[squid-users] High CPU Usage with ssl_bump
Alex Rousskov
rousskov at measurement-factory.com
Thu Apr 21 20:14:08 UTC 2016
On 04/21/2016 01:59 PM, Odhiambo Washington wrote:
> On 21 April 2016 at 22:04, Amos Jeffries wrote:
>
> > On 22/04/2016 6:20 a.m., Odhiambo Washington wrote:
> > > I have now changed to *configurations suggested specifically for your use
> > > case, on this email thread* :)
> > > acl no_ssl_interception ssl::server_name
> > > "/usr/local/etc/squid/ssl_bump_broken_sites.txt"
> > > ssl_bump splice no_ssl_interception
> > > ssl_bump stare all
> > > ssl_bump bump all
> > No, the "stare" being done will prevent splice and you will see breakage
> > or unexpected things again.
> > You have to replace 'stare' with 'peek' AND replace 'bump' with
> > 'splice'.
> Like below???
> acl no_ssl_interception ssl::server_name
> "/usr/local/etc/squid/ssl_bump_broken_sites.txt"
> ssl_bump splice no_ssl_interception
> ssl_bump peek all
> ssl_bump splice all
Logging aside, your latest random configuration is equivalent to
ssl_bump splice all
which means you are better off not intercepting SSL at all, which brings
us back to the old question: What do you want Squid to do?
If you want Squid to not intrude except when terminating prohibited
traffic, then start with this sketch:
ssl_bump terminate prohibited_traffic
ssl_bump peek all
ssl_bump splice all
If you want Squid to intrude (where possible) and block prohibited
traffic, then install your CA certificates on all user devices and start
with this sketch:
ssl_bump splice things_that_are_impossible_to_bump
ssl_bump stare all
ssl_bump bump all
http_access deny prohibited_traffic
Alex.
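To make the step-by-step behaviour behind Amos's and Alex's remarks concrete, here is a small Python model added to this thread; it is not Squid's code and simplifies Squid's ssl_bump semantics as listed in its header comment. The host names and the contents of prohibited_traffic are made up, while the ACL names and rule sets come from the thread. Under this model the peek/splice configuration ends in splice for every host (so it is "splice all"), and the stare/bump version bumps even the listed sites, because a server_name ACL on intercepted traffic only matches once staring has already ruled out splicing.

```python
# Simplified model of Squid's three-step ssl_bump decision, written for this
# thread (not Squid's code). Assumptions: rules are re-evaluated at each step;
# splice/bump/terminate are final; peek/stare carry on to the next step and are
# ignored at step 3; a splice rule is skipped after a stare (Amos's point) and a
# bump rule after a peek; when no rule matches the connection is spliced.
FINAL = {"splice", "bump", "terminate"}
LAST_STEP = 3

def acl_matches(acl, host, step, acls):
    """acls maps an ACL name to (hosts, first step at which it can match)."""
    if acl == "all":
        return True
    hosts, first_step = acls[acl]
    return step >= first_step and host in hosts

def decide(rules, host, acls):
    """Return (final_action, [(step, action), ...]) for one connection to host."""
    trace, prev = [], None
    for step in range(1, LAST_STEP + 1):
        chosen = "splice"                       # default when nothing matches
        for action, acl in rules:
            if action not in FINAL and step == LAST_STEP:
                continue                        # peek/stare cannot start at step 3
            if (action, prev) in (("splice", "stare"), ("bump", "peek")):
                continue                        # incompatible with the earlier step
            if acl_matches(acl, host, step, acls):
                chosen = action
                break
        trace.append((step, chosen))
        if chosen in FINAL:
            return chosen, trace
        prev = chosen

# Constructed ACL table. The broken-sites list is an ssl::server_name ACL; for
# intercepted traffic the hostname is only known from step 2 (from the peeked
# or stared-at client SNI), so such an ACL cannot match at step 1.
ACLS = {"no_ssl_interception": ({"broken.example", "bank.example"}, 2),
        "prohibited_traffic": ({"blocked.example"}, 2)}

STARE_BUMP = [("splice", "no_ssl_interception"), ("stare", "all"), ("bump", "all")]
PEEK_SPLICE = [("splice", "no_ssl_interception"), ("peek", "all"), ("splice", "all")]
TERMINATE_SKETCH = [("terminate", "prohibited_traffic"), ("peek", "all"), ("splice", "all")]

if __name__ == "__main__":
    for name, cfg in (("stare/bump", STARE_BUMP), ("peek/splice", PEEK_SPLICE),
                      ("terminate", TERMINATE_SKETCH)):
        for host in ("broken.example", "blocked.example", "shop.example"):
            print(f"{name:12} {host:16} -> {decide(cfg, host, ACLS)}")
```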