I have some sites that cannot currently sit behind CF, as they require two way SSL authentication. All the clients accessing these hostnames have a unique SSL cert signed by my private CA, and my webserver validates that cert before allowing access. (Using ssl_client_certificate and ssl_verify_client).
Having the auth performed in CF would enable these hosts to gain the security and performance benefits all out other hostnames get.
The entire hostname requires auth (mostly because I could never get it to only work in a location below the root ), and the ssl_client_certificate is not rooted in a well-known CA.