by cft 1516 days ago
But what makes you think that the real IP serves the same site to the public internet, as it proxies to CF? If I were using CF for DDoS mitigation, I would drop all traffic to my real IP other than traffic originating from CF.
2 comments

Your approach would definitely protect you. In practice, many site owners don't do this, or they configure their web server with the whitelist instead of their firewall, denying direct access but exposing information about their domain.

For site owners who don't know about this, these are the IP addresses you can expect traffic from: https://www.cloudflare.com/ips/

I'd personally advise using IPv6 (with a high, random address rather than the common aa:bb:cc:dd::0) to make scanning for hosts a lot harder to accomplish, just in case your firewall fails for some weird reason.
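As an added illustration of the firewall-level approach described in this comment (this is example code, not something posted in the thread), the script below keeps an embedded snapshot of the published Cloudflare ranges, checks whether a source address falls inside them, renders an nftables ruleset that drops web traffic from anywhere else, and picks a random host address inside an IPv6 prefix. The range list is a point-in-time copy assumed for offline use; refresh it from https://www.cloudflare.com/ips/ before relying on it, and the table and set names are my own.

```python
import ipaddress
import secrets

# Snapshot of the ranges published at https://www.cloudflare.com/ips/, embedded so
# the example runs offline. Assumption: this list is current; regenerate it from
# the URL before deploying, since Cloudflare adds and retires ranges.
CLOUDFLARE_RANGES = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32", "2405:b500::/32",
    "2405:8100::/32", "2a06:98c0::/29", "2c0f:f248::/32",
]


def parse_ranges(cidrs):
    """Parse CIDR strings; strict=True rejects entries with host bits set."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


_NETWORKS = parse_ranges(CLOUDFLARE_RANGES)


def is_cloudflare_ip(ip, networks=_NETWORKS):
    """True if `ip` lies inside one of the edge ranges (same address family only)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in networks if n.version == addr.version)


def nft_ruleset(cidrs, ports=(80, 443)):
    """Render an nftables ruleset: accept the web ports from the edge ranges, drop
    the rest. Dropping (not rejecting) at the packet filter means a direct probe of
    the origin gets no banner, no TLS certificate and no redirect to give it away,
    unlike an allow/deny list inside the web server, which still answers with a 403.
    Table and set names (origin_guard, cf4, cf6) are arbitrary choices here."""
    v4 = [c for c in cidrs if ipaddress.ip_network(c).version == 4]
    v6 = [c for c in cidrs if ipaddress.ip_network(c).version == 6]
    plist = ", ".join(str(p) for p in ports)
    return "\n".join([
        "table inet origin_guard {",
        "  set cf4 { type ipv4_addr; flags interval; elements = { "
        + ", ".join(v4) + " } }",
        "  set cf6 { type ipv6_addr; flags interval; elements = { "
        + ", ".join(v6) + " } }",
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
        f"    tcp dport {{ {plist} }} ip saddr @cf4 accept",
        f"    tcp dport {{ {plist} }} ip6 saddr @cf6 accept",
        f"    tcp dport {{ {plist} }} drop",
        "  }",
        "}",
    ])


def random_host_in(prefix):
    """Pick a uniformly random host address inside `prefix`, skipping the all-zeros
    host (the ::0 address scanners try first) and the all-ones offset."""
    net = ipaddress.ip_network(prefix, strict=True)
    host_bits = net.max_prefixlen - net.prefixlen
    offset = secrets.randbelow(2 ** host_bits - 2) + 1
    return str(net.network_address + offset)


if __name__ == "__main__":
    for probe in ("104.16.1.1", "8.8.8.8", "2606:4700::1", "2001:db8::1"):
        print(probe, "from Cloudflare" if is_cloudflare_ip(probe) else "direct hit, drop")
    print(nft_ruleset(CLOUDFLARE_RANGES))
    print("origin AAAA candidate:", random_host_in("2001:db8:1234:5678::/64"))
```

Load the rendered ruleset with `nft -f` on the origin and re-run the probes from a host outside the ranges: a correctly filtered origin times out rather than returning the 403 that a web-server-level allow list produces.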

That's the correct way of handling it, problem is not that many sites actually do that, or at least they didn't use to.

Back in the day before teespring had a public API I was scraping order counts from product listings, problem was the main domain was behind CF so the "sold count" was always cached and I wanted the live number. I actually used "CrimeFlare" back then to get the real IP of the origin server and queried that instead. And that's TeeSpring.

Twitch also until recently had their origin server open to all (although it would often bounce you back to www.)