.sk/</a>
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Micro$oft random number generator: 0, 0, 0, 4.33e+67, 0, 0, 0...
_______________________________________________
squid-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org" moz-do-not-send="true">squid-users@lists.squid-cache.org</a>
<a class="moz-txt-link-rfc2396E" href="mailto:squid-users@lists.squid-cache.org" moz-do-not-send="true"><mailto:squid-users@lists.squid-cache.org></a>
<a class="moz-txt-link-freetext" href="http://lists.squid-cache.org/listinfo/squid-users" moz-do-not-send="true">http://lists.squid-cache.org/listinfo/squid-users</a>
_______________________________________________
squid-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org" moz-do-not-send="true">squid-users@lists.squid-cache.org</a>
<a class="moz-txt-link-freetext" href="http://lists.squid-cache.org/listinfo/squid-users" moz-do-not-send="true">http://lists.squid-cache.org/listinfo/squid-users</a>
</pre>
</blockquote>
<pre wrap="">_______________________________________________
squid-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org" moz-do-not-send="true">squid-users@lists.squid-cache.org</a>
<a class="moz-txt-link-freetext" href="http://lists.squid-cache.org/listinfo/squid-users" moz-do-not-send="true">http://lists.squid-cache.org/listinfo/squid-users</a>
</pre>
</blockquote>
<pre wrap="">--
"C++ seems like a language suitable for firing other people's legs."
*****************************
* C++20 : Bug to the future *
*****************************
_______________________________________________
squid-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org" moz-do-not-send="true">squid-users@lists.squid-cache.org</a>
<a class="moz-txt-link-freetext" href="http://lists.squid-cache.org/listinfo/squid-users" moz-do-not-send="true">http://lists.squid-cache.org/listinfo/squid-users</a>
</pre>
</blockquote>
</blockquote>
<pre wrap="">--
"C++ seems like a language suitable for firing other people's legs."
*****************************
* C++20 : Bug to the future *
*****************************
</pre>
</blockquote>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
"C++ seems like a language suitable for firing other people's legs."
*****************************
* C++20 : Bug to the future *
*****************************</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
"C++ seems like a language suitable for firing other people's legs."
*****************************
* C++20 : Bug to the future *
*****************************</pre>
</body>
</html>