Cloudflare is great - but only if you run with “Full (Strict)” to the Origin, and thus ensure valid TLS for the whole journey. Unfortunately many people are setting it up in either “Flexible” or “Full” mode, neither of which is secure, whilst masking the issue from the end user.
Flexible creates an HTTP connection (non-SSL) between Cloudflare and your Origin. Whilst that mitigates the chances of a MITM between Consumer + Cloudflare, it does nothing to prevent MITM between Cloudflare + Origin (Lucee.org).
Full at least uses TLS between Cloudflare + Origin, but doesn’t verify the certificate is valid. As such this also doesn’t prevent a MITM attack between Cloudflare <=> Origin.
By implementing IP blocks and authenticated origin pulls for Lucee.org (where it’s mostly GET requests) you can mitigate this to some extent, but not for critical data travelling in both directions.
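What the origin side of that looks like, as an added example (not configuration from the post or from the Lucee.org servers): an nginx server block that presents a certificate the edge can validate for “Full (Strict)”, enforces authenticated origin pulls with Cloudflare’s origin-pull CA, and allow-lists Cloudflare’s edge ranges. The mode itself is chosen in the Cloudflare dashboard; certificate paths, the backend port and the CA file name are assumptions, and the IP ranges shown are a subset to be refreshed from Cloudflare’s published list.

```nginx
# Added example: origin (nginx) hardened for Cloudflare "Full (Strict)".
# All file paths are assumptions; the Cloudflare ranges below are a subset
# and must be refreshed from https://www.cloudflare.com/ips/ before use.

server {
    listen 443 ssl;
    server_name lucee.org;

    # Full (Strict) only works when the edge can validate this certificate:
    # a publicly trusted cert (or a Cloudflare Origin CA cert) for the hostname.
    ssl_certificate     /etc/ssl/lucee.org/fullchain.pem;   # assumed path
    ssl_certificate_key /etc/ssl/lucee.org/privkey.pem;     # assumed path
    ssl_protocols TLSv1.2 TLSv1.3;

    # Authenticated origin pulls: the client (Cloudflare's edge) must present
    # a certificate issued by Cloudflare's origin-pull CA, so a connection that
    # bypasses Cloudflare is refused during the TLS handshake.
    ssl_client_certificate /etc/ssl/cloudflare/origin-pull-ca.pem;  # assumed path
    ssl_verify_client on;

    # IP allow-list: only Cloudflare edge ranges may reach the origin at all.
    allow 173.245.48.0/20;
    allow 103.21.244.0/22;
    allow 104.16.0.0/13;
    # ... remaining ranges from Cloudflare's published list ...
    deny all;

    location / {
        proxy_pass http://127.0.0.1:8888;   # assumed Lucee/Tomcat backend
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# Plain HTTP only redirects, so nothing legitimate still flows in the clear.
server {
    listen 80;
    server_name lucee.org;
    return 301 https://$host$request_uri;
}
```

With `ssl_verify_client on`, a connection arriving without a Cloudflare-issued client certificate is rejected at the handshake, and the `deny all` refuses anything outside the allow-list before it reaches the backend.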