Keep in mind, parts of this guide are outdated and this guide is only being kept online for reference purposes. If you have any questions about securing your server from exposing the IP address when using Cloudflare, please contact our support and we'd be happy to review your configuration.
Cloudflare can be a powerful tool if you know how to use it. Perhaps the most popular reason Cloudflare is used is due to their anti-DDoS infrastructure, which exists in a very basic form even on their Free plan. With correct configuration, you can utilize this as a very cost-efficient (free!) and helpful DDoS protection solution.
First, sign up for Cloudflare and add your website. https://cloudflare.com/
Once you've successfully added your website to Cloudflare, and updated your domain nameservers to successfully match your assigned Cloudflare records, you're ready to begin configuring Cloudflare for maximum security.
The goal we're trying to reach here is to ensure that Cloudflare does not leak the real server IP address. Cloudflare "resolvers" work by looking up records that are not secured, which leaks the real server IP address. By ensuring that Cloudflare is correctly configured for all of your domain records, any attacker will have to DDoS your website through Cloudflare's IP and not the real server IP address. Attacks going through Cloudflare IP's will be filtered (albeit minorly on the basic plan, however it's better than nothing), whereas attacks going to the real IP address will not.
To ensure that all records are secured, you will want to go to the DNS Records page and either a) enable (click the cloud to make it orange) Cloudflare for all records, or b) delete any records you don't need. You should not have Cloudflare disabled (grey cloud) for any records that point to the IP address you want to hide.
This is GOOD:
Cloudflare is enabled for all records pointing to the IP address we do not want to leak (18.104.22.168).
This is BAD. Cloudflare is not enabled for the www record, and as such attackers can retrieve the real IP address from the www record. Even if it's enabld for the root record at the top, it needs to be enabled for ALL records pointing to the IP we want to hide.
Sometimes you will get records attached to services that can't run Cloudflare, because it will break them (due to incompatibility issues). For example, if you enable Cloudflare on a cpanel record, it will break your cPanel. Because we can't enable cPanel on this record, you will want to rename it to something obscure that nobody will be able to guess. Attackers will be able to look up your additional records if needed, but keeping obscure record names is still a good technique for this and will deter most of the inexperienced attackers.
Now that your records are all safely hidden, the attacker will not be able to find your real IP address. For every tier of Cloudflare you upgrade (paid), your DDoS protection will increase. If you are prone to DDoS attacks, or may leave your website in I'm Under Attack Mode constantly 24/7, and all users will be prompted with a Cloudflare loading page before being able to access your website.
There are two other popular ways attackers can get the real IP address from your server, one of which being your website's scripts connect to third party sources and leaking out the IP address that way. If you have PHP scripts that use CURL, they are probably leaking out the real IP address to whichever server they're connecting to. Usually that isn't a huge problem, however for example if you run a MyBB forum an attacker could upload an image on their personal server and then submit the URL to MyBB to update their user avatar. MyBB will send out a CURL HTTP request to the server to check if the image exists, thus leaking the source IP. The attacker would then only need to check their webserver access logs to get the real IP address. The best way to combat this is to either:
1) Disable any functionality or scripts that use CURL entirely
2) Reconfigure your PHP scripts to send our CURL requests through a proxy.
Unfortunately these are both not easy tasks to do, but if you're serious about web security and preventing DDoS attacks it is necessary.
The second, and much more common way attackers can get your website's IP address is through checking e-mail headers. However, configuring your PHP mail to not leak the server's IP address is a completely different tutorial on it's own, and is not covered in the scope of this guide.