Feature to restrict webhook_url for n8n

I’m pretty sure n8n is agnostic of the incoming Host header at the moment. It does make sense this boundary would be applied where you’re terminating your TLS connections… the/a reverse proxy.

I’ve recently used Caddy in a very strict environment to separate out webhook and management connections with a config something like this:

# n8n management interface
n8n.example.com {
	reverse_proxy http://myn8n:5678
}

# n8n webhook interface, exposed externally
webhook.example.com {
	# Match n8n webhook requests (/webhook/<uuid> or /webhook-test/<uuid>)
	@webhook {
		path_regexp ^\/webhook(?:-test)?\/([A-Fa-f\d]{8}-[A-Fa-f\d]{4}-[A-Fa-f\d]{4}-[A-Fa-f\d]{4}-[A-Fa-f\d]{12})
	}

	# Send to n8n. handle blocks are mutually exclusive; a bare abort
	# would sort ahead of reverse_proxy and drop every request.
	handle @webhook {
		reverse_proxy http://myn8n:5678
	}

	# Drop anything not going to a webhook URL
	handle {
		abort
	}
}
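An added example (not part of the original post) that runs the webhook path allowlist through Go's regexp package, the engine Caddy uses, against constructed request paths. It also contrasts a character class written `[A-f\d]` with the explicit hex class `[A-Fa-f\d]`; the function names and sample paths are assumptions made for the example.

```go
package main

import (
	"fmt"
	"regexp"
)

// webhookPattern builds the path allowlist regex for a given character class.
func webhookPattern(class string) *regexp.Regexp {
	uuid := fmt.Sprintf(`%[1]s{8}-%[1]s{4}-%[1]s{4}-%[1]s{4}-%[1]s{12}`, class)
	return regexp.MustCompile(`^/webhook(?:-test)?/(` + uuid + `)`)
}

var (
	// The range A-f covers ASCII 65..102: A-Z, a-f and the punctuation between.
	loose = webhookPattern(`[A-f\d]`)
	// Hex digits only.
	strict = webhookPattern(`[A-Fa-f\d]`)
)

// Constructed sample request paths (not taken from any real instance).
var samples = []string{
	"/webhook/3f2a9c1e-7b4d-4e8a-9c6f-0d1e2f3a4b5c",
	"/webhook-test/3F2A9C1E-7B4D-4E8A-9C6F-0D1E2F3A4B5C/extra",
	"/webhook/ZZZZZZZZ-ZZZZ-ZZZZ-ZZZZ-ZZZZZZZZZZZZ",
	"/admin/settings",
	"/",
	"/webhook/",
	"/api/webhook/3f2a9c1e-7b4d-4e8a-9c6f-0d1e2f3a4b5c",
}

// decide mirrors the proxy's choice: forward allowlisted paths, drop the rest.
func decide(re *regexp.Regexp, path string) string {
	if re.MatchString(path) {
		return "proxy"
	}
	return "abort"
}

func main() {
	fmt.Printf("%-8s %-8s %s\n", "loose", "strict", "path")
	for _, p := range samples {
		fmt.Printf("%-8s %-8s %s\n", decide(loose, p), decide(strict, p), p)
	}
}
```

Only the third path differs between the two classes: the loose range forwards a non-hex "UUID" that the explicit hex class drops.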