Hi Maxim,
Thank you for the quick response.
> How did you find that limit_req uses a wrong element?
We don't know if this is limit_req - in reality we were just looking into logs and I guess that's what confused us. We observed those IPs and rolled back the changes as we assumed that all requests from CDN or DDOS Service were blocked.
The only way, I guess, to verify that our current schema works is to use some arbitrary IP and see if our requests are blocked rather than the CDN service IP being blocked.
We've looked into http://nginx.org/en/docs/http/ngx_http_realip_module.html and are not sure if it is going to work.
As you saw in one of the examples, we have other services in front of us.
There are 2 cases:
User -> DDOS Service -> Our NGINX - X-Forwarded-For ex: 555.182.61.171, 333.101.98.188
User -> CDN -> DDOS Service -> Our NGINX - X-Forwarded-For ex: 555.182.61.171, 444.1.3.56, 555.12.34.567, 333.101.98.188
Will the realip module be able to identify the real IP of the end user?
Should we set the CIDRs of both the DDOS Service and the CDN Service as real IP tables:
set_real_ip_from 192.168.1.0/24;
set_real_ip_from 192.168.2.1;
set_real_ip_from 2001:0db8::/32;
Thanks again.
Sergey
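
A simplified model of how the realip module picks the client address for the two chains described above, added here as an example and not part of the original message or of nginx itself. It assumes `real_ip_header X-Forwarded-For`; the function name and all addresses are constructed (documentation ranges standing in for the user, the CDN and the DDoS service).

```python
import ipaddress

# Constructed stand-ins for the set_real_ip_from entries.
DDOS_NET = "192.0.2.0/24"      # DDoS service egress range (assumed)
CDN_NET = "198.51.100.0/24"    # CDN egress range (assumed)


def resolve_client_ip(peer, xff, trusted, recursive=True):
    """Return the address a limit keyed on the client IP would see.

    peer      -- address of the TCP peer that connected to nginx
    xff       -- raw X-Forwarded-For header value, or None
    trusted   -- networks listed in set_real_ip_from
    recursive -- the real_ip_recursive setting
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted]

    def is_trusted(addr):
        return any(addr in n for n in nets if n.version == addr.version)

    current = ipaddress.ip_address(peer)
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    # Walk the header right to left: the rightmost entries were appended by
    # the proxies closest to us, the leftmost are whatever the client sent.
    while hops and is_trusted(current):
        try:
            current = ipaddress.ip_address(hops.pop())
        except ValueError:
            break  # unparsable entry: keep the last good address
        if not recursive:
            break  # real_ip_recursive off: only the last entry is used
    return str(current)


# Case 1: User -> DDoS service -> nginx
CASE1 = ("192.0.2.10", "203.0.113.7, 192.0.2.20")
# Case 2: User -> CDN -> DDoS service -> nginx
CASE2 = ("192.0.2.10", "203.0.113.7, 198.51.100.5, 198.51.100.6, 192.0.2.20")
# Case 2 with a client-supplied X-Forwarded-For entry on the far left
SPOOFED = ("192.0.2.10", "10.9.9.9, 203.0.113.7, 198.51.100.5, 192.0.2.20")

if __name__ == "__main__":
    for peer, xff in (CASE1, CASE2, SPOOFED):
        print(resolve_client_ip(peer, xff, [DDOS_NET, CDN_NET]))
```

With both ranges trusted and recursion on, every chain resolves to the user's address; trusting only the DDoS range makes case 2 stop at a CDN address, so the limit would apply to the CDN instead of the user.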