Decouple the Webhook listening port from the Admin UI port

mcoate · January 27, 2025, 9:30am

The idea is:

The ability to have separate Admin UI and Webhook Listening ports

My use case:

Splitting the Webhook and Admin UI listening ports allows you to firewall the port at the network layer to prevent packets from even reaching it.

I think it would be beneficial to add this because:

While its possible using a reverse proxy and URI routing to filter the Admin UI from appearing, the port still remains publicly accessible for attack.

Any resources to support this?

Any basic firewall/networking documentation out there

Are you willing to work on this?

I am not a developer

BramKn · January 27, 2025, 10:51am

Hi @mcoate

Welcome to the community!
Do not forget to vote on it yourself.

Also I think you can fix this in a reverse proxy. as you can send whatever you want to n8n and it will process it as long as the path is correct. So you could just use a different URL for webhooks and send those in as a webhook and have a completely separate URL as your UI.
And of course in the reverse proxy you can manage what goes through and what does not.

mcoate · January 29, 2025, 9:26am

Right but the IP:port will still be visible to the entire internet. Ideally (lets say the Admin UI was on port 1111 and Webhooks on 2222) you could block all incoming traffic from the internet to 1111 and only reach it locally or by tunnel and 2222 would remain open to everyone.

JamesP · January 29, 2025, 10:13am

You could try setting the WEBHOOK_URL environment variable and having the webhook on a different URL.

jiromusik · May 14, 2025, 8:14pm

This is working most of the time but I run into problems with that. Sometimes it looks like n8n is not listening on this second port.
I cant get Oauth2 to work with 2 different ports…