Setting Sucuri as WAF should also enable WAF bypass prevention
In the advanced settings for nginx there is an option to set a WAF. This is needed fo nginx to grab the right headers in order to get the actual visitor's IP address.
Using a WAF one would certainly also want a WAF bypass prevention. For this SUCURI suggests adding the following lines to the nginx vhost:
location / {
allow 192.88.134.0/23;
allow 185.93.228.0/22;
allow 2a02:fe80::/29;
allow 66.248.200.0/22;
allow 208.109.0.0/22;
deny all;
....
}
There should be an option to do that when chosing sucuri as a WAF.
Also, if you contact support to add those rules for you (which they thankfully did), the WAF configuration box will be blank. DO NOT CHOSE SUCURI AGAIN as this will mess with the allow rules. I am not sure why. But if you set it to sucuri WAF again, the page will result in a 403 for all requests made by sucuri.
Also, for this to be a complete package, a meaningful WAF bypass should also prevent SSL information leakage. I created another suggestion for that (https://cloudways.uservoice.com/forums/203824-service-improvement/suggestions/42272272-stop-server-from-leaking-ssl-information)