@julian If you use nodebb's IP blacklist option (I do not), it does make a difference 😀
But in any case something needs to be defined, there are 2 options:
Set a trusted proxy otherwise the forum will never know the real IP addresses, the cloudflare address will always appear, and IP addresses are a very useful thing to identify duplicate spam users, for example.
1.1 Optional - define a transform rule that will verify that the received address is real and not faked by a slightly advanced user
Add the line I brought, and thus actually refer to CF-Connecting-IP
I don't see any security advantage for trusted proxy (method 1) over the definition I brought.