Cloudflare doesn't expose the origin IP through normal headers, so support for this will have to be added in, or documented so that users behind CF can have the rate-limiting work properly.
Also, warnings about using the spicy mode behind CF, since that might not be kosher use :V