railway ip whitelisting via caddy
miroblog
PROOP

3 months ago

I have a setup like this in Caddy to whitelist certain IPs:

{
    admin off
    servers {
        trusted_proxies static private_ranges 100.64.0.0/10
    }
}

:{$PORT:8000} {
    @allowed client_ip {$CADDY_IP_WHITELIST:0.0.0.0/0}
    handle @allowed {
        reverse_proxy localhost:9000
    }
    respond "Access denied" 403
}

The problem: I can't get the real client IP — it seems to be overridden by the cache server (cache-icn1450077-ICN).

Here are the headers I'm seeing:

X-Forwarded-For: <my-ip>, 157.52.116.77, 100.64.0.2
X-Forwarded-Host: ???.app
X-Forwarded-Proto: https
X-Forwarded-Server: cache-icn1450077-ICN
X-Orig-Host: ???.app
X-Railway-Edge: railway/----
X-Railway-Request-Id: ----
X-Real-Ip: 157.52.116.77

My actual IP is the first value in X-Forwarded-For, but X-Real-Ip shows 157.52.116.77 instead.

It looks like this started happening after Railway's recent DDoS protection changes (around February). The behavior is intermittent — sometimes it works correctly, sometimes it doesn't.

How can I reliably extract the real client IP?

Solved$20 Bounty

Pinned Solution

miroblog
PROOP

3 months ago

Oh i figured out ...

- https://blog.railway.com/p/incident-report-february-19-2026

- Envoy -> Fastly

so use this pattern where

- fastly ip ranges : https://api.fastly.com/public-ip-list

- caddy at 8080

- your app port 9000

`{

admin off

servers {

trusted_proxies static

trusted_proxies_strict

}

}

:${PORT:8000} {

@allowed client_ip {${CADDY_IP_WHITELIST:0.0.0.0/0}}

handle @allowed {

reverse_proxy localhost:9000

}

respond "Access denied" 403

}`

4 Replies

miroblog
PROOP

3 months ago

Fastly-Client-Ip: xxx

seems like this can be ovewritten by curl -H . so it did not help

xmrafonso
FREE

3 months ago

Hey,

You can either trust all proxies (would work, but insecure) or you'd handle it whitelisting in your app directly but all of these can be faked.

The problem relies on the fact that railway does not publicly provide stable edge ip ranges, so there is no way to validate authenticity of requests.

But I did find the following ips for railway servers in another thread:

California, United States - 162.220.232.0/23

Virginia, United States - 162.220.234.0/23

Amsterdam, Netherlands - 208.77.244.0/23

Singapore - 208.77.246.0/23

So I guess you can try to use these.

miroblog
PROOP

3 months ago

Oh i figured out ...

- https://blog.railway.com/p/incident-report-february-19-2026

- Envoy -> Fastly

so use this pattern where

- fastly ip ranges : https://api.fastly.com/public-ip-list

- caddy at 8080

- your app port 9000

`{

admin off

servers {

trusted_proxies static

trusted_proxies_strict

}

}

:${PORT:8000} {

@allowed client_ip {${CADDY_IP_WHITELIST:0.0.0.0/0}}

handle @allowed {

reverse_proxy localhost:9000

}

respond "Access denied" 403

}`

brody
EMPLOYEE

3 months ago

We have been off Envoy for many years at this point.

Status changed to Awaiting User Response Railway 3 months ago

Status changed to Solved brody 3 months ago

Welcome!

Sign in to your Railway account to join the conversation.

Login
Loading...