Thinking about it more, you could try trusted_proxies static private_ranges instead which would trust any connections coming through other Docker containers. So it would read the headers from the request that Cloudflare adds. (You’ll probably also want to set client_ip_headers Cf-Connecting-Ip because Cloudflare’s X-Forwarded-For is still vulnerable to spoofing by default).