
Restrict NGINX to Cloudflare IPs only

Open MattIPv4 opened this issue 2 years ago • 9 comments

Currently, anyone can access direct.nodejs.org, bypassing the Cloudflare CDN, caching and protection. It is relatively well documented that folks are using this to get around some of the blocking that was put in place for misconfigured Artifactory instances etc.

The NGINX config should be updated such that it only accepts connections from Cloudflare, removing the ability to make HTTP requests to direct.nodejs.org. As I understand it, the hostname itself needs to remain (unproxied) for SSH access etc., but I don't believe there is any need for direct HTTP access, so I believe this should be fine to do?

MattIPv4, Aug 03 '23 14:08
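One way to express the restriction requested above, as an added example that is not part of the original issue and not the Node.js project's own configuration. It assumes NGINX is built with the realip module (which provides `$realip_remote_addr`), and it keys on that variable because `allow`/`deny` would test the rewritten client address if `set_real_ip_from` is in use. The variable name `$from_cloudflare` and the server block layout are hypothetical.

```nginx
# Added example, http{} context. Ranges are Cloudflare's published list
# (https://www.cloudflare.com/ips/); regenerate this block from that list
# on a schedule instead of trusting this copy.
# $realip_remote_addr is the TCP peer address, even when set_real_ip_from
# rewrites $remote_addr from the CF-Connecting-IP header.
geo $realip_remote_addr $from_cloudflare {
    default           0;
    173.245.48.0/20   1;
    103.21.244.0/22   1;
    103.22.200.0/22   1;
    103.31.4.0/22     1;
    141.101.64.0/18   1;
    108.162.192.0/18  1;
    190.93.240.0/20   1;
    188.114.96.0/20   1;
    197.234.240.0/22  1;
    198.41.128.0/17   1;
    162.158.0.0/15    1;
    104.16.0.0/13     1;
    104.24.0.0/14     1;
    172.64.0.0/13     1;
    131.0.72.0/22     1;
    2400:cb00::/32    1;
    2606:4700::/32    1;
    2803:f800::/32    1;
    2405:b500::/32    1;
    2405:8100::/32    1;
    2a06:98c0::/29    1;
    2c0f:f248::/32    1;
}

server {
    server_name direct.nodejs.org;  # hostname from the issue
    # Existing listen, TLS and location directives stay unchanged (not shown).

    # Refuse HTTP(S) requests whose TCP peer is not a Cloudflare edge.
    # Only NGINX is affected, so SSH to the same hostname keeps working.
    if ($from_cloudflare = 0) {
        return 403;
    }
}
```

The check has to appear in every server block that can serve the origin content, including the default one, since a request sent to the origin's IP with a different Host header is routed there.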