-
We do most of our work stuff in a similar way within AWS using what you call 'Flexible'. Autoscaling IIS boxes accepting http traffic from various Cloudfronts (so close to Cloudflare it gets confusing), hosts CNAMEd to the Cloudfronts.
With my personal shit it's all on cheap shit hosting and I care not for its maintenance or even security for that matter, I just don't want the "Not Secure" shit popping up in Chrome so the quickest, easiest solution for me is what I want.
Might give it a whirl. You sure your servers can cope with the extra workload? Gotta be at least a hit a day from something that isn't a crawler...
Universal SSL is the product.
Yes we give free certs. You cannot download those certs, we manage them for you and terminate the SSL traffic, rotate the certs, renew them, etc. It means we are a reverse proxy.
We then connect to your server, and yup... DNS is the key. When you enable Cloudflare for an A, AAAA or CNAME we will publish our IPs to the world, terminate the SSL, and then use the real IPs internally to reach you.
There are three modes for that last bit where Cloudflare talks to your server:
Flexible isn't great security, but sometimes with CNAMEs it's the best you can do (no control over the CNAME sites' ability to use TLS).
This is all free, and we still make money from it, it's not going away and isn't a loss leader... it's just a by-product of lowering the cost of doing something to fractions of a cent through automation and some clever tech.