A friend did some Fuzzing and port scanning with Zap, and got mi IP even though I have Cloudflare proxy on. My SSL configuration is set to Flexible, as with Strict (Full) makes my website return error 522 (even though I have tried a lot of fixes). My question is, if I set the SSL configuration to Strict, can my IP be absolute invisible?
Full (strict) encryption mode does not make your IP invisible. Unlike Flexible, which sends all traffic between Cloudflare and your origin unencrypted, Full (strict) protects that same traffic from interception and requires a valid certificate from either the Cloudflare Origin CA or a trusted public CA.
Switching your hostname from DNS Only to Proxied will hide your origin server IP from visitors. They will only see the IP of the Cloudflare proxy when using an hostname.
That is a pretty vague explanation amd fails to cover exactly how the origin IP was obtained. Without specific details, its going to be hard for anyone in the Community to offer you an explanation.