Tunnel SSH proxying does not work through Docker, or direct connection, browser rendering errors
Dear Cloudflare support,
We've tried several ways to expose an SSH connection outside of our local network.
After searching through the internet, we came across your solution.
We've set up a tunnel and added a self-hosted application with browser rendering set to ON.
We've tried all solutions from tutorials and your support pages, including Docker setup and direct setup. Neither of them worked.
The tunnel connection is showing up as healthy, but when trying to connect through the browser we get "SSL Connection, Cypher algorithm mismatch" or "Connection failed".
When trying to connect directly via command-line SSH we got even stranger errors, like: "kex_exchange_identification: Connection closed by remote host
Connection closed by UNKNOWN port 65535"
No errors whatsoever with the tunnel; we only get warnings (and only on Docker), such as from QUIC that it cannot allocate what it needs. We tried to increase it as described in the wiki article, but the cloudflared container has neither shell access nor sys commands.
We tried to clean up and redo everything, and the same issues still persist. We do not even get the access page for the policy we've set up.
Eagerly waiting for your response.
2 Replies
We've finally resolved the issue.
There were many reasons that made our SSH tunnel not work at all.
We've figured out how to do that on Linux, Ubuntu 24.04.
I'll leave them here in case anyone needs them:
- You NEED to have SSL enabled, with SSL/TLS set to at least Flexible (Flexible is enough), on your target domain (on example.com if you have SSH on ssh.example.com).
- You NEED to have a one-level subdomain for the tunneled domain. That's because Cloudflare does not issue SSL certificates for multi-level domains. (Instead of ssh.computer.example.com you should have computer-ssh.example.com or ssh.example.com. It does not matter whether you have ssh.example.com, I could have ted.example.com; just beware of the one-level subdomain.)
- You NEED to have your Docker container running cloudflared in `--network host` mode. There are other, more secure or "better" solutions, but this one is the most straightforward. You HAVE to give dockerized cloudflared access to your computer's network.
- You SHOULD, if you install cloudflared on bare metal, remove all artifacts of possible previous daemons before you install the cloudflared service; do it by `sudo cloudflared service install`.
- You SHOULD create a self-hosted application (this is an important one) if you want a browser-rendered application. Then enable Browser Rendering and switch it to SSH. Beware of setting your application domain to the same as your Public Hostname. Set a policy. That's enough, you do not need anything more.
See also this Reddit comment thread, which helped us resolve most of our issues: https://www.reddit.com/r/selfhosted/comments/or8zd4/comment/h6irffq/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button
It is clearly dissatisfying that there's no response from Cloudflare Community Support et al.
If anyone would appreciate it, I can write a step-by-step guide on how to set up Cloudflare Tunnels with troubleshooting on Docker and bare metal. Let me know!
I can say that this issue can be marked as solved.
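
The hostname and network-mode conditions from the checklist above can be checked before debugging the tunnel itself. This is an added example, not part of the original thread: the function names and sample hostnames are constructed, and `uses_host_network` assumes a local Docker daemon and a container name you supply.

```shell
#!/bin/sh
# Added example (not from the thread). Hostnames below are constructed samples.

# Succeeds only when host $1 sits exactly one label below zone $2
# (ssh.example.com passes, ssh.computer.example.com does not).
is_one_level() {
    case "$1" in
        *".$2") label=${1%".$2"} ;;
        *) return 1 ;;              # not inside the zone at all
    esac
    case "$label" in
        ""|*.*) return 1 ;;         # empty label, or more than one level
    esac
    return 0
}

# Prints a one-level alternative by joining the extra labels with hyphens.
flatten_host() {
    label=${1%".$2"}
    printf '%s.%s\n' "$(printf '%s' "$label" | tr '.' '-')" "$2"
}

# Reports on one public hostname; returns non-zero when it needs changing.
check_host() {
    is_one_level "$1" "$2" && { echo "ok: $1"; return 0; }
    case "$1" in
        *".$2") echo "multi-level: $1, consider $(flatten_host "$1" "$2")" ;;
        *)      echo "not in zone $2: $1" ;;
    esac
    return 1
}

# Succeeds when the named container was started with --network host.
# Returns 2 if Docker or the container is unavailable.
uses_host_network() {
    mode=$(docker inspect --format '{{.HostConfig.NetworkMode}}' "$1" 2>/dev/null) || return 2
    [ "$mode" = "host" ]
}

# Demo on constructed hostnames (no Docker needed for this part).
check_host ssh.example.com example.com || true
check_host ssh.computer.example.com example.com || true
```

To check a running container as well, call `uses_host_network` with the name you gave your cloudflared container.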