Public Networking refers to exposing your application to the internet, to be accessible from the public network.
An essential part of connecting your service to the internet, is properly handling the
The easiest way to get up and running is by using the Railway-provided port.
As long as you have not defined a
PORT variable, Railway will provide and expose one for you.
To have your application use the Railway-provided port, you should ensure it is listening on
PORT is the Railway-provided environment variable.
If you prefer to explicitly set a port, you must set the
PORT variable in your service variables to the port on which your service is listening.
For information on how to configure variables, see the Variables guide.
Railway services don't obtain a domain automatically, but it is easy to set one up.
To assign a domain to your service, go to your service's settings, find the Networking -> Public Networking section, and choose
If Railway detects that a deployed service is listening correctly (as described above), you will see a prompt on the service tile in the canvas, and within the service panel.
Simply follow the prompts to generate a domain and your app will be exposed to the internet.
Don't see the Generate Domain Button?
If you have previously assigned a TCP Proxy to your service, you will not see the
Generate Domain option. You must remove the TCP Proxy (click the Trashcan icon), then you can add a domain.
Custom domains can be added to a Railway service and environment.
Navigate to the Settings tab of your desired service
+ Custom Domainin the Public Networking section of Settings
Type in the custom domain (wildcard domains are supported, see below for more details)
In your DNS provider (Cloudflare, DNSimple, Namecheap, etc), update your domain's DNS settings by adding the appropriate DNS record(s) and associating it with the domain provided by Railway, e.g.,
- For subdomains, including "www", add a CNAME record
- For root or apex domains, the record type will vary, see below for more details
Wait for Railway to verify your record. When verified, you will see a greencheck mark next to the domain(s) -
Note that changes to DNS settings may take up to 72 hours to propagate worldwide.
- Freenom domains are not allowed and not supported.
- The Hobby Plan is limited to 2 custom domains.
- The Pro Plan is limited to 10 domains by default. This limit can be increased for Pro users on request, simply reach out to us at email@example.com or via private thread.
Wildcard domains allow for flexible subdomain management. There are a few important things to know when using them:
- Ensure that the CNAME record for
authorize.railwaydns.netis not proxied by your provider (eg: Cloudflare). This is required for the verification process to work.
- Wildcards can be used for any subdomain level (e.g.,
- Wildcards cannot be nested (e.g., *.*.yourdomain.com).
When you add a wildcard domain, you will be provided with two domains for which you should add two CNAME records -
One record is for the wildcard domain, and one for the _acme-challenge. The _acme-challenge CNAME is required for Railway to issue the SSL Certificate for your domain.
NOTE: If you're using Cloudflare, it is important that the _acme-challenge record has Cloudflare proxying disabled (no orange cloud).
When adding a root or apex domain to your Railway service, you must ensure that you add the appropriate DNS record to the domain within your DNS provider. At this time, Railway supports CNAME Flattening and ALIAS records.
Generally, direct CNAME records at the root or apex level are incompatible with DNS standards (which assert that you should use an "A" or "AAAA" record). However, given the dynamic nature of the modern web and PaaS providers like Railway, some DNS providers have incorporated workarounds enabling CNAME-like records to be associated with root domains.
Check out RFC 1912 if you're interested in digging into this topic.
Choosing the correct record type
The type of record to create is entirely dependent on your DNS provider. Here are some examples -
- Cloudflare CNAME - Simply set up a CNAME record for your root domain in Cloudflare, and they take care of the rest under the hood. Refer to this guide for more detailed instructions.
- DNSimple ALIAS - Set up an ALIAS in DNSimple for your root domain.
- Namecheap ALIAS - Set up an ALIAS in Namecheap for your root domain.
Workaround - Changing your Domain's Nameservers
If your DNS provider doesn't support CNAME Flattening or ALIAS records, you can also change your domain's nameservers to point to Cloudflare's nameservers. This will allow you to use a CNAME record for the root domain. Follow the instructions listed on Cloudflare's documentation to change your nameservers.
You can proxy TCP traffic to your service by creating a TCP proxy in the service settings. Enter the port that you want traffic proxied to, Railway will generate a domain and port for you to use. All traffic sent to
domain:port will be proxied to your service. This is useful for services that don't support HTTP, such as databases.
Currently we use a random load balancing strategy for TCP traffic.
Once a custom domain has been correctly configured, Railway will automatically
generate and apply a Let's Encrypt certificate. This means that any custom
domain on Railway will automatically be accessible
We currently do not support external SSL certificates since we provision one for you.
If you have proxying enabled on Cloudflare (the orange cloud), you MUST set your SSL/TLS settings to full or above.
If proxying is not enabled, Cloudflare will not associate the domain with your Railway project with the following error:
Also note that if proxying is enabled, you can NOT use a domain deeper than a first level subdomain without Cloudflare's Advanced Certificate Manager. For example, anything falling under *.yourdomain.com can be proxied through Cloudflare without issue, however if you have a custom domain under *.subdomain.yourdomain.com, you MUST disable Cloudflare Proxying and set the CNAME record to DNS Only (the grey cloud), unless you have Cloudflare's Advanced Certificate Manager.
Looking for the technical specs like timeouts, TLS information, rate limits etc? Check out the Public Networking reference page.
Edit this file on GitHub