SSL and Security

Hello, I am new to this. Can someone help me out with all the steps I need to follow after installing n8n on my server? I am finding it quite difficult to install SSL and access n8n securely.

Yes, sorry there is currently no proper documentation about it yet. I added some examples here:

I hope that helps!

Can you just give an overview about it? Where do I get started on installing SSL? It would be very helpful.

What I referenced above actually includes everything you need. SSL is sadly not something you simply “install”. Next to the software, you also need an actual certificate, which you either buy or “get” from a free service like Let's Encrypt.

Again the setup I referenced above should take care of all of that. Think there is no simpler way to get all up and running in a platform and provider-independent way than Docker compose.

Yeah, I have installed n8n on a virtual server (Virtualmin). I got an SSL certificate from Let's Encrypt but I am not able to connect with https. Any help with that?

Seems you have a very specific setup, and not everyone here is familiar with Virtualmin (maybe no one here is).

The link @jan pointed at contains everything you need, but if that isn’t enough you can try the following docker-compose file which includes n8n and traefik. It will need some adjustments in the variables I am using.

version: '2.2'
# Keep version 2 for standalone node for CPU limits

services:
  traefik:
    image: "traefik"
    container_name: "traefik"
    restart: always
    networks:
      - traefik_proxy
    command:
      - "--api=true"
      - "--entrypoints.http.address=:80"
      - "--entrypoints.https.address=:443"
      - "--providers.docker.exposedbydefault=true"
      - "--providers.docker.watch=true"
      - "--providers.docker=true"
      - "--providers.file.watch=true"
    ports:
      - "443:443"
      - "8080:8080"
      - "80:80"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ${USERDIR}/Settings/Traefik/traefik.toml:/traefik.toml
      - ${USERDIR}/Settings/Traefik/config:/config
      - ${USERDIR}/Settings/Traefik/acme.json:/acme.json
      - ${USERDIR}/Settings/Traefik/error.log:/error.log
      - ${USERDIR}/Settings/Traefik/access.log:/access.log
    labels:
      - "traefik.docker.network=traefik_proxy"
      - "traefik.enable=true"
      - "traefik.http.middlewares.traefik.stripprefix.prefixes=traefik/"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.tls.options=default"
      - "traefik.http.routers.traefik.tls=true"
      - "traefik.http.services.traefik.loadbalancer.server.port=8080"
  n8n:
    image: n8nio/n8n
    restart: always
    container_name: n8n
    networks:
      - traefik_proxy
    ports:
      - 5678:5678
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.n8n.rule=Host(`n8n.${DOMAIN_NAME}`)"
      - "traefik.http.routers.n8n.tls=true"
      - "traefik.port=5678"
      - "traefik.docker.network=traefik_proxy"
      - "traefik.http.middlewares.n8n.headers.SSLRedirect=true"
      - "traefik.http.middlewares.n8n.headers.STSSeconds=315360000"
      - "traefik.http.middlewares.n8n.headers.browserXSSFilter=true"
      - "traefik.http.middlewares.n8n.headers.contentTypeNosniff=true"
      - "traefik.http.middlewares.n8n.headers.forceSTSHeader=true"
      - "traefik.http.middlewares.n8n.headers.SSLHost=${DOMAIN_NAME}"
      - "traefik.http.middlewares.n8n.headers.STSIncludeSubdomains=true"
      - "traefik.http.middlewares.n8n.headers.STSPreload=true"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /home/bruno/n8n/.n8n:/root/.n8n
    environment:
      - N8N_HOST=n8n.${DOMAIN_NAME}
      - N8N_PROTOCOL=https
      - N8N_PORT=5678
      - VUE_APP_URL_BASE_API=https://n8n.${DOMAIN_NAME}/
      - N8N_BASIC_AUTH_ACTIVE=true
      - N8N_BASIC_AUTH_USER=USER
      - N8N_BASIC_AUTH_PASSWORD=PASS
networks:
  traefik_proxy:
    external:
      name: traefik_proxy
  default:
    driver: bridge
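
A reduced-exposure variant of the compose file above, added here as an example and not part of the original post. It assumes Traefik v2 label syntax and hypothetical `N8N_USER` / `N8N_PASSWORD` variables in a `.env` file; certificate issuance is not configured in this fragment.

```yaml
# Added example, not the poster's file. Assumed: Traefik v2 label syntax,
# DOMAIN_NAME / USERDIR / N8N_USER / N8N_PASSWORD set in a .env file.
version: '2.2'
services:
  traefik:
    image: "traefik"
    restart: always
    networks:
      - traefik_proxy
    command:
      - "--entrypoints.http.address=:80"
      - "--entrypoints.https.address=:443"
      - "--providers.docker=true"
      # Route only containers that set traefik.enable=true.
      - "--providers.docker.exposedbydefault=false"
    ports:
      - "80:80"
      - "443:443"   # 8080 is not published and --api is not enabled
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
  n8n:
    image: n8nio/n8n
    restart: always
    networks:
      - traefik_proxy
    # No "ports:" entry: 5678 is reachable only through Traefik over TLS.
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.n8n.rule=Host(`n8n.${DOMAIN_NAME}`)"
      - "traefik.http.routers.n8n.entrypoints=https"
      - "traefik.http.routers.n8n.tls=true"
      # A middleware only takes effect once a router references it.
      - "traefik.http.routers.n8n.middlewares=n8n"
      - "traefik.http.services.n8n.loadbalancer.server.port=5678"
      - "traefik.http.middlewares.n8n.headers.stsSeconds=315360000"
      - "traefik.http.middlewares.n8n.headers.stsIncludeSubdomains=true"
      - "traefik.http.middlewares.n8n.headers.contentTypeNosniff=true"
    volumes:
      - ${USERDIR}/n8n/.n8n:/root/.n8n   # Docker socket is not mounted
    environment:
      - N8N_HOST=n8n.${DOMAIN_NAME}
      - N8N_PROTOCOL=https
      - N8N_PORT=5678
      - N8N_BASIC_AUTH_ACTIVE=true
      - N8N_BASIC_AUTH_USER=${N8N_USER}
      - N8N_BASIC_AUTH_PASSWORD=${N8N_PASSWORD}
networks:
  traefik_proxy:
    external: true
```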

Thanks @brunoamaral, I would like to know the steps to set up the files which @jan mentioned in his reply.

You have to save the docker-compose.yaml into its own folder and run sudo docker-compose pull and sudo docker-compose up -d --build.

Make sure you have docker and docker-compose installed on the server or your local machine.

The file I shared, and any other for that matter, will have settings that you need to adjust to your needs. Such as directories where you want to store information, domain names to use, etc.

@brunoamaral @jan I did install docker and docker compose on my server but I am not really familiar with those. So I was wondering if you could send the steps to configure it. It would be of great help, thanks in advance.

Try to finish some kind of tutorial in the next hours.

@jan Ok thanks for the help, and great work with the application.

@Yuvadeep Nothing to thank for. It was me after all who did not find time to create a tutorial for that. Now however I did.
It is probably not the best tutorial ever but it should hopefully help anyway. It can be found now in the docs here:

@jan Can't thank you enough :blush:, got it up and running.

Nothing to thank for. Just very happy to hear that you got n8n up and running. Hope you enjoy it and it proves helpful for you! Have a great day!

After installing and following the steps, my server is OK but SSL is not OK. How can I find and check the .crt and .key files on my n8n server?

Little journal of how I’m trying to fix Traefik and LetsEncrypt, based on the official n8n docker docs.

I ran https://letsdebug.net/ on my system and it came up with two issues:

  1. IPv4 port 80 was not exposed
  2. IPv6 port 80 was not exposed

Here’s the full report: Let's Debug

Solution part 1: expose port 80 as a redirect to port 443

  • Add to the Traefik command list after --providers.docker.exposedbydefault=false:
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entryPoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
  • Add to the Traefik ports:
      - "80:80"
  • Update the n8n label traefik.http.routers.n8n.entrypoints to read:
      - traefik.http.routers.n8n.entrypoints=web,websecure

OK, cool! IPv4 error is gone: Let's Debug

Solution part 2: expose IPv6

I’m reading recent accounts of Traefik / docker not correctly handling IPv6, and requiring a downgrade. Still reading.

Traefik doesn’t care about IPv6, if traffic reaches the container, traefik will handle it.
Your question is how to support IPv6 in docker. I’d suggest asking a question in r/docker

Pfft I’m just going to try deleting the IPv6 DNS record.

Yay!

I’m no expert in traefik or docker but this looks like it might be a simple improvement if the docs for future users’ self-hosting integrated the docker-compose changes I made above.

Updated docs PR: Update docker-compose to fix LetsEncrypt config by janbaykara · Pull Request #421 · n8n-io/n8n-docs · GitHub

Thanks a lot. But I do not understand. I did not expose port 80 on purpose. I agree that it is best practice for a public website to have a redirect from port 80 to 443 but do not really see it for something like n8n. I would say the less visibility the better.

The reason being that LetsEncrypt was looking for port 80 and rejected the request because it couldn’t be found. See this report Let's Debug

n8n.commonknowledge.coop has an A (IPv4) record… but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.

When I exposed port 80, this error went away.

Very interesting. That makes sense. But I still wonder why it is not a problem for other users. I did run a test install on DO around 2 months ago and there it still worked fine. Also, nobody else reported issues in the meantime. I wonder if there is maybe some other issue at play here for you.

I will follow the guide again and see if it still works fine or if it now also breaks for me.
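
Whether port 80 has to be reachable for Let's Encrypt depends on the ACME challenge type Traefik is configured to use: HTTP-01 is validated over port 80, TLS-ALPN-01 over port 443. The fragment below is an added example, not taken from the n8n docs or from any poster; the resolver names `letls` and `lehttp`, the `ACME_EMAIL` variable and the `./letsencrypt` path are assumptions.

```yaml
# Added example: Traefik v2 static flags for the two ACME challenge types.
# Assumed names: resolvers "letls" / "lehttp", variable ACME_EMAIL,
# storage path /letsencrypt/acme.json.
services:
  traefik:
    image: "traefik"
    command:
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.websecure.address=:443"
      # Option A: TLS-ALPN-01. Validation happens on port 443, so port 80
      # does not have to be published at all.
      - "--certificatesresolvers.letls.acme.tlschallenge=true"
      - "--certificatesresolvers.letls.acme.email=${ACME_EMAIL}"
      - "--certificatesresolvers.letls.acme.storage=/letsencrypt/acme.json"
      # Option B: HTTP-01. Validation happens on port 80, so the "web"
      # entrypoint must exist and 80 must be published.
      # - "--entrypoints.web.address=:80"
      # - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      # - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
      # - "--certificatesresolvers.lehttp.acme.httpchallenge.entrypoint=web"
      # - "--certificatesresolvers.lehttp.acme.email=${ACME_EMAIL}"
      # - "--certificatesresolvers.lehttp.acme.storage=/letsencrypt/acme.json"
    ports:
      - "443:443"
      # - "80:80"   # only for option B
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # Issued certificates and private keys are kept in acme.json here,
      # not as separate .crt/.key files.
      - ./letsencrypt:/letsencrypt
  n8n:
    image: n8nio/n8n
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.n8n.rule=Host(`n8n.${DOMAIN_NAME}`)"
      - "traefik.http.routers.n8n.entrypoints=websecure"
      - "traefik.http.routers.n8n.tls=true"
      # Use the resolver that matches the option chosen above.
      - "traefik.http.routers.n8n.tls.certresolver=letls"
      - "traefik.http.services.n8n.loadbalancer.server.port=5678"
```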