[squid-users] High CPU Usage with ssl_bump

Amos Jeffries squid3 at treenet.co.nz
Thu Apr 21 13:34:05 UTC 2016


On 22/04/2016 1:18 a.m., Odhiambo Washington wrote:
> Is is expected that  using ssl_bump results into high CPU usage all the
> time?
> 

Encryption adds CPU overhead, but how much depends on what your normal
use was. I dont think any of us have a good rule-of-thumb or educated
guess yet because Squid code has been changing so much.

If its worrying you, I suggest trying your favourite profiling tools out
and see if anything useful shows up.


> This is squid-3.5.17
> 
> That is what I am seeing:
> 
> last pid: 26673;  load averages:  2.24,  2.00,  2.10
> 
>               up 0+03:47:56  16:08:30
> 160 processes: 2 running, 157 sleeping, 1 zombie
> CPU: 86.1% user,  0.0% nice,  7.8% system,  3.3% interrupt,  2.7% idle
> Mem: 843M Active, 1942M Inact, 185M Wired, 43M Cache, 89M Buf, 97M Free
> Swap: 5900M Total, 1248K Used, 5899M Free
> 
>   PID USERNAME       THR PRI NICE   SIZE    RES STATE   C   TIME    WCPU
> COMMAND
> 13309 squid           17  20    0   305M   264M uwait   0   7:38  80.86%
> squid
> 26088 squid            1  21    0 12812K  5352K sbwait  1   0:04   2.49%
> ssl_crtd
> 26090 squid            1  20    0 12812K  5272K sbwait  1   0:01   0.88%
> ssl_crtd
> 
> 
> My config has:
> 
> 
> 
> acl no_ssl_interception ssl::server_name
> "/usr/local/etc/squid/ssl_bump_broken_sites.txt"
> ssl_bump splice no_ssl_interception
> ssl_bump peek step1
> ssl_bump stare step2
> #ssl_bump bump all
> #ssl_bump splice all
> 
> I think I read somewhere that 'ssl_bump splice all" is the default
> behaviour, hence why I have commented it out. All I need is just become a
> TCP tunnel without decrypting proxied traffic.

I wouldn't rely on the default for things like this. Squid makes a
*guess* based on what data it has to work with on a per-connection
basis. There is no extra cost to having it configured, Squid has to
check the whole set anyway.

Amos



More information about the squid-users mailing list