N8n + AWS API Gateway setup

Hello,

I have deployed n8n on Kubernetes. The n8n UI and webhook are exposed through a private NGINX Ingress controller. I would like to proxy the n8n webhook through AWS API Gateway in order to:

1. Provide a public endpoint, and

2. Attach it to AWS WAF for enhanced security.

Setup:

• Webhook ingress domain: n8n-webhook-private.mydomain.com

• API Gateway custom domain: n8n-webhook-public.mydomain.com

• API Gateway integration: via VPC link

• API Gateway integration proxy n8n-webhook-private.mydomain.comto n8n-webhook-public.mydomain.com

Issue:
When I access n8n-webhook-public.mydomain.com, the site is redirected to n8n-webhook-private.mydomain.com. This is incorrect — it doesn’t work publicly and eventually times out.

I tried setting the webhook.url in the Helm chart like this:

webhook:
  url: "https://n8n-webhook-public.mydomain.com"

But this value seems to control the Ingress setup, so it doesn’t solve the problem.

Question:
Is it possible to proxy the n8n webhook via AWS API Gateway so that I can expose a secure, public webhook endpoint behind WAF?

Do you also want me to suggest how to configure n8n + API Gateway correctly to avoid the redirect issue?

Information on your n8n setup

• n8n version: 1.107.4
• Database (default: SQLite): PostgreSQL
• n8n EXECUTIONS_PROCESS setting (default: own, main): default
• Running n8n via (Docker, npm, n8n cloud, desktop app): Kubernetes / helm chart

@n8nn19x The problem is that n8n is redirecting to its internal URL because it doesn’t know it’s being proxied. To fix this, you need to configure n8n to recognize the public URL.

1. Set environment variables like N8N_HOST, N8N_PORT, N8N_PROTOCOL, and N8N_WEBHOOK_URL to point to your public URL.
2. Pass the original host header and set X-Forwarded-Host and X-Forwarded-Proto headers.
3. Create a ConfigMap to set the webhook URL.

The architecture looks like this:
Public Client → API Gateway → AWS WAF → VPC Link → NGINX Ingress → n8n Pod

To verify the setup, you can use curl to test the webhook URL with the correct headers.

If you still face issues, check the n8n logs, API Gateway logs, and VPC Link connectivity.

Finally, add some security enhancements by setting headers like Strict-Transport-Security, X-Content-Type-Options, and X-Frame-Options in API Gateway.

Does this make sense or do you want me to walk you through each step?

Thanks for your answer @Zelite

You are right, but I still see some issues:

1. When I set in the Helm chart:

   webhook:
     url: "https://n8n-webhook-public.mydomain.com"
   
   

   an Ingress is created for this domain, which breaks the configuration.

2. So I tried creating the Ingress manually and adding extra environment variables:

   main:
     extraEnvVars:
       WEBHOOK_URL: "https://n8n-webhook-public.mydomain.com"
   webhook:
     extraEnvVars:
       WEBHOOK_URL: "https://n8n-webhook-public.mydomain.com"
   
   

   But the result is the same — it still redirects to the private endpoint.

3. On API Gateway, I added the following mappings:

   • integration.request.header.Host = 'n8n-webhook-public.mydomain.com'

   • integration.request.header.X-Forwarded-Host = 'n8n-webhook-public.mydomain.com'

   • integration.request.header.X-Forwarded-Proto = 'https'

4. I also tried adding these annotations to the NGINX Ingress:

   nginx.ingress.kubernetes.io/use-forwarded-headers: "true"
   nginx.ingress.kubernetes.io/configuration-snippet: |
     proxy_set_header X-Forwarded-Host $host;
     proxy_set_header X-Forwarded-Proto $scheme;
   
   

   But the behavior is still the same.

Do you see where the issue might be?

@n8nn19x i see the exact issue now.

Update your helm values.yaml

# Disable the Helm-created webhook Ingress
webhook:
  enabled: false  # ← This is the key!
  # Remove the webhook.url setting entirely

# Configure n8n environment variables properly
main:
  extraEnvVars:
    - name: N8N_WEBHOOK_URL
      value: "https://n8n-webhook-public.mydomain.com"
    - name: N8N_HOST
      value: "n8n-webhook-public.mydomain.com"
    - name: N8N_PROTOCOL
      value: "https"

Create a separate ingress manifest that you control

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: n8n-webhook-private
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/proxy-buffer-size: "128k"
    nginx.ingress.kubernetes.io/use-forwarded-headers: "true"
    nginx.ingress.kubernetes.io/configuration-snippet: |
      proxy_set_header Host $host;
      proxy_set_header X-Forwarded-Host $host;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-Forwarded-Port $server_port;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
spec:
  rules:
  - host: n8n-webhook-private.mydomain.com  # ← Private internal host
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: n8n-webhook-service  # Your n8n service name
            port:
              number: 5678

Your API gateway mapping is correct

Lastly verify the n8n config

hey @Zelite

thanks for your answer. Unfortunately, this setup also doesn’t work, it’s the same issue.

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.