All virtual and dedicated servers running ZoneOS platform have Apache mod_remoteip enabled by default. Thanks to this module, for connections from trusted buffer servers, the IP of the buffer server is replaced with the correct IP address of the client.
This allows, for example, .htaccess to restrict access. Also, the $_SERVER['REMOTE_ADDR'] PHP variable shows the correct IP of the client.
Currently only Cloudflare IP addresses are in the list of trusted IPs.
Apache access.log recognizes the request with the replaced IP because the client port is 0. The client port is the number after the IP address.
The Cloudflare IP address provided by the Cloudflare server is listed in $_ENV['HTTP_PROXY_IP'].
To disable all queries coming directly to the virtual server (queries trying to bypass Cloudflare), the following lines should be added to the beginning of the .htaccess file:
RewriteCond %{HTTP:Proxy-IP} ^$
RewriteRule .* - [F,L]