DDoS Protection
Shing, 2021-04-29 14:35:10

Cloudflare can't handle a DDoS attack, what are the options?

The processor is 100% loaded, although I blocked entire countries in Cloudflare, so it seems that little should leak through.
I hid the IP until it seems to have leaked; the processor is 100% full when the traffic from CF goes to the server.
But it doesn't seem like it should go...

netstat -na | grep :443| wc -l
1000-1500

netstat -n -t | grep SYN_RECV | wc -l
0


2 answer(s)
SKEPTIC, 2021-04-29
@Shing

1. Under Attack Mode or captcha (helps in some cases)
2. Rate limiter + IP ban (pass the users' IPs through Cloudflare and ban them via the Cloudflare API). This can be done with a self-written Python script or anything else, or with fail2ban and its add-ons for Cloudflare.
Next, you need to understand what exactly loads the server. Most likely, this is not even nginx, but the backend (PHP or whatever you have).
I advise you to use php8.0-fpm and nginx. It also needs to be optimized. At least turn off gzip in nginx (it creates load on the CPU). PHP 8.0 delivers a significant performance boost.
If security is not particularly important, disable SSL on your server and leave SSL termination to Cloudflare (set Flexible SSL mode in the SSL/TLS tab in Cloudflare).
===========
I can't say anything else, because there are no specifics from you. You need to at least look at what is loading the CPU. The problems can vary (heavy and unoptimized code, old software versions, etc.).
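
As an added example (not part of the answer above and not code from any project it mentions), one way the rate limiter + IP ban idea could be scripted in Python: count requests per real client IP in the origin's access log and build the block request body for each offender. The log format, thresholds, function names and sample lines are assumptions constructed for illustration; requests logged without a CF-Connecting-IP value are listed separately, since they reached the origin without passing through Cloudflare.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed nginx log_format (not from the post):
#   '$remote_addr $http_cf_connecting_ip [$time_local] "$request" $status'
LINE_RE = re.compile(r'^(\S+) (\S+) \[([^\]]+)\] "[^"]*" \d{3}$')

def parse(line):
    """Return (peer, client_ip, timestamp) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    peer, client, ts = m.groups()
    return peer, client, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")

def find_offenders(lines, limit=5, window=timedelta(seconds=10)):
    """Clients with more than `limit` requests inside `window`, plus peers
    that reached the origin without a CF-Connecting-IP header."""
    recent, offenders, direct = defaultdict(deque), set(), set()
    for peer, client, when in filter(None, map(parse, lines)):
        if client == "-":  # header absent: request did not pass through Cloudflare
            direct.add(peer)
            continue
        q = recent[client]
        q.append(when)
        while when - q[0] > window:  # drop hits older than the window
            q.popleft()
        if len(q) > limit:
            offenders.add(client)
    return sorted(offenders), sorted(direct)

def access_rule(ip):
    """JSON body for a Cloudflare IP Access Rule that blocks `ip` (not sent here)."""
    return {"mode": "block", "configuration": {"target": "ip", "value": ip},
            "notes": "rate limit exceeded at origin"}

# Constructed sample log; 10.0.0.2 stands in for a Cloudflare edge address.
SAMPLE = [f'10.0.0.2 203.0.113.7 [29/Apr/2021:14:30:{s:02d} +0000] '
          '"GET /index.php HTTP/1.1" 200' for s in range(8)]
SAMPLE += [
    '10.0.0.2 198.51.100.20 [29/Apr/2021:14:30:01 +0000] "GET / HTTP/1.1" 200',
    '10.0.0.2 198.51.100.20 [29/Apr/2021:14:30:40 +0000] "GET /about HTTP/1.1" 200',
    '192.0.2.55 - [29/Apr/2021:14:30:05 +0000] "GET /index.php HTTP/1.1" 200',
]

if __name__ == "__main__":
    banned, direct = find_offenders(SAMPLE)
    print([access_rule(ip) for ip in banned], direct)
```

Behind Cloudflare the origin sees only edge addresses in `$remote_addr`, so the per-client count has to key on the forwarded client IP rather than the TCP peer.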
