How to change Nginx to deny by default instead of allow, when using X-Forwarded-For, with visitors inside the LAN allowed access without a login?

In an Nginx config we have the following code to allow viewing the site from inside the LAN without a login, otherwise require a login if outside the LAN:

real_ip_header X-Forwarded-For;
# IPs trusted to forward the visitor's remote IP (our reverse proxy)
set_real_ip_from 172.17.0.1;
set_real_ip_from 192.168.1.1;

location / {
    satisfy               any;

    # Allow visitors inside the LAN to access the site without a login
    allow                 10.0.0.0/8;
    allow                 127.0.0.1/32;
    allow                 172.16.0.0/12;
    allow                 192.168.0.0/16;

    # Require a login for visitors outside the LAN
    deny                  all;
    auth_basic            "Login required";
    auth_basic_user_file  /etc/nginx/.htpasswd;

    # Basic config
    root                  /usr/share/nginx/html;
    index                 index.html;
}

nginx is running inside a docker container. Visits to the site are made through a reverse-proxy running on pfsense at 192.168.1.1 using haproxy.

Initially we were using docker-desktop. Visits to the site from an external internet IP would show up as being made from 172.17.0.1 – which I understand is the IP address of the gateway between the Docker host and the bridge network on default networking. This required the use of set_real_ip_from 172.17.0.1 (real-ip/ x-forwarded-for) in order to show the real IP of the visitor and therefore require a login. Note that it did not show the reverse proxy server’s IP of 192.168.1.1 at this point, it instead showed 172.17.0.1.

When we switched to another server, running docker-engine (not Docker Desktop), visits to the site now show up as being made from 192.168.1.1 – the actual IP address of our pfSense router (our reverse proxy). This meant we had to switch it to set_real_ip_from 192.168.1.1; in order for external visitors to be shown a login prompt. Otherwise internet users would be able to access the site without a login.

How can we flip this so that it denies by default? Currently if for any reason the IP address changes again, visits to the site would be allowed to all users (I.E. those outside the LAN/on the external internet), without requiring a login – since our reverse proxy is inside the LAN – so Nginx would think their IP was E.G. 192.168.123.45 – instead of their external IP, E.G. 99.88.77.66.

Should real_ip_recursive be set to on?

The site that this is protecting is purely HTML files (about 100 files at the moment) – there are no PHP files, but the server is capable of running PHP. Maybe there is an outside-of-the-box solution, such as incorporating some GitHub PHP project to do the login/logout/etc. Or some other indirect way of solving this problem.