s3 and cloudflare flexible ssl handshakes

Published 2019-09-15 00:29

Question:

I'm wondering how secure this configuration is. So I have two servers, one for the frontend which serves a compiled static spa, and one for the backend which acts as an api. Each has its own cert from letsencrypt.

I'm trying to run my frontend and s3 virtualhost (cdn.website.com - cname) through cloudflare.

So from what I understand with the flexible, there's encryption between the user and cloudflare, but there's no encryption between cloudflare and the server. So when people hit the site, they are using a cached version of the site on cloudflare. So this is secure. So is the insecure part when cloudflare needs to pull the asset from my server? If my server has a certificate, would cloudflare use ssl when retrieving it?

So in the above, the ssl connection to cloudflare is secure, so where does it become insecure when talking to my server? Since I don't have my api server's dns on cloudflare, would this still end up being sent over ssl/tls?

For the images, why does ssl appear when using flexible, but gives an error when using full? Is this due to the original pull from amazon being insecure, but once cached on cloudflare, it becomes secure as people only hit cloudflare? What are the implications, or how insecure is doing so?

I guess I'm confused on A) where/when are the handshakes occurring, and B) how are these handshakes occurring?

Answer 1:

Take a look at the FAQ from cf; everything is pretty well explained here.

So from what I understand with the flexible, there's encryption between the user and cloudflare, but there's no encryption between cloudflare and the server. So when people hit the site, they are using a cached version of the site on cloudflare. So this is secure. So is the insecure part when cloudflare needs to pull the asset from my server?

Yes.

If my server has a certificate, would cloudflare use ssl when retrieving it?

Yes, with full ssl - not strict!

So in the above, the ssl connection to cloudflare is secure, so where does it become insecure when talking to my server?

Between cf and your server.

Since I don't have my api server's dns on cloudflare, would this still end up being sent over ssl/tls?

Despite the dns, the traffic goes through cf for tls, no? So it depends on your server config.

For the images, why does ssl appear when using flexible, but gives an error when using full?

If you don't force the s3 bucket on tls and are using cf with full ssl strict, you will get an error. So switch to full ssl, not strict. Or get a valid cert for your s3.

What are the implications, or how insecure, is doing such?

Flexible SSL: This option is not recommended if you have any sensitive information on your website.
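As an added example (not part of the question or the answer above), a Python probe that reaches an origin the way each Cloudflare mode would: Flexible needs only plain HTTP, Full needs any TLS handshake, Full (Strict) needs a certificate that validates for the public name. The hostnames in it are placeholders; the S3 case mirrors the cdn.website.com CNAME from the question, where the bucket presents Amazon's certificate rather than one for your name.

```python
"""Check which Cloudflare origin modes an origin can support.
Flexible = cleartext HTTP to the origin, Full = TLS with any cert,
Full (Strict) = TLS with a validated, name-matching cert.
Hostnames in main() are placeholders, not real targets."""
import socket
import ssl


def probe_origin(host, connect_host=None, port=443, timeout=5.0):
    """Return (tls_ok, cert_valid, detail). `connect_host` lets you hit the
    origin directly (its IP or the S3 endpoint) while presenting the public
    name in SNI, which is what the proxy does on Full / Full (Strict)."""
    target = connect_host or host
    # Full: handshake succeeds with any certificate, self-signed included.
    lax = ssl.create_default_context()
    lax.check_hostname = False
    lax.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((target, port), timeout=timeout) as raw:
            with lax.wrap_socket(raw, server_hostname=host) as tls:
                version = tls.version()
    except (OSError, ssl.SSLError) as exc:
        return (False, False, f"no TLS on {target}:{port}: {exc}")
    # Full (Strict): chain must validate and the name must match `host`.
    strict = ssl.create_default_context()
    try:
        with socket.create_connection((target, port), timeout=timeout) as raw:
            with strict.wrap_socket(raw, server_hostname=host):
                pass
    except ssl.SSLCertVerificationError as exc:
        return (True, False, f"{version} but cert not valid for {host}: "
                             f"{exc.verify_message}")
    except (OSError, ssl.SSLError) as exc:
        return (True, False, f"{version} but strict handshake failed: {exc}")
    return (True, True, f"{version}, certificate valid for {host}")


def viable_modes(tls_ok, cert_valid):
    """Cloudflare modes the origin can serve, weakest first. Flexible is
    assumed to work (origin speaks HTTP) but leaves the CF->origin leg clear."""
    modes = ["Flexible"]
    if tls_ok:
        modes.append("Full")
    if tls_ok and cert_valid:
        modes.append("Full (Strict)")
    return modes


if __name__ == "__main__":
    # Placeholder names; second entry mimics a CDN CNAME pointed at a bucket.
    for host, via in [("www.example.com", None),
                      ("cdn.example.com", "cdn.example.com.s3.amazonaws.com")]:
        ok, valid, detail = probe_origin(host, via)
        print(host, viable_modes(ok, valid), "-", detail)
```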