LinuxQuestions.org
Old 08-17-2019, 01:17 PM   #1
micolocobr2
LQ Newbie
 
Registered: Aug 2019
Location: Brazil
Distribution: Ubuntu
Posts: 4

Rep: Reputation: Disabled
Squid leaks host IP on first connection


Hi folks,

I have a Vbox running squid 3.5.24 with 125 addresses in interfaces.

I'm routing specific IPs to some users and protecting it with htpasswd.
E.g. there are users using 2 dedicated IPs and the routing is like this:

http_port 141.191.72.201:4223 name=201
acl ip201 myportname 201
tcp_outgoing_address 141.191.72.201 ip201

http_port 161.191.72.202:4223 name=202
acl ip202 myportname 202
tcp_outgoing_address 161.191.72.202 ip202

The strange bug is that just in the first connection through any of these IPs, myip.com shows the outgoing IP of my server instead of one of those IPs above.
For any other connection through the same IPs after the first, myip.com shows the correct outgoing IP.

Any clue of why?
I thought maybe it could be something related with authentication...

I have more than 10 Vboxes with the exact same problem running Ubuntu 16.
 
Old 08-17-2019, 07:36 PM   #2
Skaperen
Senior Member
 
Registered: May 2009
Location: center of singularity
Distribution: Xubuntu, Ubuntu, Slackware, Amazon Linux, OpenBSD, LFS (on Sparc_32 and i386)
Posts: 2,684
Blog Entries: 31

Rep: Reputation: 176Reputation: 176
if the 2nd connection comes from a different IP, does it still show the wrong IP?

sounds like a possible timing bug. if the 2nd connection works OK even if it comes from a different IP, then a workaround would be to trigger a connection through it right after it starts. that could also be a nice way to verify it is up (if that script doesn't get a response, it could report a problem).
 
Old 08-17-2019, 08:35 PM   #3
micolocobr2
LQ Newbie
 
Registered: Aug 2019
Location: Brazil
Distribution: Ubuntu
Posts: 4

Original Poster
Rep: Reputation: Disabled
Thanks a lot for your time, Skaperen.

The problem indeed is only in the first-time connection.
In this first connection squid is really leaking the client's IP.
This is a big problem for the kind of customers I have.

You said "workaround would be to trigger a connection through it right after it starts"

Any suggestion about how to do it?
 
Old 08-17-2019, 08:55 PM   #4
Skaperen
Senior Member
 
Registered: May 2009
Location: center of singularity
Distribution: Xubuntu, Ubuntu, Slackware, Amazon Linux, OpenBSD, LFS (on Sparc_32 and i386)
Posts: 2,684
Blog Entries: 31

Rep: Reputation: 176Reputation: 176
so it leaks per client. if you restart it today and a client comes back from overseas next week and uses it then, it will still leak their IP once even though other users have used this for thousands of requests?

where you say "with 125 address in interfaces" is "125" part of an address or a count of addresses?

i'd set up some kind of port forwarding to obscure client IP addresses if your authentication is not based on IP (a bad design).
 
Old 08-17-2019, 09:08 PM   #5
Skaperen
Senior Member
 
Registered: May 2009
Location: center of singularity
Distribution: Xubuntu, Ubuntu, Slackware, Amazon Linux, OpenBSD, LFS (on Sparc_32 and i386)
Posts: 2,684
Blog Entries: 31

Rep: Reputation: 176Reputation: 176
you would have a script to restart it and a script to trigger a connection. the script to restart it would then run the trigger script. you also want the trigger script to run when the system boots up.

the trigger script should sleep a minute or two to let squid get going. then it would run "curl" or a program like that to access a safe web page, like your own.
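
The trigger-and-verify step suggested above, as an added example that is not part of the original thread or any poster's code: it reads the `http_port` / `myportname` / `tcp_outgoing_address` triples from squid.conf, sends one request through each listener, and reports any listener whose observed egress IP differs from the configured one. `ECHO_URL`, `PROXY_USER`, `PROXY_PASS` and `WARMUP_DELAY` are assumed names, and the echo page is assumed to be one you control that returns the caller's IP as plain text.

```shell
#!/bin/sh
# Added example: warm each Squid listener after a restart and confirm its egress IP.
# ECHO_URL, PROXY_USER, PROXY_PASS and WARMUP_DELAY are assumptions; the echo page
# must return the caller's IP address as plain text.
ECHO_URL="${ECHO_URL:-http://ip-echo.example/}"

# Sample config for offline testing, copied from the first post.
SAMPLE_CONF='http_port 141.191.72.201:4223 name=201
acl ip201 myportname 201
tcp_outgoing_address 141.191.72.201 ip201
http_port 161.191.72.202:4223 name=202
acl ip202 myportname 202
tcp_outgoing_address 161.191.72.202 ip202'

# Read squid.conf on stdin; print "listen_ip:port expected_egress_ip" for every
# named http_port tied to a tcp_outgoing_address through a myportname ACL.
listener_pairs() {
  awk '
    $1 == "http_port" { for (i = 3; i <= NF; i++) if ($i ~ /^name=/) { n = substr($i, 6); port[n] = $2; order[++k] = n } }
    $1 == "acl" && $3 == "myportname" { aclname[$4] = $2 }
    $1 == "tcp_outgoing_address" { out[$3] = $2 }
    END { for (j = 1; j <= k; j++) { n = order[j]; a = aclname[n]; if (a != "" && out[a] != "") print port[n], out[a] } }
  '
}

# verdict <proxy> <expected> <observed>: return 1 when the egress IP is wrong.
verdict() {
  if [ "$2" = "$3" ]; then echo "OK $1 egress=$3"; return 0; fi
  echo "LEAK $1 expected=$2 observed=${3:-none}"; return 1
}

# probe <proxy ip:port>: fetch the echo page through one listener (needs network).
probe() {
  curl -s --max-time 10 -x "http://$1" -U "$PROXY_USER:$PROXY_PASS" "$ECHO_URL" | tr -d '[:space:]'
}

# Usage: sh warm.sh <path to squid.conf>   (call from the restart script and at boot)
if [ -n "${1:-}" ] && [ -r "$1" ]; then
  sleep "${WARMUP_DELAY:-60}"   # give squid time to start, as the post suggests
  listener_pairs < "$1" | {
    rc=0
    while read -r proxy expected; do
      verdict "$proxy" "$expected" "$(probe "$proxy")" || rc=1
    done
    exit "$rc"
  }
  exit $?
fi
```

A non-zero exit status means at least one listener answered from an address other than its configured `tcp_outgoing_address`, so the restart script can log or alert on it.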
 
Old 08-18-2019, 11:07 PM   #6
micolocobr2
LQ Newbie
 
Registered: Aug 2019
Location: Brazil
Distribution: Ubuntu
Posts: 4

Original Poster
Rep: Reputation: Disabled
"if you restart it today and a client comes back from overseas next week and uses it then, it will still leak their IP once even though other users have used this for thousands of requests?"

Actually it is a bit hard to replicate the problem now.
If I test with scrapebox's proxy manager all IPs of my 10 Vboxes, each one with around 125 IPs in squid, I will have around 4% of "the proxy leaks your ip" messages.

I have managed to increase this just by reading a lot about squid.conf best practices and implementing some code.
But I can't get rid of this 4%.

I also implemented web caching and I have plans to get rid of this htpasswd and change authentication to source-IP-based authentication as you have suggested.
 
Old 08-18-2019, 11:09 PM   #7
micolocobr2
LQ Newbie
 
Registered: Aug 2019
Location: Brazil
Distribution: Ubuntu
Posts: 4

Original Poster
Rep: Reputation: Disabled
"you would have a script to restart it and a script to trigger a connection. the script to restart it would then run the trigger script. you also want the trigger script to run when the system boots up"

My concern about this workaround is timing.
I run these IPs as proxies and response time is a key to success.
 