[squid-users] Optimization
Alex Rousskov
rousskov at measurement-factory.com
Mon Dec 30 18:28:31 UTC 2024
On 2024-12-30 11:55, Jonathan Lee wrote:
> what is faster or better for performance? The parsed ssl_bump lists
> or the singular list?
To remove very distracting noise, I am posting an abridged version of
your "before" and "after" configurations:
# before
ssl_bump splice A
ssl_bump splice D E
ssl_bump splice B
ssl_bump splice C
ssl_bump bump F G
# after
ssl_bump splice AorBorCorDE
ssl_bump bump FG
The two versions differ only in evaluation order:
before: ACLs D and E evaluate before ACLs B and C
after: ACLs D and E evaluate after ACLs B and C
Which version is faster depends on whether ACLs D and E match (together)
more often than ACL B or ACL C matches (each) _and_ on the cost of
evaluating the respective ACLs. I do not have enough information to do
the math.
If the evaluation order is kept the same, then both configurations
should have about the same performance. Internally, modern Squid interprets
directive actionX a
directive actionX b
almost as if it was written as
acl AorB any-of a b
directive actionX AorB
The latter configuration might consume slightly less memory in some
cases, but that difference in memory consumption is unlikely to have a
measurable effect on performance in most cases.
HTH,
Alex.
> acl AorBorC any-of A B C
> acl DE all-of D E
> acl AorBorCorDE any-of AorBorC DE
> acl FG all-of F G
> ----Parsed----
> acl splice_group any-of https_login NoBumpDNS NoSSLIntercept
> acl splice_only_local_group all-of splice_only_mac splice_only
> acl splice_main any-of splice_group splice_only_local_group
> acl bump_main all-of bump_only_mac bump_only
>
> ssl_bump peek step1
> ssl_bump terminate SSL_Intercept_Terminate
> ssl_bump splice https_login active_use
> ssl_bump splice splice_only_mac splice_only active_use
> ssl_bump splice NoBumpDNS active_use
> ssl_bump splice NoSSLIntercept active_use
> ssl_bump bump bump_only_mac bump_only active_use
>
>
> -----Concatenated new version-----
> acl splice_group any-of https_login NoBumpDNS NoSSLIntercept
> acl splice_only_local_group all-of splice_only_mac splice_only
> acl splice_main any-of splice_group splice_only_local_group
> acl bump_main all-of bump_only_mac bump_only
> ssl_bump peek step1
> ssl_bump terminate SSL_Intercept_Terminate
> ssl_bump splice splice_main active_use
> ssl_bump bump bump_main active_use
> acl activated note active_use true
>
>
>
>> On Dec 30, 2024, at 08:46, Jonathan Lee <jonathanlee571 at gmail.com> wrote:
>>
>> Hello Fellow Squid Users,
>>
>> I wanted to try to speed up my SSL interception caching, or optimize it.
>>
>> I have some small issues with some websites loading slowly (not really bad, just a small lag), and I started to play around with
>> all-of and any-of to create new concatenated acls.
>>
>> I have arp MAC addresses being used to check for IP and MAC address for approval of proxy use, and some other items.
>>
>> Does this speed up anything? I am trying to get the ssl_bump items to have better performance. The splice side is lightning fast again; I just wonder if anything can be done to speed up the bump side. I am attempting to combine and concatenate access control lists.
>>
>> The MAC address and IP address matching does work; it has for some time. I am just attempting a better way to create a better single acl for use with the ssl_bump directive.
>>
>> Here is the part of my config I am asking about; see #!!!!!!!
>>
>> acl wpad urlpath_regex ^/wpad.dat$
>> acl wpad urlpath_regex ^/proxy.pac$
>> acl wpad urlpath_regex ^/wpad.da$
>> deny_info TCP_RESET wpad
>> #deny_info 200:/etc/squid/wpad.dat wpad
>> reply_header_access Content-Type deny wpad
>> http_access deny wpad
>> http_access deny !safeports
>> http_access deny CONNECT !sslports
>> #http_access allow localhost manager
>> #http_access deny manager
>> cachemgr_passwd disable offline_toggle reconfigure shutdown
>> cachemgr_passwd CLASSIFIED all
>> eui_lookup on
>> acl no_miss url_regex -i gateway\.facebook\.com\/ws\/realtime\?
