Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

TCP proxy docs #334

Merged
merged 1 commit into from
Sep 9, 2023
Merged

TCP proxy docs #334

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
25 changes: 21 additions & 4 deletions src/docs/deploy/exposing-your-app.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ width={1396} height={628} quality={80} />
One or more custom domains can be added to a Railway service (tied to a specific environment).

Here's how it works:

1. Navigate to the Settings tab of your desired service
2. Add a custom domain and type in the name (wildcard domains are supported)
3. Add the `CNAME` records to the DNS settings for your domain
Expand All @@ -38,20 +39,34 @@ width={1338} height={808} quality={80} />
worldwide. Freenom is not allowed, and not supported.

## Wildcard Domains

There are a few important things to know when using Wildcard Domains:

1. Ensure that the CNAME record for authorize.railwaydns.net is not proxied by your provider (eg: Cloudflare). This is required for the verification process to work.
3. Wildcards can be used for any subdomain level (eg: `*.yourdomain.com` or `*.subdomain.yourdomain.com`).
4. You cannot nest wildcards (eg: \*.\*.yourdomain.com).
2. Wildcards can be used for any subdomain level (eg: `*.yourdomain.com` or `*.subdomain.yourdomain.com`).
3. You cannot nest wildcards (eg: \*.\*.yourdomain.com).

<Image
src="https://res.cloudinary.com/railway/image/upload/v1679693511/wildcard_domains_zdguqs.png"
alt="Screenshot of Wildcard Domain"
layout="responsive"
width={1048} height={842} quality={80} />

In order to use Wildcard Domains, you must add two CNAME records, one for the wildcard domain, and one for the _acme-challenge. The _acme-challenge CNAME is required for Railway to issue the SSL Certificate for your domain.
In order to use Wildcard Domains, you must add two CNAME records, one for the wildcard domain, and one for the \_acme-challenge. The \_acme-challenge CNAME is required for Railway to issue the SSL Certificate for your domain.

**NOTE:** If you're using Cloudflare, it is important that the \_acme-challenge record has Cloudflare proxying disabled (no orange cloud).

## TCP Proxying

<PriorityBoardingBanner />

**NOTE:** If you're using Cloudflare, it is important that the _acme-challenge record has Cloudflare proxying disabled (no orange cloud).
You can proxy TCP traffic to your service by creating a TCP proxy in the service settings. Enter the port that you want traffic proxied to, Railway will generate a domain and port for you to use. All traffic sent to `domain:port` will be proxied to your service. This is useful for services that don't support HTTP, such as databases.

<Image
src="https://res.cloudinary.com/railway/image/upload/v1694217808/docs/screenshot-2023-09-08-20.02.55_hhxn0a.png"
alt="Screenshot of TCP proxy configuration"
layout="responsive"
width={700} height={225} quality={100} />

## Private Networks

Expand All @@ -76,6 +91,7 @@ layout="responsive"
width={1205} height={901} quality={80} />

If proxying is not enabled, Cloudflare will not associate the domain with your Railway project with the following error:

```
ERR_TOO_MANY_REDIRECTS
```
Expand All @@ -87,6 +103,7 @@ Also note that if proxying is enabled, you can NOT use a domain deeper than a fi
Some domain registrars don't fully support CNAME records. As a result - when you add an `@` record for a CNAME, the domain registrar will create an invalid `A` record.

Registrars that are known to not fully support CNAME records for the root domain include:

- Freenom
- GoDaddy
- Ionos
Expand Down
4 changes: 3 additions & 1 deletion src/docs/reference/private-networking.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,16 +45,18 @@ Requests to replica DNS service address will be round robin'd between all replic
## Caveats

During the feature development process we found a few caveats that you should be aware of:

- Railway databases are not accessible via the private network, we are moving towards a system where DBs are services with volumes attached.
- You will need to establish a wireguard tunnel to external services if you wish to vendor requests in your application.
- You will need to bind to a IPv6 port to receive traffic on the private network.
- Private networking is enabled automatically for new projects/environments. If you want to use private networking in an existing environment, you will have to enable it manually in the settings panel of one of the environment services.
- Private networks take 100ms to initialize on deploy, we ask that you set initial requests on a retry loop.
- We don't support IPv4 private networking
- Alpine-based images may not work with our internal DNS due to how it performs
resolution. See the section below for a workaround.
resolution. See the section below for a workaround.

## Workaround for Alpine-based images

During private networking initialization (the period under 100ms), dns resolution is handled via a fallback DNS server 8.8.8.8 in the container DNS config.
However, in Alpine-based images, due to how DNS resolution is handled, if that public DNS server's response is faster than the private networking DNS, it causes private resolution to fail.

Expand Down