You could also:
- always insert/append forwardfor and remove the Cloudflare IPs in the
application code
This has the disadvantage that you need to modify the application code.
Or another way:
- duplicate your backend, one for "direct-mode" and one for Cloudflare:
select it based on an ACL (which you can feed with the Cloudflare IPs).
- configure "option forwardfor" only on the direct-mode backend and remove
it from default/frontend/global sections
This has the disadvantage that by duplicating the backend, per-server
settings like maxconn need to be configured more carefully.
Lukas
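
Added example, not part of the original message or of any project's code: a sketch of the first option above, where HAProxy always appends forwardfor and the application strips the Cloudflare addresses. The function names are hypothetical, and the networks are constructed stand-ins for Cloudflare's published ranges. It assumes Cloudflare appends the visitor address to X-Forwarded-For before HAProxy appends its own peer address.

```python
import ipaddress

# Constructed stand-ins (documentation ranges) for the Cloudflare edge ranges;
# a real deployment loads Cloudflare's published list instead.
TRUSTED_PROXIES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8:cf::/48"),
]


def is_trusted_proxy(addr):
    """True if addr belongs to one of the trusted proxy networks."""
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(xff_headers):
    """Return the client address as a string, or None if it cannot be trusted.

    xff_headers: every X-Forwarded-For header line the application received,
    in order. Assumes HAProxy always appends the address of its TCP peer, so
    the right-most entry is the only one known to be genuine.
    """
    entries = [e.strip() for line in xff_headers for e in line.split(",")]
    # Walk from the right: each entry is trustworthy only if everything to its
    # right was written by a proxy we trust.
    for entry in reversed(entries):
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            return None  # malformed entry inside the trusted part of the chain
        if not is_trusted_proxy(addr):
            return str(addr)  # first hop that is not one of our proxies
    return None  # header missing, or only proxy addresses present
```

Entries to the left of the returned address are client-supplied and are ignored, so a forged header cannot change the result on either the direct or the Cloudflare path.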