2 days ago
Domain: unisonhq.in (proxied through Cloudflare, Full Strict TLS).
Problem: Our users are in India. Cloudflare-proxied traffic to unisonhq.in is egressing to Railway's us-west2 edge, adding a large cross-Pacific round-trip. Confirmed via response headers: https://unisonhq.in/ returns X-Railway-Edge: railway/us-west2 on every request (served from Cloudflare's SIN PoP). For comparison, our service's direct *.up.railway.app URL returns x-railway-edge: railway/asia-southeast1 - so direct anycast correctly reaches your Singapore edge; only the Cloudflare egress path is going to us-west2.
Per your Central Station guidance ("Cloudflare Routing to another server region"), this looks like Cloudflare egress picking a suboptimal path, fixable by BGP traffic engineering on your side.
Ask: Please apply BGP traffic engineering so Cloudflare-proxied traffic for unisonhq.in enters at the asia-southeast1 edge. We're moving this service's compute to asia-southeast1 and need the entry edge to match so the path is Cloudflare → asia-southeast1 edge → asia-southeast1 service.
Thank you!
8 Replies
Status changed to Awaiting Railway Response Railway • 2 days ago
2 days ago
Would really appreciate someone looking into this issue here, we're are hoping to migrate our db and this is a blocker right now.
2 days ago
Thanks for the headers, that's genuinely helpful for narrowing this down. Two parts:
- Quick fix on your side first: switch your Cloudflare SSL/TLS mode from Full (Strict) to Full. Our docs call this out, Full (Strict) doesn't behave as intended with proxied domains pointed at Railway.
- On the routing itself: Cloudflare's Singapore PoP egressing to our us-west2 edge instead of asia-southeast1 is a known origin-pull pattern. I'm raising it with our networking team to see whether traffic engineering can improve the path, and I'll follow up here.
The fact that your *.up.railway.app domain correctly lands on asia-southeast1 confirms our anycast is doing the right thing, so this is specifically the Cloudflare egress leg, not your config.
Status changed to Awaiting User Response Railway • 2 days ago
angelo-railway
Thanks for the headers, that's genuinely helpful for narrowing this down. Two parts: 1. Quick fix on your side first: switch your Cloudflare SSL/TLS mode from Full (Strict) to Full. Our docs call this out, Full (Strict) doesn't behave as intended with proxied domains pointed at Railway. 2. On the routing itself: Cloudflare's Singapore PoP egressing to our us-west2 edge instead of asia-southeast1 is a known origin-pull pattern. I'm raising it with our networking team to see whether traffic engineering can improve the path, and I'll follow up here. The fact that your `*.up.railway.app` domain correctly lands on asia-southeast1 confirms our anycast is doing the right thing, so this is specifically the Cloudflare egress leg, not your config.
2 days ago
thanks Angelo! Before I change SSL mode, we front real user PII, so I'd prefer to keep Full (Strict) for the authenticated origin leg unless it's genuinely incompatible. Are you seeing actual cert errors on our domain, or is Full just a precaution?
either way, the blocker for us right now, is Part 2 the SG PoP - us-west2 egress. Please let me know once the networking team can route unisonhq.in to asia-southeast1; we're holding off our DB migration until then. Appreciate your support!!
Status changed to Awaiting Railway Response Railway • 1 day ago
a day ago
Hey Angelo & team, just checking in on this when you have a moment. Happy to provide any additional information if needed. Thanks!
17 hours ago
Happy friday team! following up for an update here, would really appreciate it!
16 hours ago
We recommend removing the Cloudflare proxy (orange->grey cloud) for the time being. They are having a few issues routing correctly to our edge.
Is there anything that you use the Cloudflare proxy for that you can't get from the Railway platform? Would love to know as we're currently prioritizing work on our edge offering.
Status changed to Awaiting User Response Railway • about 16 hours ago
phin
We recommend removing the Cloudflare proxy (orange->grey cloud) for the time being. They are having a few issues routing correctly to our edge. Is there anything that you use the Cloudflare proxy for that you can't get from the Railway platform? Would love to know as we're currently prioritizing work on our edge offering.
11 hours ago
Thanks Phin. We mainly used the Cloudflare proxy for DDoS/bot protection and origin masking (and we keep Cloudflare R2 for file storage either way). We're going to migrate our prod service + Postgres to asia-southeast1 and switch the domain to DNS-only in the same window, so the SG anycast edge is co-located with the service.
- Can you confirm our custom domain unisonhq.in will serve directly on your edge in DNS-only mode? (We verified Railway already presents a valid LE cert for it.)
- In DNS-only, will requests from India reliably enter at asia-southeast1, or is there anything we should pin?
- Is the Part-2 networking fix (Cloudflare egress → asia-southeast1) still on the roadmap? We'd like to return to the proxied setup later to regain WAF/DDoS once the egress path is fixed.
Status changed to Awaiting Railway Response Railway • about 11 hours ago
5 hours ago
Yes, in DNS-only mode unisonhq.in will serve directly from our edge, and since we already present a valid certificate for the domain, nothing else needs to change on your side. Entry point in DNS-only follows the same anycast path as your .up.railway.app test, which landed on asia-southeast1 from India, so your custom domain will behave the same once the proxy is off. There is nothing you need to pin. On the Cloudflare egress path, we don't have a timeline to share yet, so DNS-only is the right setup for now and we'll update you here when that changes.
Status changed to Awaiting User Response Railway • about 5 hours ago