Public Networking

Public Networking refers to exposing your application to the internet, to be accessible from the public network.

Port Variable

An essential part of connecting to your service from the internet, is properly handling the PORT variable.

The easiest way to get up and running is by using the Railway-provided port.

Railway-provided port

As long as you have not defined a PORT variable, Railway will provide and expose one for you.

To have your application use the Railway-provided port, you should ensure it is listening on 0.0.0.0:$PORT, where PORT is the Railway-provided environment variable.

Examples -

# python web server
if __name__ == '__main__':
    app.run(debug=True, port=os.getenv("PORT", default=5000))
// node web server
const port = process.env.PORT || 3000;

app.listen(port, () => {
  console.log(`App listening on port: ${port}`);
});

More information and examples for this can be found in the Fixing Common Errors guide.

Note: If your application needs to be accessible over both public and private networks, your application server must support dual stack binding. Most servers handle this automatically when listening on ::, but some, like Uvicorn, do not.

User-defined port

If you prefer to explicitly set a port, you must set the PORT variable in your service variables to the port on which your service is listening.

For information on how to configure variables, see the Variables guide.

Railway-Provided Domain

Railway services don't obtain a domain automatically, but it is easy to set one up.

To assign a domain to your service, go to your service's settings, find the Networking -> Public Networking section, and choose Generate Domain.

Automated Prompt

If Railway detects that a deployed service is listening correctly (as described above), you will see a prompt on the service tile in the canvas, and within the service panel.

Screenshot of adding Service Domain

Simply follow the prompts to generate a domain and your app will be exposed to the internet.

Don't see the Generate Domain Button?

If you have previously assigned a TCP Proxy to your service, you will not see the Generate Domain option. You must remove the TCP Proxy (click the Trashcan icon), then you can add a domain.

Custom Domains

Custom domains can be added to a Railway service and environment.

  1. Navigate to the Settings tab of your desired service

  2. Click + Custom Domain in the Public Networking section of Settings

  3. Type in the custom domain (wildcard domains are supported, see below for more details)

  4. In your DNS provider (Cloudflare, DNSimple, Namecheap, etc), update your domain's DNS settings by adding the appropriate DNS record(s) and associating it with the domain provided by Railway, e.g., abc123.up.railway.app

    • For subdomains, including "www", add a CNAME record
    • For root or apex domains, the record type will vary, see below for more details
  5. Wait for Railway to verify your record. When verified, you will see a greencheck mark next to the domain(s) -

    Screenshot of Custom Domain

Note that changes to DNS settings may take up to 72 hours to propagate worldwide.

Important Considerations

  • Freenom domains are not allowed and not supported.
  • The Trial Plan is limited to 1 custom domain. It is therefore not possible to use both yourdomain.com and www.yourdomain.com as these are considered two distinct custom domains.
  • The Hobby Plan is limited to 2 custom domains per service.
  • The Pro Plan is limited to 20 domains per service by default. This limit can be increased for Pro users on request, simply reach out to us via a private thread.

Wildcard Domains

Wildcard domains allow for flexible subdomain management. There are a few important things to know when using them:

  1. Ensure that the CNAME record for authorize.railwaydns.net is not proxied by your provider (eg: Cloudflare). This is required for the verification process to work.
  2. Wildcards can be used for any subdomain level (e.g., *.yourdomain.com or *.subdomain.yourdomain.com).
  3. Wildcards cannot be nested (e.g., *.*.yourdomain.com).

When you add a wildcard domain, you will be provided with two domains for which you should add two CNAME records -

Screenshot of Wildcard Domain

One record is for the wildcard domain, and one for the _acme-challenge. The _acme-challenge CNAME is required for Railway to issue the SSL Certificate for your domain.

Wildcard Domains on Cloudflare

If you have a wildcard domain on Cloudflare, you must:

  • Turn off Cloudflare proxying is on the _acme-challenge record (disable the orange cloud)

  • Disable Cloudflare's Universal SSL

    Screenshot of Disabling Cloudflare Universal SSL

Target Ports

Target Ports, or Magic Ports, correlate a single domain to a specific internal port that the application listens on, enabling you to expose multiple HTTP ports through the use of multiple domains.

Example -

https://example.com/:8080

https://management.example.com/:9000

When you first generate a Railway-provided domain, if your application listens on a single port, Railway's magic automatically detects and sets it as the domain's target port. If your app listens on multiple ports, you're provided with a list to choose from.

When you add a custom domain, you're given a list of ports to choose from, and the selected port will handle all traffic routed to the domain. You can also specify a custom port if needed.

These target ports inform Railway which public domain corresponds to each internal port, ensuring that traffic from a specific domain is correctly routed to your application.

Screenshot of target port selection on a custom domain

You can change the automatically detected or manually set port at any time by clicking the edit icon next to the domain.

Adding a Custom Domain

When adding a root or apex domain to your Railway service, you must ensure that you add the appropriate DNS record to the domain within your DNS provider. At this time, Railway supports CNAME Flattening and dynamic ALIAS records.

Additional context

Generally, direct CNAME records at the root or apex level are incompatible with DNS standards (which assert that you should use an "A" or "AAAA" record). However, given the dynamic nature of the modern web and PaaS providers like Railway, some DNS providers have incorporated workarounds enabling CNAME-like records to be associated with root domains. Check out RFC 1912 if you're interested in digging into this topic.

