You certainly can, Cloudflare will show visitors a different certificate, but having one on your origin is recommended as it will encrypt the full connection. When you sign up, make sure to leave the records un-proxied while the Cloudflare certificate is issued (you can check here: https://dash.cloudflare.com/redirect?zone=ssl-tls/edge-certificates). Also make sure to set the mode (here: https://dash.cloudflare.com/redirect?zone=ssl-tls) to Full (Strict) to force HTTPS to the origin when it’s used by the user.
Always Use HTTPS is always recommended as well.
On the origin sure, with caching you should see a reduction in bandwidth (configure the cache-control headers correctly to take advantage of it), overall no, it could also see a boost due to better performance for users.
- caching -> speed and bandwidth reduction on the origin
- DDoS protection
- depending on plan, but firewall and security benefits.
It’s not really a con, but you won’t be able to directly access your server via SSH with the hostname, unless it’s since it’s not a supported port and protocol (there are ways, but paid ones).