lask App – Outbound Proxy Requests Blocked / Proxy Tunnels Failing
mrgrupprr
HOBBYOP

3 months ago

I'm running a Flask application that needs to perform outbound requests through external proxies. Suddenly all proxy tunnels are being blocked — including HTTPS CONNECT tunnels — and it appears that other outbound proxy endpoints are failing as well.

The issue is not limited to a single provider; all outbound proxy attempts return either blocked responses, HTML error pages instead of JSON, or fail with tunnel connection errors. Direct requests (without proxies) still work, so the problem seems to affect only proxied outbound traffic.

Has anyone experienced similar behavior?
What could cause Flask (or the hosting environment) to block all outbound proxy connections?
Any known restrictions from Railway / Render / Docker containers / firewalls that would prevent CONNECT-based proxy usage?

Any guidance or diagnostic steps would be appreciated.

Solved$10 Bounty

3 Replies

Railway
BOT

3 months ago

Hey there! We've found the following might help you get unblocked faster:

If you find the answer from one of these, please let us know by solving the thread!

bytekeim
PRO

3 months ago

Hey, I've run into this exact issue before and it drove me crazy for a while. Here's what finally worked for me:

First thing to check - go to your Railway dashboard and look at your environment variables. I had HTTP_PROXY and HTTPS_PROXY set from an old config and didn't realize they were interfering. Remove anything related to proxies (HTTP_PROXY, HTTPS_PROXY, http_proxy, https_proxy, NO_PROXY). This fixed it for me about 60% of the time.

Try running this to see what's actually happening:

python

import os
import requests

# see if there's any proxy vars set
print("HTTP_PROXY:", os.environ.get('HTTP_PROXY'))
print("HTTPS_PROXY:", os.environ.get('HTTPS_PROXY'))

# test without proxy first
try:
    direct = requests.get('https://httpbin.org/ip', timeout=10)
    print(f"Direct works: {direct.status_code}")
except Exception as e:
    print(f"Direct failed: {e}")

# now test your proxy
proxies = {'http': 'your-proxy-url', 'https': 'your-proxy-url'}
try:
    proxied = requests.get('https://httpbin.org/ip', proxies=proxies, timeout=10)
    print(f"Proxy works: {proxied.status_code}")
except Exception as e:
    print(f"Proxy error: {e}")

Other stuff that might be the culprit:

  • A lot of proxy providers need you to whitelist IPs. Railway doesn't give you static IPs unless you pay for it, so your proxy service might be rejecting the requests. You'd need to either get Railway's static IP addon or ask your proxy provider if they can whitelist Railway's IP ranges.

  • Some proxy services straight up block datacenter/cloud IPs because of abuse. Worth checking if yours does that.

  • Could also be that your proxy provider changed something on their end. I'd check their status page or reach out to support.

Quick things to try:

  • Swap to a different proxy provider temporarily just to see if it's your current one causing problems

  • Double check your proxy credentials are still good

  • Maybe add some retry logic with requests.Session() in case it's just being flaky

If none of that works, you might need something like QuotaGuard to get a static IP that plays nice with Railway, or just switch to a proxy service that explicitly works with PaaS platforms.

Let me know what happens when you try the diagnostic script - might help narrow it down more.

heart1
mrgrupprr
HOBBYOP

3 months ago

Thanks for the suggestions! I went through all those steps already, but the issue turned out to be something completely different - and pretty sneaky.

What was actually happening:

The API I'm calling uses Akamai CDN for protection. Turns out, Akamai can detect how your app makes HTTPS connections - something called "TLS fingerprinting." Basically, Python's standard requests library has a unique "handshake signature" that looks different from a real web browser.

When Akamai sees this signature coming from a cloud server (Railway, Render, Heroku, etc.), it thinks: "This doesn't look like a real user, probably a bot" → 403 Forbidden or 404 HTML error page.

The same exact code works perfectly on your local machine because home IPs aren't scrutinized as heavily.

The fix:

Instead of the standard requests library, use curl_cffi - it makes your Python app's HTTPS connections look exactly like Chrome:

from curl_cffi import requests as cffi_requests

response = cffi_requests.get(
    "https://api.example.com/endpoint",
    impersonate="chrome120"
)

That's it. Same code, just different library. The API can't tell the difference between your Python app and someone browsing with Chrome.

Why this matters for Railway users:

Cloud platforms share IP ranges that APIs already view with suspicion. Combine that with Python's obvious TLS fingerprint, and you get blocked. This isn't a Railway issue specifically - it happens on any cloud platform hitting APIs protected by Akamai, Cloudflare, or similar CDNs.

If you're getting weird 403s or HTML responses when expecting JSON, TLS fingerprinting is probably the culprit. curl_cffi has been a game-changer for me.

Status changed to Open brody 3 months ago

Status changed to Solved brody 3 months ago

Loading...