Squid and SSLBump

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Squid and SSLBump

FredB
Hi all,

There is way to approximately estimate the "cost" of CPU/Memory usage of SSLbump ?
What do you see in practice ?
Some features are incompatibles with SMP so I'm using a single process, Squid is using more or less 30/40 % of CPU

I have approximately 1000 users simultaneously connected
Squid 3.5.25

Fred
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Squid and SSLBump

Walter H.
On 09.06.2017 09:33, FredB wrote:
> Hi all,
>
> There is way to approximately estimate the "cost" of CPU/Memory usage of SSLbump ?
be careful, if there is a "cost" value now, this will be very probably
wrong when SSL gets more common ...



_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

smime.p7s (4K) Download Attachment
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Squid and SSLBump

Amos Jeffries
Administrator
On 10/06/17 06:01, Walter H. wrote:
> On 09.06.2017 09:33, FredB wrote:
>> Hi all,
>>
>> There is way to approximately estimate the "cost" of CPU/Memory usage
>> of SSLbump ?
> be careful, if there is a "cost" value now, this will be very probably
> wrong when SSL gets more common ...
>


As far as I have seen there are simply not enough published numbers for
the SSL-Bump and HTTPS proxying to get even a good ballpark estimate
yet. Additional info for the
<http://wiki.squid-cache.org/KnowledgeBase/Benchmarks> page are welcome,
how to take measurements to minimize comparison issues are listed there.

IMO, the situation is much the same with plain-text as well as Squid has
constantly improving support for HTTP/1.1 and performance updates
changing things there too. For any given machine you should be able to
get your own numbers by comparing the RPS numbers to the CPU and memory
load patterns, regardless of what the feature sets in use are.

Amos

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Squid and SSLBump

Alex Rousskov
In reply to this post by FredB
On 06/09/2017 01:33 AM, FredB wrote:

> There is way to approximately estimate the "cost" of CPU/Memory usage of SSLbump ?

Ballpark splicing speed/CPU estimates[1,2] for Squid v4+:

  * splicing during step 2: 75% of splicing during step1 performance
  * splicing during step 3: 25% of splicing during step1 performance

Squid v3.5 numbers for splicing during step 2 are much worse (~20%)
because the SNI peeking code is not optimized in v3.5 [1].

I do not recall bumping numbers, but expect them to be approximately 10%
of baseline plain text performance.

The above info is based on lab benchmarks that do not reflect _your_
deployment environment. You can collect much more reliable performance
data for your use case by measuring your actual Squid performance while
turning features on and off (or at least by running lab benchmarks that
are tuned to represent your use case).


Please also note that there is currently no regular Squid performance
regression testing so individual releases may experience significant and
surprising changes[3]. If the Squid Foundation has enough money, the
Squid Project will fix that [4].


[1] http://lists.squid-cache.org/pipermail/squid-dev/2016-May/005659.html

[2] http://lists.squid-cache.org/pipermail/squid-dev/2016-May/005660.html

[3] http://lists.squid-cache.org/pipermail/squid-dev/2016-August/006637.html

[4] http://wiki.squid-cache.org/QA/Pilots


HTH,

Alex.
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Loading...