by meowface 2465 days ago
My understanding is this shouldn't be necessary. If you only start using your SSL cert after your origin is protected behind Cloudflare, and don't serve traffic to anything except Cloudflare's CDN IP ranges, your real IP can't be discovered through Shodan, Censys, or any other technique.

And even if you don't lock it down to their CDN, it may still never be discovered if your origin only serves the relevant content when a specific host header and SNI are passed (rather than served by default regardless of host header or SNI), which Censys/Shodan may never try. Someone could still scan a huge chunk of the Internet to try to look specifically for your origin, though. Anyone using Cloudflare or a similar CDN should always spend the minute or so it requires to restrict inbound 80/443 to only Cloudflare's published IPs at https://www.cloudflare.com/ips/

1 comment
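The two mitigations the comment above recommends, as an added example that is not code from the thread or from Cloudflare: (1) an nftables ruleset that accepts 80/443 only from Cloudflare's published ranges and drops everything else on those ports, and (2) an nginx catch-all that closes connections for unknown Host headers (444) and aborts the TLS handshake for unknown or missing SNI, so Censys/Shodan-style scanners hitting the bare IP get nothing. The CIDR list embedded below is constructed sample data, not Cloudflare's real list; in production you would feed `parse_ranges` the contents of `ips-v4`/`ips-v6` from https://www.cloudflare.com/ips/ and regenerate the ruleset whenever those files change. The hostname, certificate paths, `cf_only` table name and the assumption that your nginx is new enough for `ssl_reject_handshake` (1.19.4+) are all assumptions of this example.

```python
"""Lock an origin down to Cloudflare-only ingress and exact Host/SNI matching.

Added example, not code from the thread. SAMPLE_CF_RANGES is CONSTRUCTED
test data in the same one-CIDR-per-line shape as Cloudflare's published
ips-v4 / ips-v6 files; the real ranges live at https://www.cloudflare.com/ips/
"""
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample (RFC 5737 / RFC 3849 documentation space), NOT Cloudflare's list.
SAMPLE_CF_RANGES = """\
# v4
198.51.100.0/24
203.0.113.0/25
# v6
2001:db8:cf00::/40
"""


def parse_ranges(text: str) -> List[Network]:
    """Parse one-CIDR-per-line text, ignoring blank lines and '#' comments."""
    nets: List[Network] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=True))
    return nets


def allows(ranges: Iterable[Network], ip: str) -> bool:
    """True if a connection from `ip` would pass the allowlist below."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == n.version and addr in n for n in ranges)


def render_nftables(ranges: Iterable[Network], ports=(80, 443)) -> str:
    """Emit an nftables ruleset: accept 80/443 only from the allowed sets.

    Policy stays 'accept' so SSH etc. are untouched; only the web ports are
    gated. Load with `nft -f <file>` (operator assumption: nftables host).
    """
    nets = list(ranges)
    v4 = [str(n) for n in nets if n.version == 4]
    v6 = [str(n) for n in nets if n.version == 6]
    port_set = "{ " + ", ".join(str(p) for p in ports) + " }"

    def named_set(name: str, family: str, elems: List[str]) -> str:
        body = f"type {family}; flags interval;"
        if elems:  # an empty 'elements = { }' is invalid, so omit it
            body += " elements = { " + ", ".join(elems) + " }"
        return f"    set {name} {{ {body} }}"

    lines = [
        "table inet cf_only {",
        named_set("cf_v4", "ipv4_addr", v4),
        named_set("cf_v6", "ipv6_addr", v6),
        "    chain input {",
        "        type filter hook input priority 0; policy accept;",
        f"        ip saddr @cf_v4 tcp dport {port_set} accept",
        f"        ip6 saddr @cf_v6 tcp dport {port_set} accept",
        f"        tcp dport {port_set} drop",
        "    }",
        "}",
    ]
    return "\n".join(lines) + "\n"


def render_nginx_catchall(hostname: str, cert: str, key: str) -> str:
    """nginx vhosts: refuse unknown Host (444) and unknown SNI, serve only `hostname`.

    `ssl_reject_handshake` requires nginx >= 1.19.4 (assumption about your build).
    """
    return f"""# Unknown Host header on :80 -> close the socket with no response
server {{
    listen 80 default_server;
    server_name _;
    return 444;
}}
# Missing/unknown SNI on :443 -> abort the handshake, so no certificate is shown
server {{
    listen 443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;
}}
# The real site, reachable only with the exact name in SNI and Host
server {{
    listen 443 ssl;
    server_name {hostname};
    ssl_certificate {cert};
    ssl_certificate_key {key};
    root /var/www/{hostname};
}}
"""


if __name__ == "__main__":
    nets = parse_ranges(SAMPLE_CF_RANGES)
    print(render_nftables(nets))
    print(render_nginx_catchall("www.example.com",
                                "/etc/ssl/fullchain.pem", "/etc/ssl/privkey.pem"))
```

Two caveats the comment hints at but does not spell out: the allowlist only helps if the cheap host actually gives you a packet filter (the reply below notes that some do not), and it must be regenerated when the published ranges change, or legitimate Cloudflare edges start getting dropped.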

I'm talking about the specific case where www.mosthated.com is sufficiently hated that people will scan the entire Internet looking for it. At some point, you'd use other intelligence to develop info on which VPS providers someone prefers for their hidden middle nodes, too. Knocking a few random VPS providers offline and then observing if the site goes down might be sufficient.

IP ACL is best practice but the absolute cheapest web hosting options don't make this trivial or even possible. Plus, you could conceivably scan close to the hosting provider candidate by jacking a CF more-specific.