How to set up HTTPS for n8n?

Setting up HTTPS for n8n involves obtaining SSL certificates and configuring your n8n instance to use secure connections. This can be achieved through several methods including using a reverse proxy like Nginx, integrating Let's Encrypt certificates, or using Docker with proper environment variables. The process ensures encrypted communication between clients and your n8n server, protecting sensitive workflow data.

 

Comprehensive Guide to Setting Up HTTPS for n8n

 

Step 1: Choose Your Deployment Method

 

Before proceeding with HTTPS setup, determine how you've deployed n8n. There are several common deployment methods:

• Docker container
• NPM installation
• n8n cloud
• Self-hosted on a server

The approach to setting up HTTPS will vary depending on your deployment method. In this guide, we'll cover multiple approaches to suit different deployment scenarios.

 

Step 2: Understand the HTTPS Setup Options for n8n

 

There are several ways to enable HTTPS for your n8n instance:

• Using a reverse proxy (like Nginx or Apache)
• Direct SSL configuration in n8n
• Using Let's Encrypt for automatic certificate management
• Using Docker with appropriate environment variables

 

Step 3: Obtain an SSL Certificate

 

Before configuring HTTPS, you'll need a valid SSL certificate. Here are options to obtain one:

Option 1: Let's Encrypt (Free)

Let's Encrypt provides free SSL certificates valid for 90 days with automatic renewal.

# Install Certbot (for Ubuntu/Debian)
sudo apt update
sudo apt install certbot

# If using Nginx
sudo apt install python3-certbot-nginx

# If using Apache
sudo apt install python3-certbot-apache

# Obtain a certificate
sudo certbot certonly --standalone -d yourdomain.com

Option 2: Purchase a Commercial Certificate

You can purchase SSL certificates from providers like DigiCert, Comodo, or GoDaddy, then follow their instructions to generate and download your certificate files.

 

Step 4: Method 1 - Setting Up HTTPS with Nginx Reverse Proxy

 

Using Nginx as a reverse proxy is one of the most popular and flexible ways to set up HTTPS for n8n.

Step 4.1: Install Nginx

# For Ubuntu/Debian
sudo apt update
sudo apt install nginx

# For CentOS/RHEL
sudo yum install epel-release
sudo yum install nginx

# Start and enable Nginx
sudo systemctl start nginx
sudo systemctl enable nginx

Step 4.2: Configure Nginx as a Reverse Proxy

Create a new Nginx server block configuration:

sudo nano /etc/nginx/sites-available/n8n

Add the following configuration, replacing yourdomain.com with your actual domain:

server {
    listen 80;
    server\_name yourdomain.com;
    
    # Redirect all HTTP traffic to HTTPS
    location / {
        return 301 https://$host$request\_uri;
    }
}

server {
    listen 443 ssl;
    server\_name yourdomain.com;
    
    # SSL certificate configuration
    ssl\_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    
    # SSL settings
    ssl\_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server\_ciphers on;
    ssl\_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl\_stapling on;
    ssl_stapling_verify on;
    
    # Headers
    add\_header Strict-Transport-Security "max-age=63072000" always;
    add\_header X-Frame-Options SAMEORIGIN;
    add\_header X-Content-Type-Options nosniff;
    
    # Proxy settings
    location / {
        proxy\_pass http://localhost:5678;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http\_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote\_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http\_upgrade;
    }
}

Step 4.3: Enable the Configuration and Test Nginx

# Create symbolic link to enable the site
sudo ln -s /etc/nginx/sites-available/n8n /etc/nginx/sites-enabled/

# Test the configuration for syntax errors
sudo nginx -t

# Reload Nginx to apply changes
sudo systemctl reload nginx

Step 4.4: Configure n8n to Work with the Reverse Proxy

When using a reverse proxy, you need to tell n8n about it. Edit your n8n configuration:

For npm installations, create or modify your .env file:

# If using environment variables directly
export N8N\_HOST=yourdomain.com
export N8N\_PROTOCOL=https
export N8N\_PORT=5678
export NODE\_ENV=production
export WEBHOOK\_URL=https://yourdomain.com/

# Or add these to your .env file
N8N\_HOST=yourdomain.com
N8N\_PROTOCOL=https
N8N\_PORT=5678
NODE\_ENV=production
WEBHOOK\_URL=https://yourdomain.com/

 

Step 5: Method 2 - Setting Up HTTPS Directly in n8n

 

n8n can be configured to use HTTPS directly without a reverse proxy.

