naxsi

You can list which IP or CIDR (i.e 192.168.0.1/24), should be always allowed and never blocked.

IP is taken from X-Forwarder-for header (when available or from the client IP).

Your load balancer, some proxy could add it already, but if not you can add it with proxy_set_header X-Forwarded-For $remote_addr;

Usage:

location / {
     SecRulesEnabled;
     IgnoreIP   "1.2.3.4";
     IgnoreCIDR "192.168.0.0/24";
     DeniedUrl "/RequestDenied";
     CheckRule "$SQL >= 8" BLOCK;
     CheckRule "$RFI >= 8" BLOCK;
     CheckRule "$TRAVERSAL >= 4" BLOCK;
     CheckRule "$XSS >= 8" BLOCK;
     root /var/www/html/;
     index index.html index.htm;
}