[squid-users] High CPU Usage with ssl_bump

Odhiambo Washington odhiambo at gmail.com
Thu Apr 21 18:20:51 UTC 2016


Hi Alex,

I have now changed to *configurations suggested specifically for your use
case, on this email thread* :)



acl no_ssl_interception ssl::server_name "/usr/local/etc/squid/ssl_bump_broken_sites.txt"
ssl_bump splice no_ssl_interception
ssl_bump stare all
ssl_bump bump all

Now, suppose, as I think in my mind, bumping isn't really what I need, can
I just comment out 'ssl_bump bump all'  and sit easy or should I switch to
ssl_bump splice all ??

I am sorry for my confusion...I think I have been on this way too long that
my small brain has reached /etc (saturation point).

Thank you once again.



On 21 April 2016 at 21:06, Alex Rousskov <rousskov at measurement-factory.com>
wrote:

> On 04/21/2016 08:12 AM, Odhiambo Washington wrote:
>
> > acl no_ssl_interception ssl::server_name ...
> > ssl_bump splice no_ssl_interception
> > ssl_bump stare step2
> > ssl_bump splice all
>
> You are mixing splice and stare now. There are two groups of actions:
>
> * peek and then splice
> * stare and then bump
>
> Do not mix actions from different groups together unless you know what
> you are doing.
>
>
> > So basically I should just have two options, I think, no?? Like
> >
> > ssl_bump stare step2
> > ssl_bump splice all
>
> Two bugs in this config:
>
> 1. It will splice everything during step #1. It is equivalent to:
>
>    ssl_bump splice all
>
>
> 2. To quote the wiki page:
>
> stare (step2): Receive server certificate while preserving the
> possibility of bumping the connection. Staring at the server certificate
> usually precludes future splicing of the connection.
>
> squid.conf.documented has very similar text as well.
>
> You are telling Squid to splice do exactly what the documentation tells
> you is not usually possible.
>
>
> I can understand that it may be difficult to find and interpret
> documentation correctly. I can understand that it is difficult to
> evaluate a given configuration correctly. What I cannot understand is
> why you are not starting with configurations suggested specifically for
> your use case, on this email thread.
>
>
> > If one day, for some reason I want to bump, then I could change to:
> >
> > ssl_bump splice no_ssl_interception
> > ssl_bump stare step2
> > ssl_bump bump all
>
> Similar to #1 above, this will bump all connections not matching the
> [misnamed] no_ssl_interception during step1.
>
> The first matching action wins. During step1, that action is "bump" from
> your last rule if no_ssl_interception does not match.
>
>
> HTH,
>
> Alex.
>
>


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
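To make Alex's two points concrete (rules are evaluated afresh at each SslBump step and the first matching rule wins, and peek/splice should not be crossed with stare/bump), here is a toy model of that evaluation order. It is an added example, not code from the thread or from Squid itself: it covers steps 1 and 2 only, treats peek/stare as "continue to the next step" and splice/bump/terminate as final, assumes `step1`/`step2` are the usual `at_step` ACL names, and assigns no default when nothing matches. The three rule sets embedded below are the ones discussed in the thread.

```python
"""Toy model of Squid ssl_bump rule ordering (illustrative, not Squid's code)."""
from dataclasses import dataclass

FINAL_ACTIONS = {"splice", "bump", "terminate"}
CONTINUE_ACTIONS = {"peek", "stare"}
PEEK_GROUP = {"peek", "splice"}   # "peek and then splice"
STARE_GROUP = {"stare", "bump"}   # "stare and then bump"


@dataclass(frozen=True)
class Rule:
    action: str
    acl: str  # "all", "step1"/"step2" (assumed at_step ACL names) or a named ACL


def parse_rules(conf_text):
    """Parse `ssl_bump <action> <acl>` lines; every other line is ignored."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("ssl_bump"):
            continue
        parts = line.split()
        if len(parts) != 3 or parts[1] not in FINAL_ACTIONS | CONTINUE_ACTIONS:
            raise ValueError(f"unsupported ssl_bump line: {raw!r}")
        rules.append(Rule(parts[1], parts[2]))
    return rules


def evaluate(rules, matching_acls=(), max_step=2):
    """Return [(step, matched Rule or None)] for one connection.

    matching_acls lists the named ACLs (e.g. "no_ssl_interception") that are
    true for this connection; "all" and the current step's ACL are always
    true. Evaluation stops at the first final action or when nothing matches.
    """
    trace = []
    for step in range(1, max_step + 1):
        true_acls = set(matching_acls) | {"all", f"step{step}"}
        hit = next((r for r in rules if r.acl in true_acls), None)  # first match wins
        trace.append((step, hit))
        if hit is None or hit.action in FINAL_ACTIONS:
            break
    return trace


def outcome(trace):
    """Final action, "no-match", or "pending-after-stepN" if still continuing."""
    step, hit = trace[-1]
    if hit is None:
        return "no-match"
    if hit.action in FINAL_ACTIONS:
        return hit.action
    return f"pending-after-step{step}"


def never_used(rules, matching_acls=(), max_step=2):
    """Rules that are never the winning match for this connection (dead rules)."""
    used = {hit for _, hit in evaluate(rules, matching_acls, max_step) if hit}
    return [r for r in rules if r not in used]


def mixes_groups(rules):
    """True if a peek/stare rule is followed by a final action from the other
    group (e.g. `stare` then `splice`), the mix Alex warns about."""
    for i, r in enumerate(rules):
        if r.action in CONTINUE_ACTIONS:
            group = PEEK_GROUP if r.action == "peek" else STARE_GROUP
            foreign_finals = (FINAL_ACTIONS - {"terminate"}) - group
            if any(later.action in foreign_finals for later in rules[i + 1:]):
                return True
    return False


# Constructed copies of the rule sets discussed in the thread.
ODHIAMBO_CONF = "ssl_bump stare step2\nssl_bump splice all\n"
BUMP_VARIANT_CONF = ("ssl_bump splice no_ssl_interception\n"
                     "ssl_bump stare step2\nssl_bump bump all\n")
ALEX_CONF = ("ssl_bump splice no_ssl_interception\n"
             "ssl_bump stare all\nssl_bump bump all\n")

if __name__ == "__main__":
    for name, conf in [("stare step2 / splice all", ODHIAMBO_CONF),
                       ("splice list / stare step2 / bump all", BUMP_VARIANT_CONF),
                       ("splice list / stare all / bump all", ALEX_CONF)]:
        rules = parse_rules(conf)
        for acls in ((), ("no_ssl_interception",)):
            trace = evaluate(rules, acls)
            steps = [(s, h.action if h else None) for s, h in trace]
            print(f"{name}: acls={acls} {steps} -> {outcome(trace)}")
        print(f"  dead rules: {never_used(rules)}  mixed groups: {mixes_groups(rules)}")
```

Running it shows the thread's conclusions: `stare step2 / splice all` splices at step 1 (the `stare` rule is dead), the bump variant bumps every connection not matching the list at step 1, and Alex's rule set is the only one that actually reaches step 2 for non-listed names.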