Nginx deny ip not working when I use ddos denfence server as frontend

Question

I want add block IP address into nginx configure.But it still can be accessed using curl !

...
log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent $request_time "$http_referer" '
                      '"$http_user_agent" REALIP"$http_x_forwarded_for"';
location  / {
        include /usr/local/nginx/blockip.conf;
        root   html;
        index  index.html index.htm;
        proxy_set_header    Host             $host;
        proxy_set_header    X-Real-IP        $remote_addr;
        proxy_set_header    X-Forwarded-For  $proxy_add_x_forwarded_for;
        proxy_set_header    HTTP_X_FORWARDED_FOR $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme; 

        proxy_pass http://127.0.0.1:8080;
        }
...

the blockip.conf

deny 1.2.3.4;
deny 3.4.5.6;

There are two situations here.

1.Point to server directly using domain name (A record),blockip can work well.

2.When add ddos defence server,nginx deny rule not working anymore!

But I can get real IP from the nginx-access-log. Here logs example:

defence-server-IP - - [23/Mar/2020:14:15:59 +0800] "GET /walle HTTP/1.1" 404 1079 0.001 "-" "curl/7.58.0" REALIP"1.2.3.4"
defence-server-IP - - [23/Mar/2020:14:16:07 +0800] "GET /walle HTTP/1.1" 404 1079 0.000 "-" "curl/7.58.0" REALIP"3.4.5.6"

solution

By the way.I change nginx to openresty

server {
...
    set_real_ip_from defence-server-ip-ranges/24;
    ...
    real_ip_header X-Forwarded-For;
    include /usr/local/nginx/blockip.conf;
    
    location {...}
...
}