Step 5.1: Prepare Your SSL Certificate Files

Make sure you have your SSL certificate files ready:

• Certificate file (usually .crt or .pem)
• Private key file (usually .key)

Step 5.2: Configure n8n for HTTPS

Set the following environment variables:

# Direct environment variables
export N8N\_PROTOCOL=https
export N8N_SSL_KEY=/path/to/your/private.key
export N8N_SSL_CERT=/path/to/your/certificate.crt
export NODE\_ENV=production
export N8N\_PORT=443  # Standard HTTPS port

# Or in .env file
N8N\_PROTOCOL=https
N8N_SSL_KEY=/path/to/your/private.key
N8N_SSL_CERT=/path/to/your/certificate.crt
NODE\_ENV=production
N8N\_PORT=443

Step 5.3: Restart n8n to Apply Changes

# If running as a service
sudo systemctl restart n8n

# If running via PM2
pm2 restart n8n

# If running directly
n8n start

 

Step 6: Method 3 - Using Docker with HTTPS

 

If you're running n8n with Docker, you can set up HTTPS using environment variables.

Step 6.1: Create a Docker Compose File

Create a docker-compose.yml file with the following content:

version: '3'

services:
  n8n:
    image: n8nio/n8n
    restart: always
    ports:
    - "443:443"
    environment:
    - N8N\_PROTOCOL=https
    - N8N_SSL_KEY=/data/certs/privkey.pem
    - N8N_SSL_CERT=/data/certs/fullchain.pem
    - N8N\_PORT=443
    - NODE\_ENV=production
    - WEBHOOK\_URL=https://yourdomain.com/
    volumes:
    - n8n\_data:/home/node/.n8n
    - ./certs:/data/certs
      
volumes:
  n8n\_data:

Step 6.2: Create the Certificate Directory

mkdir -p ./certs

Step 6.3: Place Your SSL Certificates in the Certificates Directory

Copy your SSL certificate files to the ./certs directory, ensuring they are named according to the paths specified in the Docker Compose file:

cp /path/to/your/private.key ./certs/privkey.pem
cp /path/to/your/certificate.crt ./certs/fullchain.pem

Step 6.4: Start the Docker Container

docker-compose up -d

 

Step 7: Method 4 - Using Docker with a Reverse Proxy

 

This method combines Docker with an external reverse proxy for maximum flexibility.

Step 7.1: Create a Docker Network

docker network create n8n-network

Step 7.2: Create a Docker Compose File for n8n

Create a docker-compose.yml file:

version: '3'

services:
  n8n:
    image: n8nio/n8n
    restart: always
    ports:
    - "5678:5678"
    environment:
    - N8N\_HOST=yourdomain.com
    - N8N\_PROTOCOL=https
    - NODE\_ENV=production
    - WEBHOOK\_URL=https://yourdomain.com/
    volumes:
    - n8n\_data:/home/node/.n8n
    networks:
    - n8n-network
      
volumes:
  n8n\_data:
  
networks:
  n8n-network:
    external: true

Step 7.3: Create a Docker Compose File for Nginx

Create a nginx-docker-compose.yml file:

version: '3'

services:
  nginx:
    image: nginx:latest
    restart: always
    ports:
    - "80:80"
    - "443:443"
    volumes:
    - ./nginx/conf.d:/etc/nginx/conf.d
    - ./nginx/ssl:/etc/nginx/ssl
    - ./nginx/html:/usr/share/nginx/html
    networks:
    - n8n-network
      
networks:
  n8n-network:
    external: true

Step 7.4: Create Nginx Configuration

Create the necessary directories:

mkdir -p ./nginx/conf.d ./nginx/ssl ./nginx/html

Create the Nginx configuration file ./nginx/conf.d/n8n.conf:

server {
    listen 80;
    server\_name yourdomain.com;
    
    # Redirect all HTTP traffic to HTTPS
    location / {
        return 301 https://$host$request\_uri;
    }
}

server {
    listen 443 ssl;
    server\_name yourdomain.com;
    
    # SSL certificate configuration
    ssl\_certificate /etc/nginx/ssl/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/privkey.pem;
    
    # SSL settings
    ssl\_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server\_ciphers on;
    ssl\_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    
    # Headers
    add\_header Strict-Transport-Security "max-age=63072000" always;
    add\_header X-Frame-Options SAMEORIGIN;
    add\_header X-Content-Type-Options nosniff;
    
    # Proxy settings
    location / {
        proxy\_pass http://n8n:5678;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http\_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote\_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http\_upgrade;
    }
}

Step 7.5: Copy SSL Certificates

Copy your SSL certificates to the Nginx SSL directory:

cp /path/to/your/certificate.crt ./nginx/ssl/fullchain.pem
cp /path/to/your/private.key ./nginx/ssl/privkey.pem

Step 7.6: Start the Containers

# Start n8n
docker-compose up -d

# Start Nginx
docker-compose -f nginx-docker-compose.yml up -d

 

Step 8: Method 5 - Using Traefik with Docker

 

Traefik is a modern reverse proxy that can automatically handle SSL certificates through Let's Encrypt.

