a month ago
Hi Railway team,
Running into a CDN routing bug where Fastly rejects Cloudflare-origin traffic for a first-level subdomain, while accepting it for the apex on the same service. Looks like a Fastly VCL registration gap.
Setup matches your docs for first-level subdomains + Cloudflare:
- Apex (example.com) and subdomain (app.example.com) both added as custom domains on the same service
- CNAME on each pointing to the Railway-issued target
- Cloudflare Universal SSL, SSL mode Full (strict)
- Both Railway-required TXT verification records in place
Symptom:
With Cloudflare in "DNS only" (grey-cloud), app.example.com serves HTTP 200 correctly. With Cloudflare in "Proxied" (orange-cloud), every request returns HTTP 404 with x-railway-fallback: true and body {"status":"error","code":404,"message":"Application not found"} — served from x-railway-cdn-edge: fastly/.... This persists indefinitely.
Railway API confirms detection worked:
Querying domains(...) for the service returns cdnProvider: DETECTED_CDN_PROVIDER_CLOUDFLARE on both the apex and the subdomain when Cloudflare is proxied. Both show cdnMode: "off". So configuration is identical between the working apex and the broken subdomain.
What we already tried:
1. Flipped CF proxy on — detection fired, Fastly still returns fallback (5+ min)
2. Deleted the CustomDomain, re-added it with Cloudflare proxied from the start (new Railway target issued), waited 5+ min — same 404 fallback
3. Confirmed apex works correctly through the same Cloudflare zone at the same time
This suggests Fastly's VCL routing table wasn't updated to accept the subdomain's hostname for Cloudflare-origin traffic, even though Railway's dashboard/API report everything as healthy. Apex must have been registered via a different code path.
Ask:
Can you manually refresh the Fastly config for the subdomain on our service? Or if the automation has a subdomain gap, please flag it internally — happy to re-enable CF proxy for a short window so you can observe live.
Currently reverted to grey-cloud to keep the site up. Will share project/service IDs privately once a ticket is assigned. Let me know when you'd like me to flip CF back to proxied for testing.
Thanks
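
Added example, not part of the original post and not Railway's own tooling: a triage helper that takes the same hostname's raw response captured in "DNS only" and in "Proxied" mode and reports whether the 404 is the edge fallback described above or an error from the application. The sample responses are constructed from the symptom in the post; the `fastly/EXAMPLE` value and all function names are assumptions.

```python
import json
from email.parser import Parser

# Constructed sample responses modelled on the symptom in the post. The
# edge identifier is a placeholder because the post elides it ("fastly/...").
PROXIED = (
    "HTTP/1.1 404 Not Found\r\n"
    "content-type: application/json\r\n"
    "x-railway-fallback: true\r\n"
    "x-railway-cdn-edge: fastly/EXAMPLE\r\n"
    "\r\n"
    '{"status":"error","code":404,"message":"Application not found"}'
)
DNS_ONLY = "HTTP/1.1 200 OK\r\ncontent-type: text/html\r\n\r\n<html>ok</html>"


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    status = int(status_line.split()[1])
    # email.parser gives case-insensitive header lookup.
    headers = Parser().parsestr(header_block, headersonly=True)
    return status, headers, body


def is_edge_fallback(raw):
    """True when the 404 carries the edge fallback header and body."""
    status, headers, body = parse_response(raw)
    if status != 404 or headers.get("x-railway-fallback", "").lower() != "true":
        return False
    try:
        return json.loads(body).get("message") == "Application not found"
    except (ValueError, AttributeError):
        return False  # not the JSON fallback body


def triage(dns_only_raw, proxied_raw):
    """Classify the pair of captures taken grey-cloud and orange-cloud."""
    direct_fallback = is_edge_fallback(dns_only_raw)
    proxied_fallback = is_edge_fallback(proxied_raw)
    if proxied_fallback and not direct_fallback:
        return "edge-fallback-when-proxied"
    if proxied_fallback and direct_fallback:
        return "edge-fallback-always"
    if parse_response(proxied_raw)[0] >= 400:
        return "origin-error"
    return "ok"
```

A result of `edge-fallback-when-proxied` matches the report above: the request never reached the application, so application logs will show nothing for it.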
3 Replies
Status changed to Open Railway • 29 days ago
a month ago
IIRC the SSL should be set to Full (not strict).
https://docs.railway.com/networking/domains/working-with-domains#cloudflare-configuration
0x5b62656e5d
a month ago
Thanks — good callout, but we're already on Full (not Full (strict)). Just double-checked via API: zone SSL mode returns "value": "full", cert active. My earlier message saying "Full (strict)" was wrong, apologies.
23 days ago
Hello?