Cloudflare Cloudflare users: check to see if your origin server's IP address is exposed

It's a known issue with Censys.io but rarely talked about unfortunately. If folks really want to spend time digging they will find it. The usual methods of hiding origin IP are just to protect from the usual attacks or automated methods.

Cloudflare Argo Tunnels is one way of completely hiding origin IPs but it's expensive as you need to enable Cloudflare Argo. The other way is setup your own remote Gre tunnels via a separate DDOS protected server. Which is what I do via BuyVM.net KVM VPS with 500+ Gbps DDOS protection. And/or you can get origin server which already has native DDOS protection before Cloudflare.

Pricing for Cloudflare Argo https://support.cloudflare.com/hc/en-us/articles/115000224192

That means Cloudflare Argo costs around US$100/TB per month + US$5/month and it has to be enabled on all Cloudflare Orange cloud protected domains/subdomains under the single domain. It can't be selectively enabled.

Double edge sword, Cloudflare Authenticated Origin Pulls still protect you if they're trying to do Layer 7 application level attacks as even if they know your real IP, trying to connect to your site/web app by bypassing Cloudflare won't work as your origin Centmin Mod Nginx with be verifying the Cloudflare Origin SSL cert to allow access only to Cloudflare connections. But it does mean other attacks at network level are possible with origin IP knowledge.