We are using Cloudflare for a lot of our projects - some are premium plans, others are free. Recently we found out that outgoing HTTP requests are not proxied through Cloudflare thus revealing the IP address of our server.
This is best demonstrated when a user uploads an image as an avatar that is to be downloaded from our server. When our server requests that image, its origin IP is then recorded in the web server log of the remote server that hosts the image.
That’s normal. Cloudflare only proxies your visitors.
When it comes to server-initiated requests, it starts at your server…then it looks up the destination in DNS, then contacts that destination. This also happens when your server sends out email.
If you’re on a VPS or some other setup that lets you have a firewall, and you don’t need other inbound traffic, block everything except Cloudflare: