[squid-users] log sslbump for sslbump steps

Amos Jeffries squid3 at treenet.co.nz
Wed Jan 20 04:41:29 UTC 2016


On 20/01/2016 5:16 p.m., xxiao8 wrote:
> http://www.squid-cache.org/Doc/config/logformat/ showed a new logformat
> in Squid-3.3:
> 
> "New token %ssl::bump_mode to log the SSL-bump mode type performed on a
> request. Logs values of: -, none, client-first, or server-first."
> 
> For Squid-3.5, does Squid have a logformat that tells the ssl-bump mode, e.g.
> splice, bump, etc. that I can put into access.log? All my spliced domain names
> are probably bumped and I would like to debug that.

Try that code. The meaning of the code has not changed between versions.
But the modes themselves have, so it should log the new mode names even
if the docs are outdated.

(if anyone can confirm its changed values I will happily fix the docs).

> 
> Additionally, I noticed for intercept proxying, https and http video
> streaming (from https://youtube.com and http://dailymotion.com) gave me
> the same high CPU load on the squid 3.5.13 box, which is strange. I
> would expect the http proxy, which has no ssl bump, should put a _much_
> lighter load on the system instead, or am I missing something?
> 

It could be a matter of temporal flow.

CPU load is not related to the type of video, but to the amount of work
performed per second. Each event cycle Squid receives, decodes, and
delivers as much as it can.

Squid often runs faster than the data can arrive from the network, so
spends more CPU cycling than strictly necessary. Up to a point the more
traffic you throw at Squid the more efficient it gets.
 Since TLS decoding takes time, it can slow Squid to allow larger chunks
to be received on each cycle.
 Thus on average: few expensive cycles per byte (TLS) vs many cheap
cycles per byte (TCP).

The TLS algorithms may also be hardware accelerated. Meaning no core CPU
load for adding them. Just delay. Which also affects the balance
mentioned above through chunk size.

Amos
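
An added example, not part of the original post and not Squid project code: one way to check whether hosts that policy says should be spliced were logged with some other mode, once %ssl::bump_mode is in access.log. The logformat name "bumpdebug", the field order, the sample lines and the mode strings "splice" and "bump" are assumptions of this example; the thread leaves the Squid-3.5 values unconfirmed.

```python
from collections import Counter, defaultdict

# Assumed squid.conf lines producing the input (field order is this example's choice):
#   logformat bumpdebug %ts.%03tu %>a %rm %ru %ssl::bump_mode
#   access_log /var/log/squid/access.log bumpdebug
# Constructed sample lines; the mode strings are assumed, not confirmed values.
SAMPLE_LOG = """\
1453264889.101 192.0.2.10 CONNECT bank.example:443 splice
1453264890.220 192.0.2.10 CONNECT bank.example:443 bump
1453264891.007 192.0.2.11 CONNECT video.example:443 bump
1453264892.450 192.0.2.12 GET http://plain.example/index.html -
1453264893.900 192.0.2.11 CONNECT login.bank.example:443 splice
truncated line
"""


def host_of(url):
    """Return the lowercase host from 'host:port' or 'scheme://host[:port]/path'."""
    rest = url.split("://", 1)[-1].split("/", 1)[0].lower()
    if rest.startswith("["):  # bracketed IPv6 literal
        return rest[: rest.find("]") + 1]
    return rest.split(":", 1)[0]


def in_splice_list(host, splice_domains):
    """True if host equals, or is a subdomain of, an entry in splice_domains."""
    return any(host == d or host.endswith("." + d) for d in splice_domains)


def audit(log_text, splice_domains, expected_mode="splice"):
    """Per-host mode counts for splice-list hosts that logged any other mode."""
    seen = defaultdict(Counter)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip lines that do not match the assumed format
        host, mode = host_of(fields[3]), fields[4]
        if in_splice_list(host, splice_domains):
            seen[host][mode] += 1
    # Keep only hosts that logged something other than the expected mode.
    return {h: dict(c) for h, c in seen.items() if set(c) - {expected_mode}}


if __name__ == "__main__":
    for host, modes in audit(SAMPLE_LOG, {"bank.example"}).items():
        print(host, modes)
```

A host that appears with both modes, as bank.example does in the sample, suggests the splice rule matches only on some connections rather than never.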
