Right... like I said... not worth it. Honestly I'd rethink the plan of trying to whitelist all users/IPs, etc... that becomes an impossible task real quick. Imagine if Facebook was trying to set up whitelists for its users trying to access facebook.com. Just not realistic even if it was easily configurable (the overhead of checking a whitelist containing millions of entries for every HTTP request becomes a resource impossibility). Yeah, try that on a big board with hundreds of thousands of members.
CloudFlare is pretty good at blocking DDoS attacks even if you set the Security Level to "Essentially Off". You'd be better off using the CloudFlare API to switch it to something else based on the load your servers were experiencing. No one wants to get challenge responses... are you actually having issues where you need the challenge response system on for your users?
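A sketch of the load-based switching suggested in the post above, added here as an example and not code from the thread. It targets the Cloudflare v4 zone setting `security_level`; the thresholds, the `RELAX` factor and the function names are assumptions to tune, and the zone ID and API token are supplied by the caller.

```python
import json
import os
import urllib.request

# Cloudflare security_level values, least to most aggressive.
LEVELS = ["essentially_off", "low", "medium", "high", "under_attack"]
# Assumed thresholds: 1-minute load average per CPU core at which to step
# up from LEVELS[i] to LEVELS[i + 1]. Tune these for your own servers.
RAISE_AT = [1.0, 2.0, 4.0, 8.0]
# Step back down only once load falls below this fraction of the threshold
# that raised the level, so the setting does not flap around a boundary.
RELAX = 0.6


def next_level(current, load_per_core):
    """Return the level to use, given the current level and the load."""
    i = LEVELS.index(current)
    while i < len(RAISE_AT) and load_per_core >= RAISE_AT[i]:
        i += 1
    while i > 0 and load_per_core < RAISE_AT[i - 1] * RELAX:
        i -= 1
    return LEVELS[i]


def build_request(zone_id, token, level):
    """Build (but do not send) the PATCH that changes the zone's level."""
    url = ("https://api.cloudflare.com/client/v4/zones/"
           f"{zone_id}/settings/security_level")
    return urllib.request.Request(
        url,
        data=json.dumps({"value": level}).encode(),
        method="PATCH",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )


def apply_once(current, zone_id, token, send=False):
    """Sample the load, pick a level, and optionally push it to Cloudflare."""
    load = os.getloadavg()[0] / (os.cpu_count() or 1)
    target = next_level(current, load)
    if send and target != current:
        req = build_request(zone_id, token, target)
        with urllib.request.urlopen(req, timeout=10) as resp:
            resp.read()
    return target
```

Run `apply_once` from a timer (cron or a systemd timer) and persist the returned level between runs; the API is only called when the level actually changes.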