Get IPv4 addresses of TOR exit nodes behind Cloudflare

Using ngx_http_realip_module I get $_SERVER[HTTP_CF_CONNECTING_IP] with visitor’s real IP in order to match it against TOR exit node IP list. But in most cases, when a visitor for sure uses Tor Browser, I get IPv6 addresses like 2405:8100:8000:5ca1::e0:d91f that actually is expected to be one of the IPv4 exit list.

If I exclude Cloudflare I failed to catch even a single IPv6 address from tor exit

Did I miss anything? Is there really existing IPv6 exit list? Is there another strong method to detect visitors that use Tor Browses if I still use Cloudflare?

Why not turn on Geolocation? The Tor country code should be T1.

1 Like

Indeed! CF returns HTTP_CF_IPCOUNTRY as well that will be set to T1 in case of Tor

Thanks for the idea

1 Like

Something goes wrong with geo IP and tor exit list. Approximately 50% addresses show particular countries instead of T1. For example:
And is not in Tor exit list

Who knows how to handle it?

That looks like a bogus IP address, so I’m not sure how it’s getting through.

As well as I can see this list contains both IPv4 and IPv6 exit addresses. For each IPv6 address there is one corresponding IPv4 address that belongs to that can be checked via TorDNSEL


But CF returns IPv6 address whenever is possible.

Is there any settings to force CF to return only IPv4?
I tried Pseudo IPv4 but it returns some trash like (non-existing or reserved for future use addresses).

The only way I see is to cache the above list regularly and check the addresses against it. Any better idea?

:wave: @milkyway,

Cloudflare doesn’t return the IPv6 whenever possible, the user is connecting to your site via IPv6.

What time s it you are trying to achieve exactly that it matters?

— OG

I noticed that when I exclude CF, Tor Browser is detected 100% of the time. And fifty-fifty through CF

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.