Chrome's Autofill component causes high CPU usage on ProxySG appliances

Article ID: 169310

Products

ProxySG Software - SGOS

Issue/Introduction

The ProxySG appliance experiences high CPU usage. This occurs due to a large volume of web requests sent from Google Chrome's Autofill Download Manager component.

Cause

The appliance's CPU Monitor reports high CPU utilization in "SSL and Cryptography" and "Policy evaluation - HTTP".

The high CPU usage is caused by Google Chrome sending a large volume of web request traffic to https://clients1.google.com/tbproxy/af/query?client=Google Chrome. If you stop Chrome from accessing the URL, the CPU utilization goes down.

The POST request to this URL is sent by Google Chrome's Autofill Download Manager component, as seen in the source code file ("autofill_download_manager.cc") available at:
https://cs.chromium.org/chromium/src/components/autofill/core/browser/autofill_download_manager.cc?q=tbproxy&sq=package:chromium&l=88

Resolution

To determine if there is a large volume of requests in the network causing continuous policy evaluations, leverage Blue Coat Reporter. The following Reporter reports can be helpful for diagnosing the issue:
  • The SSL access log contains the protocols tcp and ssl. A protocol of tcp indicates SSL traffic that was tunneled; a protocol of ssl indicates traffic that has been handed off to the SSL Proxy.
  • The Web requests per client IP report, filtered further by site and protocol.

Additionally, the Blocked web browsing per user and Default Bandwidth reports are useful. 

After reviewing the access logs, if you see significant SSL traffic to https://clients1.google.com/tbproxy/af/query?client=Google%20Chrome, you can apply a policy to disable SSL interception or deny access to the URL.
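For sites that review raw access logs instead of Reporter, the per-client count described above can be produced with a short script. This is an added example, not Symantec or Blue Coat code; it assumes an ELFF log with a #Fields header that includes c-ip, cs-uri-scheme, cs-host and cs-uri-path, assumes the protocol (tcp for tunneled traffic) is logged in cs-uri-scheme, and runs on constructed sample lines.

```python
import csv
from collections import Counter

HOST = "clients1.google.com"  # host named in the article
PATH_MARK = "tbproxy/af"      # path substring used in the article's deny rule

# Constructed sample log for illustration; not real traffic.
SAMPLE_LOG = """\
#Software: SGOS
#Fields: date time c-ip cs-method cs-uri-scheme cs-host cs-uri-path cs(User-Agent)
2024-01-01 10:00:01 10.0.0.5 POST https clients1.google.com /tbproxy/af/query "Mozilla/5.0 Chrome"
2024-01-01 10:00:01 10.0.0.5 POST https clients1.google.com /tbproxy/af/query "Mozilla/5.0 Chrome"
2024-01-01 10:00:02 10.0.0.7 CONNECT tcp clients1.google.com / "Mozilla/5.0 Chrome"
2024-01-01 10:00:02 10.0.0.7 GET https www.example.com /index.html "Mozilla/5.0 Chrome"
2024-01-01 10:00:03 10.0.0.5 GET https clients1.google.com /generate_204 "Mozilla/5.0 Chrome"
2024-01-01 10:00:03 10.0.0.9 CONNECT tcp clients1.google.com / -
"""

def autofill_hits(lines):
    """Return (intercepted, tunneled) Counters of requests keyed by client IP."""
    fields, intercepted, tunneled = [], Counter(), Counter()
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names come from the log itself
            continue
        if not line or line.startswith("#") or not fields:
            continue
        # ELFF is space-delimited with double-quoted values (e.g. User-Agent).
        values = next(csv.reader([line], delimiter=" ", quotechar='"'))
        if len(values) != len(fields):
            continue  # malformed or truncated entry
        rec = dict(zip(fields, values))
        if rec.get("cs-host", "").lower() != HOST:
            continue
        if rec.get("cs-uri-scheme") == "tcp":
            # Tunneled SSL: the path is not visible, so only the host can match.
            tunneled[rec["c-ip"]] += 1
        elif PATH_MARK in rec.get("cs-uri-path", ""):
            # Intercepted SSL: the Autofill query path is visible.
            intercepted[rec["c-ip"]] += 1
    return intercepted, tunneled

if __name__ == "__main__":
    hit, tun = autofill_hits(SAMPLE_LOG.splitlines())
    print("intercepted:", hit.most_common())
    print("tunneled (host match only):", tun.most_common())
```

Tunneled counts are an upper bound, since any request to the host is counted when the path is not logged.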
 

Example: Disable SSL interception 

Disable SSL Interception by url.domain:

  • For Transparent Proxy:

<ssl-intercept>
  url.domain=clients1.google.com ssl.forward_proxy(no)

  • For Explicit Proxy:

<proxy>
  url.domain=clients1.google.com detect_protocol(none)

 

Example: Deny access to the specific URL

This requires SSL Interception to be enabled to block the URL query path.

<proxy>
  DENY url.domain=clients1.google.com url.substring="tbproxy/af"