[squid-users] High CPU Usage with ssl_bump

Odhiambo Washington odhiambo at gmail.com
Thu Apr 21 13:43:35 UTC 2016 

I will put the splice explicitly and observe.

Without ssl_bump I never saw such cpu usage with squid.

However, lemme watch and also listen to feedback..


On 21 April 2016 at 16:34, Amos Jeffries <squid3 at treenet.co.nz> wrote:

> On 22/04/2016 1:18 a.m., Odhiambo Washington wrote:
> > Is is expected that  using ssl_bump results into high CPU usage all the
> > time?
> >
>
> Encryption adds CPU overhead, but how much depends on what your normal
> use was. I dont think any of us have a good rule-of-thumb or educated
> guess yet because Squid code has been changing so much.
>
> If its worrying you, I suggest trying your favourite profiling tools out
> and see if anything useful shows up.
>
>
> > This is squid-3.5.17
> >
> > That is what I am seeing:
> >
> > last pid: 26673;  load averages:  2.24,  2.00,  2.10
> >
> >               up 0+03:47:56  16:08:30
> > 160 processes: 2 running, 157 sleeping, 1 zombie
> > CPU: 86.1% user,  0.0% nice,  7.8% system,  3.3% interrupt,  2.7% idle
> > Mem: 843M Active, 1942M Inact, 185M Wired, 43M Cache, 89M Buf, 97M Free
> > Swap: 5900M Total, 1248K Used, 5899M Free
> >
> >   PID USERNAME       THR PRI NICE   SIZE    RES STATE   C   TIME    WCPU
> > COMMAND
> > 13309 squid           17  20    0   305M   264M uwait   0   7:38  80.86%
> > squid
> > 26088 squid            1  21    0 12812K  5352K sbwait  1   0:04   2.49%
> > ssl_crtd
> > 26090 squid            1  20    0 12812K  5272K sbwait  1   0:01   0.88%
> > ssl_crtd
> >
> >
> > My config has:
> >
> >
> >
> > acl no_ssl_interception ssl::server_name
> > "/usr/local/etc/squid/ssl_bump_broken_sites.txt"
> > ssl_bump splice no_ssl_interception
> > ssl_bump peek step1
> > ssl_bump stare step2
> > #ssl_bump bump all
> > #ssl_bump splice all
> >
> > I think I read somewhere that 'ssl_bump splice all" is the default
> > behaviour, hence why I have commented it out. All I need is just become a
> > TCP tunnel without decrypting proxied traffic.
>
> I wouldn't rely on the default for things like this. Squid makes a
> *guess* based on what data it has to work with on a per-connection
> basis. There is no extra cost to having it configured, Squid has to
> check the whole set anyway.
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>



-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160421/b07d4007/attachment.html>

More information about the squid-users mailing list