Getting the real client IP in Nginx when behind Cloudflare and HAProxy


Create a file named cloudflare_ips.lst and add all of Cloudflare's IP ranges to it, one CIDR per line. Cloudflare publishes the current list at https://www.cloudflare.com/ips/; keep the file in sync with it, because any range missing from this file will not be trusted.

vi /etc/haproxy/cloudflare_ips.lst
173.245.48.0/20
103.21.244.0/22
103.22.200.0/22
103.31.4.0/22
141.101.64.0/18
108.162.192.0/18
190.93.240.0/20
188.114.96.0/20
197.234.240.0/22
198.41.128.0/17
162.158.0.0/15
104.16.0.0/12
172.64.0.0/13
131.0.72.0/22
2400:cb00::/32
2606:4700::/32
2803:f800::/32
2405:b500::/32
2405:8100::/32
2a06:98c0::/29
2c0f:f248::/32

Now add the following to your HAProxy frontend. The acl guard is what makes this safe: the CF-Connecting-IP header is only honoured when the connection really comes from a Cloudflare address, so a client connecting to HAProxy directly cannot set the header itself and spoof its source IP.

acl from_cf    src -f /etc/haproxy/cloudflare_ips.lst
http-request set-src req.hdr(CF-Connecting-IP) if from_cf

So your configuration will look like this (note that set-src must come before the rate-limit tracking, otherwise the counter is keyed on the shared Cloudflare edge address instead of the real user):

frontend https
    mode http
    bind *:443 ssl crt /etc/letsencrypt/live/web.bullten.work/web.bullten.work.pem alpn h2,http/1.1

    # Add X-Forwarded-For carrying the (restored) client address for nginx
    option forwardfor

    # Replace the Cloudflare edge address with the real client address,
    # but only when the connection actually comes from Cloudflare
    acl from_cf    src -f /etc/haproxy/cloudflare_ips.lst
    http-request set-src req.hdr(CF-Connecting-IP) if from_cf

    # Per-client rate limit, keyed on the restored address
    # (per_ip_rates is a stick table defined elsewhere in the configuration)
    http-request track-sc0 src table per_ip_rates
    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 10 }

    default_backend app-main

This way HAProxy records the user's real IP and, through option forwardfor, passes it to nginx in the X-Forwarded-For header.
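To make the trust decision above concrete, here is an added Python model (not part of the original post or of HAProxy) of what the acl plus set-src lines do: parse the one-CIDR-per-line file, honour CF-Connecting-IP only when the peer is a Cloudflare address, and key a simplified per-IP counter on the restored address. The CIDR excerpt, client addresses and the fixed-window counter are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed excerpt of /etc/haproxy/cloudflare_ips.lst (same format: one CIDR per line).
CLOUDFLARE_IPS_LST = """\
173.245.48.0/20
103.21.244.0/22
2606:4700::/32
"""


def load_cf_networks(text):
    """Parse the one-CIDR-per-line file that HAProxy reads with `src -f`."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # skip comments and blank lines
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def effective_src(conn_src, cf_connecting_ip, cf_nets):
    """Model of: acl from_cf src -f ...; http-request set-src req.hdr(CF-Connecting-IP) if from_cf.

    The header is used only when the TCP peer is a Cloudflare address. A direct client
    sending its own CF-Connecting-IP keeps its real source address (spoofing is ignored).
    """
    src = ipaddress.ip_address(conn_src)
    from_cf = any(src in net for net in cf_nets)
    if from_cf and cf_connecting_ip:
        try:
            return str(ipaddress.ip_address(cf_connecting_ip.strip()))
        except ValueError:
            pass  # malformed header value: keep the connection address (assumption)
    return str(src)


class PerIpRate:
    """Simplified stand-in for `track-sc0 src table per_ip_rates` + `deny if rate gt limit`."""

    def __init__(self, limit):
        self.limit = limit
        self.counts = defaultdict(int)  # fixed window, no expiry (constructed)

    def allow(self, key):
        self.counts[key] += 1
        return self.counts[key] <= self.limit


def handle(conn_src, cf_header, cf_nets, limiter):
    """Restore the client address first, then track on it; returns (client_ip, allowed)."""
    client = effective_src(conn_src, cf_header, cf_nets)
    return client, limiter.allow(client)
```

Calling handle() with several different Cloudflare edge addresses but the same CF-Connecting-IP shows the counter following the real user rather than the edge node.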