I'm new customer, and previous tenant has domains pointing to my IP.
My server is being hammered, tried blocking malicious traffic many different ways already, but need to enable Apache option SSLVerifyClient require.

It means, the webserver will only accept connections from cloudflare, and nobody else. Quite common for people to bypass cloudflare, and hack into the origin server directly.

If you let me edit the server.apache file, I would put the following:

SSLCertificateFile "/applications/xxx/privatehtml/cert2020.crt"
SSLCertificateKeyFile "/applications/xxx/privatehtml/cert2020.key"
SSLCACertificateFile "/applications/xxx/private_html/server-ca.crt"
SSLVerifyClient require

Authenticated Origin Pulls
Authenticated Origin Pulls allow you to cryptographically verify that requests to your origin server have come from Cloudflare using a TLS client certificate. This prevents clients from sending requests directly to your origin, bypassing security measures provided by Cloudflare, such as IP and Web Application Firewalls, logging, and encryption.
This feature requires additional configuration at your web server. Refer to our support guide on Authenticated Origin Pulls.

Your all web servers are vulnerable to Slow HTTP DoS (Denial of Service) attacks.

Slowloris and Slow HTTP POST DoS attacks rely on the fact that the HTTP protocol, by design, requires requests to be completely received by the server before they are processed. If an HTTP request is not complete, or if the transfer rate is very low, the server keeps its resources busy waiting for the rest of the data. If the server keeps too many resources busy, this creates a denial of service.

Attack Details:
Time difference between connections: 10006 ms

The impact of this vulnerability:
A single machine can take down another machine's web server with minimal bandwidth and side effects on unrelated services and ports.

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: Low

Temporary Solution:
Use CloudFlare with current application and it'll resolve the issue but that's not permanent solution, kindly make the changes in the real server to prevent this kind of attacks.

Upgrade PHP 7.3, 7.2 & 7.1 to current iterations.
Security vulnerability alerts for the following versions of PHP
PHP 7.1 versions prior to 7.1.32
PHP 7.2 versions prior to 7.2.22
PHP 7.3 versions prior to 7.3.9
As of today, There are currently no reports of these vulnerabilities being exploited in the wild.
Successfully exploiting the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the affected application. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploitation could result in a denial-of-service condition.
https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-php-could-allow-for-arbitrary-code-execution_2019-087/

When sites are hacked the first thing to check is the auth.log to see who accessed what, when. When a compromise happens we need to be able to investigate immediately and find a fix.
Can site owners be provided with a way to see the auth.log for their site, similar to how we can currently view web access/error logs?

Specifically what I'm requesting is live (and perhaps filtered to my site) visibility on:
* auth.log
* sftpserver.log
* history of auth and sftpserver logs so that we can go back at least a week to see if we missed anything