I recently forked a script to auto-update Cloudflare proxy IPs and edited to support aaPanel. Setup is as simple as running the script as a cron job once a day.
Details and script can be found here: https://github.com/Whitei520/nginx-cloudflare-real-ip-aapanel
Without this script you can get the real users IP using these headers:
$_SERVER["HTTP_CF_CONNECTING_IP"]
$_SERVER["HTTP_X_FORWARDED_FOR"]
The problem is those are client headers which can be easily edited so are no suitable for secure whitelists. Using this script however you can get an assured/unedited IP using:
$_SERVER['REMOTE_ADDR']
Message to aaPanel devs...
Not sure if you agree but as this is such a simple script it may be a nice idea to integrate it as a simple checkbox somewhere in the Nginx settings panel so it's super easy for users to enable.
Hopefully, someone finds it useful. 😀