N8n.io with Docker and Traefik 2

Background:

I have only 1 Ubuntu VPS and using Docker / Docker-compose / Traefik 2 to install and run multiple web apps. Such apps like Ghost / Wordpress are running as normal, but I can’t use n8n. After installing and doing some config with docker-compose.yml, the UI shows up but it can’t run any function.

Please take a look at my docker-compose.yml as below. Please help me with this. I don’t know what’s wrong with the config.

/root/docker-compose.yml (For Traefik 2)

version: '3.7'

services:
  traefik:
    image: traefik:v2.4
    container_name: traefik
    restart: always
    security_opt:
      - no-new-privileges:true
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data/traefik.yml:/traefik.yml:ro
      - ./data/acme.json:/acme.json
      # Add folder with dynamic configuration yml
      - ./data/configurations:/configurations
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=proxy"
      - "traefik.http.routers.traefik-secure.entrypoints=websecure"
      - "traefik.http.routers.traefik-secure.rule=Host(`dash.thedailymorrow.com`)"
      - "traefik.http.routers.traefik-secure.middlewares=user-auth@file"
      - "traefik.http.routers.traefik-secure.service=api@internal"

networks:
  proxy:
    external: true

/root/n8n/docker-compose.yml (For n8n)

version: "3.7"

services:
  n8n:
    image: n8nio/n8n
    restart: always
    container_name: n8n
    ports:
      - "127.0.0.1:5678:5678"
    networks:
      - proxy
      - services
    labels:
      - traefik.enable=true
      - traefik.docker.network=proxy
      - traefik.port=5678
      - traefik.protocol=http
      - traefik.frontend.rule=Host:(`${SUBDOMAIN}.${DOMAIN_NAME}`)
      - traefik.backend=n8n-app
      - traefik.http.routers.n8n.tls=true
      - traefik.http.routers.n8n.entrypoints=websecure
      - traefik.http.routers.n8n.tls.certresolver=mytlschallenge
      - traefik.http.middlewares.n8n.headers.SSLRedirect=true
      - traefik.http.middlewares.n8n.headers.STSSeconds=315360000
      - traefik.http.middlewares.n8n.headers.browserXSSFilter=true
      - traefik.http.middlewares.n8n.headers.contentTypeNosniff=true
      - traefik.http.middlewares.n8n.headers.forceSTSHeader=true
      - traefik.http.middlewares.n8n.headers.SSLHost=${DOMAIN_NAME}
      - traefik.http.middlewares.n8n.headers.STSIncludeSubdomains=true
      - traefik.http.middlewares.n8n.headers.STSPreload=true
    environment:
      - N8N_BASIC_AUTH_ACTIVE=true
      - N8N_BASIC_AUTH_USER
      - N8N_BASIC_AUTH_PASSWORD
      - N8N_HOST=${SUBDOMAIN}.${DOMAIN_NAME}
      - N8N_PORT=5678
      - N8N_PROTOCOL=https
      - NODE_ENV=production
      - WEBHOOK_URL=https://${SUBDOMAIN}.${DOMAIN_NAME}/
      - GENERIC_TIMEZONE=${GENERIC_TIMEZONE}
      - WEBHOOK_URL=https://${SUBDOMAIN}.${DOMAIN_NAME}/
      - VUE_APP_URL_BASE_API=https://${SUBDOMAIN}.${DOMAIN_NAME}/
    volumes:
      - ${DATA_FOLDER}/.n8n:/home/node/.n8n
      - /local-files:/files

networks:
    proxy:
      external: true
    services:
      external: true

The .env file is the same with official guidance from n8n

Please help me out. Thank you so much!

Information on your n8n setup

  • n8n version: 0.149.0
  • Running n8n with the execution process: root
  • Running n8n via: Docker version 20.10.7, build 20.10.7-0ubuntu5~20.04.2

Hi @miniduke, I’m sorry to hear you’re running into this behavior. Could elaborate a bit on the error you are facing? When saying the UI shows up that means you can open your n8n domain, log in with your basic auth credentials and see the n8n canvas? What exactly would “it can’t run any function” mean, is this a problem specific to the Function node?

Hi @MutedJam, thanks for your reply.

Yes I can still login with basic auth credentials and see the n8n canvas. I use the Telegram trigger node to test if it can retrieve the message, but after a long wait, nothing happens. I tried several times and the result is still the same.

One more thing is that the SSL doesn’t seem to work. Please see the photo below:

Please help me out. Thank you!

With n8n working in principle but also seeing your SSL/TLS certificate, I suspect something isn’t quite working as expected with your Traefik configuration. A problem with your proxy in front of n8n would also explain why Telegram might not be able to send webhooks to n8n.

I am not familiar with Traefik, but in a first step you might want to double check your Traefik configuration for any pointers (it seems you are doing this through your traefik.yml and configurations files) here. Does your configuration match the suggested configuration? Has a certificate been generated for your n8n subdomain by Traefik?

3 Likes

Thank you. I’ll take a look at it again and see if it works.

You need certificatesresolvers on traefik:

version: "3.7"

services:
  traefik:
    image: traefik:latest
    command:
      - "--api.dashboard=false"
      - "--providers.docker.swarmMode=true"
      - "--providers.docker.endpoint=unix:///var/run/docker.sock"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.network=network_public"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
      - "--entrypoints.web.http.redirections.entrypoint.permanent=true"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.letsencryptresolver.acme.httpchallenge=true"
      - "--certificatesresolvers.letsencryptresolver.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.letsencryptresolver.acme.email=youremail@gmail.com"
      - "--certificatesresolvers.letsencryptresolver.acme.storage=/etc/traefik/letsencrypt/acme.json"
      - "--log.level=DEBUG"
      - "--log.format=common"
      - "--log.filePath=/var/log/traefik/traefik.log"
      - "--accesslog=true"
      - "--accesslog.filepath=/var/log/traefik/access-log"
    deploy:
      placement:
        constraints:
          - node.role == manager
      labels:
        - "traefik.enable=true"
        - "traefik.http.middlewares.redirect-https.redirectscheme.scheme=https"
        - "traefik.http.middlewares.redirect-https.redirectscheme.permanent=true"
        - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
        - "traefik.http.routers.http-catchall.entrypoints=web"
        - "traefik.http.routers.http-catchall.middlewares=redirect-https@docker"
        - "traefik.http.routers.http-catchall.priority=1"
      resources:
        limits:
          memory: 1024M
      restart_policy:
        condition: on-failure
        delay: 11s
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "vol_certificates:/etc/traefik/letsencrypt"
    ports:
      - target: 80
        published: 80
        mode: host
      - target: 443
        published: 443
        mode: host
    networks:
      - network_public
volumes:
  vol_shared:
    external: true
    name: volume_swarm_shared
  vol_certificates:
    external: true
    name: volume_swarm_certificates
networks:
  network_public:
    external: true
    name: network_swarm_public

put the n8n port on loadbalancer:

version: '3.7'

services:

  n8n:
    image: n8nio/n8n
    environment:
      - DB_TYPE=mysqldb
      - DB_MYSQLDB_DATABASE=n8n
      - DB_MYSQLDB_HOST=database
      - DB_MYSQLDB_PORT=3306
      - DB_MYSQLDB_USER=root
      - DB_MYSQLDB_PASSWORD=asdf
      - N8N_BASIC_AUTH_ACTIVE=true
      - N8N_BASIC_AUTH_USER=asdf
      - N8N_BASIC_AUTH_PASSWORD=asdf
      - N8N_ENCRYPTION_KEY=MdRRn2jiZuVeh5tI77A6
      - N8N_HOST=n8n.yourdomain.com
      - N8N_PROTOCOL=https
      - NODE_ENV=production
      - WEBHOOK_URL=https://webhooks.yourdomain.com/
    deploy:
      mode: replicated
      replicas: 1
      placement:
        constraints:
          - node.role == manager
      resources:
        limits:
          cpus: '0.5'
          memory: 512M
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.n8n.rule=(Host(`n8n.yourdomain.com`) || Host(`webhooks.yourdomain.com`))"
        - "traefik.http.routers.n8n.entrypoints=websecure"
        - "traefik.http.routers.n8n.tls.certresolver=letsencryptresolver"
        - "traefik.http.services.n8n.loadbalancer.server.port=5678"
        - "traefik.http.services.n8n.loadbalancer.passHostHeader=true"
        - "traefik.http.middlewares.n8n.headers.SSLRedirect=true"
        - "traefik.http.middlewares.n8n.headers.STSSeconds=315360000"
        - "traefik.http.middlewares.n8n.headers.browserXSSFilter=true"
        - "traefik.http.middlewares.n8n.headers.contentTypeNosniff=true"
        - "traefik.http.middlewares.n8n.headers.forceSTSHeader=true"
        - "traefik.http.middlewares.n8n.headers.SSLHost=n8n.yourdomain.com"
        - "traefik.http.middlewares.n8n.headers.STSIncludeSubdomains=true"
        - "traefik.http.middlewares.n8n.headers.STSPreload=true"
    volumes:
       - n8n-data:/var/www/html
    networks:
      - network_public
    command: /bin/sh -c "sleep 10; n8n start"

volumes:
  n8n-data:

networks:
  network_public:
    external: true
    name: network_swarm_public

3 Likes

Thanks @luizeof for your answer. It did help me a lot in further investigate the problem. However, this will require to run Docker in swarm mode right? I’m not quite familiar with this.

And furthermore, I follow your config but it shows this notice

network "network_swarm_public" is declared as external, but it is not in the right scope: "local" instead of "swarm"

Would you mind sharing your configuration for this? Thank you so much!

hello … try using the same labels and ENV on your stack that is not swarmed, I believe it works.

Thank you for your answer @luizeof . It’s true that the issue is n8n require HTTPS and it’s currently not available with my setup.

I tried with your methods but still doesn’t work (or maybe I’m missing something). I’ll keep digging and updating… Thank you so much!

could you probably solve your problem?
I have same problem and Unfortunately I cant use traefik with several web app.

Hi @mooghermez . Unfortunately, I have to use Wordpress on another host. However, I think the issue is that I was not familiar with how Traefik works, so it might limit the ability to use other web apps on the same host. I think you should dig into Traefik and work it out. Or try using the WP docker image and directing it to another port in the docker-image file.

Does anyone have a working setup with Traefik-2.x and latest n8n in docker?

Hesitating to hijack this thread, on the other hand that’s a good way to contact the few users who already tried to set that up, right?

In my case I try to set up a local instance on my desktop machine. Using test certs generated by mkcert for a $DOMAIN=docker.localhost. So the parts with the ACME resolvers are different. Things work for stuff like traefik.docker.localhost and portainer.docker.localhost.

Let me know if should keep posting here or start a new issue. I will happily share my configs then.

Hey @sgw,

It is probably best to make a new thread although this does appear to be a Traefik configuration issue and not really related to n8n so our support on that is going to be a bit limited.

As a starting point though it looks like what you would need to do is make a config file for Traefik and set your certs in there (Traefik TLS Documentation - Traefik), I think you can then drop the cert resolvers from the config and all would be good.

@Jon I understand that this is more of a Traefik issue maybe :wink: will create a new thread this afternoon.

new thread: N8n with traefik-2