On 01/28/16 23:04, Stuart Henderson wrote:
On 2016-01-28, Kim Zeitler <kim.zeit...@konzept-is.de> wrote:
Currently I am trying to solve the phenomenon that certain SSL sites are slow
when accessed via squid on OpenBSD. Mostly ownCloud in my case as well
as several web shops. The login screen alone taking minutes to load.

I'm not seeing that here (squid 3.5.13 and squidclamav from packages
on recent -current, in front of a handful of Windows boxes and 30-odd
OpenBSD/GNOME/Chromium/LibreOffice workstations).

Running a similar-sized setup here with ~60 clients (Win/Linux/OpenBSD), and normal operation is fine; some complaints about it being slightly slow, but...

Need more information. If it's consistent for certain sites, which
sites? Have you looked in logs etc?

I gladly provide any information you need.

It was reported to me that several webshops seem to have this problem
and one of our clients owncloud sites (I'll send you the link off-list).

I have access to the logs and they show a mixture of 200 and 503

# /var/squid/logs/access.log
...
1454058493.156 67 172.16.10.42 TCP_TUNNEL/200 2748 CONNECT owncloud.some.domain:443 - HIER_DIRECT/<targetIP> -
...
1454058498.761 18089 172.16.10.42 TCP_TUNNEL/200 20017 CONNECT owncloud.some.domain:443 - HIER_DIRECT/<targetIP> -
1454058498.830 65 172.16.10.42 TCP_TUNNEL/200 2917 CONNECT owncloud.some.domain:443 - HIER_DIRECT/<targetIP> -
1454058498.899 67 172.16.10.42 TCP_TUNNEL/200 4307 CONNECT owncloud.some.domain:443 - HIER_DIRECT/<targetIP> -
1454058499.091 6055 172.16.10.42 TCP_TUNNEL/200 866 CONNECT owncloud.some.domain:443 - HIER_DIRECT/<targetIP> -
1454058499.268 6110 172.16.10.42 TCP_TUNNEL/200 33106 CONNECT owncloud.some.domain:443 - HIER_DIRECT/<targetIP> -
1454058540.011 59136 172.16.10.42 TAG_NONE/503 0 CONNECT owncloud.some.domain:443 - HIER_NONE/- -
1454058541.017 59623 172.16.10.42 TAG_NONE/503 0 CONNECT owncloud.some.domain:443 - HIER_NONE/- -
1454058547.097 59817 172.16.10.42 TAG_NONE/503 0 CONNECT owncloud.some.domain:443 - HIER_NONE/- -
1454058558.228 59326 172.16.10.42 TAG_NONE/503 0 CONNECT owncloud.some.domain:443 - HIER_NONE/- -
1454058559.036 59766 172.16.10.42 TAG_NONE/503 0 CONNECT owncloud.some.domain:443 - HIER_NONE/- -
1454058559.036 59943 172.16.10.42 TAG_NONE/503 0 CONNECT owncloud.some.domain:443 - HIER_NONE/- -
1454058559.087 18066 172.16.10.42 TCP_TUNNEL/200 6251 CONNECT owncloud.some.domain:443 - HIER_DIRECT/<targetIP> -
1454058559.116 74 172.16.10.42 TCP_TUNNEL/200 1096 CONNECT owncloud.some.domain:443 - HIER_DIRECT/<targetIP> -
1454058559.121 78 172.16.10.42 TCP_TUNNEL/200 4679 CONNECT owncloud.some.domain:443 - HIER_DIRECT/<targetIP> -
1454058559.174 77 172.16.10.42 TCP_TUNNEL/200 7765 CONNECT owncloud.some.domain:443 - HIER_DIRECT/<targetIP> -
1454058564.304 6071 172.16.10.42 TCP_TUNNEL/200 15279 CONNECT owncloud.some.domain:443 - HIER_DIRECT/<targetIP> -
1454058600.688 60672 172.16.10.42 TAG_NONE/503 0 CONNECT owncloud.some.domain:443 - HIER_NONE/- -
1454058607.767 60665 172.16.10.42 TAG_NONE/503 0 CONNECT owncloud.some.domain:443 - HIER_NONE/- -
1454058607.838 67 172.16.10.42 TCP_TUNNEL/200 2395 CONNECT owncloud.some.domain:443 - HIER_DIRECT/<targetIP> -
1454058607.842 72 172.16.10.42 TCP_TUNNEL/200 3877 CONNECT owncloud.some.domain:443 - HIER_DIRECT/<targetIP> -
1454058607.989 172 172.16.10.42 TCP_TUNNEL/200 21988 CONNECT owncloud.some.domain:443 - HIER_DIRECT/<targetIP> -
1454058613.832 6061 172.16.10.42 TCP_TUNNEL/200 1197 CONNECT owncloud.some.domain:443 - HIER_DIRECT/<targetIP> -
1454058613.870 6063 172.16.10.42 TCP_TUNNEL/200 7086 CONNECT owncloud.some.domain:443 - HIER_DIRECT/<targetIP> -
1454058625.902 18089 172.16.10.42 TCP_TUNNEL/200 21260 CONNECT owncloud.some.domain:443 - HIER_DIRECT/<targetIP> -

The current configuration is squid-ldap (3.5.13) from packages on
-current running on a KVM host as VM (4 cores, 2GB RAM, virtio HDD and NIC)

That seems a bit low RAM for Squid, but I doubt that's the problem
for TLS sites which will just be CONNECT tunnels unless you've made
a lot more config changes than you mentioned.

I doubled the RAM on the machine, but no difference. As a test of whether the virtualization is to blame, we set up a similar machine on HW, basically virgin -current with only squid installed from packages, without touching the config in any way, and had the same effect.

As an idea I added a local unbound to the test proxy and had squid run
its DNS through that, but to no avail.
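
An added example, not part of the original message: a small Python summary of Squid native-format access.log lines that groups CONNECT requests by result code and hierarchy and reports elapsed-time ranges, which makes the split between fast tunnels and the roughly 60-second 503s in the excerpt above easy to see. The sample lines are copied from that excerpt; the 5000 ms "slow" threshold and the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Squid native log: time elapsed_ms client result/status bytes method url user hier/peer type
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)\s*$"
)

# Lines copied from the access.log excerpt in the message above.
SAMPLE = """\
1454058493.156 67 172.16.10.42 TCP_TUNNEL/200 2748 CONNECT owncloud.some.domain:443 - HIER_DIRECT/<targetIP> -
...
1454058498.761 18089 172.16.10.42 TCP_TUNNEL/200 20017 CONNECT owncloud.some.domain:443 - HIER_DIRECT/<targetIP> -
1454058499.091 6055 172.16.10.42 TCP_TUNNEL/200 866 CONNECT owncloud.some.domain:443 - HIER_DIRECT/<targetIP> -
1454058540.011 59136 172.16.10.42 TAG_NONE/503 0 CONNECT owncloud.some.domain:443 - HIER_NONE/- -
1454058541.017 59623 172.16.10.42 TAG_NONE/503 0 CONNECT owncloud.some.domain:443 - HIER_NONE/- -
1454058600.688 60672 172.16.10.42 TAG_NONE/503 0 CONNECT owncloud.some.domain:443 - HIER_NONE/- -
1454058607.838 67 172.16.10.42 TCP_TUNNEL/200 2395 CONNECT owncloud.some.domain:443 - HIER_DIRECT/<targetIP> -
"""

def parse(text):
    """Yield one dict per well-formed log line; skip '...' and other noise."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            d = m.groupdict()
            d["elapsed"] = int(d["elapsed"])
            yield d

def summarize(entries, slow_ms=5000):
    """Group CONNECTs by (url, result/status, hierarchy) with timing stats."""
    groups = defaultdict(list)
    for e in entries:
        if e["method"] == "CONNECT":
            key = (e["url"], f'{e["result"]}/{e["status"]}', e["hier"])
            groups[key].append(e["elapsed"])
    return {
        k: {"count": len(v), "min_ms": min(v), "max_ms": max(v),
            "slow": sum(1 for x in v if x >= slow_ms)}  # slow_ms: assumed threshold
        for k, v in groups.items()
    }

if __name__ == "__main__":
    for key, stats in sorted(summarize(parse(SAMPLE)).items()):
        print(*key, stats)
```
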
