403 Cloudflare And varnish cache server Error
niloyblueee
HOBBYOP

5 months ago

My website is hosted on Railway, and the domain is proxied through Cloudflare. The proxy status was enabled (orange cloud), and everything worked fine for about four to five months.

A few hours ago, I suddenly started receiving a 403 error when trying to access the website through the domain. Anyone who visits the domain sees the same error. I researched the issue and found possible causes like headless browser detection or suspicious regional activity. I tried changing the server region from Singapore to the US and UK, but that did not fix the problem.

What finally worked was disabling the Cloudflare proxy (changing from orange cloud to gray cloud). After turning the proxy off, the website started working normally again.

Now I have a few questions: Has anyone faced a similar issue? What is the actual cause of this problem? I also found information saying Railway does not provide built-in DDoS protection or CDN services. If that is true, can I safely rely on gray cloud (DNS-only) mode for 24/7 uptime? Can I get DDoS protection from Railway without using Cloudflare? What was the main cause of the original 403 error?

403.jpeg

Attachments

Solved

13 Replies

5 months ago

I'm also getting this intermittently with Cloudflare


5 months ago

I'm going to try disable the Cloudflare proxy as well. Thanks for the tip 🙂


I am having this as well, they recently rolled out Fastly DDoS protection. I am wondering if we are getting hit with a false positive. My applications are not accessible on my home network at all. Either that or Cloudflare is having issues.

Edit: I am wondering now if the cloudflare proxy is just clashing with Fastly.


5 months ago

Disabling cloudflare proxy fixed it for me. I guess I'm using Fastly now haha


5 months ago

Hello all,

We are looking into this, thank you for your continued patience.


basicceddie
HOBBY

5 months ago

502 from nginx usually means it can’t reach the gateway even though containers are running.

Check:

• nginx isn’t proxying to localhost (use service/container name instead)

• gateway listens on 0.0.0.0, not 127.0.0.1

• correct port is used (Railway often requires $PORT)

• nginx error logs → they usually show the exact issue (refused/timeout/etc)

• websocket apps need upgrade headers enabled

• http vs https mismatch between nginx and upstream

Containers being “up” doesn’t always mean the service is reachable 👍


niloyblueee
HOBBYOP

4 months ago

hey would you mind, describing this "fastly" ddos thing ? @Jasper


4 months ago

Railway announced a partnership with Fastly, a CDN/DDoS protection platform.

I was originally using Cloudflare for that, but seemingly Railway doesn't support Cloudflare Proxy anymore, so I'm just relying on Railway's DDoS protection (Fastly) 🙂


niloyblueee
HOBBYOP

4 months ago

oh wow, damn

this changelog was on 20th , i got the error on 21st . Might make sense that 2x Protection aint the way to go afterall xD

guess we are Fastly protected for now . But it would be a good option to get Cloudflare into this as well. Or maybe if we had the chance to choose🤷‍♂️


niloyblueee
HOBBYOP

4 months ago

oh wow, damn

this changelog was on 20th , i got the error on 21st . Might make sense that 2x Protection aint the way to go afterall xD

guess we are Fastly protected for now . But it would be a good option to get Cloudflare into this as well. Or maybe if we had the chance to choose🤷‍♂️


4 months ago

I assume they intend to support both options, we'll likely see a message next week 🙂


4 months ago

I've only had a report of 1 user facing the issue, at the time I didn't know the solution was to disable cf proxy but now that's useful info from the thread of replies here.

Image

Attachments


4 months ago

Our DDoS baseline for request mitigation was far too aggressive, we have since worked with the Fastly team to correct this. No legitimate requests are being incorrectly flagged as DDoS anymore.


Status changed to Solved brody 4 months ago


Welcome!

Sign in to your Railway account to join the conversation.

Loading...