<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Forgot about:</p>
<p>My server is <span id="result_box" class="" lang="en"><span
class="">relatively modest (more resources just do not need
:))</span></span></p>
<p><span id="result_box" class="" lang="en"><span class="">Just 8
cores (Xeon 2.3 GHz), 16 Gb RAM, SAS HDD's 10k RPM (~300 Gb in
RAID-10) :)<br>
</span></span></p>
<p><span id="result_box" class="" lang="en"><span class="">Overall
CPU usage is ~3% (with SSL Bump). And half of RAM is free :)<br>
</span></span></p>
<br>
<div class="moz-cite-prefix">20.03.2018 23:14, Yuri пишет:<br>
</div>
<blockquote type="cite"
cite="mid:ff82b209-4ec0-5e33-b2bd-2673b25a2bdd@gmail.com">
<pre wrap="">
20.03.2018 23:10, Yuri пишет:
</pre>
<blockquote type="cite">
<pre wrap="">
20.03.2018 23:03, FredB пишет:
</pre>
<blockquote type="cite">
<pre wrap="">Hi Yuri,
200 mbits, more or less 1000/2000 simultaneous users
I increase children value, because the limit is reached very quickly
</pre>
</blockquote>
<pre wrap="">Because of SSL processing to slow. Investigate, why. Simple increasing
number of children exghausting your RAM.
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">and only 100 MB on disk?
</pre>
</blockquote>
<pre wrap="">100 MB by process, no ? I think I should reduce this value and rather increase the max of children
</pre>
</blockquote>
<pre wrap="">No. This is overall fs limit to store.
</pre>
</blockquote>
<pre wrap="">Look on my relatively big server (Squid 5.0) config snippet:
https_port 3127 intercept ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=10MB cert=/usr/local/squid/etc/rootCA2.crt
key=/usr/local/squid/etc/rootCA2.key
tls-cafile=/usr/local/squid/etc/rootCA12.crt
options=SINGLE_DH_USE:SINGLE_ECDH_USE
tls-dh=secp384r1:/usr/local/squid/etc/dhparam.pem
cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
tls-no-npn sslflags=NO_DEFAULT_CA:VERIFY_CRL_ALL
http_port 3128 ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=10MB cert=/usr/local/squid/etc/rootCA2.crt
key=/usr/local/squid/etc/rootCA2.key
tls-cafile=/usr/local/squid/etc/rootCA12.crt
options=SINGLE_DH_USE:SINGLE_ECDH_USE
tls-dh=secp384r1:/usr/local/squid/etc/dhparam.pem
cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
tls-no-npn sslflags=NO_DEFAULT_CA:VERIFY_CRL_ALL
tls_outgoing_options cafile=/usr/local/squid/etc/ca-bundle.crt
cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
# Cert database on ramdisk
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s
/ramdisk1/ssl_db -M 1GB
sslcrtd_children 32 startup=10 idle=5
Pay attention - I've put SSL db on RAM disk. :)
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">Maybe such load is just impossible because I reached a limit with a single core
</pre>
</blockquote>
<pre wrap="">Hardly. SSL helper children should spread across cores by OS scheduler.
</pre>
<blockquote type="cite">
<pre wrap="">Perhaps I should retry SMP but unfortunately in the past I had many issues with, and some features I'm using still SMP-unaware
</pre>
</blockquote>
<pre wrap="">Squid's SMP itself does not solves SSL Bump issues. It's about different
things, and, IMHO, irrelevant your load profile.
</pre>
<blockquote type="cite">
<pre wrap="">_______________________________________________
squid-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a>
<a class="moz-txt-link-freetext" href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</a>
</pre>
</blockquote>
</blockquote>
<pre wrap="">
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
"C++ seems like a language suitable for firing other people's legs."
*****************************
* C++20 : Bug to the future *
*****************************</pre>
</body>
</html>