[squid-users] High CPU Usage with ssl_bump

Odhiambo Washington odhiambo at gmail.com
Fri Apr 22 12:39:59 UTC 2016


On 22 April 2016 at 13:45, Amos Jeffries <squid3 at treenet.co.nz> wrote:

> On 22/04/2016 8:23 p.m., Odhiambo Washington wrote:
> >
> > Sure, I am really struggling to understand this. I would like to serve
> > error pages. A complete example of this would really help. I am thinking,
> > based on the two templates you gave and going with the one where squid
> > intrudes, that it could be like below, but to be honest I am not sure so
> > kindly correct me.
> >
> >
> > acl time_wastage_sites_ssl ssl::server_name .facebook.com .youtube.com
> > ssl_bump splice time_wastage_sites_ssl
> > ssl_bump stare all
> > ssl_bump bump all
> > http_access allow time_wastage_sites_ssl privileged-staff
> > http_access allow time_wastage_sites_ssl privileged-clients
> > http_access allow time_wastage_sites_ssl TIMElunch
> > http_access allow time_wastage_sites_ssl TIMEafterhoursAFT
> > http_access allow time_wastage_sites_ssl TIMEafterhoursMORN
> > http_access allow time_wastage_sites_ssl TIMEsatALLDAY
> > http_access allow time_wastage_sites_ssl TIMEsundALLDAY
> > http_access deny  time_wastage_sites_ssl
> >
>
> In a file called "/etc/squid/tws":
> .facebook.com
> .youtube.com
>
>
> squid.conf:
>  acl time_wastage_sites_ssl  ssl::server_name "/etc/squid/tws"
>  acl time_wastage_sites_http dstdomain        "/etc/squid/tws"
>
>  acl privileged_traffic any-of \
>     privileged-staff privileged-clients \
>     TIMElunch TIMEafterhoursAFT TIMEafterhoursMORN \
>     TIMEsatALLDAY TIMEsundALLDAY
>
>  http_access allow privileged_traffic
>  http_access deny time_wastage_sites_http
>
>  ssl_bump splice privileged_traffic time_wastage_sites_ssl
>  ssl_bump stare all
>  ssl_bump bump all
>
>
>
> You can probably merge the TIME* ACLs down as well like:
>   # lunch
>   acl okay_times time ...
>   # afterhours PM
>   acl okay_times time ...
>   # afterhours AM
>   acl okay_times time ...
>   # Saturday and Sunday all day
>   acl okay_times time SA
>
> Amos
>
>
Quoting Alex:
"
If you want Squid to not intrude except when terminating prohibited traffic,
then start with this sketch:

>       ssl_bump terminate prohibited_traffic
>       ssl_bump peek all
>       ssl_bump splice all
"

So is it possible to achieve such a non-intrusive setup, but without
'terminate'?



-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."