I have some issues in restrict for webhook_url. We 've discussed about this at:
Now n8n could have N8N_EDITOR_BASE_URL. But someone could still go to webhook_url to login to n8n. Do not like editor, webhook_url is easier to know and attack by bruce force.
Could you have repo to upgrade n8n core to restrict webhook_url?
I thinks an env variable make it more simple.
I’m pretty sure n8n is agnostic of the incoming Host header at the moment. It does make sense this boundary would be applied where you’re terminating your TLS connections… the/a reverse proxy.
I’ve recently used Caddy in a very strict environment to separate out webhook and management connections with a config something like this:
# n8n management interface
n8n.example.com {
reverse_proxy http://myn8n:5678
}
# n8n webhook interface, exposed externally
webhook.example.com {
# Match n8n webhook requests
@webhook {
path_regexp ^\/webhook(?:-test)?\/([A-f\d]{8}-[A-f\d]{4}-[A-f\d]{4}-[A-f\d]{4}-[A-f\d]{12})
}
# Send to n8n
reverse_proxy @webhook http://myn8n:5678
# Drop anything not going to a webhook URL
abort
}
Sure, I typed something up, can’t guarantee it’s perfect… or works, but it’s a start:
# Reject non-valid hostnames
server {
listen 443 ssl default_server;
ssl_reject_handshake on;
}
# n8n management interface (internal only)
server {
listen 443;
server_name n8n.example.com;
ssl_certificate /etc/pki/n8n.example.com.crt;
ssl_certificate_key /etc/pki/n8n.example.com.key;
security_headers on;
# modern TLS configuration
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;
allow 10.0.0.0/8
allow 172.16.0.0/12
allow 192.168.0.0/16
deny all;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://n8n-main:5678;
}
}
# n8n webhook interface
server {
listen 443;
server_name webhook.example.com;
ssl_certificate /etc/pki/webhook.example.com.crt;
ssl_certificate_key /etc/pki/webhook.example.com.key;
security_headers on;
# modern TLS configuration
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;
# Drop anything not going to a webhook URL
location / {
return 444
}
# Don't allow external connections to use a different hostname
# "if" is not evil in this context
if ($host !~* ^webhook.example.com$ ) {
return 444;
}
# Forward valid webhook requests to n8n v2 (non-capturing)
location ~* "^\/webhook(?:-test)?\/[A-f\d]{8}-[A-f\d]{4}-[A-f\d]{4}-[A-f\d]{4}-[A-f\d]{12}" {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://n8n-main:5678$request_uri;
}
# Forward valid webhook requests to n8n (capturing)
location ~* "^\/(webhook(?:-test)?)\/([A-f\d]{8}-[A-f\d]{4}-[A-f\d]{4}-[A-f\d]{4}-[A-f\d]{12})" {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://n8n-main:5678/$1/$2;
}
}
# https://webhook.example.com/webhook-test/b31b656d-3dc4-487d-a94e-1cf3da8d0a0e
# https://webhook.example.com/webhook/b31b656d-3dc4-487d-a94e-1cf3da8d0a0e
This would be a nice improvement. It makes sense to have one endpoint for the GUI and one endpoint for the webhooks if the webhooks are used for an API. It is undesirable for someone to go to the root of the subdomain used for the API and easily discover that n8n is being used. This is a potential security risk.
I have a unique subdomain for the GUI and another unique subdomain for the API. The problem is that the GUI still loads when visiting the API subdomain. I have addressed this for now with a Cloudflare Page Rule that redirects to another website all calls to the API subdomain; it does not affect calls to the webhooks.
I’m using docker on open lite speed
Do you have any config for OLS?
Hi, following up on this thread: as some third parties require to whitelist their IPs in order to be able to receive webhooks from them, it would be great to be able to do it on n8n cloud.
Best regards