I ended up using fail2ban. Cloudflare has a cert that they will always present to your origin server. Download the origin cert to your swag config.
Changes in ssl.conf to require cloudflare cert along with an error log of failed requests.
error_log /config/log/nginx/cert.log info;
Then create the fail2ban filter (e.g. filter.d/ssl-origin.conf). The failregex needs the <HOST> tag so fail2ban can pull out the client IP to ban:
[Definition]
failregex = client sent no required SSL certificate while reading client request headers, client: <HOST>
Now create rule in jail.local. Be sure to exclude the Cloudflare IP ranges.
[ssl-origin]
enabled = true
port = http,https
filter = ssl-origin
logpath = /config/log/nginx/cert.log
maxretry = 1
findtime = 43200
bantime = -1
# Cloudflare IPv4 ranges (https://www.cloudflare.com/ips-v4); keep this list current
ignoreip = 173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/13 104.24.0.0/14 172.64.0.0/13 131.0.72.0/22
Now your server will serve an error if you attempt to bypass cloudflare. When it does, it automatically bans that IP.
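The following is an added example, not code from the post above or from SWAG/fail2ban: it runs the same fail2ban-style failregex (with the <HOST> tag) over a few constructed nginx error-log lines, extracts the client IP the way fail2ban would, applies the Cloudflare ignoreip list, and reports which addresses would be banned at maxretry = 1. The log lines, IPs (TEST-NET addresses plus one Cloudflare address) and the HOST_PATTERN used in place of fail2ban's own host regex are all assumptions made for the demonstration.

```python
import ipaddress
import re

# Same failregex as the fail2ban filter; fail2ban substitutes its own host
# pattern for <HOST>, here a simple IPv4/IPv6 character class stands in for it.
FAILREGEX = (
    r"client sent no required SSL certificate while reading client request "
    r"headers, client: <HOST>"
)
HOST_PATTERN = r"(?P<host>[0-9a-fA-F.:]+)"  # assumption: stand-in for fail2ban's <HOST>
_FAIL_RE = re.compile(FAILREGEX.replace("<HOST>", HOST_PATTERN))

# Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4),
# i.e. the jail's ignoreip list.
CLOUDFLARE_IPV4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Constructed nginx error_log lines (info level) for the demonstration.
SAMPLE_LOG = [
    '2024/05/01 10:00:01 [info] 321#321: *12 client sent no required SSL certificate '
    'while reading client request headers, client: 203.0.113.5, server: example.com, '
    'request: "GET / HTTP/1.1", host: "example.com"',
    # A Cloudflare edge that (hypothetically) failed to present the cert: must be ignored
    '2024/05/01 10:00:02 [info] 321#321: *13 client sent no required SSL certificate '
    'while reading client request headers, client: 173.245.48.10, server: example.com, '
    'request: "GET / HTTP/1.1", host: "example.com"',
    # A client that presented a certificate nginx rejected: not matched by this regex
    '2024/05/01 10:00:03 [info] 321#321: *14 client SSL certificate verify error: '
    '(10:certificate has expired) while reading client request headers, '
    'client: 198.51.100.7, server: example.com',
    '2024/05/01 10:00:04 [info] 321#321: *15 client closed connection while SSL '
    'handshaking, client: 192.0.2.9, server: 0.0.0.0:443',
]


def extract_failures(lines):
    """Return the client IPs of lines matching the failregex, in log order."""
    hits = []
    for line in lines:
        m = _FAIL_RE.search(line)
        if m:
            hits.append(m.group("host"))
    return hits


def is_ignored(ip, ignore_networks=CLOUDFLARE_IPV4):
    """True if ip falls inside one of the ignoreip networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ignore_networks)


def ips_to_ban(lines, maxretry=1, ignore_networks=CLOUDFLARE_IPV4):
    """IPs that reached maxretry failures within the window and are not ignored."""
    counts = {}
    for ip in extract_failures(lines):
        if is_ignored(ip, ignore_networks):
            continue
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for ip in ips_to_ban(SAMPLE_LOG):
        print("would ban", ip)
```

Two things the run makes visible: the Cloudflare source is skipped even though its line matches, which is why the ignoreip list matters with maxretry = 1 and a permanent bantime, and the "client SSL certificate verify error" line is not matched at all, so a client that presents some other certificate would need a second failregex line if you want it banned too. The same check can be done against the real log with fail2ban-regex /config/log/nginx/cert.log /etc/fail2ban/filter.d/ssl-origin.conf before enabling the jail.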