a month ago
We're seeing outbound requests from our application use IPs that are not the one we have configured. This is causing 401s with an upstream service as it allows only a single IP per API key.
The earliest instance we have of this is June 3rd at 09:18 UTC and it appears to be ongoing. See second image for the actual IPs this service was receiving requests from.
FWIW, we host this service on Railway in a different project. The project linked to this help thread is the one with the configured static outbound IP.
34 Replies
a month ago
During build the static IP is not used.
a month ago
It's not during build.
a month ago
It would be during build.
a month ago
Our last deployment was 18 hours ago, all of the 401s we've seen are since then.
a month ago
Tho I'll clarify that in my original post I typo'd June 2nd instead of June 3rd - this started today.
a month ago
(I'll fix that)
a month ago
Besides, all of these outgoing requests are user-triggered which can only happen from an active deployment.
a month ago
That is a DataCamp IP. We use DataPacket for builds; zero user workloads run on them.
a month ago
I promise you that these requests are not occuring during builds. We have 0 code paths that could ever hit this. It requires an active user session which simply could not exist at build time, unless your build agents know how to OAuth login with Google.
a month ago
It is occurring during some build somewhere on the platform, again we do not run user workloads on DataPacket.
a month ago
Nor do we run the egress gateways on DataPacket.
a month ago
root@57ffbad2fe04:/var/www# wget -O - https://utilities-eu-west.up.railway.app/raw
--2026-06-03 20:48:02-- https://utilities-eu-west.up.railway.app/raw
Resolving utilities-eu-west.up.railway.app (utilities-eu-west.up.railway.app)... 69.46.46.76
Connecting to utilities-eu-west.up.railway.app (utilities-eu-west.up.railway.app)|69.46.46.76|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 399 [text/plain]
Saving to: 'STDOUT'
- 0%[ ] 0 --.-KB/s GET /raw HTTP/1.1
Host: utilities-eu-west.up.railway.app
Accept: */*
Accept-Encoding: identity
User-Agent: Wget/1.21.3
X-Forwarded-For: 162.220.234.15, 89.222.103.194
X-Forwarded-Host: utilities-eu-west.up.railway.app
X-Forwarded-Proto: https
X-Railway-Edge: railway/us-east4-eqdc4a
X-Railway-Request-Id: eMV12z-GSWSFQAqfO8poTA
X-Real-Ip: 162.220.234.15
X-Request-Start: 1780519682973
- 100%[=======================================================================>] 399 --.-KB/s in 0s
2026-06-03 20:48:03 (67.6 MB/s) - written to stdout [399/399]a month ago
X-Forwarded-For: 162.220.234.15, 89.222.103.194
a month ago
Thats inbound, this thread's title says outbound.
a month ago
I mean, it's technically both I guess. We send a request from a service in one project, out over its public URL, and then back into a service in another project.
a month ago
It at least appears that the outbound IP is incorrect.
a month ago
I get what you are saying, but it's not both; they are very distinct.
89.222.103.194 in X-Forwarded-For is the CDN's IP.
a month ago
I gave this answer with the limited information available at the time, so with this new information, this is no longer correct.
a month ago
That's my bad, I didn't think to actually hit it in the terminal.
a month ago
The application is likely using X-Forwarded-For, not X-Real-Ip
a month ago
But I am confused why it has worked for weeks and suddenly the extra IP has come in <:thinkingbread:935682467124359258>
a month ago
Also, friendly bit of insider information, since you said "only a single IP per API key."
See that "Enable HA Static IPs" button? Eventually, that will be automatically enabled for all workloads in the future and then you will need to whitelist multiple IPs. We will, of course, send out multiple communications long before this happens, so me saying this is just giving you an extra long heads-up.
So in short, modify your code to use X-Real-IP and accept multiple IPs for the allowlist.
a month ago
New CDN, you didn't see? - https://discord.com/channels/713503345364697088/921233523719946260/1510042109976121424
a month ago
I appreciate that, but unfortunately this is an off-the-shelf product we use for support ticket handling. I can maybe write a patch for the build stage to fix it up, but time is against me. <:madman3D:605090841102647297>
a month ago
Totally missed it. 😂 It's been a mad few weeks. <:Peepo_Cry:832227339161174027>
a month ago
We haven't even put a date on the hard cutover; you have plenty of time.
a month ago
My favourite solution to this would be inter-project networking, but we can dream ;P
a month ago
Anyways, I appreciate your help in figuring this out! Thanks so much! ❤️
a month ago
Maybe the best solution is to not use IP allowlists. You don't need to be a Railway employee to know that anyone can get the same IPs you are using just by paying for Pro.
a month ago
Could technically be done with Tailscale.
a month ago
I'll just disable the IP check I think. Never been a fan of them anyway. The key itself is large enough that I doubt it'll ever matter.
a month ago
Sounds good
a month ago
And it's a write-only API anyway, so what are they gonna do... send us support requests? 😂
a month ago
As a support engineer, that is about the worst thing you can have happen to you.