Connecting from firewalled network to Private SSH Server through Zero Trust Tunnel

Hi,

I’m using Cloudflare Tunnel to protect a private SSH server and provide it to users via a custom domain guarded by Zero Trust Access Control. We also require users to tunnel through cloudflared with Short-Lived Certs enabled. From now on, we suppose `*.example.com` is the custom domain and `example.cloudflareaccess.com` is the tunnel URL - note that the actual URLs are different. The user is supposed to log in via `access.example.com`, with `~/.ssh/config` having the following content:

Match host access.example.com exec "/usr/local/bin/cloudflared access ssh-gen --hostname %h"
  User user
  ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h
  IdentityFile ~/.cloudflared/%h-cf_key
  CertificateFile ~/.cloudflared/%h-cf_key-cert.pub

(The user is actually connecting from a Windows machine using Bash, so the paths are slightly different - but the file itself seems similar.)

One of the users has to connect to the server from the local network behind a somewhat strict firewall, which is out of my control. I asked users to ask their network admin to allow HTTP/HTTPS access to example.com, access.example.com and example.cloudflareaccess.com.

After that access was allowed, they use the following commands to connect via SSH:

export http_proxy=http://local-proxy:1234
export https_proxy=http://local-proxy:1234
ssh access.example.com

With this, the user can proceed to browser-based authentication and is successfully authenticated, with the page saying “Success :tada:”. However, in the console, the SSH login itself failed with the following message:

A browser window should have opened at the following URL:
 
https://access.example.com/cdn-cgi/access/cli?[REDUCTED]
 
If the browser failed to open, please visit the URL above directly in your browser.
2024-02-05T08:45:00Z INF Waiting for login...
kex_exchange_identification: Connection closed by remote host
Connection closed by UNKNOWN port 65535

To diagnose this, I asked the user to modify the ProxyCommand so that it writes a debug log:

ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h --log-level debug --logfile ~/.cloudflared/access.log

Here are the contents of access.log:

{"level":"debug","time":"2024-02-06T05:27:46Z","message":"Websocket request: GET / HTTP/1.1\r\nHost: access.example.com\r\nUser-Agent: cloudflared/2023.10.0\r\n\r\n"}
{"level":"error","error":"tls: server advertised unrequested ALPN extension","originURL":"https://access.example.com","time":"2024-02-06T05:27:47Z","message":"failed to connect to origin"}

It seems that the firewall adds some unexpected message to the response from access.example.com. At this point, I have no idea how to resolve this situation. Is there any possible way to circumvent such a situation, or to inspect it even further?

Thank you in advance.
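The error string in the debug log, "tls: server advertised unrequested ALPN extension", is produced by Go's crypto/tls (cloudflared is a Go program) when the ServerHello carries an ALPN extension although the ClientHello did not offer one. Cloudflare's edge does not do that, so the most likely explanation is a TLS-inspecting proxy in the user's network terminating the connection and replying with its own ServerHello and certificate. The script below is an added diagnostic, not part of the post or of cloudflared: it wraps `openssl s_client` (run through the same `local-proxy:1234` the post uses, via the `-proxy` option that exists in OpenSSL 1.1.0 and later) and parses the output for the two signs that would confirm interception: an ALPN protocol being negotiated although none was requested, and a leaf certificate whose issuer is not the expected CA. The expected-issuer string, the proxy address and the two sample outputs are assumptions or constructed samples, labelled as such in the code.

```python
"""Detect TLS interception on the path to an Access hostname.

Added diagnostic (not from the forum post or from cloudflared). It builds an
`openssl s_client` command line, then parses the tool's output for signs of a
TLS-inspecting middlebox. The sample outputs at the bottom are constructed for
offline use and do not come from a real server.
"""
import re
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ProbeResult:
    issuer: Optional[str]          # text after "issuer=" in s_client output
    alpn: Optional[str]            # protocol from "ALPN protocol: ..." or None
    verify_code: Optional[int]     # N from "Verify return code: N (...)"
    reasons: List[str] = field(default_factory=list)

    @property
    def interception_suspected(self) -> bool:
        return bool(self.reasons)


def s_client_command(host: str, proxy: Optional[str] = None,
                     alpn: Optional[str] = None) -> List[str]:
    """Build the openssl invocation. Assumes OpenSSL >= 1.1.0 (which has -proxy)."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:443", "-servername", host]
    if proxy:
        cmd += ["-proxy", proxy]       # go through the site's HTTP CONNECT proxy
    if alpn:
        cmd += ["-alpn", alpn]         # omit to mimic cloudflared's ALPN-less ClientHello
    return cmd


def analyze(output: str, requested_alpn: bool,
            expected_issuer: str = "Cloudflare") -> ProbeResult:
    """Parse s_client output and collect interception indicators."""
    issuer_m = re.search(r"^issuer=(.*)$", output, re.M)
    alpn_m = re.search(r"^ALPN protocol: (\S+)$", output, re.M)
    code_m = re.search(r"^Verify return code: (\d+)", output, re.M)
    result = ProbeResult(
        issuer=issuer_m.group(1).strip() if issuer_m else None,
        alpn=alpn_m.group(1) if alpn_m else None,
        verify_code=int(code_m.group(1)) if code_m else None,
    )
    if result.alpn and not requested_alpn:
        # Exactly the condition that makes Go's crypto/tls (and so cloudflared) abort.
        result.reasons.append(
            f"server negotiated ALPN '{result.alpn}' although none was requested")
    if result.issuer is not None and expected_issuer.lower() not in result.issuer.lower():
        result.reasons.append(
            f"leaf certificate issued by '{result.issuer}', not by {expected_issuer}")
    if result.verify_code not in (None, 0):
        result.reasons.append(f"chain failed verification (code {result.verify_code})")
    return result


def probe(host: str, proxy: Optional[str] = None, alpn: Optional[str] = None,
          timeout: int = 15) -> ProbeResult:
    """Run the real probe; needs network access and an openssl binary on PATH."""
    proc = subprocess.run(s_client_command(host, proxy, alpn), input="",
                          capture_output=True, text=True, timeout=timeout)
    return analyze(proc.stdout + proc.stderr, requested_alpn=alpn is not None)


# Constructed sample outputs (trimmed to the lines the parser looks at).
SAMPLE_CLEAN = """subject=CN = access.example.com
issuer=C = US, O = Cloudflare, Inc., CN = EXAMPLE-CA-NAME
---
No ALPN negotiated
---
Verify return code: 0 (ok)
"""

SAMPLE_INTERCEPTED = """subject=CN = access.example.com
issuer=O = Corp Proxy Root CA (constructed)
---
ALPN protocol: http/1.1
---
Verify return code: 19 (self-signed certificate in certificate chain)
"""


if __name__ == "__main__":
    # Offline demonstration on the constructed samples; swap in probe(...) on site.
    for name, sample in (("clean", SAMPLE_CLEAN), ("intercepted", SAMPLE_INTERCEPTED)):
        r = analyze(sample, requested_alpn=False)
        print(name, "-> interception suspected:", r.interception_suspected)
        for reason in r.reasons:
            print("   ", reason)
    print("command:", " ".join(s_client_command("access.example.com", "local-proxy:1234")))
```

Run `probe("access.example.com", proxy="local-proxy:1234")` from the affected machine and the same call from an unfiltered network; if only the proxied run reports an unrequested ALPN protocol and a non-Cloudflare issuer, the network admin operates a TLS inspection device, and the practical remedy is an inspection bypass for the Access hostnames rather than a change on the tunnel side. The `verify_code` check is only informative when the inspection root has not been installed in the local trust store.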