Есть настройенный squid с керберос аутентификацией через АД.
Система:
Код: Выделить всё
FreeBSD test.test.local 10.2-RELEASE-p5 FreeBSD 10.2-RELEASE-p5 #0: Thu Oct 15 20:57:19 MSK 2015 root@clean:/usr/obj/usr/src/sys/PF15102015 i386
Код: Выделить всё
Squid Cache: Version 3.5.10
Service Name: squid
configure options: '--with-default-user=squid' '--bindir=/usr/local/sbin' '--sbindir=/usr/local/sbin' '--datadir=/usr/local/etc/squid' '--libexecdir=/usr/local/libexec/squid' '--localstatedir=/var' '--sysconfdir=/usr/local/etc/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid/squid.pid' '--with-swapdir=/var/squid/cache' '--without-gnutls' '--enable-auth' '--enable-build-info' '--enable-loadable-modules' '--enable-removal-policies=lru heap' '--disable-epoll' '--disable-linux-netfilter' '--disable-linux-tproxy' '--disable-translation' '--disable-arch-native' '--enable-eui' '--enable-cache-digests' '--enable-delay-pools' '--disable-ecap' '--disable-esi' '--disable-follow-x-forwarded-for' '--enable-htcp' '--disable-icap-client' '--disable-icmp' '--enable-ident-lookups' '--disable-ipv6' '--enable-kqueue' '--without-large-files' '--disable-http-violations' '--without-nettle' '--disable-snmp' '--disable-ssl' '--disable-ssl-crtd' '--disable-stacktraces' '--disable-ipf-transparent' '--disable-ipfw-transparent' '--disable-pf-transparent' '--without-nat-devpf' '--disable-forw-via-db' '--enable-wccp' '--enable-wccpv2' '--with-heimdal-krb5=/usr/local' 'CFLAGS=-I/usr/local/include/heimdal -O2 -pipe -I/usr/local/include -I/usr/local/include -fstack-protector -DLDAP_DEPRECATED -fno-strict-aliasing' 'LDFLAGS=-L/usr/local/lib/heimdal -L/usr/local/lib -L/usr/local/lib -pthread -Wl,-rpath,/usr/local/lib/heimdal:/usr/lib -fstack-protector' 'LIBS=-lkrb5 -lgssapi ' 'KRB5CONFIG=/usr/local/bin/krb5-config' '--enable-auth-basic=DB SMB_LM MSNT-multi-domain NCSA PAM POP3 RADIUS fake getpwnam LDAP SASL SMB NIS' '--enable-auth-digest=file' '--enable-external-acl-helpers=file_userip time_quota unix_group LDAP_group wbinfo_group kerberos_ldap_group' '--enable-auth-negotiate=kerberos wrapper' '--enable-auth-ntlm=fake smb_lm' '--enable-storeio=ufs aufs diskd' '--enable-disk-io=AIO Blocking IpcIo Mmapped DiskThreads DiskDaemon' '--enable-log-daemon-helpers=file' '--enable-url-rewrite-helpers=fake' '--enable-storeid-rewrite-helpers=file' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/info/' '--build=i386-portbld-freebsd10.2' 'build_alias=i386-portbld-freebsd10.2' 'CC=cc' 'CPPFLAGS=-I/usr/local/include' 'CXX=c++' 'CXXFLAGS=-O2 -pipe -I/usr/local/include -I/usr/local/include -fstack-protector -DLDAP_DEPRECATED -fno-strict-aliasing ' 'CPP=cpp' --enable-ltdl-convenience
Код: Выделить всё
#auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -d -r -s HTTP/test.test.local@TEST.local
#auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -i -r -s HTTP/test.test.local@TEST.local
auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -r -s HTTP/test.test.local@TEST.local
auth_param negotiate children 100 startup=10
auth_param negotiate keep_alive off
#Basic parametrs of authorisation
auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 100
auth_param basic realm TEST.TEST.LOCAL
auth_param basic credentialsttl 20 minute
auth_param basic casesensitive off
#auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
#external_acl_type nt_group %LOGIN /usr/local/libexec/squid/ext_wbinfo_group_acl -d -K
external_acl_type ldap_search ttl=3600 negative_ttl=3600 children-max=50 children-startup=10 children-idle=5 grace=15 %LOGIN /usr/local/libexec/squid/ext_kerberos_ldap_group_acl -a -i -m 64 -D TEST.LOCAL -u test -p PASSWD
Код: Выделить всё
last pid: 2395; load averages: 0.63, 0.68, 0.72 up 11+13:43:14 13:39:36
80 processes: 2 running, 78 sleeping
CPU: 60.4% user, 0.0% nice, 17.3% system, 0.4% interrupt, 22.0% idle
Mem: 148M Active, 763M Inact, 235M Wired, 4504K Cache, 90M Buf, 843M Free
Swap: 1680M Total, 38M Used, 1642M Free, 2% Inuse
PID USERNAME THR PRI NICE SIZE RES STATE TIME WCPU COMMAND
1444 squid 1 91 0 129M 79768K RUN 59.2H 68.07% (squid-1) -f /usr/local/etc/squid/squid.conf (squid)
2066 squid 1 21 0 111M 93508K sbwait 1:08 2.39% (negotiate_kerberos_auth) -r -s HTTP/test.test.local@TEST.LOCAL (negotiate_kerberos_)
2035 root 1 20 0 12680K 4384K select 334:21 1.17% /usr/local/sbin/openvpn --cd /usr/local/etc/openvpn --daemon openvpn --config /usr/local/etc/openvpn/conf.conf --writepid /va
2067 squid 1 21 0 56612K 42240K sbwait 0:28 0.68% (negotiate_kerberos_auth) -r -s HTTP/test.test.local@TEST.LOCAL (negotiate_kerberos_)
512 unbound 1 20 0 38388K 24060K select 5:35 0.10% /usr/sbin/unbound -c/var/unbound/unbound.conf
---------------------
2073 squid 1 20 0 15652K 5784K sbwait 0:00 0.00% (negotiate_kerberos_auth) -r -s HTTP/test.test.local@TEST.LOCAL (negotiate_kerberos_)
2075 squid 1 20 0 15652K 5728K sbwait 0:00 0.00% (negotiate_kerberos_auth) -r -s HTTP/test.test.local@TEST.LOCAL (negotiate_kerberos_)
2349 squid 1 42 0 15652K 5716K sbwait 0:00 0.00% (negotiate_kerberos_auth) -r -s HTTP/test.test.local@TEST.LOCAL (negotiate_kerberos_)
2074 squid 1 20 0 15652K 5732K sbwait 0:00 0.00% (negotiate_kerberos_auth) -r -s HTTP/test.test.local@TEST.LOCAL (negotiate_kerberos_)
2350 squid 1 39 0 15652K 5716K sbwait 0:00 0.00% (negotiate_kerberos_auth) -r -s HTTP/test.test.local@TEST.LOCAL (negotiate_kerberos_)
Через некоторое время когда забивается оперативная память и своп начинает тормозить интернет у пользователей. Активных пользователе примерно 100. Кто нибудь сталкивался с такой проблемой.