Step 8.1: Create a Docker Compose File with Traefik

Create a docker-compose.yml file:

version: '3'

services:
  traefik:
    image: traefik:v2.5
    restart: always
    ports:
    - "80:80"
    - "443:443"
    volumes:
    - /var/run/docker.sock:/var/run/docker.sock:ro
    - ./traefik/traefik.yml:/traefik.yml:ro
    - ./traefik/acme.json:/acme.json
    networks:
    - n8n-network
    
  n8n:
    image: n8nio/n8n
    restart: always
    environment:
    - N8N\_HOST=yourdomain.com
    - N8N\_PROTOCOL=https
    - NODE\_ENV=production
    - WEBHOOK\_URL=https://yourdomain.com/
    volumes:
    - n8n\_data:/home/node/.n8n
    networks:
    - n8n-network
    labels:
    - "traefik.enable=true"
    - "traefik.http.routers.n8n.rule=Host(`yourdomain.com`)"
    - "traefik.http.routers.n8n.entrypoints=websecure"
    - "traefik.http.routers.n8n.tls.certresolver=letsencrypt"
    - "traefik.http.services.n8n.loadbalancer.server.port=5678"
      
volumes:
  n8n\_data:
  
networks:
  n8n-network:

Step 8.2: Create Traefik Configuration Files

Create the Traefik directory and configuration file:

mkdir -p ./traefik
touch ./traefik/acme.json
chmod 600 ./traefik/acme.json

Create the ./traefik/traefik.yml file:

api:
  dashboard: false

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false

certificatesResolvers:
  letsencrypt:
    acme:
      email: [email protected]
      storage: acme.json
      httpChallenge:
        entryPoint: web

Step 8.3: Start the Containers

docker-compose up -d

 

Step 9: Method 6 - Using n8n with Cloudflare

 

If you use Cloudflare for DNS, you can leverage their SSL options.

Step 9.1: Set Up Cloudflare for Your Domain

• Add your domain to Cloudflare
• Update your domain's nameservers to Cloudflare's nameservers
• Enable Cloudflare's SSL/TLS protection

Step 9.2: Configure Cloudflare SSL Settings

• Log in to your Cloudflare dashboard
• Select your domain
• Go to the SSL/TLS section
• Set SSL/TLS encryption mode to "Full" or "Full (strict)"

Step 9.3: Configure n8n to Work with Cloudflare

When using Cloudflare, you can run n8n with HTTP, and Cloudflare will handle the SSL/TLS encryption between clients and Cloudflare:

# Environment variables
export N8N\_HOST=yourdomain.com
export WEBHOOK\_URL=https://yourdomain.com/
export NODE\_ENV=production

# Or in .env file
N8N\_HOST=yourdomain.com
WEBHOOK\_URL=https://yourdomain.com/
NODE\_ENV=production

 

Step 10: Testing Your HTTPS Setup

 

After configuring HTTPS for your n8n instance, you should test it thoroughly.

Step 10.1: Basic Access Test

Open your browser and navigate to your n8n instance using HTTPS:

https://yourdomain.com

You should be able to access n8n with a secure connection (look for the padlock icon in your browser).

Step 10.2: Test Webhook Functionality

Create a simple workflow with an HTTP webhook trigger to verify that webhooks are working correctly with HTTPS.

Step 10.3: Verify SSL Certificate

Use an online SSL checker tool like SSL Labs to verify your SSL configuration:

https://www.ssllabs.com/ssltest/analyze.html?d=yourdomain.com

 

Step 11: Troubleshooting Common Issues

 

Issue 1: Certificate Not Found

If you see errors like "certificate not found" or "key not found":

• Check if the certificate files exist at the specified paths
• Verify file permissions (certificates should be readable by the n8n process)
• Ensure the paths in your configuration match the actual locations of your certificate files

Issue 2: Webhooks Not Working

If webhooks aren't working:

• Verify that the WEBHOOK\_URL environment variable is set correctly
• Ensure it includes the protocol (https://)
• Check that the domain in WEBHOOK\_URL matches your actual domain

# Correct webhook URL configuration
WEBHOOK\_URL=https://yourdomain.com/

Issue 3: Mixed Content Warnings

If you see mixed content warnings in the browser:

