From b9206c58daade3c1fdeca7b2ff5664b96d95a82c Mon Sep 17 00:00:00 2001 From: Jake Runzer Date: Fri, 8 Sep 2023 20:04:21 -0400 Subject: [PATCH] tcp proxy docs --- src/docs/deploy/exposing-your-app.md | 25 ++++++++++++++++++++---- src/docs/reference/private-networking.md | 4 +++- 2 files changed, 24 insertions(+), 5 deletions(-) diff --git a/src/docs/deploy/exposing-your-app.md b/src/docs/deploy/exposing-your-app.md index dfb67ade9..f4601dab0 100644 --- a/src/docs/deploy/exposing-your-app.md +++ b/src/docs/deploy/exposing-your-app.md @@ -23,6 +23,7 @@ width={1396} height={628} quality={80} /> One or more custom domains can be added to a Railway service (tied to a specific environment). Here's how it works: + 1. Navigate to the Settings tab of your desired service 2. Add a custom domain and type in the name (wildcard domains are supported) 3. Add the `CNAME` records to the DNS settings for your domain 
@@ -38,10 +39,12 @@ width={1338} height={808} quality={80} /> worldwide. Freenom is not allowed, and not supported. ## Wildcard Domains + There are a few important things to know when using Wildcard Domains: + 1. Ensure that the CNAME record for authorize.railwaydns.net is not proxied by your provider (eg: Cloudflare). This is required for the verification process to work. -3. Wildcards can be used for any subdomain level (eg: `*.yourdomain.com` or `*.subdomain.yourdomain.com`). -4. You cannot nest wildcards (eg: \*.\*.yourdomain.com). +2. Wildcards can be used for any subdomain level (eg: `*.yourdomain.com` or `*.subdomain.yourdomain.com`). +3. You cannot nest wildcards (eg: \*.\*.yourdomain.com). Screenshot of Wildcard Domain -In order to use Wildcard Domains, you must add two CNAME records, one for the wildcard domain, and one for the _acme-challenge. The _acme-challenge CNAME is required for Railway to issue the SSL Certificate for your domain. +In order to use Wildcard Domains, you must add two CNAME records, one for the wildcard domain, and one for the \_acme-challenge. The \_acme-challenge CNAME is required for Railway to issue the SSL Certificate for your domain. + +**NOTE:** If you're using Cloudflare, it is important that the \_acme-challenge record has Cloudflare proxying disabled (no orange cloud). + +## TCP Proxying + + -**NOTE:** If you're using Cloudflare, it is important that the _acme-challenge record has Cloudflare proxying disabled (no orange cloud). +You can proxy TCP traffic to your service by creating a TCP proxy in the service settings. Enter the port that you want traffic proxied to, Railway will generate a domain and port for you to use. All traffic sent to `domain:port` will be proxied to your service. This is useful for services that don't support HTTP, such as databases. + + ## Private Networks 
@@ -76,6 +91,7 @@ layout="responsive" width={1205} height={901} quality={80} /> If proxying is not enabled, Cloudflare will not associate the domain with your Railway project with the following error: + ``` ERR_TOO_MANY_REDIRECTS ``` @@ -87,6 +103,7 @@ Also note that if proxying is enabled, you can NOT use a domain deeper than a fi Some domain registrars don't fully support CNAME records. As a result - when you add an `@` record for a CNAME, the domain registrar will create an invalid `A` record. Registrars that are known to not fully support CNAME records for the root domain include: + - Freenom - GoDaddy - Ionos diff --git a/src/docs/reference/private-networking.md b/src/docs/reference/private-networking.md index 97976bd27..892cdf8c8 100644 --- a/src/docs/reference/private-networking.md +++ b/src/docs/reference/private-networking.md @@ -45,6 +45,7 @@ Requests to replica DNS service address will be round robin'd between all replic ## Caveats During the feature development process we found a few caveats that you should be aware of: + - Railway databases are not accessible via the private network, we are moving towards a system where DBs are services with volumes attached. - You will need to establish a wireguard tunnel to external services if you wish to vendor requests in your application. - You will need to bind to a IPv6 port to receive traffic on the private network. 
@@ -52,9 +53,10 @@ During the feature development process we found a few caveats that you should be - Private networks take 100ms to initialize on deploy, we ask that you set initial requests on a retry loop. - We don't support IPv4 private networking - Alpine-based images may not work with our internal DNS due to how it performs -resolution. See the section below for a workaround. + resolution. See the section below for a workaround. ## Workaround for Alpine-based images + During private networking initialization (the period under 100ms), dns resolution is handled via a fallback DNS server 8.8.8.8 in the container DNS config. However, in Alpine-based images, due to how DNS resolution is handled, if that public DNS server's response is faster than the private networking DNS, it causes private resolution to fail.
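Review bot: In the `@@ -38,10 +39,12 @@` hunk of `src/docs/deploy/exposing-your-app.md`, the new TCP Proxying paragraph never says that the generated `domain:port` is reachable from the public internet, which matters most for the very use case it recommends ("services that don't support HTTP, such as databases"). Add a sentence stating that explicitly and telling readers the proxied service must enforce its own authentication before it is exposed this way, and say whether the proxy passes TCP through unchanged or terminates TLS, since readers of "All traffic sent to `domain:port` will be proxied to your service" will assume raw passthrough. The same paragraph also has a comma splice; split "Enter the port that you want traffic proxied to, Railway will generate a domain and port for you to use." into two sentences. The two blank `+` lines under the heading look like a placeholder for a screenshot that is not in this patch; either add the image or drop the empty lines.

Review bot: In the `@@ -45,6 +45,7 @@` hunk of `src/docs/reference/private-networking.md`, while this list is being touched, fix the article in the unchanged context line "You will need to bind to a IPv6 port" to "an IPv6 port".

Review bot: In the `@@ -52,9 +53,10 @@` hunk of `src/docs/reference/private-networking.md`, the caveat list says "Private networks take 100ms to initialize" while the workaround paragraph directly below calls it "the period under 100ms"; pick one phrasing (for example "up to 100ms") so the two agree, and capitalise "dns resolution" as "DNS resolution". The workaround text also states that during that window resolution goes to the fallback DNS server 8.8.8.8, which means lookups for private service names are sent to a public resolver until the private DNS is up; spell that out in the caveat so readers understand why the retry loop is recommended rather than relying on the fallback. The re-indented "  resolution." continuation is correct as written, since the two leading spaces keep it inside the Alpine bullet.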