Whitelist IPs proxy for mongodb
hot2eatorg
PROOP

2 months ago

Hey there! I'm trying to deploy a simple NGINX proxy to whitelist IPs to my mongo database. The problem I have is that the connections are never reaching the proxy itself.

The nginx config is simple:

worker_processes auto;

events { worker_connections 1024; }

stream {
  upstream mongodb {
    server mongodb.railway.internal:27017;
  }

  server {
    listen 27017;
    allow 54.102.43.101; # I've made this up
    deny all;
    proxy_pass mongodb;
  }
}

Then I'm trying to connect to the db like: mongodb://<username>:<password>@mongodb-proxy-production.up.railway.app:27017/db

I can see that the service is running and receiving connections:

nc -vz mongodb-proxy-production.up.railway.app 27017
Connection to mongodb-proxy-production.up.railway.app port 27017 [tcp/*] succeeded!

But no logs are displayed, so I believe that the connections are not reaching nginx at all. Does Railway have any limitation about doing TCP connections?

Is this even supported? Are there any other solutions for this?

Thanks for the help!

$30 Bounty

9 Replies

Railway
BOT

2 months ago

Hey there! We've found the following might help you get unblocked faster:

If you find the answer from one of these, please let us know by solving the thread!


passos
MODERATOR

2 months ago

Hey, for TCP connections you'll need to add a TCP proxy to your service. https://docs.railway.com/reference/tcp-proxy


hot2eatorg
PROOP

2 months ago

Thanks for the response passos. That almost worked; I had to allow the Railway TCP proxy in my NGINX proxy:

allow 100.64.0.0/10;   # trust Railway's proxy
allow 54.102.43.101;   # This is completely ignored

But this does not work. External IPs are lost going through Railway's proxy:

external_ip -> Railways TCP Proxy -> My NGINX Proxy -> mongodb
                                         ^
                             (whitelisting happens here)

So, in other words, this is not even possible right now, or am I wrong?


fra
HOBBY

2 months ago

I'm not a super expert, but I think you can find the real IP address in these headers, X-Forwarded-For or X-Real-Ip, so maybe you need something like real_ip_header X-Forwarded-For; in the http block?

This should be the header passed by railway:
https://utilities-metal-us-east-zfs.up.railway.app/raw


hot2eatorg
PROOP

2 months ago

Thanks for the response fra. This would work if the connection were HTTP, but it's TCP. I cannot find any way of doing this, so I believe it's a Railway limitation.

Maybe if they add L7 TCP metadata to extract the real source IP for raw TCP traffic, this could be possible. Or just enable IP whitelisting directly in their TCP proxy.
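For reference, the "L7 TCP metadata" described above has a standard form: the PROXY protocol header, which a front TCP proxy prepends to the stream and which nginx's stream realip module can read before allow/deny runs. The following is an added example, not a config from the thread or from Railway, and it assumes the front proxy actually sends a PROXY protocol header from the 100.64.0.0/10 range mentioned above (the thread indicates Railway's TCP proxy does not); 54.102.43.101 is the made-up client address from the original post.

```nginx
# Added example (not from the thread): nginx stream whitelisting by the
# original client IP, recovered from a PROXY protocol header.
# Assumption: the TCP proxy in front of nginx speaks PROXY protocol and
# connects from 100.64.0.0/10 (address range taken from the thread).
worker_processes auto;

events { worker_connections 1024; }

stream {
  upstream mongodb {
    server mongodb.railway.internal:27017;
  }

  server {
    # proxy_protocol: parse the PROXY header at the start of each connection.
    # Plain connections without that header are rejected at this point.
    listen 27017 proxy_protocol;

    # Only trust the header when the TCP peer is the front proxy itself.
    # After this, $remote_addr (and therefore allow/deny) is the address
    # carried in the header, not the proxy's own address.
    set_real_ip_from 100.64.0.0/10;

    allow 54.102.43.101;   # made-up client IP from the original post
    deny  all;             # everything else, including the proxy's own range

    proxy_pass mongodb;
  }
}
```

Without the header the allow line cannot match, so if the front proxy is a plain TCP forwarder this config rejects every connection; in that case the whitelist has to be enforced at the proxy or replaced by the VPN/TLS approach discussed later in the thread.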


passos
MODERATOR

2 months ago

Like hot2eatorg, unfortunately I don't believe your use case is possible.


fra
HOBBY

2 months ago

Ouch, this is why I'm not a super expert on this. Thanks for explaining!


passos
MODERATOR

2 months ago

Also, if you're looking for a private way to access your database, take a look at Tailscale (https://docs.railway.com/tutorials/set-up-a-tailscale-subnet-router). It's pretty easy to set up and provides the quality of a true VPN instead of IP whitelisting.


hot2eatorg
PROOP

2 months ago

That's not a bad idea, passos! I ended up setting up TLS though. I think it's good enough. Thanks for your contribution :)
