11 days ago
Hi team,
My production service is blocking requests from almost every IP except my own home network. This is stopping Anthropic's Claude from connecting to it via MCP, and other external integrations have stopped working too. I'm not technically experienced — I had an AI assistant help me investigate, and we narrowed it down to something on Railway's side, not in my code.
My service
- Project: b-brain-hub-production
- Public URL: https://b-brain-hub-production.up.railway.app
- No custom domain, no TCP proxy — just the default .up.railway.app domain on port 8080.
- Stack: Node 20 + Express. No IP-allowlist code or middleware in the app (we grepped the codebase and dependencies).
What's happening
From most networks, every URL on my service returns:
HTTP/2 403
x-deny-reason: host_not_allowed
content-type: text/plain
content-length: 21
Host not in allowlist
The 403 response is missing your usual edge headers (server: railway-edge, x-railway-request-id, x-railway-edge) — but successful responses include all of them. The header name x-deny-reason and the body Host not in allowlist do not appear anywhere in my code, dependencies, or environment variables.
Confirmed IP dependence (same minute, same paths)
- From my home Wi-Fi: GET /api/health-check → HTTP/2 200 with full Railway headers; request id XV6nN-ErTBm8LC-7jq4OvQ.
- From a sandbox VM on a different ASN: every path returns the 403 above.
- From my phone on cellular (Wi-Fi off): also unreachable.
Affected paths include:
- POST /mcp/v2
- GET /.well-known/oauth-protected-resource
- GET /.well-known/oauth-authorization-server
- GET /api/health-check
Reproduction
curl -i -X POST -H "Content-Type: application/json" -d '{}' \
  https://b-brain-hub-production.up.railway.app/mcp/v2
Reference IDs for log correlation
- Successful request id (from my home IP): XV6nN-ErTBm8LC-7jq4OvQ
- Earlier successful request id: fFvjkGU3Sx60LY2v6WHkDg
- Error references from Claude when its connector tried to reach the service: ofid_9b2bae343c845fa2 and ofid_3201da116f50a22b (most recent attempt, just now)
- My current outbound IP (the one that's getting through) is on the Fastly/Apple-relay range — happy to share the exact address privately if it helps your team correlate logs.
My questions
- What is emitting the x-deny-reason: host_not_allowed header? Is it a Railway edge feature, a beta access-control or anti-abuse rule, or a proxy in front of the edge?
- Is there a setting in my project that turned this on? If so, where in the dashboard can I manage it?
- The MCP endpoint needs to be reachable from Anthropic's servers (Claude's backend), not just from my browser. Can you check whether their IP ranges are being blocked, and tell me how to allow them?
Thank you!
1 Replies
Status changed to Awaiting Railway Response Railway • 11 days ago
11 days ago
Hi! Your service definitely appears "healthy" right now externally - I'm able to connect to it from my side just fine (haven't tried your MCP server directly though). We're not seeing any logs on our side currently indicating a problem. Was this previously working and it stopped recently? Does the root page load up for you (the login that I'm currently looking at on my side)?
Status changed to Awaiting User Response Railway • 11 days ago
Status changed to Solved bethanyrussell • 10 days ago
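
The diagnosis in the original post rests on which headers each response carries. As an added example (not code from the thread or from Railway), the Node.js code below parses raw `curl -i` output and reports whether the edge markers named in the post are present. The function names, the verdict labels and the 200 sample are assumptions of this example; the 403 sample is copied from the post.

```javascript
// Added example: classify a raw `curl -i` response by the markers it carries.
// Header names come from the post; verdict labels are this example's own.
const EDGE_HEADERS = ['x-railway-request-id', 'x-railway-edge'];

function parseResponse(raw) {
  // Split the header block from the body at the first blank line.
  const [head, ...rest] = raw.replace(/\r\n/g, '\n').split('\n\n');
  const lines = head.split('\n').filter(Boolean);
  const m = /^HTTP\/[\d.]+\s+(\d{3})/.exec(lines[0] || '');
  if (!m) throw new Error('not an HTTP response: missing status line');
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(':');
    if (i < 1) continue; // skip malformed header lines
    headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { status: Number(m[1]), headers, body: rest.join('\n\n').trim() };
}

function classify(raw) {
  const { status, headers, body } = parseResponse(raw);
  const edgeSeen = EDGE_HEADERS.filter((h) => h in headers);
  if (headers.server === 'railway-edge') edgeSeen.push('server');
  const denyReason = headers['x-deny-reason'] || null;
  // A denial with none of the edge markers is the case the post describes.
  const verdict = edgeSeen.length > 0 ? 'edge-markers-present'
    : denyReason ? 'denied-without-edge-markers'
    : 'no-edge-markers';
  return { status, verdict, denyReason, edgeSeen, body };
}

// The 403 exactly as quoted in the post.
const SAMPLE_403 = ['HTTP/2 403', 'x-deny-reason: host_not_allowed',
  'content-type: text/plain', 'content-length: 21', '',
  'Host not in allowlist'].join('\r\n');
// Constructed 200: header names from the post, x-railway-edge value is a placeholder.
const SAMPLE_200 = ['HTTP/2 200', 'server: railway-edge',
  'x-railway-request-id: XV6nN-ErTBm8LC-7jq4OvQ',
  'x-railway-edge: placeholder-edge-value', '', '{}'].join('\r\n');

for (const sample of [SAMPLE_403, SAMPLE_200]) console.log(classify(sample));
```

Running the same check on `curl -i` output captured from each network shows, per vantage point, whether the response carried the edge markers or only the deny header.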