cloudflare is supposed to mask server ip?
Yes, but if you're not familiar with Cloudflare, it is far more than just a proxy system. That just happens to be one of their many features and also the main way that they integrate their CDN, DDoS protection, etc services. As the original poster shows, if you can resolve the originating IP, some of the security features are worthless...but personally as a free service, it has benefits beyond just security protection and most legitimate user bases won't be actively trying to resolve your IP for malicious purposes. They just want to see content.
Essentially, after you build a website on a server and give it a domain name, you can go to Cloudflare and have them scrape the name server records (such as A Records) that tell them what server IP address your website is on.
Once they have that information, you can simply change the name servers to theirs and it will filter traffic through them first before rerouting it to the actual location.
Thereby, when a visitor prompts Cloudflare for
www.examplecloudflaresite.com, they're directed to a Cloudflare IP address where Cloudflare first implements security features that have been activated, and then if the visitor is safe it will gather as many cached copies of content from your website off its servers as it can to quickly deliver to the visitor. Anything it hasn't cached or is disallowed to cache such as dynamic content, Cloudflare requests from your server IP address and then passes on to the visitor.
Unlike typical proxy systems though, delivery of content is much, much faster and it's even much, much faster than delivering straight from the originating IP because of their network of servers across the globe and how they cache versions of content on those servers readily available for quick access.
The neat thing is, because you're requesting content from them and not the site directly, and because they have a copies of that content, even if your server crashes they can deliver your website even if in just a very simple, static content only method. Plus, since traffic is routed through them, they can add on pieces of code to the website as they request it, which allows them to make adding on a variety of little apps and such like keyword advertising systems for you if you do choose.
Anyways, so yeah typically, if you use a whois type service it'll act as though Cloudflare owns the servers because it's only requesting the originating IP associated with the name servers. There was one whois service I found that was correctly able to show the resolved IP but I don't remember.
That said, Cloudflare isn't meant to mask your identity of you abuse their services and I don't believe they'd under any obligation to keep your identity private or to keep the originating IP private of they're requested, although I believe they protect identities unless there is a reasoning for them to release the details. And obviously, there are ways to resolve the address anyways.
It's pretty neat...and basic advantages are free. Again, as the original poster shows, it's not a perfect system, but as for making a site more faster for your average users and protecting you from basic spam and bots, I think it works well....in fact see the next post.
