🐛 header X-Forwarded-For not set correctly for the origin

[PMA-Servizi]

Describe the bug
Using a cf tunnel (public hostname), a wrong value of X-Forwarded-For is given to the origin when the original request includes that header.
For example, if the original visitor IP address is 203.0.113.1, and the X-Forwarded-For header is included like: curl -v -H "X-Forwarded-For: a,b,c,d,e,f,g" https://whoami.example.com

the origin receives:

Cf-Connecting-Ip: 203.0.113.1
X-Forwarded-For: a,b,c,d,e,f,g,203.0.113.1

To Reproduce
Steps to reproduce the behavior:
docker compose:

services:

  cloudflared:
    container_name: cloudflared
    image: cloudflare/cloudflared
    command: tunnel --no-autoupdate run
    env_file: .env_cloudflare
    restart: unless-stopped

  whoami:
    image: "traefik/whoami"
    container_name: "whoami"
    restart: unless-stopped

setup zero trust tunnel and make curl request like:
curl -v -H "X-Forwarded-For: a,b,c,d,e,f,g" https://whoami.example.com

If it's an issue with Cloudflare Tunnel:
4. Tunnel ID : a449d8a5-0a64-437e-bc33-f9051fbf8452
5. cloudflared config: TUNNEL_TOKEN env variable with the secret token

Expected behavior
the origin should receive: X-Forwarded-For: <VISITOR_IP>, <THIRD_PARTY_CDN_1_IP>, <THIRD_PARTY_CDN_2_IP>
the example should be: X-Forwarded-For: 203.0.113.1,a,b,c,d,e,f,g
(and maybe remove all invalid ip addresses)

Environment and versions

• OS: debian 12
• Architecture: amd64
• Version: 2025.2.0 (Checksum d7e573b235ef4a1cf45d6b837f61094e4a3403c4ef92e1281a8fec3f7f257691)

Additional context
https://developers.cloudflare.com/fundamentals/reference/http-headers/
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For