Authentication?

Is there any type of authentication that I can set up to protect my n8n instance?

Welcome to the community.

If you follow the server setup guide, your n8n subdomain will have user/password protection.


Does the same guide apply to an installation using npm?

The guide above is for server setup, e.g. on a Digital Ocean droplet.

To install n8n with npm, you can follow this guide:

This will install n8n locally and make it accessible through localhost:5678, without authentication.

Protecting n8n via Basic-Auth can also be done if it is installed via npm. You just have to make sure to set the following environment variables:

export N8N_BASIC_AUTH_ACTIVE=true
export N8N_BASIC_AUTH_USER=<USER>
export N8N_BASIC_AUTH_PASSWORD=<PASSWORD>
1 Like

I ran the commands (by obviously replacing and by something else) and restarted n8n, but I got no auth dialog soooo…

Then I guess it did not get set correctly.

Did it display any kind of error message after you ran the commands? If you use, for example, Windows, you have to set environment variables differently. Did you start n8n in the same terminal? Do you still run n8n via npm, as written above, or do you use Docker now for some reason?

Alright, let’s get back to the basics (I should have included that information sooner).
So, I’m running Debian 10 on a VPS and I installed n8n using npm, and used a service to make it so that it starts automatically if the server has to reboot for some reason.

To access my n8n instance, I’m using http://ip:port/ of my server, but this is not secured as no authentication dialog appears and anybody could really do anything they want.

I ran the commands with no errors and n8n restarted successfully, but the dialog box that should ask for the username and password still does not appear.

It would actually be best to follow this guide:

That makes sure that n8n is set up correctly. The way you run it right now would cause problems as soon as you want to register a webhook on an external service (so almost every Trigger-Node). Most do not allow IP addresses and additionally require SSL.

Anyway, I sadly do not have much experience with services on Linux, but I am still quite sure that they run in their own “environment” and so have their own environment variables. So you would have to set them in there somehow. But again, I strongly recommend following the above guide.

Hope that helps!

Sadly that setup doesn’t work since I already have a nginx server running on the server and therefore the webserver packed into n8n is unable to bind to 0.0.0.0:443.

So depending on what you are doing, it is then maybe not a big issue, but be aware of what I mentioned above with the Triggers. So if you start using them and they cause problems, you at least already know why and what you have to do to fix it.

thanks man, I will try it

Hi @jan, what if we have n8n running within a Docker container? What parameters should we add to the docker-compose file?

Exactly the same ones as mentioned above.

Also, I recommend again using the docker-compose setup documented here:

Everything is already set up correctly there incl. authentication.
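The three posts above (the exported variables, the systemd service with its own environment, and the docker-compose question) all come down to one check: do the Basic-Auth variables actually reach the n8n process? The script below is an added example, not code from the thread or from n8n's own documentation. It assumes the variable names quoted above, that the service unit is called n8n.service, that the running process can be found with `pgrep -f n8n` (and that you have permission to read its /proc/<pid>/environ, which usually means root), and it uses a constructed environment dump and a constructed password for its demo run.

```shell
#!/bin/sh
# Added example; not from the thread or from n8n's own docs/tooling.
# Assumptions: the variable names quoted in the thread; the unit is named
# n8n.service; "pgrep -f n8n" finds the process; reading /proc/<pid>/environ
# of another user's process needs root.

# Read KEY=VALUE lines on stdin and succeed only if Basic-Auth is really on,
# with a user and a password that are not the unfilled <USER>/<PASSWORD>
# placeholders. The first problem found is reported on stderr.
n8n_auth_env_ok() {
  active=''; user=''; pass=''
  while IFS= read -r line; do
    case "$line" in
      N8N_BASIC_AUTH_ACTIVE=*)   active=${line#*=} ;;
      N8N_BASIC_AUTH_USER=*)     user=${line#*=} ;;
      N8N_BASIC_AUTH_PASSWORD=*) pass=${line#*=} ;;
    esac
  done
  if [ "$active" != "true" ]; then
    echo "N8N_BASIC_AUTH_ACTIVE is '${active:-unset}', expected true" >&2; return 1
  fi
  if [ -z "$user" ] || [ "$user" = '<USER>' ]; then
    echo "N8N_BASIC_AUTH_USER is unset or still the placeholder" >&2; return 1
  fi
  if [ -z "$pass" ] || [ "$pass" = '<PASSWORD>' ]; then
    echo "N8N_BASIC_AUTH_PASSWORD is unset or still the placeholder" >&2; return 1
  fi
  return 0
}

# Check the environment of the *running* n8n process rather than the shell
# you typed "export" in: a systemd service or a container does not inherit
# that shell's variables, which is why no login dialog appeared in the thread.
n8n_running_env_ok() {
  pid=$(pgrep -o -f n8n) || { echo "no n8n process found" >&2; return 1; }
  tr '\0' '\n' < "/proc/$pid/environ" | n8n_auth_env_ok
}

# systemd drop-in that carries the variables to the unit. Install it as
# /etc/systemd/system/n8n.service.d/basic-auth.conf, chmod 600 (it holds the
# password), then: systemctl daemon-reload && systemctl restart n8n
render_systemd_dropin() {   # $1 user, $2 password
  printf '[Service]\nEnvironment=N8N_BASIC_AUTH_ACTIVE=true\n'
  printf 'Environment=N8N_BASIC_AUTH_USER=%s\nEnvironment=N8N_BASIC_AUTH_PASSWORD=%s\n' "$1" "$2"
}

# The same variables as an environment: block for the n8n service in
# docker-compose.yml (indented for a service at the usual two-space level).
render_compose_env() {      # $1 user, $2 password
  printf '    environment:\n      - N8N_BASIC_AUTH_ACTIVE=true\n'
  printf '      - N8N_BASIC_AUTH_USER=%s\n      - N8N_BASIC_AUTH_PASSWORD=%s\n' "$1" "$2"
}

# Stand-alone demo on a constructed environment dump: this is what a service
# typically shows when the variables were only exported in a terminal.
printf 'PATH=/usr/bin\nHOME=/var/lib/n8n\n' | n8n_auth_env_ok \
  || echo "Basic-Auth is not active in that environment; use the drop-in below:"
render_systemd_dropin admin 'constructed-example-password'
```

On the live box the call is simply `n8n_running_env_ok && echo ok`; if it fails, write the drop-in (or the compose block) rather than exporting in a shell, restart the service, and run the check again. Do not put the real password into the script or its history; read it from a root-only file and pass it as the second argument.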

Basic auth in n8n is alarmingly not enough (think brute force attacks with no throttling).

It’s a bit surprising, because there are so many critical credentials stored in n8n, I can’t sleep well at night: a tight, modern authentication system is crucial to this app.

For now I wired Cloudflare’s zero trust authentication and whitelisted Cloudflare IP addresses in Nginx. But this is a very partial solution (i.e. bots are at bay, but still no auth from any Cloudflare workers).

Another super low hanging fruit is: multi-user support with a good permission system. This would immediately attract so many B2B sales (where the real money is).

1 Like
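The post above puts the finger on the real weakness of Basic-Auth alone: n8n itself does not throttle failed logins, so the throttling and the visibility have to come from the reverse proxy in front of it. The script below is an added example, not code from the thread or from n8n: it runs over an nginx access log (assumed to be in nginx's default "combined" format, with nginx proxying to n8n) and lists source addresses that collect many 401 responses, i.e. the guessing that would otherwise go unnoticed. The log lines it demonstrates on are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: flag source IPs with many HTTP 401
# responses in an nginx access log in front of n8n. Assumes nginx's default
# "combined" log format, where field 9 is the status code.

# $1: access log path, $2: minimum number of 401s per IP (default 10).
# Prints "<count> <ip>" for each offending IP, most active first.
flag_basic_auth_guessing() {
  awk -v limit="${2:-10}" '
    $9 == 401 { n[$1]++ }
    END { for (ip in n) if (n[ip] >= limit) printf "%d %s\n", n[ip], ip }
  ' "$1" | sort -rn
}

# Constructed sample log (combined format): 203.0.113.7 fails 12 times,
# 198.51.100.4 fails once and then logs in as "admin".
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
{
  i=0
  while [ "$i" -lt 12 ]; do
    printf '203.0.113.7 - - [10/Jun/2021:10:00:%02d +0000] "GET / HTTP/1.1" 401 188 "-" "curl/7.64.0"\n' "$i"
    i=$((i + 1))
  done
  echo '198.51.100.4 - - [10/Jun/2021:10:01:00 +0000] "GET / HTTP/1.1" 401 188 "-" "Mozilla/5.0"'
  echo '198.51.100.4 - admin [10/Jun/2021:10:01:05 +0000] "GET / HTTP/1.1" 200 4121 "-" "Mozilla/5.0"'
} > "$SAMPLE_LOG"

# Stand-alone demo: only the 12-failure address crosses the default threshold.
flag_basic_auth_guessing "$SAMPLE_LOG" 10
```

Run it against the real log (`flag_basic_auth_guessing /var/log/nginx/access.log 20`) from cron or a log shipper to get the alert n8n does not raise itself. For the throttling part, nginx's `limit_req_zone` / `limit_req` directives on the n8n location cap attempts per source address, and restricting the location to your IdP's or Cloudflare's egress ranges, as the poster did, keeps everyone else away from the login prompt entirely.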

Hey @sscarduzio,

This is something that is being worked on; the feature request can be found here: User and Privilege Management [GOT CREATED]

1 Like