Choosing the correct record type

The type of record to create is entirely dependent on your DNS provider. Here are some examples -

  • Cloudflare CNAME - Simply set up a CNAME record for your root domain in Cloudflare, and they take care of the rest under the hood. Refer to this guide for more detailed instructions.
  • DNSimple ALIAS - Set up an dynamic ALIAS in DNSimple for your root domain.
  • Namecheap CNAME - Set up an CNAME in Namecheap for your root domain.
  • bunny.net - Set up a ANAME in bunny.net for your root domain.

In contrast there are many nameservers that don't support CNAME flattening or dynamic ALIAS records -

Workaround - Changing your Domain's Nameservers

If your DNS provider doesn't support CNAME Flattening or dynamic ALIAS records at the root, you can also change your domain's nameservers to point to Cloudflare's nameservers. This will allow you to use a CNAME record for the root domain. Follow the instructions listed on Cloudflare's documentation to change your nameservers.

Adding a Root Domain With www Subdomain to Cloudflare

If you want to add your root domain (e.g., mydomain.com) and the www. subdomain to Cloudflare and redirect all www. traffic to the root domain:

  1. Create a Custom Domain in Railway for your root domain (e.g., mydomain.com). Copy the value field. This will be in the form: abc123.up.railway.app.
  2. Add a CNAME DNS record to Cloudflare:
    • Name@.
    • Target → the value field from Railway.
    • Proxy statuson, should display an orange cloud.
    • Note: Due to domain flattening, Name will automatically update to your root domain (e.g., mydomain.com).
  3. Add another CNAME DNS record to Cloudflare:
    • Namewww.
    • Target@
    • Proxy status: → on, should display an orange cloud.
    • Note: Cloudflare will automatically change the Target value to your root domain.
  4. Enable Full SSL/TLS encryption in Cloudflare:
    • Go to your domain on Cloudflare.
    • Navigate to SSL/TLS -> Overview.
    • Select Full, or Full (strict).
  5. Enable Universal SSL in Cloudflare:
    • Go to your domain on Cloudflare.
    • Navigate to SSL/TLS -> Edge Certificates.
    • Enable Universal SSL.
  6. After doing this, you should see Cloudflare proxy detected on your Custom Domain in Railway with a green cloud.
  7. Create a Bulk Redirect in Cloudflare:
    • Go to your Cloudflare dashboard.
    • Navigate to Bulk Redirects.
    • Click Create Bulk Redirect List.
    • Give it a name, e.g., www-redirect.
    • Click Or, manually add URL redirects.
    • Add a Source URL: https://www.mydomain.com.
    • Add Target URL: https://mydomain.com with status 301.
    • Tick all the parameter options: (Preserve query string, Include subdomains, Subpath matching, Preserve path suffix)
    • Click Next, then Save and Deploy.

Note: DNS changes may take some time to propagate. You may want to refresh your DNS cache by using commands like ipconfig /flushdns on Windows or dscacheutil -flushcache on macOS. Testing the URLs in an incognito window can also help verify changes.

TCP Proxying

You can proxy TCP traffic to your service by creating a TCP proxy in the service settings. Enter the port that you want traffic proxied to, Railway will generate a domain and port for you to use. All traffic sent to domain:port will be proxied to your service. This is useful for services that don't support HTTP, such as databases.

Screenshot of TCP proxy configuration

Currently we use a random load balancing strategy for TCP traffic.

Using HTTP and TCP Together

At the moment, Railway does not support exposing both HTTP and TCP over public networking, in a single service. Therefore, if you have a domain assigned, you will not see the option to enable TCP Proxy, and vice-versa. Meaning, you will need to remove one before you can enable the other.

If you have a usecase that requires exposing both HTTP and TCP over public networking, in one service, let us know!

Let's Encrypt SSL Certificates

Once a custom domain has been correctly configured, Railway will automatically generate and apply a Let's Encrypt certificate. This means that any custom domain on Railway will automatically be accessible via https://.

External SSL Certificates

We currently do not support external SSL certificates since we provision one for you.

Provider Specific Instructions

If you have proxying enabled on Cloudflare (the orange cloud), you MUST set your SSL/TLS settings to full or above.

Screenshot of Custom Domain

If proxying is not enabled, Cloudflare will not associate the domain with your Railway project. In this case, you will encounter the following error message:

ERR_TOO_MANY_REDIRECTS

Also note that if proxying is enabled, you can NOT use a domain deeper than a first level subdomain without Cloudflare's Advanced Certificate Manager. For example, anything falling under *.yourdomain.com can be proxied through Cloudflare without issue, however if you have a custom domain under *.subdomain.yourdomain.com, you MUST disable Cloudflare Proxying and set the CNAME record to DNS Only (the grey cloud), unless you have Cloudflare's Advanced Certificate Manager.

Support

Looking for the technical specs like timeouts, TLS information, rate limits etc? Check out the Public Networking reference page.

Having trouble connecting to your app from the internet? Check out the Fixing Common Errors guide or reach out on our Discord.


Edit this file on GitHub