N8n.io with Docker and Traefik 2

Background:

I have only 1 Ubuntu VPS and am using Docker / Docker-compose / Traefik 2 to install and run multiple web apps. Apps such as Ghost / WordPress are running as normal, but I can’t use n8n. After installing and doing some config with docker-compose.yml, the UI shows up but it can’t run any function.

Please take a look at my docker-compose.yml as below. Please help me with this. I don’t know what’s wrong with the config.

/root/docker-compose.yml (For Traefik 2)

version: '3.7'

services:
  traefik:
    image: traefik:v2.4
    container_name: traefik
    restart: always
    security_opt:
      - no-new-privileges:true
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data/traefik.yml:/traefik.yml:ro
      - ./data/acme.json:/acme.json
      # Add folder with dynamic configuration yml
      - ./data/configurations:/configurations
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=proxy"
      - "traefik.http.routers.traefik-secure.entrypoints=websecure"
      - "traefik.http.routers.traefik-secure.rule=Host(`dash.thedailymorrow.com`)"
      - "[email protected]"
      - "[email protected]"

networks:
  proxy:
    external: true

/root/n8n/docker-compose.yml (For n8n)

version: "3.7"

services:
  n8n:
    image: n8nio/n8n
    restart: always
    container_name: n8n
    ports:
      - "127.0.0.1:5678:5678"
    networks:
      - proxy
      - services
    labels:
      - traefik.enable=true
      - traefik.docker.network=proxy
      - traefik.port=5678
      - traefik.protocol=http
      - traefik.frontend.rule=Host:(`${SUBDOMAIN}.${DOMAIN_NAME}`)
      - traefik.backend=n8n-app
      - traefik.http.routers.n8n.tls=true
      - traefik.http.routers.n8n.entrypoints=websecure
      - traefik.http.routers.n8n.tls.certresolver=mytlschallenge
      - traefik.http.middlewares.n8n.headers.SSLRedirect=true
      - traefik.http.middlewares.n8n.headers.STSSeconds=315360000
      - traefik.http.middlewares.n8n.headers.browserXSSFilter=true
      - traefik.http.middlewares.n8n.headers.contentTypeNosniff=true
      - traefik.http.middlewares.n8n.headers.forceSTSHeader=true
      - traefik.http.middlewares.n8n.headers.SSLHost=${DOMAIN_NAME}
      - traefik.http.middlewares.n8n.headers.STSIncludeSubdomains=true
      - traefik.http.middlewares.n8n.headers.STSPreload=true
    environment:
      - N8N_BASIC_AUTH_ACTIVE=true
      - N8N_BASIC_AUTH_USER
      - N8N_BASIC_AUTH_PASSWORD
      - N8N_HOST=${SUBDOMAIN}.${DOMAIN_NAME}
      - N8N_PORT=5678
      - N8N_PROTOCOL=https
      - NODE_ENV=production
      - WEBHOOK_URL=https://${SUBDOMAIN}.${DOMAIN_NAME}/
      - GENERIC_TIMEZONE=${GENERIC_TIMEZONE}
      - WEBHOOK_URL=https://${SUBDOMAIN}.${DOMAIN_NAME}/
      - VUE_APP_URL_BASE_API=https://${SUBDOMAIN}.${DOMAIN_NAME}/
    volumes:
      - ${DATA_FOLDER}/.n8n:/home/node/.n8n
      - /local-files:/files

networks:
    proxy:
      external: true
    services:
      external: true

The .env file is the same as in the official guidance from n8n.

Please help me out. Thank you so much!

Information on your n8n setup

  • n8n version: 0.149.0
  • Running n8n with the execution process: root
  • Running n8n via: Docker version 20.10.7, build 20.10.7-0ubuntu5~20.04.2

Hi @miniduke, I’m sorry to hear you’re running into this behavior. Could you elaborate a bit on the error you are facing? When saying the UI shows up, does that mean you can open your n8n domain, log in with your basic auth credentials and see the n8n canvas? What exactly would “it can’t run any function” mean? Is this a problem specific to the Function node?

Hi @MutedJam, thanks for your reply.

Yes, I can still log in with basic auth credentials and see the n8n canvas. I use the Telegram trigger node to test if it can retrieve the message, but after a long wait, nothing happens. I tried several times and the result is still the same.

One more thing is that the SSL doesn’t seem to work. Please see the photo below:

Please help me out. Thank you!

With n8n working in principle but also seeing your SSL/TLS certificate, I suspect something isn’t quite working as expected with your Traefik configuration. A problem with your proxy in front of n8n would also explain why Telegram might not be able to send webhooks to n8n.

I am not familiar with Traefik, but in a first step you might want to double check your Traefik configuration for any pointers (it seems you are doing this through your traefik.yml and configurations files) here. Does your configuration match the suggested configuration? Has a certificate been generated for your n8n subdomain by Traefik?

2 Likes

Thank you. I’ll take a look at it again and see if it works.

You need certificatesresolvers on traefik:

version: "3.7"

services:
  traefik:
    image: traefik:latest
    command:
      - "--api.dashboard=false"
      - "--providers.docker.swarmMode=true"
      - "--providers.docker.endpoint=unix:///var/run/docker.sock"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.network=network_public"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
      - "--entrypoints.web.http.redirections.entrypoint.permanent=true"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.letsencryptresolver.acme.httpchallenge=true"
      - "--certificatesresolvers.letsencryptresolver.acme.httpchallenge.entrypoint=web"
      - "-[email protected]gmail.com"
      - "--certificatesresolvers.letsencryptresolver.acme.storage=/etc/traefik/letsencrypt/acme.json"
      - "--log.level=DEBUG"
      - "--log.format=common"
      - "--log.filePath=/var/log/traefik/traefik.log"
      - "--accesslog=true"
      - "--accesslog.filepath=/var/log/traefik/access-log"
    deploy:
      placement:
        constraints:
          - node.role == manager
      labels:
        - "traefik.enable=true"
        - "traefik.http.middlewares.redirect-https.redirectscheme.scheme=https"
        - "traefik.http.middlewares.redirect-https.redirectscheme.permanent=true"
        - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
        - "traefik.http.routers.http-catchall.entrypoints=web"
        - "[email protected]cker"
        - "traefik.http.routers.http-catchall.priority=1"
      resources:
        limits:
          memory: 1024M
      restart_policy:
        condition: on-failure
        delay: 11s
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "vol_certificates:/etc/traefik/letsencrypt"
    ports:
      - target: 80
        published: 80
        mode: host
      - target: 443
        published: 443
        mode: host
    networks:
      - network_public
volumes:
  vol_shared:
    external: true
    name: volume_swarm_shared
  vol_certificates:
    external: true
    name: volume_swarm_certificates
networks:
  network_public:
    external: true
    name: network_swarm_public

Put the n8n port on the load balancer:

version: '3.7'

services:

  n8n:
    image: n8nio/n8n
    environment:
      - DB_TYPE=mysqldb
      - DB_MYSQLDB_DATABASE=n8n
      - DB_MYSQLDB_HOST=database
      - DB_MYSQLDB_PORT=3306
      - DB_MYSQLDB_USER=root
      - DB_MYSQLDB_PASSWORD=asdf
      - N8N_BASIC_AUTH_ACTIVE=true
      - N8N_BASIC_AUTH_USER=asdf
      - N8N_BASIC_AUTH_PASSWORD=asdf
      - N8N_ENCRYPTION_KEY=MdRRn2jiZuVeh5tI77A6
      - N8N_HOST=n8n.yourdomain.com
      - N8N_PROTOCOL=https
      - NODE_ENV=production
      - WEBHOOK_URL=https://webhooks.yourdomain.com/
    deploy:
      mode: replicated
      replicas: 1
      placement:
        constraints:
          - node.role == manager
      resources:
        limits:
          cpus: '0.5'
          memory: 512M
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.n8n.rule=(Host(`n8n.yourdomain.com`) || Host(`webhooks.yourdomain.com`))"
        - "traefik.http.routers.n8n.entrypoints=websecure"
        - "traefik.http.routers.n8n.tls.certresolver=letsencryptresolver"
        - "traefik.http.services.n8n.loadbalancer.server.port=5678"
        - "traefik.http.services.n8n.loadbalancer.passHostHeader=true"
        - "traefik.http.middlewares.n8n.headers.SSLRedirect=true"
        - "traefik.http.middlewares.n8n.headers.STSSeconds=315360000"
        - "traefik.http.middlewares.n8n.headers.browserXSSFilter=true"
        - "traefik.http.middlewares.n8n.headers.contentTypeNosniff=true"
        - "traefik.http.middlewares.n8n.headers.forceSTSHeader=true"
        - "traefik.http.middlewares.n8n.headers.SSLHost=n8n.yourdomain.com"
        - "traefik.http.middlewares.n8n.headers.STSIncludeSubdomains=true"
        - "traefik.http.middlewares.n8n.headers.STSPreload=true"
    volumes:
       - n8n-data:/var/www/html
    networks:
      - network_public
    command: /bin/sh -c "sleep 10; n8n start"

volumes:
  n8n-data:

networks:
  network_public:
    external: true
    name: network_swarm_public

3 Likes

Thanks @luizeof for your answer. It did help me a lot in further investigating the problem. However, this will require running Docker in swarm mode, right? I’m not quite familiar with this.

And furthermore, I followed your config but it shows this notice:

network "network_swarm_public" is declared as external, but it is not in the right scope: "local" instead of "swarm"

Would you mind sharing your configuration for this? Thank you so much!

Hello … try using the same labels and ENV on your stack that is not swarmed; I believe it works.

Thank you for your answer @luizeof. It’s true that the issue is that n8n requires HTTPS, which is currently not available with my setup.

I tried your methods but it still doesn’t work (or maybe I’m missing something). I’ll keep digging and updating… Thank you so much!
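
Added example, not part of the thread and not n8n or Traefik project code: a small label check for the problems visible in the configs above, namely Traefik v1 keys mixed into a v2 setup, a router without an explicit rule, a certificate resolver name that is not defined, and a security-headers middleware that is defined but attached to no router. The function name `lint_labels` and the resolver set passed to it are assumptions, since the question's `traefik.yml` is not shown.

```python
import re

# Traefik v1 label keys; the v2 label syntax uses traefik.http.* instead.
V1_LABEL = re.compile(r"^traefik\.(port|protocol|backend|frontend\.[^=]+)$", re.I)
ROUTER = re.compile(r"^traefik\.http\.routers\.([^.]+)\.(.+)$", re.I)
MIDDLEWARE = re.compile(r"^traefik\.http\.middlewares\.([^.]+)\.", re.I)

# Subset of the labels on the n8n service in the question.
QUESTION_LABELS = [
    "traefik.enable=true",
    "traefik.port=5678",
    "traefik.frontend.rule=Host:(`${SUBDOMAIN}.${DOMAIN_NAME}`)",
    "traefik.backend=n8n-app",
    "traefik.http.routers.n8n.entrypoints=websecure",
    "traefik.http.routers.n8n.tls.certresolver=mytlschallenge",
    "traefik.http.middlewares.n8n.headers.STSSeconds=315360000",
]


def lint_labels(labels, resolvers):
    """Return findings for one service's Traefik labels.

    labels: "key=value" strings; resolvers: certificate resolver names
    defined in Traefik's static configuration (assumed known).
    """
    findings, routers, defined, attached = [], {}, set(), set()
    for label in labels:
        key, _, value = label.partition("=")
        key = key.strip()
        if V1_LABEL.match(key):
            findings.append(f"v1-label: {key} is Traefik v1 syntax, not used by v2")
        elif m := ROUTER.match(key):
            routers.setdefault(m.group(1), {})[m.group(2).lower()] = value
        elif m := MIDDLEWARE.match(key):
            defined.add(m.group(1))
    for name, opts in sorted(routers.items()):
        if "rule" not in opts:
            findings.append(f"no-rule: router {name} has no explicit rule")
        resolver = opts.get("tls.certresolver")
        if resolver and resolver not in resolvers:
            findings.append(f"unknown-resolver: router {name} uses {resolver}")
        # A router lists its middlewares as "name@provider,name2".
        for ref in opts.get("middlewares", "").split(","):
            attached.add(ref.strip().split("@")[0])
    for name in sorted(defined - attached):
        findings.append(f"unattached-middleware: {name} is on no router")
    return findings


if __name__ == "__main__":
    print("\n".join(lint_labels(QUESTION_LABELS, {"letsencryptresolver"})))
```

Run against the labels in the swarm answer, the same check reports only the unattached middleware: the HSTS and other header options there take effect only once a `traefik.http.routers.n8n.middlewares` label references the middleware.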