[squid-users] High CPU Usage with ssl_bump
Amos Jeffries
squid3 at treenet.co.nz
Thu Apr 21 13:34:05 UTC 2016
On 22/04/2016 1:18 a.m., Odhiambo Washington wrote:
> Is is expected that using ssl_bump results into high CPU usage all the
> time?
>
Encryption adds CPU overhead, but how much depends on what your normal
use was. I dont think any of us have a good rule-of-thumb or educated
guess yet because Squid code has been changing so much.
If its worrying you, I suggest trying your favourite profiling tools out
and see if anything useful shows up.
> This is squid-3.5.17
>
> That is what I am seeing:
>
> last pid: 26673; load averages: 2.24, 2.00, 2.10
>
> up 0+03:47:56 16:08:30
> 160 processes: 2 running, 157 sleeping, 1 zombie
> CPU: 86.1% user, 0.0% nice, 7.8% system, 3.3% interrupt, 2.7% idle
> Mem: 843M Active, 1942M Inact, 185M Wired, 43M Cache, 89M Buf, 97M Free
> Swap: 5900M Total, 1248K Used, 5899M Free
>
> PID USERNAME THR PRI NICE SIZE RES STATE C TIME WCPU
> COMMAND
> 13309 squid 17 20 0 305M 264M uwait 0 7:38 80.86%
> squid
> 26088 squid 1 21 0 12812K 5352K sbwait 1 0:04 2.49%
> ssl_crtd
> 26090 squid 1 20 0 12812K 5272K sbwait 1 0:01 0.88%
> ssl_crtd
>
>
> My config has:
>
>
>
> acl no_ssl_interception ssl::server_name
> "/usr/local/etc/squid/ssl_bump_broken_sites.txt"
> ssl_bump splice no_ssl_interception
> ssl_bump peek step1
> ssl_bump stare step2
> #ssl_bump bump all
> #ssl_bump splice all
>
> I think I read somewhere that 'ssl_bump splice all" is the default
> behaviour, hence why I have commented it out. All I need is just become a
> TCP tunnel without decrypting proxied traffic.
I wouldn't rely on the default for things like this. Squid makes a
*guess* based on what data it has to work with on a per-connection
basis. There is no extra cost to having it configured, Squid has to
check the whole set anyway.
Amos
More information about the squid-users
mailing list