The web template adds a redirect for the IP (and any connection), so you could un-do that bit.
Allowing Cloudflare IP addresses only in Nginx | inDev. Journal describes how to allow only cloudflare IPs. Figuring out how to get a template to do that is a bit of work for someone who understands the templates, but it should be possible.
No. The real address is in another header.
https://www.google.com/search?q=iptables+docker&oq=iptables+docker
and the first hit (Packet filtering and firewalls | Docker Docs) describes
So you’d need to change the cloudflare script accordingly.