[squid-users] High CPU Usage with ssl_bump

[Odhiambo Washington]

On 21 April 2016 at 16:48, Alex Rousskov <rousskov at measurement-factory.com>
wrote:

> On 04/21/2016 07:18 AM, Odhiambo Washington wrote:
> > Is is expected that  using ssl_bump results into high CPU usage all the
> > time?
>
> Your question is impossible to answer in general: The CPU usage levels
> depend on the amount of Squid traffic, the portion of SSL traffic in the
> overall traffic mix, the portion of step1, step2, and step3 traffic in
> the SSL traffic mix, hardware resources available to Squid, the number
> of Squid workers, and many other factors.
>
> > acl no_ssl_interception ssl::server_name ...
> > ssl_bump splice no_ssl_interception
> > ssl_bump peek step1
> > ssl_bump stare step2
>
> The above config continues to violate the specific advice given to you
> previously:
> *Do not mix "peek" and "stare" unless you have a very specific need for
> doing so.*
>

I have noted that instruction. It was actually an oversight caused by slow
understanding of the terminologies.
Once I have changed to what you advised before, the CPU usage has gone down
considerably:


acl no_ssl_interception ssl::server_name
"/usr/local/etc/squid/ssl_bump_broken_sites.txt"
ssl_bump splice no_ssl_interception
ssl_bump stare step2
#ssl_bump bump all
ssl_bump splice all

So basically I should just have two options, I think, no?? Like

ssl_bump stare step2
ssl_bump splice all

If one day, for some reason I want to bump, then I could change to:

acl no_ssl_interception ssl::server_name
"/usr/local/etc/squid/ssl_bump_broken_sites.txt"
ssl_bump splice no_ssl_interception
ssl_bump stare step2
ssl_bump bump all


Thank you so much Alex.


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160421/71801506/attachment.html>