One question I had after reading through. With the current design you have, would it be correct to say all traffic between your server and Cloudflare would be using HTTP and thus unencrypted? This would also mean user logins would be visible between your server and Cloudflare.
Let me know if I missed something here!
Absolutely terrifying.