Restrict access by IP

Hello, I’m running a self-hosted n8n server, and I would like to add more security to this server.

I would like to have 2FA, but as I have seen, it is on the roadmap, and there’s no ETA available yet.

So I would like to approach this differently. I want to allow only to see my backend URL (i.e., something.backend.io) only to whitelisted IP addresses.

How can I achieve that?

Thanks!

Hey @yukyo,

Best option would be to do it externally so through a firewall or reverse proxy. What I do with one of my instances that has no need for external webhooks or triggers is I have it listening on the loop back address then to access it I just use an SSH tunnel.

Hi @jon, thanks for the answer.
Maybe I have not described what I’m trying to do correctly.

Ideally, I would like to have 2FA with my self-hosted n8n server: So whenever I open my backend URL (where I edit the scenarios), i.e., backend.something.io, I get asked to complete a 2FA to log in and see the scenarios (and the executions) where sensitive data may be exposed.

As I have seen, 2FA is something you guys are working on, but there’s no ETA. So I would like to “block” all the users from seeing the backend.something.io login pop-up (where it asks for the user/password) to log in and only allow them to see that pop-up if the IP is whitelisted.

I know this is doable with Apache, but I don’t know if n8n runs over Apache. And if I restrict the IPs that can visit the n8n backend scenario, I’m not sure if the API requests sent to this server would run or they would be rejected as the sender servers are not whitelisted.

Thanks.

Hey @yukyo,

You were clear, there is nothing I can add to the MFA request it is something we have on our list but have not implemented yet.

The solution would be to use a reverse proxy or a firewall to restrict access to the paths. This would be some outside of n8n using something like Apache or nginx.

Got it, something like this would work: Apache Restrict Access to URL by IP - Ubiq BI ?

Do you know if I restrict the access to the url by IP the webhooks that I have created in the n8n would still work?

Thanks.

Hey @yukyo,

To be honest I don’t have an answer for that one, it all depends on your rule.

If you allow the webhook to be called from the IP then it will work.