a month ago
Hi Railway Support,
I'm running a service on a Hobby plan and I'm experiencing a constant flow of malicious scanners hitting my deployment 24/7.
I already have a security layer in place that blocks these requests (WordPress probes, .git exposure attempts, credential file scans, xmlrpc.php, etc.), but the volume is significant and non-stop.
I have two main concerns:
1. Resource consumption – Even though these requests are blocked at the application level, do they still count toward my Railway usage (compute, bandwidth, or request limits)? If the traffic hits my container before being dropped, I'd like to understand exactly where in the stack the billing meter starts.
2. Upstream mitigation – Is there any Railway-native way to block these scanners before they reach my service? For example:
- IP blocklists or rate limiting at the Railway edge/proxy level
- Custom firewall rules
- Cloudflare integration or similar WAF support
Here is a small sample of what my logs look like continuously:
```
[security] Blocked scanner 157.49.73.19 → /xmlrpc.php
[security] Blocked scanner 158.94.209.109 → /.git/HEAD
[security] Blocked scanner 127.0.0.1 → /wp-content/dump.sql
```
This is generating a lot of noise and potentially unnecessary resource usage. Any guidance on upstream filtering or Railway-level protections would be greatly appreciated.
Thank you,
Soro
Pinned Solution
a month ago
Hello sorono-dev,
on billing , railway charges for allocated resources (cpu/ram) not per request, and outbound egress is billed at $0.05/gb , so even your small blocked responses do generate a tiny bit of egress over time.
on upstream protection, Railway only protects at network layer 4 and below, and they do not provide protection on the application layer. if you need waf functionality, theyrecommend using cloudflare alongside railway, so no native ip blocklist, no edge firewall rules, no rate limiting per service. cloudflare is literally their official recommended solution
so the practical fix i suggest to you is to put cloudflare in front of your railway service (orange cloud proxied), set railway as origin, then use cloudflare's free waf rules to block xmlrpc.php, .git probes, wp scans etc before they ever hit your container . that's the only supported upstream filter railway offers right now
Hope this help you :)
3 Replies
Status changed to Awaiting Railway Response Railway • about 1 month ago
Status changed to Open Railway • about 1 month ago
a month ago
Hello sorono-dev,
on billing , railway charges for allocated resources (cpu/ram) not per request, and outbound egress is billed at $0.05/gb , so even your small blocked responses do generate a tiny bit of egress over time.
on upstream protection, Railway only protects at network layer 4 and below, and they do not provide protection on the application layer. if you need waf functionality, theyrecommend using cloudflare alongside railway, so no native ip blocklist, no edge firewall rules, no rate limiting per service. cloudflare is literally their official recommended solution
so the practical fix i suggest to you is to put cloudflare in front of your railway service (orange cloud proxied), set railway as origin, then use cloudflare's free waf rules to block xmlrpc.php, .git probes, wp scans etc before they ever hit your container . that's the only supported upstream filter railway offers right now
Hope this help you :)
domehane
Hello **sorono-dev,** on billing , railway charges for allocated resources (cpu/ram) not per request, and outbound egress is billed at $0.05/gb , so even your small blocked responses do generate a tiny bit of egress over time. on upstream protection, Railway only protects at network layer 4 and below, and they do not provide protection on the application layer. if you need waf functionality, theyrecommend using cloudflare alongside railway, so no native ip blocklist, no edge firewall rules, no rate limiting per service. cloudflare is literally their official recommended solution so the practical fix i suggest to you is to put cloudflare in front of your railway service (orange cloud proxied), set railway as origin, then use cloudflare's free waf rules to block xmlrpc.php, .git probes, wp scans etc before they ever hit your container . that's the only supported upstream filter railway offers right now Hope this help you :)
a month ago
Ok i see how it works thank you for your time I'll test the solution coming back once done
sorono-dev
Ok i see how it works thank you for your time I'll test the solution coming back once done
a month ago
okay
Status changed to Solved brody • 17 days ago