Use case:

My app is behind cloudflare and a custom domain is set up so that app.myapp.com points to web-production-a20f.up.railway.app, staging.myapp.com to the staging environment etc.

The custom domain has cloudflare access enabled, so we can control who can access staging / apply WAF rules to the domain.

Other tools like our auth provider allow wildcard allow-lists too, but we have to currently enter *.railway.up which opens us up to any railway app being able to interact with these services.

We rely heavily on preview deploys, and would like to be able to point web-myapp-pr-xx.mydomain.com or web-myapp-pr-xx.app.mydomain.com to web-myapp-pr-xx.up.railway.app, so that we can enforce similar access control for preview deployments

Current workarounds explored:

• A github action to manually provision the custom domain and cloudflare DNS settings per preview deploy. We might end up doing this, but it's not ideal

• Setting up a cloudflare worker to reverse proxy all requests for PR deploys. Not ideal because then we still have to publicly expose the railway.up domains (or add app-logic to block)

• Create a reverse-proxy within railway. Slgihtly better than the worker as it can use the internal network, but still not ideal

Another user asked for similar a few years ago:

https://station.railway.com/feedback/custom-domain-for-ephemeral-pr-environme-90600ad7