
By never revealing the IP address of the origin. Conceal it completely behind CF. A properly configured CF setup will mean your real server IP never gets revealed ever.



Not always possible without expensive plans. For example, if you use websockets you will need a business/enterprise level plan in order to pipe through Cloudflare. Non-HTTP/HTTPS services often fail to go through Cloudflare as well. For example, you're gonna have to reveal origin to use FTP/SFTP.


Have a separate domain that points to your real origin IP. This is how I do it. I have company.com and companyprivate.com (obviously named so it's not so obvious they are related). Company.com points to CloudFlare and companyprivate.com points directly to the origin. Nobody knows about companyprivate.com except the people who need to.


Not everyone needs websockets, and only the legitimate administrator needs to know the true IP address for ssh. Plenty of websites can be perfectly hidden behind CloudFlare as long as they don't have an MX record or unused subdomain that points to the same server.


>and only the legitimate administrator needs to know the true IP address for ssh

Again this is a blanket statement. I recently integrated with a service that required sftp access to function. Is this ideal? No, but if I could recreate the service efficiently I wouldn't be paying for it in the first place.

This and the websockets scenario were just two examples I can come up with from personal experience; I'm sure there are many other situations that I've never come across.

My point is that the above commenter was acting like Cloudflare is a panacea for DDoS attacks.

>"A properly configured CF setup will mean your real server IP never gets revealed ever."

This makes it sound like only engineers who are inept with Cloudflare are vulnerable to origin IP leaks, which simply isn't true.

> Plenty of websites can be perfectly hidden behind CloudFlare as long as they don't have an MX record or unused subdomain that points to the same server.

I agree with you here 100%.
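The leak paths named in the comments above (an MX record, or an unused subdomain that still points at the same server) can be checked against an export of your own zone. The following is an added example, not part of the thread: the record tuples, names and IPs are constructed sample data, and the `proxied` flag is assumed to mean "served through the CDN, so the record's real value is not returned to the public".

```python
# Constructed zone export: (name, type, value, proxied). Names and addresses
# are made-up sample data taken from documentation ranges.
ORIGIN_IP = "203.0.113.10"
ZONE = [
    ("company.example", "A", "203.0.113.10", True),
    ("www.company.example", "CNAME", "company.example", True),
    ("company.example", "MX", "mail.company.example", False),
    ("mail.company.example", "A", "203.0.113.10", False),
    ("staging.company.example", "A", "203.0.113.10", False),
    ("ftp.company.example", "CNAME", "staging.company.example", False),
    ("blog.company.example", "A", "198.51.100.7", False),
]

def exposed_ips(name, zone, seen=()):
    """IPs a public lookup of `name` would return; proxied records hide theirs."""
    if name in seen:  # guard against CNAME loops
        return set()
    ips = set()
    for rname, rtype, value, proxied in zone:
        if rname != name or proxied or rtype not in ("A", "AAAA", "CNAME"):
            continue
        if rtype == "CNAME":
            # An unproxied CNAME is followed by resolvers to its target.
            ips |= exposed_ips(value, zone, seen + (name,))
        else:
            ips.add(value)
    return ips

def audit(zone, origin_ip):
    """Return sorted (name, reason) findings for records that reveal origin_ip."""
    findings = set()
    for rname, rtype, value, proxied in zone:
        if rtype == "MX":
            # Mail is delivered directly to the MX target, so its address is public.
            if origin_ip in exposed_ips(value, zone):
                findings.add((rname, f"MX target {value} resolves to origin"))
        elif not proxied and origin_ip in exposed_ips(rname, zone):
            findings.add((rname, f"unproxied {rtype} resolves to origin"))
    return sorted(findings)

if __name__ == "__main__":
    for name, reason in audit(ZONE, ORIGIN_IP):
        print(f"{name}: {reason}")
```

An empty result only covers records in the export; it says nothing about addresses already recorded elsewhere before the records were changed.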



