Get IPv4 addresses of TOR exit nodes behind Cloudflare

Using ngx_http_realip_module, I get $_SERVER[HTTP_CF_CONNECTING_IP] with the visitor's real IP in order to match it against the Tor exit node IP list. But in most cases, when a visitor for sure uses Tor Browser, I get IPv6 addresses like 2405:8100:8000:5ca1::e0:d91f where I actually expect one of the IPv4 addresses from the exit list.

If I exclude Cloudflare, I fail to catch even a single IPv6 address from a Tor exit.

Did I miss anything? Is there really an IPv6 exit list? Is there another strong method to detect visitors that use Tor Browser if I still use Cloudflare?

Why not turn on Geolocation? The Tor country code should be T1.


Indeed! CF returns HTTP_CF_IPCOUNTRY as well, which will be set to T1 in case of Tor.

Thanks for the idea


Hmm…
Something goes wrong with geo IP and the Tor exit list. Approximately 50% of addresses show particular countries instead of T1. For example:
2a0b:f4c2:1::1
and its [HTTP_CF_CONNECTING_IP] => 241.157.89.19
show [HTTP_CF_IPCOUNTRY] => DE
And 241.157.89.19 is not in the Tor exit list.

Who knows how to handle it?

That looks like a bogus IP address, so I’m not sure how it’s getting through.

As far as I can see, this list https://onionoo.torproject.org/summary contains both IPv4 and IPv6 exit addresses. For each IPv6 address there is one corresponding IPv4 address that belongs to https://check.torproject.org/torbulkexitlist, which can be checked via TorDNSEL.

{"n":"bang1","f":"0136696B025AC5503847D736FE9F3D65EB27A596","a":["134.209.159.74","[2400:6180:100:d0::8bb:6001]"],"r":true},
{"n":"Desson","f":"0136DDF285ABAF485E369A0104C4B56A2B1044FB","a":["186.209.187.57"],"r":true},
{"n":"TorNode31","f":"01384A5D9C6D34352701BF86D04E5F406CB256AE","a":["45.9.148.31"],"r":true},
{"n":"insist","f":"014BD09636373B78CC28BA70E36C7190E3DE236A","a":["185.83.92.166"],"r":false},
{"n":"8ac97a37","f":"014E24C0CD21D2B9829E841D5EC1D3C415F866BF","a":["138.201.122.55"],"r":true},
{"n":"marsmellow","f":"014EE24BCBDA160F236B2547A4639B27E303A1E7","a":["62.251.89.74","[2001:985:a751:1:428d:5cff:fe5f:7f92]"],"r":true},
{"n":"Minducus","f":"01518C0417843E9709B15B3B004BC834CDE67A92","a":["204.228.147.42"],"r":false},

But CF returns an IPv6 address whenever possible.

Is there any setting to force CF to return only IPv4?
I tried Pseudo IPv4, but it returns some trash like 241.157.89.19 (non-existing or reserved-for-future-use addresses).

The only way I see is to cache the above list regularly and check the addresses against it. Any better idea?
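
The caching approach from the post above, as an added example that is not part of the original thread: it parses a cached Onionoo summary document, normalizes the IPv4 and IPv6 relay addresses, and checks Cloudflare's connecting IP and country code against them. The sample entries are copied from the excerpt above; the top-level `relays` wrapper around them, the function names and the `running_only` filter are assumptions of this example.

```python
import ipaddress
import json

# Constructed sample: relay entries copied from the excerpt in the post above,
# wrapped in a top-level "relays" array (assumed document layout).
SAMPLE_SUMMARY = """
{"relays": [
 {"n":"bang1","f":"0136696B025AC5503847D736FE9F3D65EB27A596","a":["134.209.159.74","[2400:6180:100:d0::8bb:6001]"],"r":true},
 {"n":"insist","f":"014BD09636373B78CC28BA70E36C7190E3DE236A","a":["185.83.92.166"],"r":false},
 {"n":"marsmellow","f":"014EE24BCBDA160F236B2547A4639B27E303A1E7","a":["62.251.89.74","[2001:985:a751:1:428d:5cff:fe5f:7f92]"],"r":true}
]}
"""


def normalize(addr):
    """Parse an IPv4/IPv6 string ("[...]" brackets allowed) into a canonical
    ipaddress object, or return None if it is not a valid address."""
    try:
        ip = ipaddress.ip_address(addr.strip().strip("[]"))
    except ValueError:
        return None
    # Collapse IPv4-mapped IPv6 (::ffff:a.b.c.d) to plain IPv4.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def build_relay_set(summary_json, running_only=True):
    """Return the set of relay addresses (both families) from a cached summary."""
    addrs = set()
    for relay in json.loads(summary_json).get("relays", []):
        if running_only and not relay.get("r", False):
            continue  # hypothetical filter: skip relays marked as not running
        for raw in relay.get("a", []):
            ip = normalize(raw)
            if ip is not None:
                addrs.add(ip)
    return addrs


def is_tor_visitor(connecting_ip, ip_country, relay_addrs):
    """True if Cloudflare tagged the request T1 or the address is a listed relay."""
    if (ip_country or "").upper() == "T1":
        return True
    ip = normalize(connecting_ip or "")
    return ip is not None and ip in relay_addrs


RELAYS = build_relay_set(SAMPLE_SUMMARY)
```

Comparing parsed address objects rather than strings matters here because the same IPv6 address can arrive in compressed or expanded form.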

:wave: @milkyway,

Cloudflare doesn't return the IPv6 whenever possible; the user is connecting to your site via IPv6.

What is it you are trying to achieve exactly that it matters?

— OG

I noticed that when I exclude CF, Tor Browser is detected 100% of the time, and fifty-fifty through CF.
