I am having this very specific problem. I will try my best to describe what the deal is.
I am running a server on Digital Ocean behind an NGINX reverse proxy (configurations are done through NGINX Proxy Manager). I create an A record in my Cloudflare (mydomain.com) pointing to the Digital Ocean droplet's IP. Everything works well:
REQUEST FROM INTERNET > CLOUDFLARE PROXY > NGINX REVERSE PROXY > DIGITAL OCEAN SERVER.
However, when I try to put a single IP address (for example, the address of my VPN server X.X.X.X) in the NGINX reverse proxy's Access List (so that only that IP will have access to the server), everything stops working, and I know why. NGINX waits for requests only from X.X.X.X, and because the scheme appears to be like this:
X.X.X.X > CLOUDFLARE PROXY > NGINX REVERSE PROXY > DIGITAL OCEAN SERVER
It is logical that NGINX doesn't send any response (because it is waiting for a connection from X.X.X.X and the connection comes from the Cloudflare proxy's IP).
The issue is that when I turn off the Cloudflare proxy (toggling the little orange cloud to the OFF position), the server doesn't respond. As I understand it, when I turn it off, the connection should be coming like this:
X.X.X.X > NGINX REVERSE PROXY > DIGITAL OCEAN SERVER
Does anyone know what the issue might be? (I am guessing there might be another Cloudflare server between my VPN and the NGINX proxy? Or, I don't know, something of that kind.) Let me know if you need any additional info; I will try to provide everything possible. Thank you everyone in advance.
The problem is solved thanks to @Paolo's answer. I decided to start from the easiest of the cases he provided, so I added all Cloudflare IP ranges to my NGINX reverse proxy's access list. Because I run Docker behind that proxy, I have several containers that need to be public and some that need to be private (accessible only with my x.x.x.x VPN).
Case #1 (with orange cloud ON): Now I am able to access the containers that I wanted to be public from any IP address (thanks to the new Access List mentioned above).
REQUEST FROM INTERNET > CLOUDFLARE PROXY > NGINX REVERSE PROXY > DIGITAL OCEAN SERVER > DOCKER PUBLIC CONTAINER
Case #2 (with gray cloud OFF): After @Paolo pointed out that there may be a connectivity issue between X.X.X.X and NGINX, I started to check all configs. He was right, the reverse proxy was misconfigured. After fixing the issue, everything started to work as I planned. (The access list was switched from the previous one to only allowing X.X.X.X in this case.)
X.X.X.X > NGINX REVERSE PROXY > DIGITAL OCEAN SERVER > DOCKER PRIVATE CONTAINER
Thanks everyone and special thanks to @Paolo
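
An added example, not part of the original post: a small model of the access-list decision described above, showing why matching on the TCP peer fails behind the orange cloud and how restoring the client address from Cloudflare's `CF-Connecting-IP` header, only when the peer is inside a Cloudflare range, lets a VPN-only rule work in both cases. The address `203.0.113.10` is a constructed stand-in for X.X.X.X, the Cloudflare list is a subset (the full list is published at https://www.cloudflare.com/ips/), and all function names are hypothetical.

```python
import ipaddress

# Subset of Cloudflare's published IPv4 ranges (assumption: sample only;
# take the full, current list from https://www.cloudflare.com/ips/).
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13", "172.64.0.0/13",
)]
# Constructed stand-in for the VPN address written as X.X.X.X in the post.
VPN_ALLOW = [ipaddress.ip_network("203.0.113.10/32")]


def in_any(addr, networks):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def naive_allow(peer_ip, headers, allow):
    """Access list matched against the TCP peer only (the behaviour in the post)."""
    return in_any(peer_ip, allow)


def effective_client(peer_ip, headers, trusted_proxies):
    """Use CF-Connecting-IP only when the peer really is a trusted proxy."""
    claimed = headers.get("CF-Connecting-IP")
    if claimed and in_any(peer_ip, trusted_proxies):
        try:
            return str(ipaddress.ip_address(claimed.strip()))
        except ValueError:
            return peer_ip  # malformed header: fall back to the peer address
    return peer_ip


def real_ip_allow(peer_ip, headers, allow, trusted_proxies=CLOUDFLARE_RANGES):
    return in_any(effective_client(peer_ip, headers, trusted_proxies), allow)


# Constructed requests: (label, TCP peer seen by NGINX, request headers)
REQUESTS = [
    ("VPN via orange cloud", "172.64.10.5", {"CF-Connecting-IP": "203.0.113.10"}),
    ("other user via orange cloud", "104.16.1.1", {"CF-Connecting-IP": "198.51.100.7"}),
    ("VPN direct, gray cloud", "203.0.113.10", {}),
    ("direct peer with forged header", "198.51.100.7", {"CF-Connecting-IP": "203.0.113.10"}),
]

if __name__ == "__main__":
    for label, peer, hdrs in REQUESTS:
        print(f"{label:32} naive={naive_allow(peer, hdrs, VPN_ALLOW)} "
              f"real_ip={real_ip_allow(peer, hdrs, VPN_ALLOW)}")
```

In NGINX itself this logic is provided by the realip module's `set_real_ip_from` and `real_ip_header` directives. An access list that simply allows every Cloudflare range admits any client that comes through Cloudflare, which suits public containers but not private ones.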