IP Resolvers

To retrieve geolocation data from an IP address, you must configure an IP resolver. ALTCHA Sentinel supports several options. For compliance purposes, we recommend using a locally hosted MaxMind database.

Note While configuring an IP resolver is recommended for precise geolocation, Sentinel also provides low-precision geolocation based on the user’s timezone. If high accuracy isn’t required , you can skip IP resolver configuration.

Supported Providers

MaxMind

ALTCHA Sentinel supports MaxMind GeoIP2 and GeoLite2 binary databases, enabling privacy-friendly IP lookups directly within Sentinel without external services.

MaxMind offers free city-level databases (GeoLite2) - you only need to register and configure your Account ID and License Key.

Configure MaxMind using the following environment variables:

MAXMIND_ACCOUNT_ID : Your MaxMind Account ID

: Your MaxMind Account ID MAXMIND_LICENSE_KEY : Your MaxMind License Key

: Your MaxMind License Key MAXMIND_DOWNLOAD_URL : Download URL for the binary database (in .tar.gz format; defaults to https://download.maxmind.com/geoip/databases/GeoLite2-City/download?suffix=tar.gz )

For paid GeoIP2 databases, configure the download URL to point to the correct file (e.g., GeoIP2-City ).

For more information, visit maxmind.com.

HTTP Headers

If your load balancer or internet gateway supports geolocation, you can pass the following HTTP headers with requests:

x-ip-secret: XXXXXX # Authentication secret (required) x-ip-country-code: US # ISO 3166-1 alpha-2 country code x-ip-city: Washington # City name x-ip-region: District of Columbia # Region/state name x-ip-lat: 38.9034 # Latitude (decimal degrees) x-ip-lon: -76.9882 # Longitude (decimal degrees) x-ip-hosting: ?1 # Is IP associated with a datacenter/hosting? x-ip-malicious: ?0 # Is IP blacklisted or a known malicious actor? x-ip-mobile: ?0 # Is IP a mobile network? x-ip-proxy: ?0 # Is IP a known proxy provider? x-ip-tor: ?0 # Is IP a known TOR exit node?

Authentication

To authenticate the headers, you must:

Configure the IP_HEADERS_SECRET environment variable. Include the x-ip-secret header with the same value.

This ensures that Sentinel verifies the headers were set by your load balancer and not modified by the client.

Security Best Practices

Your load balancer should:

Strip any client-sent x-ip-* headers.

headers. Or override all supported headers (use empty values if data is unavailable).

Boolean Values

Accepted formats for boolean fields ( x-ip-hosting , x-ip-malicious , etc.):

True: ?1 , 1 , true

, , False: ?0 , 0 , false

Cloudflare

When ALTCHA Sentinel is hosted behind Cloudflare, it can extract the user’s country code from the CF-IPCountry HTTP header automatically added by Cloudflare. This method provides country-level geolocation only and does not include city, latitude/longitude, or other information.

If the user is accessing the site through the Tor network, Cloudflare sets CF-IPCountry to "T1" to indicate Tor usage.

To enable this resolver, set the following environment variable:

CLOUDFLARE_IP_COUNTRY_ENABLED : Set to truthy value ( 1 or true ) to enable detection via the CF-IPCountry header.

For details, see Cloudflare’s documentation on CF-IPCountry .

ip-api.com

The ip-api.com service provides precise geolocation data and advanced detection for hosting or proxy IP addresses with unlimited usage. The service has servers worldwide and is operated by an EU-based company.

Configure ip-api.com using the following environment variable:

IP_API_COM_TOKEN : Your API token for ip-api.com

For more information, visit ip-api.com.

ipstack.com

ipstack.com offers a global IP database service with advanced security indicators. This service is operated by a US-based company.

To set up ipstack.com, use the following environment variable:

IPSTACK_COM_TOKEN : Your API token for ipstack.com.

For security indicators (e.g., proxy detection, hosting, TOR), ensure you subscribe to the “PROFESSIONAL PLUS” plan which includes the “Security Module”.

For more details, visit ipstack.com.

ipinfo.io

ipinfo.io provides both free and paid IP intelligence services. It supports two integration methods and offers a downloadable MMDB file for local, privacy-friendly IP resolution. The service is operated by a US-based company.

You can use ipinfo.io in one of two ways:

API Service — Requires an API token ( IPINFO_IO_TOKEN ). Local MMDB Database — Requires a download URL for the MMDB file ( IPINFO_IO_MMDB_DOWNLOAD_URL ).

Set the following environment variables to configure ipinfo.io:

IPINFO_IO_TOKEN : Your API token for ipinfo.io. Always required.

: Your API token for ipinfo.io. Always required. IPINFO_IO_LITE_ENABLED : Optional. If set to a truthy value, the Lite API endpoint ( https://api.ipinfo.io/lite ) will be used.

: Optional. If set to a truthy value, the Lite API endpoint ( ) will be used. IPINFO_IO_MMDB_DOWNLOAD_URL : Optional. URL to download the MMDB database (e.g., https://ipinfo.io/data/ipinfo_lite.mmdb?token=... ). Required for local mode.

Verify Configuration

To confirm that your IP resolver is configured correctly, use the following endpoint:

POST /v1/ip (API Docs)

Submit your IP address in the request. If configured properly, the response will include your IP’s geolocation data.

Note: Some fields in the response may be null , depending on the chosen resolver and the supported indicators.

When automatic updates are enabled, ALTCHA Sentinel will periodically download and replace the local MaxMind or ipinfo.io MMDB database file based on a CRON-style schedule. This ensures your IP data remains accurate and up to date.

To configure the update schedule, set the following environment variables:

MaxMind: MAXMIND_DOWNLOAD_SCHEDULE : CRON-style schedule for updating the database. Defaults to 0 0 * * * (daily). To disable automatic updates, leave this variable empty.

ipinfo.io (MMDB mode): IPINFO_IO_MMDB_DOWNLOAD_SCHEDULE : CRON-style schedule for updating the database. Defaults to 0 0 * * * (daily). Set to an empty value to disable.



Automatic updates only apply when using a local database file. API-based resolvers are not affected.

Internal Caching

To improve performance and reduce resolver load, IP resolution results are cached in memory using a Least Recently Used (LRU) strategy.

Each unique IP address is cached for up to 4 hours.

Subsequent requests from the same IP within this window return cached data without querying the resolver again.

This significantly reduces response times for repeat visitors and minimizes usage of rate-limited or paid API services.

Combining IP Resolvers

You can enable multiple IP resolvers at the same time. When more than one resolver is active, Sentinel merges the data from each resolver in a defined order.

Each resolver can override values from earlier resolvers, unless its value is null (i.e. not provided or undetectable).

Resolvers are executed in the following order: