[squid-users] SSLBump, system requirements ?

Yuri yvoinov at gmail.com
Tue Mar 20 17:35:40 UTC 2018


Forgot about:

My server is relatively modest (more resources are just not needed :))

Just 8 cores (Xeon 2.3 GHz), 16 Gb RAM, SAS HDDs 10k RPM (~300 Gb in
RAID-10)  :)

Overall CPU usage is ~3% (with SSL Bump). And half of RAM is free :)


20.03.2018 23:14, Yuri writes:
>
> 20.03.2018 23:10, Yuri writes:
>> 20.03.2018 23:03, FredB writes:
>>> Hi Yuri,
>>>
>>> 200 mbits, more or less 1000/2000 simultaneous users 
>>>
>>> I increased the children value, because the limit is reached very quickly 
>> Because SSL processing is too slow. Investigate why. Simply increasing
>> the number of children exhausts your RAM.
>>>> and only 100 MB on disk?
>>> 100 MB per process, no? I think I should reduce this value and rather increase the max of children
>> No. This is the overall fs limit for the store.
> Look at my relatively big server (Squid 5.0) config snippet:
>
> https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/squid/etc/rootCA2.crt key=/usr/local/squid/etc/rootCA2.key tls-cafile=/usr/local/squid/etc/rootCA12.crt options=SINGLE_DH_USE:SINGLE_ECDH_USE tls-dh=secp384r1:/usr/local/squid/etc/dhparam.pem cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS tls-no-npn sslflags=NO_DEFAULT_CA:VERIFY_CRL_ALL
> http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/squid/etc/rootCA2.crt key=/usr/local/squid/etc/rootCA2.key tls-cafile=/usr/local/squid/etc/rootCA12.crt options=SINGLE_DH_USE:SINGLE_ECDH_USE tls-dh=secp384r1:/usr/local/squid/etc/dhparam.pem cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS tls-no-npn sslflags=NO_DEFAULT_CA:VERIFY_CRL_ALL
> tls_outgoing_options cafile=/usr/local/squid/etc/ca-bundle.crt cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
>
> # Cert database on ramdisk
> sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /ramdisk1/ssl_db -M 1GB
> sslcrtd_children 32 startup=10 idle=5
>
> Pay attention: I've put the SSL db on a RAM disk. :)
>>> Maybe such load is just impossible because I reached a limit with a single core 
>> Hardly. SSL helper children should be spread across cores by the OS scheduler.
>>> Perhaps I should retry SMP, but unfortunately in the past I had many issues with it, and some features I'm using are still SMP-unaware 
>> Squid's SMP itself does not solve SSL Bump issues. It's about different
>> things and, IMHO, irrelevant to your load profile.

-- 
"C++ seems like a language suitable for firing other people's legs."

*****************************
* C++20 : Bug to the future *
*****************************
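The thread turns on three SSL Bump capacity knobs (the `security_file_certgen` database size passed with `-M`, its location, and `sslcrtd_children`) and on the `cipher=` lists in the port directives. As an added example that is not part of this thread or of the Squid project, the script below parses those directives out of a squid.conf fragment and reports the effective settings, flagging cipher-list keywords that enable RC4 or 3DES (both deprecated for TLS: RC4 by RFC 7465, 3DES because of its 64-bit block size). The sample configuration is constructed from the snippet Yuri quoted, with the mail-wrapped lines rejoined so each directive is on one line; `DEPRECATED_CIPHER_KEYWORDS` is my own list, not a Squid or OpenSSL constant.

```python
import re

# Constructed sample squid.conf fragment, modelled on the snippet quoted in the thread
# (mail-wrapped lines rejoined so that every directive occupies a single line).
SAMPLE_CONF = """\
# Cert database on ramdisk
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /ramdisk1/ssl_db -M 1GB
sslcrtd_children 32 startup=10 idle=5
https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/squid/etc/rootCA2.crt key=/usr/local/squid/etc/rootCA2.key cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS tls-no-npn
tls_outgoing_options cafile=/usr/local/squid/etc/ca-bundle.crt cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
"""

# OpenSSL cipher-list keywords a defender does not want enabled on a bumping proxy
# (assumption: my own list, chosen for this example).
DEPRECATED_CIPHER_KEYWORDS = {"RC4", "3DES", "DES", "MD5", "EXPORT", "EXP", "LOW", "NULL"}

SIZE_UNITS = {"KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def parse_size(text: str) -> int:
    """Convert a Squid size such as '1GB' or '10MB' into bytes."""
    m = re.fullmatch(r"(\d+)\s*(KB|MB|GB)?", text.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(m.group(1)) * SIZE_UNITS.get((m.group(2) or "").upper(), 1)


def enabled_cipher_keywords(cipher_list: str) -> list[str]:
    """Keywords a cipher string turns on: '!' and '-' remove, '+' only reorders, '@' is a directive."""
    enabled = []
    for token in cipher_list.split(":"):
        if not token or token[0] in "!-@":
            continue
        enabled.append(token.lstrip("+"))
    return enabled


def weak_ciphers_enabled(cipher_list: str) -> list[str]:
    """Subset of the enabled keywords that select deprecated algorithms."""
    return [k for k in enabled_cipher_keywords(cipher_list) if k.upper() in DEPRECATED_CIPHER_KEYWORDS]


def parse_conf(conf: str) -> dict:
    """Extract certgen helper settings and per-port cipher findings from a squid.conf fragment."""
    result = {"certgen": None, "children": None, "cipher_findings": {}}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        directive, _, rest = line.partition(" ")
        args = rest.split()
        if directive == "sslcrtd_program":
            certgen = {"helper": args[0], "db_dir": None, "db_size_bytes": None}
            for flag, value in zip(args, args[1:]):  # walk "-s DIR" / "-M SIZE" pairs
                if flag == "-s":
                    certgen["db_dir"] = value
                elif flag == "-M":
                    certgen["db_size_bytes"] = parse_size(value)
            result["certgen"] = certgen
        elif directive == "sslcrtd_children":
            children = {"max": int(args[0])}
            for opt in args[1:]:  # startup=N idle=N ...
                key, _, val = opt.partition("=")
                if val.isdigit():
                    children[key] = int(val)
            result["children"] = children
        elif directive in ("http_port", "https_port", "tls_outgoing_options"):
            for opt in args:
                key, _, val = opt.partition("=")
                if key == "cipher":
                    label = directive if directive == "tls_outgoing_options" else f"{directive} {args[0]}"
                    result["cipher_findings"][label] = weak_ciphers_enabled(val)
    return result


def findings(conf: str) -> list[str]:
    """Human-readable summary lines for the parsed configuration."""
    report = parse_conf(conf)
    out = []
    if report["certgen"]:
        c = report["certgen"]
        out.append(f"certgen db {c['db_dir']} limited to {c['db_size_bytes'] // 1024 ** 2} MB")
    if report["children"]:
        ch = report["children"]
        out.append(f"up to {ch['max']} certgen helpers (startup={ch.get('startup')}, idle={ch.get('idle')})")
    for where, weak in report["cipher_findings"].items():
        if weak:
            out.append(f"{where}: deprecated ciphers enabled: {', '.join(weak)}")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_CONF):
        print(line)
```

Run it against a real squid.conf by reading the file into `findings()`; the `-M` limit it reports is the whole on-disk certificate store, which is the distinction made in the thread, so dividing it by the number of helper children does not give a per-process figure.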
