Nginx

How to beat $remote_addr in allow?

Good evening.
nginx is built with the "ngx_http_realip_module" module.
Access config says:

allow  127.0.0.1;
[allow на ipv4 и ipv6 сервера]
allow  199.27.128.0/21;
[allow на другие подсети cloudflare];
deny all;

Then there are lines (in the config above the lines with allow):

set_real_ip_from  199.27.128.0/21;
[set_real_ip_from  другие подсети cloudflare];
real_ip_header     CF-Connecting-IP;

I see in the logs that nginx correctly determines the client's ip from the header that is passed to it from the cloudflare servers, but the client gets 403, since the client's ip is not included in the ip specified in the allow section.
I tried to play with either:
allow $remote_addr;(since the client's ip is stored here)
or

set $newuserip $remote_addr;
allow $newuserip;

In both cases, nginx writes
nginx: [emerg] invalid parameter "$newuserip " in
nginx: [emerg] invalid parameter "$remote_addr" in
Is it possible to somehow beat the current ip of the client in the allow section (make it dynamic)?
This is necessary to: * see the actual ip from the logs.
* I already see it as a header, but it needs to be "beautiful".