2 months ago
Starting around March 30-31, requests to a service hosted on Railway began failing with Cloudflare error 1000 ("DNS points to prohibited IP") when the request is proxied onward to a Cloudflare-fronted origin (Discord's API).
The root cause is the CF-Connecting-IP header. Cloudflare rejects any inbound request containing this header (as it's a reserved internal header), returning a 403 with error code 1000. Our container proxies requests to Discord's API, which is behind Cloudflare. This setup was previously working, which suggests that CF-Connecting-IP was not previously reaching our container but now is — likely due to recent changes in Railway's edge infrastructure.
We resolved it by stripping the CF-Connecting-IP header in our Caddy config before forwarding upstream.
2 Replies
Status changed to Awaiting Railway Response Railway • about 2 months ago
Status changed to Awaiting User Response Railway • about 2 months ago
2 months ago
Thanks for confirming. I had thought it was most likely related to your recent CDN rollout, but if not, that means the change could have been on Discord’s or Cloudflare’s end. This wasn’t previously an issue, the same deployment had been running without changes for weeks before this suddenly broke. Good info nonetheless. Thanks.
Status changed to Awaiting Railway Response Railway • about 2 months ago
Status changed to Solved evaera • about 2 months ago