NGINX: forward real IP AND only allow Cloudflare

My cheater method (in Apache) might work similarly in NGINX: