11 days ago
Recently we've migrated our DB from PlanetScale to Railway, and backend services use it with mysql.railway.internal. I wanted to use a Tailscale subnet router to access it remotely, but it seems that the prod and dev environments conflict in Tailscale because they have the same network info.
But it's not about Tailscale, and more about secure ways to connect to MySQL remotely.
8 Replies
10 days ago
https://docs.railway.com/guides/mysql#connecting-externally
have you looked at this in our docs?
Status changed to Awaiting User Response Railway • 10 days ago
parmstar
https://docs.railway.com/guides/mysql#connecting-externally have you looked at this in our docs?
10 days ago
Yeah, I know I can use the TCP proxy and I do, but my database being open to the internet is what concerns me.
Status changed to Awaiting Railway Response Railway • 10 days ago
10 days ago
Hello,
Perhaps this template will help you -
https://railway.com/deploy/tailscale-forwarder
Give its overview a read and then deploy it into your project.
Status changed to Awaiting User Response Railway • 10 days ago
brody
Hello, Perhaps this template will help you - https://railway.com/deploy/tailscale-forwarder Give its overview a read and then deploy it into your project.
9 days ago
Yeah, that works, thanks.
Do you think we can use this forwarder with web services? Let's say allow access to our dev web app only with VPN. I can see that Tailscale has HTTPS for ts.net domains, but HTTP is 80 and HTTPS is 443, so I assume I would need to deploy one forwarder per web service?
Status changed to Awaiting Railway Response Railway • 9 days ago
brody
Hello, Perhaps this template will help you - https://railway.com/deploy/tailscale-forwarder Give its overview a read and then deploy it into your project.
9 days ago
So after a day of usage, I have one problem: when I restart the forwarder, it creates a new device in my tailnet. I guess either we have to mount a volume so that creds are persisted between restarts, or use ephemeral nodes, but I couldn't find any info on how to make an ephemeral node keep its MagicDNS domain.
laontme
Yeah, that works, thanks. Do you think we can use this forwarder with web services? Let's say allow access to our dev web app only with VPN. I can see that Tailscale has HTTPS for ts.net domains, but HTTP is 80 and HTTPS is 443, so I assume I would need to deploy one forwarder per web service?
9 days ago
It's just a TCP proxy, and HTTP uses TCP as the transport, so web services will work just fine!
You only need one forwarder per Railway environment since you can configure multiple mappings. Please read the template overview for more information, as it mentions that it can be used for web services and shows you how you can configure multiple connection mappings.
Status changed to Awaiting User Response Railway • 9 days ago
laontme
So after a day of usage, I have one problem: when I restart the forwarder, it creates a new device in my tailnet. I guess either we have to mount a volume so that creds are persisted between restarts, or use ephemeral nodes, but I couldn't find any info on how to make an ephemeral node keep its MagicDNS domain.
9 days ago
I would recommend simply renaming the machine back to its original name within the Tailscale dashboard, as the forwarder is already running in ephemeral mode.
I have set it up without persistence (ephemeral mode) because you could have the forwarder deployed into your base environment that is used for PR environments, and you wouldn't want the forwarder machine to stay in your Tailscale machine list indefinitely after you close the PR. When the PR is closed, the PR environment within Railway is deleted. Since the forwarder runs in ephemeral mode, the forwarder machine will eventually be removed from your Tailscale machines, and I think that is the optimal outcome.
So, for the rare occasions when you add or adjust the connection mappings (and therefore the forwarder gets redeployed), I think renaming the machine within Tailscale is a good compromise.
Status changed to Solved laontme • 7 days ago
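Added example, not part of the thread and not Railway's or Tailscale's code: once remote clients connect through the forwarder, a check like this can audit connection strings for any that would still reach MySQL over a public address instead of mysql.railway.internal or a ts.net name. The variable names, hosts and credentials are constructed, and treating every other DNS name as public is an assumption.

```python
import ipaddress
from urllib.parse import urlsplit

# Tailscale node address ranges (IPv4 CGNAT block and IPv6 ULA prefix).
TAILNET_NETS = (
    ipaddress.ip_network("100.64.0.0/10"),
    ipaddress.ip_network("fd7a:115c:a1e0::/48"),
)

def classify_host(host):
    """Classify a DSN host as private-railway, tailnet, local or public."""
    host = host.lower().rstrip(".")
    if host.endswith(".railway.internal"):
        return "private-railway"      # Railway private network name
    if host.endswith(".ts.net"):
        return "tailnet"              # MagicDNS name of a tailnet machine
    if host == "localhost":
        return "local"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "public"               # assumption: any other DNS name is public
    if ip.is_loopback:
        return "local"
    if any(ip in net for net in TAILNET_NETS):
        return "tailnet"
    return "public"

def public_dsns(env):
    """Return the names of DSN variables whose host is publicly reachable."""
    flagged = []
    for name, dsn in env.items():
        host = urlsplit(dsn).hostname or ""
        if classify_host(host) == "public":
            flagged.append(name)
    return sorted(flagged)

# Constructed sample configuration (names, hosts and credentials are made up).
SAMPLE_ENV = {
    "SERVICE_DSN": "mysql://app:pw@mysql.railway.internal:3306/app",
    "LAPTOP_DSN": "mysql://app:pw@forwarder-dev.example.ts.net:3306/app",
    "LAPTOP_IP_DSN": "mysql://app:pw@100.101.102.103:3306/app",
    "OLD_PROXY_DSN": "mysql://app:pw@db-proxy.example.com:31234/app",
    "LOOKALIKE_DSN": "mysql://app:pw@db.ts.net.example.org:3306/app",
}

if __name__ == "__main__":
    for name in public_dsns(SAMPLE_ENV):
        print("public MySQL endpoint in", name)
```

A clean result only covers the client side; it does not show whether the database's public TCP proxy is still enabled.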