>> acl no_miss url_regex -i web-chat-e2ee\.facebook\.com\/ws\/chat
>> acl CONNECT method CONNECT
>> acl wuCONNECT dstdomain www.update.microsoft.com
>> acl wuCONNECT dstdomain sls.microsoft.com
>> http_access allow CONNECT wuCONNECT localnet
>> http_access allow CONNECT wuCONNECT localhost
>> http_access allow CONNECT windowsupdate localnet
>> http_access allow CONNECT windowsupdate localhost
>> http_access allow CONNECT HttpAccess localnet
>> http_access allow CONNECT HttpAccess localhost
>> #http_access deny manager
>> http_access deny to_ipv6
>> http_access deny from_ipv6
>>
>> acl BrokenButTrustedServers dstdomain "/usr/local/pkg/dstdom.broken"
>> acl DomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
>> sslproxy_cert_error allow BrokenButTrustedServers DomainMismatch
>> sslproxy_cert_error deny all
>>
>> acl splice_only src 192.168.1.8
>> acl splice_only src 192.168.1.10
>> acl splice_only src 192.168.1.11
>> acl splice_only src 192.168.1.15
>> acl splice_only src 192.168.1.16
>>
>> acl splice_only_mac arp MAC
>> acl splice_only_mac arp MAC
>> acl splice_only_mac arp MAC
>> acl splice_only_mac arp MAC
>> acl splice_only_mac arp MAC
>>
>> acl NoSSLIntercept ssl::server_name_regex -i "/usr/local/pkg/reg.url.nobump"
>> acl NoBumpDNS dstdomain "/usr/local/pkg/dns.nobump"
>> acl SSL_Intercept_Terminate dstdomain "/usr/local/pkg/url.bump"
>>
>> #acl markBumped annotate_client bumped=true #TESTING NOT USED
>> acl active_use annotate_client active=true
>>
>> acl bump_only src 192.168.1.3
>> acl bump_only src 192.168.1.4
>> acl bump_only src 192.168.1.5
>> #acl bump_only src 192.168.1.6
>> acl bump_only src 192.168.1.9
>> acl bump_only src 192.168.1.13
>>
>> acl bump_only_mac arp MAC
>> acl bump_only_mac arp MAC
>> acl bump_only_mac arp MAC
>> acl bump_only_mac arp MAC
>> acl bump_only_mac arp MAC
>> #acl bump_only_mac arp MAC
>>
>> collapsed_forwarding on
>> negative_dns_ttl 5 minutes
>> coredump_dir /label/swap0
>> read_ahead_gap 64 KB
>> pipeline_prefetch 100
>> happy_eyeballs_connect_timeout 10
>> memory_pools on
>>
>>
>> #!!!!!!!!
>> acl splice_group any-of https_login NoBumpDNS NoSSLIntercept #any of the splice lists OR acl ||
>> acl splice_only_local_group all-of splice_only_mac splice_only #MAC AND IP ADDRESS &&
>> acl splice_main any-of splice_group splice_only_local_group #combine to OR acl ||
>>
>> acl bump_main all-of bump_only_mac bump_only #MAC AND IP ADDRESS &&
>> #!!!!!!!!
>>
>>
>>
>> ssl_bump peek step1
>> ssl_bump terminate SSL_Intercept_Terminate
>> miss_access deny no_miss active_use
>>
>> #OLD WAY
>> #ssl_bump splice https_login active_use
>> #ssl_bump splice splice_only_mac splice_only active_use
>> #ssl_bump splice NoBumpDNS active_use
>> #ssl_bump splice NoSSLIntercept active_use
>>
>> #NEW WAY ONE ACL
>> ssl_bump splice splice_main active_use
>>
>> #OLD WAY
>> #ssl_bump bump bump_only_mac bump_only active_use
>>
>> #NEW WAY ONE ACL
>> ssl_bump bump bump_main active_use
>>
>> acl activated note active_use true
>> ssl_bump terminate !activated
>