Passing original incoming IP through Cloudflare to NPM?

[jacksaturn]

I'm self-hosting a Mastodon server behind Cloudflare and trying to configure NPM so that I can pass a visitor's original (non-Cloudflare) IP address through to Mastodon.

All my other domains are configured in NPM using an Access List set up to only accept Cloudflare IP addresses. That works great for all of those sites, but in the interest of properly federating my Mastodon instance, I need to be able to see the actual IP addresses coming in.

Currently I have the Cloudflare Access List disabled, with Access set to "Public."

In the Custom Nginx Configuration field of the Proxy Host I have the following code:

set_real_ip_from    103.21.244.0/22;
set_real_ip_from    103.22.200.0/22;
set_real_ip_from    103.31.4.0/22;
set_real_ip_from    104.16.0.0/13;
set_real_ip_from    104.24.0.0/14;
set_real_ip_from    108.162.192.0/18;
set_real_ip_from    131.0.72.0/22;
set_real_ip_from    141.101.64.0/18;
set_real_ip_from    162.158.0.0/15;
set_real_ip_from    172.64.0.0/13;
set_real_ip_from    173.245.48.0/20;
set_real_ip_from    188.114.96.0/20;
set_real_ip_from    190.93.240.0/20;
set_real_ip_from    197.234.240.0/22;
set_real_ip_from    198.41.128.0/17;
set_real_ip_from    2400:cb00::/32;
set_real_ip_from    2405:8100::/32;
set_real_ip_from    2405:b500::/32;
set_real_ip_from    2606:4700::/32;
set_real_ip_from    2803:f800::/32;
set_real_ip_from    2a06:98c0::/29;
set_real_ip_from    2c0f:f248::/32;
real_ip_header CF-Connecting-IP;

That list of IPs are all the possible Cloudflare IPs. The CF-Connecting-IP is the original visitor IP address, prior to Cloudflare.

This setup is working, and Mastodon logs the correct external IP addresses, but unfortunately this setup still leaves the Access List as "Public" rather than narrowed down specifically to my pre-existing Cloudflare list.

If I turn the Cloudflare Access List back on, I get a 403 Forbidden error from Openresty in the browser unless I also delete the real_ip_header CF-Connecting-IP; line.

Any ideas about what I can change in my configuration in order to be able to use the Access List within NPM while still receiving the real external IP addresses of visitors?