This may sound crazy. But I imagined a way where DO’s firewall platform could work hand-in-hand with CF. Where you can restrict connections to only CloudFlare (except port 22 if you wanted) to only CF’s servers. Not a proxy, but just restricting access even further so that you can’t even access port 80 through IP.
It’s only an idea, I know there are potential flaws such as CDN’s, routing the proxied connections throughout multiple data centers (thus potentially having to rule 100s of IPs), and so many more factors. But I wanted to see if the scenario itself could be further written into.