[squid-users] SSL intercept in explicit mode

Yuri yvoinov at gmail.com
Tue Mar 13 16:47:30 UTC 2018


I've used it on all versions starting from 3.4.

Now I'm using Squid 5.0.0.

I'm afraid my config is completely useless, because it contains tons
of optimizations/tweaks/tricks and is designed for a customized Squid 5.0.0,
with a different memory allocator for custom infrastructure.

You can't just take my config, implement it and hope it will give the same
results for you.

At least, it uses a non-system CA bundle, platform-specific configuration
parameter combinations, etc.

I can say that SSL Bump is not directly related to memory leaks. Squid
itself contains almost no memory leaks now. Usually misconfiguration
leads to memory overhead.

As a recommendation, I can give some advice.

1. Use a server with enough RAM. 4 Gb is usually enough just for the default
squid configuration. Usually whole-system RAM usage should never be
bigger than 1/2 of overall physical RAM. (I.e. at least 1/3 of RAM
should always be free during normal running. This prevents OS allocator
pressure on your proxy and also increases the performance of the proxy.) In
the case of a medium proxy server 16 Gb of RAM seems big enough, but never try
to fill it up completely.

2. Don't set a giant cache_mem. Remember how your platform allocates the whole
RAM - kernel, anon pages, fs caches, etc. - and use reasonable squid
memory-related settings.

3. Use sslflags=NO_DEFAULT_CA with your SSL Bump ports.

4. Never forget - SSL Bump increases your cache memory pressure due to
increased caching. So you still need to have enough memory in your
system.


13.03.2018 22:25, Aaron Turner writes:
> What version are you using Yuri?  Can you share your config?
> Every time I use ssl bump, I have massive memory leaks.  It's been
> effectively unusable for me.
> --
> Aaron Turner
> https://synfin.net/         Twitter: @synfinatic
> My father once told me that respect for the truth comes close to being
> the basis for all morality.  "Something cannot emerge from nothing,"
> he said.  This is profound thinking if you understand how unstable
> "the truth" can be.  -- Frank Herbert, Dune
>
>
> On Tue, Mar 13, 2018 at 9:10 AM, Yuri <yvoinov at gmail.com> wrote:
>> Moreover,
>>
>> SSL Bump combines with interception/explicit proxy in one setup.
>>
>> And works perfectly.
>>
>>
>> 13.03.2018 21:14, Marcus Kool пишет:
>>> "SSL bump" is the name of a complex Squid feature.
>>> With ssl_bump ACLs one can decide which domains can be 'spliced' (go
>>> through the proxy untouched) or can be 'bumped' (decrypted).
>>>
>>> Interception is not a requirement for SSL bump.
>>>
>>> Marcus
>>>
>>> On 13/03/18 11:44, Danilo V wrote:
>>>> I mean SSL bump in explicit mode.
>>>> So intercept is an essential requirement for running SSL bump?
>>>>
>>>> On Tue, 13 Mar 2018 at 11:10, Matus UHLAR - fantomas
>>>> <uhlar at fantomas.sk> wrote:
>>>>
>>>>     On 13.03.18 13:44, Danilo V wrote:
>>>>      >Is it possible/feasible to configure squid in explicit mode
>>>> with ssl
>>>>      >intercept?
>>>>
>>>>     explicit is not intercept, intercept is not explicit.
>>>>
>>>>     explicit is where browser is configured (manually or
>>>> automatically via WPAD)
>>>>     to use the proxy.
>>>>
>>>>     intercept is where a network device forcibly redirects http/https
>>>> connections
>>>>     to the proxy.
>>>>
>>>>     maybe you mean SSL bump in explicit mode?
>>>>
>>>>      >Due to architecture of my network it is not possible to implement
>>>>      >transparent proxy.
>>>>
>>>>     excuse me?
>>>>     by "transparent" people mean what we usually call "intercept".
>>>>
>>>>      >What would be the behavior of applications that dont support
>>>> proxy - i.e.
>>>>      >dont forward requests to proxy?
>>>>
>>>>     they must be intercepted.
>>>>
>>>>     --
>>>>     Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
>>>>     Warning: I wish NOT to receive e-mail advertising to this address.
>>>>     Warning: I do NOT want to receive any advertising mail at this address.
>>>>     Micro$oft random number generator: 0, 0, 0, 4.33e+67, 0, 0, 0...
>>>>     _______________________________________________
>>>>     squid-users mailing list
>>>>     squid-users at lists.squid-cache.org
>>>>     http://lists.squid-cache.org/listinfo/squid-users
>>>>
>>>>
>>>>
>> --
>> "C++ seems like a language suitable for firing other people's legs."
>>
>> *****************************
>> * C++20 : Bug to the future *
>> *****************************
>>
>>
>>

-- 
"C++ seems like a language suitable for firing other people's legs."

*****************************
* C++20 : Bug to the future *
*****************************
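An added example (mine, not Yuri's and not the Squid project's code) that turns the advice above into a check: it parses a constructed explicit-mode squid.conf fragment and flags an SSL Bump port that lacks NO_DEFAULT_CA and a cache_mem that breaks the 1/2-of-physical-RAM rule. The port options, ACL names, the 16 GB host and the acceptance of the newer tls-default-ca=off spelling are my assumptions, not from the thread.

```python
"""Check a squid.conf fragment against the thread's SSL Bump / memory advice."""
import re
from typing import List

# Constructed fragments, not from the thread: explicit proxy on 3128 with SSL Bump.
WEAK_CONF = """
http_port 3128 ssl-bump cert=/etc/squid/ca.pem generate-host-certificates=on
cache_mem 12 GB
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
"""
FIXED_CONF = """
http_port 3128 ssl-bump sslflags=NO_DEFAULT_CA cert=/etc/squid/ca.pem generate-host-certificates=on
cache_mem 2 GB
acl step1 at_step SslBump1
acl nobump ssl::server_name .example.com
ssl_bump peek step1
ssl_bump splice nobump
ssl_bump bump all
"""

UNITS = {"KB": 1 << 10, "MB": 1 << 20, "GB": 1 << 30}


def parse_size(value: str) -> int:
    """Turn a squid size such as '12 GB' into bytes."""
    m = re.fullmatch(r"(\d+)\s*(KB|MB|GB)", value.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"unparseable size: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2).upper()]


def check_config(conf: str, physical_ram: int, max_fraction: float = 0.5) -> List[str]:
    """Return findings; empty means the fragment follows the advice.

    max_fraction is the thread's whole-system limit; cache_mem alone must stay below it
    since kernel, anon pages and fs caches need the rest (assumed threshold)."""
    findings = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        directive, _, rest = line.partition(" ")
        opts = rest.split()
        if directive in ("http_port", "https_port") and "ssl-bump" in opts:
            ok = any((o.startswith("sslflags=") and "NO_DEFAULT_CA" in o[9:].split(","))
                     or o == "tls-default-ca=off" for o in opts)
            if not ok:
                findings.append(f"{directive} {opts[0]}: SSL Bump port without NO_DEFAULT_CA")
        elif directive == "cache_mem" and parse_size(rest) > physical_ram * max_fraction:
            findings.append(f"cache_mem {rest}: exceeds {max_fraction:.0%} of physical RAM")
    return findings
```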

