In effect, Cloudflare would give protection against DDoS attacks before requests would even hit your servers. That much said you can implement mitigations on the reverse proxy itself. One example would be fail2ban.
I'm sure there are additional steps that you can take. I'm not a fan of Cloudflare because their free offering has some caveats and violating these could be problematic. I have a cloud VPS with a WireGuard tunnel back to my server. I don't have to do anything ugly like port forwarding. The cloud VPS runs NGINX as a reverse proxy. It's a relatively simple and effective setup.