Cloudflare Tunnel to Ceph S3

We’re using CF Tunnel to provide access to a S3 server (ceph rgw).

When we enable the a “Service Auth policy” and we supply the “Service Token” the requests are somehow modified by the CF Tunnel, and so S3 always complains about it:

We get a 403:

<?xml version="1.0" encoding="UTF-8"?>

We think this happens because CF strips the original headers in the request (CF-Access-Client-Id / CF-Access-Client-Secret)