Nginx and allow/deny with real_ip

After being hit by an attacker who discovered the origin IP by using Censys, I’m trying to secure the site.

The problem is that I can do 2 things separately but not together:

  1. I can get the original IPs back using set_real_ip_from and real_ip_header CF-Connecting-IP
    or
  2. I can only allow CF servers to connect with allow and deny.

But if I do both, nginx applies the allow/deny rule on the “real” connecting IP so no one can connect.

What’s the best way to solve this, preferably using just nginx? (I could set up some ufw rules, but that would lead to other issues).
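An added configuration example (not from the original post or from any of the replies) showing why the two pieces clash and the usual nginx-only way to combine them. The realip module rewrites $remote_addr before the access module runs, so allow/deny ends up testing the visitor's address. The original TCP peer survives in $realip_remote_addr (nginx 1.9.7 or later), and a geo block keyed on that variable can reject anything that did not arrive through Cloudflare. The Cloudflare IPv4 ranges are the published list at the time of writing, the server name, certificate paths, upstream address and the $direct_hit variable name are placeholders:

```nginx
# Added example, not the poster's configuration.
# Assumes nginx >= 1.9.7 (for $realip_remote_addr) built with ngx_http_realip_module.
# IPv4 ranges from https://www.cloudflare.com/ips/ as of writing; re-check the list
# and add the IPv6 ranges if the origin also listens on IPv6.

http {
    # 1. Recover the visitor address. real_ip_header is only honoured when the
    #    TCP peer matches a set_real_ip_from entry, so a connection that bypasses
    #    Cloudflare cannot spoof CF-Connecting-IP.
    set_real_ip_from 173.245.48.0/20;
    set_real_ip_from 103.21.244.0/22;
    set_real_ip_from 103.22.200.0/22;
    set_real_ip_from 103.31.4.0/22;
    set_real_ip_from 141.101.64.0/18;
    set_real_ip_from 108.162.192.0/18;
    set_real_ip_from 190.93.240.0/20;
    set_real_ip_from 188.114.96.0/20;
    set_real_ip_from 197.234.240.0/22;
    set_real_ip_from 198.41.128.0/17;
    set_real_ip_from 162.158.0.0/15;
    set_real_ip_from 104.16.0.0/13;
    set_real_ip_from 104.24.0.0/14;
    set_real_ip_from 172.64.0.0/13;
    set_real_ip_from 131.0.72.0/22;
    real_ip_header CF-Connecting-IP;

    # 2. Once realip has run, $remote_addr is the visitor, which is why
    #    "allow <cloudflare ranges>; deny all;" blocks everyone. $realip_remote_addr
    #    still holds the peer that opened the connection, so test that instead.
    geo $realip_remote_addr $direct_hit {          # $direct_hit: placeholder name
        default           1;   # not a Cloudflare edge: came straight to the origin
        173.245.48.0/20   0;
        103.21.244.0/22   0;
        103.22.200.0/22   0;
        103.31.4.0/22     0;
        141.101.64.0/18   0;
        108.162.192.0/18  0;
        190.93.240.0/20   0;
        188.114.96.0/20   0;
        197.234.240.0/22  0;
        198.41.128.0/17   0;
        162.158.0.0/15    0;
        104.16.0.0/13     0;
        104.24.0.0/14     0;
        172.64.0.0/13     0;
        131.0.72.0/22     0;
    }

    server {
        listen 443 ssl;
        server_name example.com;                              # placeholder
        ssl_certificate     /etc/nginx/tls/example.com.crt;   # placeholder paths
        ssl_certificate_key /etc/nginx/tls/example.com.key;

        # Refuse anything that did not come through Cloudflare. A bare "return"
        # in a server-level if is one of the safe uses of the if directive.
        if ($direct_hit) {
            return 403;
        }

        # Do not add allow/deny here: they evaluate $remote_addr, which is now
        # the visitor's address, not the Cloudflare edge.

        location / {
            proxy_pass http://127.0.0.1:8080;              # placeholder upstream
            proxy_set_header X-Real-IP $remote_addr;        # already the visitor IP
            proxy_set_header Host $host;
        }
    }
}
```

To check it, connect to the origin IP directly with a forged header, for example curl -k -H 'CF-Connecting-IP: 203.0.113.5' https://<origin-ip>/ with a Host header for the site; that should return 403, while requests through the Cloudflare hostname should succeed and log the visitor's address. Keep both lists in sync when Cloudflare publishes changes, or generate the two blocks from the same source file.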

I’m not sure if there is anything on the Community for this, but Stack Overflow probably has the answer:

Gonna throw my personal opinion in here: obscuring the IP should never be something that you should have to handle. Many CMSs will leak it no matter what you do.
I would ask my server provider to nullroute any traffic not coming from Cloudflare, making incoming attacks useless unless it somehow overwhelmed their edge, which should be highly unlikely.