"DNS points to local or disallowed IP" effectively blocks all Tor users

A recent change to GitLab.com is now effectively blocking all Tor users. GitLab is blocking all IP addresses sourced from "local addresses" and Cloudflare's onion service is presenting almost-all Tor users under a local IPv6 address.

More information on Cloudflare's blog post for their onion services.

Blocked address example. Your IP address: 2405:8100:8000:5ca1::226:9a52

The IPv6 range 2405:8100:8000:: is used by Cloudflare representing Tor users whose browsers have accepted their onion-service alt-svc header.

Any GitLab instances running as onion services with HiddenServiceExportCircuitID enabled will see the range fc00:dead:beef:4dad:: instead. Both ranges should be whitelisted.

A workaround for users in the meantime is to temporarily significantly weaken their anonymity by disabling altsvc in their browser. network.http.altsvc.enabled = false. However under this configuration, Cloudflare is very likely to block other requests due to the aggregation of millions of Tor users under only a few thousand exit relays as this "looks bad" to naive traffic analysis.