Onion Routing and Tor support
Improve the Tor user experience by enabling Onion Routing, which enables Cloudflare to serve your website’s content directly through the Tor network and without requiring exit nodes.
How it works
Due to the behavior of some individuals using the Tor network (spammers, distributors of malware, attackers), the IP addresses of Tor exit nodes may earn a bad reputation, elevating their Cloudflare threat score.
One way to address this threat score is to create . Cloudflare assigns the two-letter code
T1 for Tor. There’s no geographical country associated with these IPs, but this approach lets Cloudflare customers override the default Cloudflare threat score to define the experience for their Tor visitors. Cloudflare updates its list of Tor exit node IP addresses every hour.
The other way to improve the Tor user experience is through Onion Routing. This improves Tor browsing as follows:
- Tor users no longer access your site via exit nodes, which can sometimes be compromised, and may snoop on user traffic.
- Human Tor users and bots can be distinguished by our Onion services, such that interactive challenges are only served to malicious bot traffic.
You should note that the visible domain in the UI remains unchanged, as the host header and the SNI are preserved. However, the underlying connection changes to be routed through Tor, as the with a Tor Circuit. Cloudflare does not provide a certificate for the
.onion domain provided as part of alt-svc flow, which therefore cannot be accessed via HTTPS.