• chicken@lemmy.dbzer0.com
    2 hours ago

    How can they act as a proxy if they can’t terminate the connection?

    Why wouldn’t they be able to? The DNS record points to Cloudflare’s IP, they forward the traffic to your server’s IP. This is a common choice for self-hosting setups because it’s a free service and it is a way to avoid pointing a DNS record at your home IP, which you may not want everyone to know. That doesn’t require decrypting the traffic.

    How this squares with the DDoS protection and caching stuff, I’m not sure, but I know I set up SSL locally, did not give Cloudflare the keys, turned off all the options for them to handle it, and everything seems to work.