SSL docker-compose works but still accessible through http and port

Hey there! I just tested the server-setup with docker-compose and it works just fine.
http://n8n.mydomain.com doesn’t work and https://n8n.mydomain.com works.

But I noticed that I can still reach n8n through http://n8n.mydomain.com:5678

→ Is that something on my config end of the story? Is it intended behaviour and I just don’t use it in favour of the https version? Somehow I expected it would forward me to https when trying to access through http://n8n.mydomain.com:5678

Any hints are welcome!
Love this project a lot, thank you for your efforts!

Hello @leprodude welcome to the community and very great to hear that you love n8n!

Yes, that is currently, sadly, both expected behavior and not correct.

About not working with http
That has to do with me simply assuming that it should only be reachable via https. It could be made to work as you thought it would work but as I thought it would not be needed I did not want to spend time on it.

Still being reachable via port 5678
That has to do with problems I had creating the basic setup with traefik and docker-compose. It should not be reachable via that port. The n8n container should use its own docker-network for traefik and expose the port only in that network. It works fine for me in docker-swarm but, for an unknown reason, did not work in docker-compose. For that reason I left it like that for now. If you (or anybody else who reads this) have proper traefik experience (mine + my time is sadly more than limited) it would be amazing if the whole setup could be improved.

Okay, awesome and thank you for the quick answer!
I would love to contribute, unfortunately I have zero experience with traefik so far…

And I totally get that your priorities are better put elsewhere for now!

Thanks again for the quick reply!

You are welcome! Glad that you are happy even though I was not able to really help you with your issues :wink:

Starting to hire people now, so this and many other things will hopefully improve soon(ish).

1 Like

I know, some time passed, but I found a solution (in case it’s still relevant, I see there are new docker-compose files up already):

This is the docker-compose file I’m using, I think I only changed the 127.0.0.1:5678:5678 part
I tried to verify, but couldn’t find where I originally downloaded the file from.

This is probably more of a post towards closing it than being useful, but hey!
I love this tool so much and wanted to make sure I follow up.

```yaml
version: "3"

services:
  traefik:
    image: "traefik"
    command:
      - "--api=true"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.mytlschallenge.acme.tlschallenge=true"
      - "--certificatesresolvers.mytlschallenge.acme.email=${SSL_EMAIL}"
      - "--certificatesresolvers.mytlschallenge.acme.storage=/letsencrypt/acme.json"
    ports:
      - "443:443"
    volumes:
      - ${DATA_FOLDER}/letsencrypt:/letsencrypt
      - /var/run/docker.sock:/var/run/docker.sock:ro

  n8n:
    image: n8nio/n8n
    ports:
      # Publish 5678 on the host's loopback interface only, not on every interface
      - "127.0.0.1:5678:5678"
    labels:
      - traefik.enable=true
      - traefik.http.routers.n8n.rule=Host(`${SUBDOMAIN}.${DOMAIN_NAME}`)
      - traefik.http.routers.n8n.tls=true
      - traefik.http.routers.n8n.entrypoints=websecure
      - traefik.http.routers.n8n.tls.certresolver=mytlschallenge
      - traefik.http.middlewares.n8n.headers.SSLRedirect=true
      - traefik.http.middlewares.n8n.headers.STSSeconds=315360000
      - traefik.http.middlewares.n8n.headers.browserXSSFilter=true
      - traefik.http.middlewares.n8n.headers.contentTypeNosniff=true
      - traefik.http.middlewares.n8n.headers.forceSTSHeader=true
      - traefik.http.middlewares.n8n.headers.SSLHost=${DOMAIN_NAME}
      - traefik.http.middlewares.n8n.headers.STSIncludeSubdomains=true
      - traefik.http.middlewares.n8n.headers.STSPreload=true
    environment:
      - N8N_BASIC_AUTH_ACTIVE=true
      - N8N_BASIC_AUTH_USER
      - N8N_BASIC_AUTH_PASSWORD
      - N8N_HOST=${SUBDOMAIN}.${DOMAIN_NAME}
      - N8N_PORT=5678
      - N8N_PROTOCOL=https
      - NODE_ENV=production
      - WEBHOOK_TUNNEL_URL=https://${SUBDOMAIN}.${DOMAIN_NAME}/
      - VUE_APP_URL_BASE_API=https://${SUBDOMAIN}.${DOMAIN_NAME}/
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ${DATA_FOLDER}/.n8n:/root/.n8n
```

2 Likes
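A check for the issue this thread resolves, as an added example that is not part of any post or of n8n's own files: it reads the `ports:` entries of a parsed compose file and reports every port published beyond loopback, other than Traefik's 443. The function names, the allow-list and the "before" entry `5678:5678` are assumptions.

```python
import ipaddress

def parse_port(entry):
    """Return (host_ip, host_port, container_port) for one compose `ports:` entry.

    A host port given without an address binds to 0.0.0.0, i.e. every
    interface; an empty host_port means Docker picks an ephemeral one.
    """
    if isinstance(entry, dict):                      # long syntax
        return (entry.get("host_ip", "0.0.0.0"),
                str(entry.get("published", "")), str(entry["target"]))
    spec = str(entry).split("/")[0]                  # drop "/tcp" or "/udp"
    if spec.startswith("["):                         # bracketed IPv6 host address
        ip, _, rest = spec[1:].partition("]:")
        parts = [ip] + rest.split(":")
    else:
        parts = spec.split(":")
    if len(parts) == 1:                              # "5678"
        return "0.0.0.0", "", parts[0]
    if len(parts) == 2:                              # "5678:5678"
        return "0.0.0.0", parts[0], parts[1]
    return parts[0], parts[1], parts[2]              # "127.0.0.1:5678:5678"

def exposed_ports(services, allowed=("443",)):
    """List (service, entry) pairs reachable from outside the host,
    except host ports in `allowed` (here: Traefik's TLS entrypoint)."""
    findings = []
    for name, svc in services.items():
        for entry in svc.get("ports", []):
            host_ip, host_port, _ = parse_port(entry)
            if ipaddress.ip_address(host_ip).is_loopback or host_port in allowed:
                continue
            findings.append((name, str(entry)))
    return findings

# Constructed input: the `services` mapping of the compose file in this thread.
# BEFORE assumes the original entry was "5678:5678"; AFTER is the posted fix.
BEFORE = {"traefik": {"ports": ["443:443"]}, "n8n": {"ports": ["5678:5678"]}}
AFTER = {"traefik": {"ports": ["443:443"]},
         "n8n": {"ports": ["127.0.0.1:5678:5678"]}}

if __name__ == "__main__":
    print("before:", exposed_ports(BEFORE))
    print("after: ", exposed_ports(AFTER))
```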

Thanks a lot for sharing @leprodude!

Yes, that is really helpful! It actually makes total sense to simply make it available to localhost only to solve that issue. Did already update it in the documentation.

1 Like

One other thing to think about when it comes to n8n (or any web-based tool for that matter)… Rarely is a single tool or application a “one size fits all” solution. Everything has its niche in which it excels but there is often something else that the developer or end user wants to do.

So, in this case, the focus was on security and remote access. While I would expect n8n to have some basic security features, it is not a security tool. I would expect that I have to augment this piece of the total solution with some other application, device, or system. Depending on your system or configuration, you could:

  • Block port 80 on your external firewall
  • Use a local firewall to prevent port 80 access

I would also suggest that if you are running this on a remote host on the internet, at the bare minimum restrict access to your n8n interface to your static IP. Better yet, if it is a VM, set up a VPN tunnel and only allow access through that tunnel.

2 Likes