Nothing like attempting to assist someone with problems and trying to 'fill in the blanks' via Vulcan Mind Meld ... but .... such is public forums. :| Understood.
Ok, quick review ...
You upgraded a site from 2.7.x through 3.2.highest then onto 3.7.highest.
(I take it you stopped at the 3.2.highest and checked things out ... backed up code + DB ... when everything was checked out, then onto 3.7.highest. Images now missing were present)
You did so using the old method of moving moodle code directory out of the way, unzipping the moodle code zip, copying back in config.php from code directory moved.
At that point things were fine except images ...
Well, the manually created images directory needed to be moved back into new moodle code from old moodle code.
Am guessing ... because you've shown /public_html/ in paths ... that you don't have to be concerned about username/group on files/folders in new code.
moodledata was in public_html and you moved to /srv/home/customerID/ or something like that ... that's your '/' (root of your account). moodledata has an .htaccess file in it.
since moodledata has been moved, did you tell apache that it could access moodledata via some addiitonal config of apache?
There was no duplicate moodledata directory remaining from a upgrade that went sour?
What would happen if you moved moodledata back to it's original location? The hidden .htaccess file should be enough to protect from direct browsing.
???? with CloudFlare off, the site works!!! Hmmmmmm ...
'SoS', Ken