@DownPW of you're not already serving static assets with nginx, I'd recommend doing that. You should be able to set a separate rate limit for that while still protecting NodeBB.

It may also be possible to whitelist cloudflare so it can bypass the rate limit.