Has the target of a HTTP CONNECT tunnel to be reachable from both client and proxy?

I am trying to tunnel ssh via HTTP. My apache virtual host config looks as follows: ServerName proxy.example.org ProxyRequests On AllowCONNECT 22 Require all denied Require all granted Proxytunnel outputs the following: proxytunnel -E -p proxy.example.org:443 -d ssh-container:22 -> Via proxy.example.org:443 -> ssh-container:22 HTTP return code: 404 Not Found ssh-container is a docker container in the same network of the apache httpd container. ssh ssh-container is successful from inside the apache container. If I now change ssh-container to something which is reachable from the client requesting the tunnel via proxy.example.org to the sshd (e.g. ssh.example.org:22) it works. So why is that? I am assuming that if I tunnel via HTTP CONNECT that only the proxy has to be able to reach the target. I suspected some DNS issues (e.g. client has to resolve DNS), but even connecting via the proxy with the container IP as the target does not work.