This is probably little of a grey area. I don't think that the IP-address by itself is considered personal data since it usually doesn't single out a specific living person. Unless you pair it with other information, like date and time.
But if IP was considered personal data you would need an active consent from the user where you also inform them why you are doing this, which paragraph in GDPR gives you legal right to do this, how long the data is stored and you will need a data processing agreement with Cloudflare. You will also need to be able to prove that you made sufficient effort to make sure you are not handling data of someone under 16 years of age.
People often think that GDPR is made to forbid processing of personal data. Actually you can pretty much do anything with peoples information and still be GDPR compliant. It's more that it becomes such a hassle to do it and still be compliant that it's just not worth it to collect personal data "just because you can".
But if IP was considered personal data you would need an active consent from the user where you also inform them why you are doing this, which paragraph in GDPR gives you legal right to do this, how long the data is stored and you will need a data processing agreement with Cloudflare. You will also need to be able to prove that you made sufficient effort to make sure you are not handling data of someone under 16 years of age.
People often think that GDPR is made to forbid processing of personal data. Actually you can pretty much do anything with peoples information and still be GDPR compliant. It's more that it becomes such a hassle to do it and still be compliant that it's just not worth it to collect personal data "just because you can".