CloudFlare does not automatically block visitors who use the Tor network.
Why might a Tor visitor be blocked or challenged?
Due to the behavior of some individuals using the Tor network (spammers, distributors of malware, attackers, etc.), the IP addresses of Tor exit nodes may earn a bad reputation, elevating their CloudFlare threat score. Our basic protection level issues CAPTCHA-based challenges to visitors whose IP address has a high threat score, depending on the level chosen by the CloudFlare customer. The choices for security range from Essentially Off to I'm Under Attack. The default level is Medium.
What additional control do CloudFlare customers have over traffic from visitors using Tor?
Since late February 2016, CloudFlare treats Tor exit nodes as a "country" of their own. There's no geography associated with these IPs, but this approach lets CloudFlare customers override the default CloudFlare threat score to define the experience for their Tor visitors.
CloudFlare updates its list of Tor exit node IP addresses every 15 minutes.
Control is in the Access Rules section of the Firewall app.
The options for Tor are:
- Whitelist (trust)
- CAPTCHA (visible challenge which the visitor must interact with to pass)
- Block (blacklist -- available only to CloudFlare Enterprise customers)
CloudFlare uses the two-letter code T1 for Tor.
Here's an example where a CloudFlare customer chooses in their dashboard to Whitelist Tor.
What does a Tor visitor see when CAPTCHA is selected?
A Tor visitor to any CloudFlare site which has chosen to CAPTCHA (challenge) Tor will see a page like this and need to proceed through the CAPTCHA, which may have different actions required.
What does a Tor visitor see when Blocked selected?
Tor visitors to a CloudFlare Enterprise site which has chosen to Block Tor will see a page like this: