Rest callback url behind cloudflare tunnel 401 Unauthorized

Hi there,
I use cloudflare tunnel to expose n8n to the Internet.
Recently I had a problem adding a new integration that used OAuth for authorization: my rest callback url always returns a 401 Unauthorized error.
It worked fine before, but I don’t know exactly when it stopped and after which update.
My docker compose:

version: '3.8'
x-shared: &shared
    image: n8nio/n8n:1.22.6
    restart: unless-stopped
    environment:
        - N8N_PORT=5678
        - N8N_PROTOCOL=https
        - NODE_ENV=production
        - WEBHOOK_URL=https://${domain}/
        - N8N_HOST=${domain}
        - N8N_ONBOARDING_FLOW_DISABLED=true
        - NODE_FUNCTION_ALLOW_BUILTIN=crypto
        - EXECUTIONS_DATA_PRUNE=true
        - EXECUTIONS_DATA_MAX_AGE=730
        - EXECUTIONS_DATA_PRUNE_MAX_COUNT=0
        - EXECUTIONS_DATA_SAVE_ON_ERROR=all
        - EXECUTIONS_DATA_SAVE_ON_SUCCESS=all
        - EXECUTIONS_DATA_SAVE_ON_PROGRESS=false
        - EXECUTIONS_DATA_SAVE_MANUAL_EXECUTIONS=true
        - EXECUTIONS_TIMEOUT=1800
        - GENERIC_TIMEZONE=Europe/Warsaw
        - TZ=Europe/Warsaw
        - 'N8N_ENCRYPTION_KEY=${n8n_key}'
        - DB_TYPE=postgresdb
        - DB_POSTGRESDB_DATABASE=n8n
        - DB_POSTGRESDB_HOST=postgres
        - DB_POSTGRESDB_USER=${db_user}
        - DB_POSTGRESDB_PASSWORD=${db_pass}
        - DB_POSTGRESDB_SCHEMA=n8n
        - EXECUTIONS_MODE=queue
        - QUEUE_BULL_REDIS_HOST=redis
        - 'QUEUE_BULL_REDIS_PASSWORD=${redis_pass}'
        - QUEUE_HEALTH_CHECK_ACTIVE=true
    networks:
      - default
      - n8n_addon
    depends_on:
     redis:
       condition: service_healthy
     postgres:
       condition: service_healthy
services:
  postgres:
    container_name: postgres
    image: postgres:15
    restart: unless-stopped
    volumes:
      - /home/docker/ct/n8n-DB/PostgresDB:/var/lib/postgresql/data
    healthcheck:
      test: ['CMD-SHELL', 'pg_isready -h localhost -U ${db_user}']
      interval: 5s
      timeout: 5s
      retries: 10
    environment:
      POSTGRES_PASSWORD: ${db_pass}
      POSTGRES_USER: ${db_user}
      TZ: Europe/Warsaw
      PGTZ: Europe/Warsaw
  redis:
    container_name: redis
    image: redis:7-alpine
    restart: unless-stopped
    command: redis-server --requirepass ${redis_pass}
    volumes:
      - /home/docker/ct/n8n-DB/redis:/data
    healthcheck:
      test: ['CMD', 'redis-cli', 'ping']
      interval: 5s
      timeout: 5s
      retries: 10
  n8n-worker:
    <<: *shared
    command: worker --concurrency=5
    deploy:
      mode: replicated
      replicas: 8
    volumes:
        - /home/docker/ct/n8n-DB/n8n/ssh:/home/node/.n8n/ssh
        - /home/docker/ct/n8n-DB/n8n/nodes:/home/node/.n8n/nodes
        - /home/docker/ct/n8n-DB/storage:/localstorage
        - /home/docker/ct/graylog/graylog/data/lookup_tables:/graylog_lookup_tables
    depends_on:
      - n8n
  n8n:
    <<: *shared
    container_name: n8n-db
    ports:
        - 192.168.0.106:5678:5678
    volumes:
        - /home/docker/ct/n8n-DB/n8n:/home/node/.n8n
        - /home/docker/ct/n8n-DB/storage:/localstorage
        - /home/docker/ct/graylog/graylog/data/lookup_tables:/graylog_lookup_tables

  cloudflared:
    container_name: cf-tunnel-n8n
    image: cloudflare/cloudflared
    restart: unless-stopped
    labels:
       - com.centurylinklabs.watchtower.enable=true
       - com.centurylinklabs.watchtower.scope=watchtower
    environment:
        - NO_AUTOUPDATE=true
    command: tunnel run --token ${cf_token}

networks:
  n8n_addon:
    name: n8n_addon
    external: true

Cloudflare tunnel configuration:
image

I can execute externally any URL defined in cloudflare tunnel, except rest/oauth2-credential/callback.
It always returns Unauthorized.

Hey @Valdri,

It sounds like you might need to make some changes to your Cloudflare configuration. Are you maybe stripping URL parameters and headers?

Hey @Jon,
This is my configuration for rest callback:


And this for webhook:

The webhook works, but the callback does not.

I can access the callback directly through the local IP address:

http://192.168.0.106:5678/rest/oauth2-credential/callback

But when I try to do it in an external domain, I get an Unauthorized error.

I have found the reason why it does not work.
I found out that if I go to

http://192.168.0.106:5678/rest/oauth2-credential/callback

in incognito mode, I get the Unauthorized error.
So the callback requires an authorized n8n user session to access, and when I use the external callback URL via the domain, there is no such session because I am logged into http://192.168.0.106:5678.

I changed the Cloudflare configuration and now use n8n through an external domain.

1 Like
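
The cause found in the last post, as an added example that is not part of the original thread or n8n's own code: a session cookie set while logged in at the LAN address is host-only, so the browser does not attach it when the OAuth redirect lands on the external hostname, and the callback answers 401. The hostname `n8n.example.com`, the cookie name `session`, the token value and the `callback_status` check are assumptions that model the behaviour described above.

```python
import email.message
import urllib.request
from http.cookiejar import CookieJar
from http.cookies import SimpleCookie

LOCAL = "http://192.168.0.106:5678"      # origin the poster was logged into
EXTERNAL = "https://n8n.example.com"     # assumed placeholder for ${domain}
CALLBACK = "/rest/oauth2-credential/callback"
SESSIONS = {"constructed-token"}         # constructed server-side session store


class LoginResponse:
    """Constructed login response carrying a host-only session cookie."""
    def info(self):
        msg = email.message.Message()
        msg["Set-Cookie"] = "session=constructed-token; Path=/; HttpOnly"
        return msg


def browser_after_login(origin):
    """Cookie jar as a browser would hold it after logging in at origin."""
    jar = CookieJar()
    jar.extract_cookies(LoginResponse(), urllib.request.Request(origin + "/"))
    return jar


def cookie_sent(jar, url):
    """Cookie header the browser attaches to url (None if nothing matches)."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def callback_status(cookie_header):
    """Model of the observed behaviour: the callback needs a valid session."""
    cookies = SimpleCookie(cookie_header or "")
    token = cookies["session"].value if "session" in cookies else None
    return 200 if token in SESSIONS else 401


def redirect_result(login_origin, callback_origin):
    """Status returned when the user logged in at one origin and is redirected to another."""
    jar = browser_after_login(login_origin)
    return callback_status(cookie_sent(jar, callback_origin + CALLBACK))


if __name__ == "__main__":
    for login, cb in [(LOCAL, LOCAL), (LOCAL, EXTERNAL), (EXTERNAL, EXTERNAL)]:
        print(login, "->", cb, redirect_result(login, cb))
```

The third case corresponds to the fix in the thread: logging in and receiving the callback on the same external origin keeps the session cookie in scope.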
