a month ago
I know running Caddy on Railway has been discussed here before, and I’ve gone through the existing threads and workarounds. Unfortunately, those approaches don’t work for my situation, so I wanted to lay out the exact setup and blocker I’m running into.
What I’m trying to do
I want to run a Caddy server on Railway that acts as an edge proxy for customer-owned custom domains.
In my setup, I assign a Railway custom domain directly to the Caddy service, for example:
cname.my-domain.com
My customers then create a CNAME record pointing their domain to that hostname.
Caddy’s responsibility is to:
Receive traffic for the customer’s domain
Automatically provision an SSL certificate for that domain (ACME)
Reverse proxy traffic to my internal web app
Intended flow (simplified):
customer-domain.com
|
| CNAME
v
cname.my-domain.com
|
| (Caddy provisions SSL for customer-domain.com)
v
Caddy Server
|
| reverse_proxy
v
Web App / API
The problem
When I attach cname.my-domain.com as a custom domain on the Caddy service, Railway automatically provisions and enforces its own SSL certificate for that domain.
As a result:
TLS is terminated at Railway using a Railway-managed certificate
That certificate does not match the customer’s hostname
Caddy never sees the raw TLS connection
Caddy cannot complete ACME challenges or present its own cert
Browsers fail with hostname / certificate mismatch errors
Because Railway controls TLS termination for custom domains, Caddy never gets the opportunity to manage certificates itself, which breaks this entire pattern.
What seems necessary
For this use case to work, there needs to be a way to:
Disable Railway-managed SSL for a custom domain, or
Allow a “bring your own TLS termination” mode, or
Support TCP / TLS passthrough so Caddy can fully control certificates
This is a very common requirement for multi-tenant SaaS platforms that allow customers to bring their own domains, and Caddy is specifically designed to handle this workflow.
I’d love to keep this app on Railway, but this limitation currently makes that impossible for my use case. Happy to provide more details or test any experimental options if helpful.
Thanks!
— Dave
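For the Caddy side of the flow described above (the part that only applies once Caddy can terminate TLS itself), per-customer certificates are normally issued through Caddy's on-demand TLS, which asks an authorization endpoint before requesting a certificate for a hostname it has not seen before. The sketch below is an added example, not code from this post, Caddy or Railway: it implements that "ask" endpoint so certificates are only issued for registered customer domains. The /check path, port 5555 and the hostname list are assumptions.

```go
// Added example: authorization ("ask") endpoint for Caddy on-demand TLS.
package main

import (
	"log"
	"net/http"
	"strings"
)

// Constructed sample data: customer hostnames registered in the SaaS app.
var registered = map[string]bool{
	"customer-domain.com":       true,
	"shop.customer-two.example": true,
}

// normalize lowercases the name and strips a trailing dot. It returns ""
// for wildcards, single-label names and anything that is not a plain hostname.
func normalize(domain string) string {
	d := strings.TrimSuffix(strings.ToLower(strings.TrimSpace(domain)), ".")
	if d == "" || len(d) > 253 || strings.ContainsAny(d, "*/:@ \t") || !strings.Contains(d, ".") {
		return ""
	}
	return d
}

// askStatus decides the response code. Caddy sends GET ?domain=<name>;
// a 2xx answer permits issuance, any other status denies it.
func askStatus(method, domain string) int {
	if method != http.MethodGet {
		return http.StatusMethodNotAllowed
	}
	if d := normalize(domain); d == "" || !registered[d] {
		return http.StatusForbidden
	}
	return http.StatusOK
}

// askHandler exposes askStatus over HTTP for Caddy to query.
func askHandler(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(askStatus(r.Method, r.URL.Query().Get("domain")))
}

func main() {
	http.HandleFunc("/check", askHandler)
	// Bind to loopback only: the endpoint is meant for Caddy, not the internet.
	log.Fatal(http.ListenAndServe("127.0.0.1:5555", nil))
}
```

Without such a check, anyone who points a DNS record at the edge hostname can make the proxy request certificates for arbitrary names and exhaust the ACME rate limits.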
2 Replies
a month ago
Hi there,
Upon speaking with the Caddy team, I think we would need a new Railway feature to support this. Basically, Railway provisions an existing SSL certificate already.
Would you be able to submit a feature request in Central Station for this, and we'll see who upvotes it?
Thank you!
The Railway Team
Status changed to Solved sarahkb125 • about 1 month ago
a month ago
I can do that, but I need this now. I have to move to AWS if you don't have support for this. There are a lot of threads in station about this and most of them are unresolved.
Status changed to Open Railway • about 1 month ago