• Ensure all resources (images, scripts) are loaded over HTTPS
• Verify that the n8n frontend is correctly configured to use HTTPS for all requests

Issue 4: Certificate Expiration

SSL certificates eventually expire. To prevent this from causing downtime:

• Set up automatic renewal for Let's Encrypt certificates
• Add monitoring to alert you before certificates expire
• Create a calendar reminder for manual certificate renewals

For Let's Encrypt certificates, set up a cron job to renew:

# Add to crontab to check twice daily
0 0,12 _ _ \* certbot renew --quiet

 

Step 12: Advanced Configuration Options

 

Step 12.1: Enforcing Secure Cookies

To enhance security, configure n8n to use secure cookies:

# Add to environment variables
N8N_SECURE_COOKIE=true

Step 12.2: Implementing HTTP Strict Transport Security (HSTS)

HSTS tells browsers to only use HTTPS for your domain. If using Nginx, add:

add\_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

Step 12.3: Configuring Content Security Policy

Enhance security with a Content Security Policy header in your reverse proxy:

add\_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self' wss:; font-src 'self'; object-src 'none'; media-src 'self'; frame-src 'self'; worker-src 'self' blob:; frame-ancestors 'self'; form-action 'self'; base-uri 'self'; manifest-src 'self'";

 

Step 13: Maintaining Your HTTPS Setup

 

Step 13.1: Certificate Renewal Process

For Let's Encrypt certificates, set up automatic renewal:

# Test renewal process
sudo certbot renew --dry-run

# Set up cron job for automatic renewal
echo "0 3 _ _ \* /usr/bin/certbot renew --quiet --post-hook 'systemctl reload nginx'" | sudo tee -a /etc/crontab

Step 13.2: Monitoring Certificate Expiration

Set up monitoring to alert you before certificates expire:

• Use a service like SSL Monitor, Uptime Robot, or Certwatch
• Configure your monitoring system to alert you 30 days before expiration

Step 13.3: Regular Security Audits

Regularly check your SSL configuration for security best practices:

• Use SSL Labs to test your configuration (aim for A+ rating)
• Keep your SSL libraries updated
• Periodically review and update your cipher configurations

 

Step 14: Additional Security Considerations

 

Step 14.1: Implementing IP Restrictions

If your n8n instance is for internal use only, consider restricting access by IP. In Nginx:

# Add to your Nginx server block
location / {
    # Allow specific IPs or networks
    allow 192.168.1.0/24;
    allow 10.0.0.0/8;
    # Deny all other IPs
    deny all;
    
    # Regular proxy configuration
    proxy\_pass http://localhost:5678;
    # ... other proxy settings
}

Step 14.2: Setting Up Basic Authentication

Add an additional layer of security with basic authentication:

# Generate a password file
sudo apt install apache2-utils
sudo htpasswd -c /etc/nginx/.htpasswd username

# Add to your Nginx location block
location / {
    auth\_basic "Restricted Area";
    auth_basic_user\_file /etc/nginx/.htpasswd;
    
    # Regular proxy configuration
    proxy\_pass http://localhost:5678;
    # ... other proxy settings
}

Step 14.3: Setting Up n8n Behind a VPN

For maximum security, consider placing n8n behind a VPN:

• Set up a VPN server like WireGuard or OpenVPN
• Configure your network to only allow n8n access through the VPN
• Provide VPN credentials to authorized users

 

Step 15: SSL for Special n8n Deployments

 

Step 15.1: SSL for n8n with Custom Domain in Kubernetes

If running n8n in Kubernetes, use cert-manager for certificate management:

# Install cert-manager
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.8.0/cert-manager.yaml

# Create an Issuer for Let's Encrypt
cat <

Step 15.2: SSL for n8n in a Multi-Service Environment

If n8n is part of a larger application stack, consider using an API gateway:

• Kong API Gateway
• Traefik
• Istio Service Mesh

These tools can handle SSL termination and routing for multiple services.

 

Conclusion

 

Setting up HTTPS for n8n is crucial for secure operation, especially in production environments. This guide covered multiple approaches to suit different deployment scenarios:

• Using reverse proxies like Nginx
• Direct SSL configuration in n8n
• Docker-based deployments with SSL
• Cloudflare integration
• Advanced configuration options for enhanced security

Remember to maintain your SSL certificates by setting up automatic renewals and monitoring to prevent unexpected expirations. Regularly audit your SSL configuration to ensure it follows current security best practices.

With HTTPS properly configured, your n8n instance will have encrypted communications, protecting sensitive workflow data and credentials from potential attackers.