When you use the Cloudflare proxy for your domains, the real IP address of the server is hidden, but SPF and MX records are often not proxied, and an attacker can use them to find your server's IP address.
If the server IP is known, traffic can be sent directly to that IP, bypassing Cloudflare's Web Application Firewall.
If all domains on a server will be using the Cloudflare proxy, as an additional security measure you can open ports 80 and 443 only to the Cloudflare network's IP addresses.
Here is how to allow access only from Cloudflare IP addresses, with a small script that periodically fetches the IP ranges used by Cloudflare and whitelists them.
Step 1. Create a directory for the script:
mkdir /root/scripts/
Step 2. Download the script and make it executable (the file name must match the one used in the cron line below):
curl -s -o /root/scripts/whitelist_cloudflare https://gist.githubusercontent.com/stefanpejcic/dc826efdc5429801a59ea03ec4c6d90a/raw/0ca7932be46197e1925a3ccd29a6ad23dec8ee1c/whitelist_cloudflare.sh && chmod +x /root/scripts/whitelist_cloudflare
Step 3. Edit the crontab of the root user:
crontab -e
And add the following line:
0 4 * * * bash /root/scripts/whitelist_cloudflare &> /dev/null
The script blocks public access to ports 80 and 443 in the firewall and allows access only from the Cloudflare network.
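For readers who want to see what such a whitelist script has to do, here is an added example written for this page; it is not the gist's script linked above. It assumes ipset and iptables/ip6tables are installed, that the published range lists at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6 are reachable, and uses set names (cloudflare_v4, cloudflare_v6), a chain name (CF_ONLY) and a minimum-prefix threshold (MIN_PREFIXES) that are choices made here, not anything Cloudflare or the gist specifies. The point it adds to the cron setup above is the failure mode: if the fetch returns an error page or an empty body at 4 AM, the old ranges must stay in place rather than being replaced with nothing, so the script validates every line as a CIDR, refuses to apply a suspiciously short list, and swaps the new set in atomically.

```shell
#!/bin/bash
# Added example (not the page's gist): rebuild an ipset of Cloudflare ranges and
# restrict TCP 80/443 to that set. Assumes ipset + iptables/ip6tables and root.
set -euo pipefail

CF_V4_URL="https://www.cloudflare.com/ips-v4"   # Cloudflare's published IPv4 ranges
CF_V6_URL="https://www.cloudflare.com/ips-v6"   # Cloudflare's published IPv6 ranges
MIN_PREFIXES=5   # assumption: fewer prefixes than this means a broken fetch, not a real list

# Keep only well-formed CIDR lines for the given family (4 or 6), so an HTML error
# page, captive-portal response or truncated body never turns into a firewall rule.
filter_cidrs() {
  case "$1" in
    4) grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' || true ;;
    6) grep -Ei '^[0-9a-f:]+/[0-9]{1,3}$' || true ;;
    *) echo "filter_cidrs: family must be 4 or 6" >&2; return 1 ;;
  esac
}

# Print an 'ipset restore' batch that fills a scratch set from the CIDRs on stdin and
# then swaps it in, so the live set is never empty while it is being refreshed.
render_ipset_batch() {
  local name="$1" family="$2" fam=inet cidr
  if [ "$family" = 6 ]; then fam=inet6; fi
  echo "create ${name} hash:net family ${fam} -exist"
  echo "create ${name}_tmp hash:net family ${fam} -exist"
  echo "flush ${name}_tmp"
  while IFS= read -r cidr; do
    [ -n "$cidr" ] || continue
    echo "add ${name}_tmp ${cidr} -exist"
  done
  echo "swap ${name}_tmp ${name}"
  echo "destroy ${name}_tmp"
}

# Idempotently install: INPUT tcp/80,443 -> CF_ONLY; CF_ONLY accepts the set, drops the rest.
ensure_chain() {
  local ipt="$1" set="$2" port
  "$ipt" -N CF_ONLY 2>/dev/null || true
  "$ipt" -F CF_ONLY
  "$ipt" -A CF_ONLY -m set --match-set "$set" src -j ACCEPT
  "$ipt" -A CF_ONLY -j DROP
  for port in 80 443; do
    "$ipt" -C INPUT -p tcp --dport "$port" -j CF_ONLY 2>/dev/null \
      || "$ipt" -I INPUT -p tcp --dport "$port" -j CF_ONLY
  done
}

# Fetch, validate, and apply one address family; on a bad fetch keep the previous set.
refresh() {
  local family="$1" url="$2" set="$3" ipt="$4" list count
  list="$(curl -fsS --max-time 20 "$url" | filter_cidrs "$family")"
  count="$(printf '%s\n' "$list" | grep -c . || true)"
  if [ "$count" -lt "$MIN_PREFIXES" ]; then
    echo "refresh: only ${count} IPv${family} prefixes from ${url}; keeping previous set" >&2
    return 1
  fi
  printf '%s\n' "$list" | render_ipset_batch "$set" "$family" | ipset restore
  ensure_chain "$ipt" "$set"
}

# Live changes only happen when explicitly asked for, e.g. from cron: whitelist_cloudflare apply
case "${1:-}" in
  apply)
    refresh 4 "$CF_V4_URL" cloudflare_v4 iptables
    refresh 6 "$CF_V6_URL" cloudflare_v6 ip6tables
    ;;
  *) echo "usage: $0 apply" >&2 ;;
esac
```

Run as root with the argument apply (in the cron line above that would be `bash /root/scripts/whitelist_cloudflare apply`). Because the ACCEPT and DROP live in their own chain and the jump is inserted at the top of INPUT, re-running the script does not stack duplicate rules, and a failed fetch exits non-zero without touching the existing set. Before enabling the cron job, confirm from a non-Cloudflare address that the origin no longer answers on 80/443 while the site still loads through the proxy.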