Thank you for your reply. I see I am misunderstanding something. I was thinking Cloudflare doesn’t block the ruled-out bots because they are going directly to my origination server’s IP, but if they were doing that, Cloudflare wouldn’t cache the replies.
Then I thought, how am I getting the bot IPs? Well, the bots make requests that are logged on the origination server, which is behind Cloudflare, so I have likely been using .htaccess to block Cloudflare IPs ‘close’ to the bots!
Sure enough, some portion of the IPs I have been blocking are covered by https://www.cloudflare.com/ips/
I changed the DNS, of course, but I have not done anything on my origination server to make it work in particular with Cloudflare. I see that the article you linked me to provides a module I can build into my cPanel EasyApache to log origination visitor IPs properly, and then I can list the bad IPs coming through Cloudflare on Cloudflare, and the bad IPs coming directly in my .htaccess file.
It occurred to me I could put something in the header of my web server denied response page to bypass cache, but I think if I do the above correctly I should be set.
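Added example, not part of the original post: a small Python audit that sorts the addresses blocked in an .htaccess file into those that fall inside Cloudflare's published ranges (edge addresses, not the real visitors) and those that reached the origin directly. The function name, the sample .htaccess content and the choice of ranges are assumptions; the ranges are a subset of the list at https://www.cloudflare.com/ips/ and should be refreshed from that page.

```python
import ipaddress
import re

# Subset of the IPv4 ranges published at https://www.cloudflare.com/ips/ ;
# the list changes, so load the current one from that page before relying on this.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "141.101.64.0/18",
    "108.162.192.0/18", "162.158.0.0/15", "104.16.0.0/13", "172.64.0.0/13",
)]

# Matches Apache 2.2 "Deny from X" and Apache 2.4 "Require not ip X" lines.
RULE = re.compile(r"^\s*(?:deny\s+from|require\s+not\s+ip)\s+(.+)$", re.I)

def audit_htaccess(text):
    """Split blocked addresses into (inside_cloudflare, direct_only)."""
    proxied, direct = [], []
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # comments, Allow/Order lines and everything else
        for token in m.group(1).split():
            try:
                net = ipaddress.ip_network(token, strict=False)
            except ValueError:
                continue  # hostnames, "all" and partial IPs are skipped
            same_family = (cf for cf in CLOUDFLARE_RANGES if cf.version == net.version)
            if any(net.overlaps(cf) for cf in same_family):
                proxied.append(token)  # blocks a Cloudflare edge, not the bot
            else:
                direct.append(token)   # client that hit the origin directly
    return proxied, direct

# Constructed sample .htaccess content (addresses are illustrative).
SAMPLE = """\
Order Allow,Deny
Allow from all
Deny from 162.158.74.12
Deny from 203.0.113.45 198.51.100.0/24
Require not ip 104.16.0.0/16
# Deny from 173.245.48.1
"""

if __name__ == "__main__":
    proxied, direct = audit_htaccess(SAMPLE)
    print("Inside Cloudflare ranges (review/remove):", proxied)
    print("Direct-to-origin blocks (keep):", direct)
```

Entries in the first list block Cloudflare's proxies rather than the bot, so they belong in Cloudflare's own block list once the origin logs the real visitor IP.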