Transform Rule for Authelia / Caddy

I’m trying to understand what the Authelia documentation is asking me to do here: Forwarded Headers - Integration - Authelia

It looks like it is saying to create two rules that each remove the X-Forwarded-For header? One removes it if it is non-empty and one removing it if it doesn’t contain a Cloudflare IP address? These don’t make sense to me. I’m not sure what we’re trying to accomplish?

My interpretation (which has to be wrong) is that any match of either of the expressions:

(http.x_forwarded_for ne "")
 - OR -
(not ip.src in {173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/13 104.24.0.0/14 172.64.0.0/13 131.0.72.0/22})

should result in X-Forwarded-For be removed.

I’m trying to set up a small homelab mainly for Home Assistant and smarthome applications. Ultimately, I want to go through Cloudflare Tunnel to Caddy proxy with Authelia authenticating. Could someone please explain what transforms I’m supposed to be creating? I’m lost on what I’m supposed to be accomplishing and I don’t want to do anything that will negatively affect security.