Learn how to set up HTTPS for n8n with SSL certificates, reverse proxies, Docker, Let's Encrypt, and Cloudflare to secure your workflows and data.
Setting up HTTPS for n8n involves obtaining SSL certificates and configuring your n8n instance to use secure connections. This can be achieved through several methods including using a reverse proxy like Nginx, integrating Let's Encrypt certificates, or using Docker with proper environment variables. The process ensures encrypted communication between clients and your n8n server, protecting sensitive workflow data.
Comprehensive Guide to Setting Up HTTPS for n8n
Step 1: Choose Your Deployment Method
Before proceeding with HTTPS setup, determine how you've deployed n8n. There are several common deployment methods:
The approach to setting up HTTPS will vary depending on your deployment method. In this guide, we'll cover multiple approaches to suit different deployment scenarios.
Step 2: Understand the HTTPS Setup Options for n8n
There are several ways to enable HTTPS for your n8n instance:
Step 3: Obtain an SSL Certificate
Before configuring HTTPS, you'll need a valid SSL certificate. Here are options to obtain one:
Option 1: Let's Encrypt (Free)
Let's Encrypt provides free SSL certificates valid for 90 days with automatic renewal.
# Install Certbot (for Ubuntu/Debian)
sudo apt update
sudo apt install certbot
# If using Nginx
sudo apt install python3-certbot-nginx
# If using Apache
sudo apt install python3-certbot-apache
# Obtain a certificate
sudo certbot certonly --standalone -d yourdomain.com
Option 2: Purchase a Commercial Certificate
You can purchase SSL certificates from providers like DigiCert, Comodo, or GoDaddy, then follow their instructions to generate and download your certificate files.
Step 4: Method 1 - Setting Up HTTPS with Nginx Reverse Proxy
Using Nginx as a reverse proxy is one of the most popular and flexible ways to set up HTTPS for n8n.
Step 4.1: Install Nginx
# For Ubuntu/Debian
sudo apt update
sudo apt install nginx
# For CentOS/RHEL
sudo yum install epel-release
sudo yum install nginx
# Start and enable Nginx
sudo systemctl start nginx
sudo systemctl enable nginx
Step 4.2: Configure Nginx as a Reverse Proxy
Create a new Nginx server block configuration:
sudo nano /etc/nginx/sites-available/n8n
Add the following configuration, replacing yourdomain.com with your actual domain:
server {
    listen 80;
    server_name yourdomain.com;
    # Redirect all HTTP traffic to HTTPS
    location / {
        return 301 https://$host$request_uri;
    }
}
server {
    listen 443 ssl;
    server_name yourdomain.com;
    # SSL certificate configuration
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    # SSL settings
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    # Headers
    add_header Strict-Transport-Security "max-age=63072000" always;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    # Proxy settings
    location / {
        proxy_pass http://localhost:5678;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;
    }
}
Step 4.3: Enable the Configuration and Test Nginx
# Create symbolic link to enable the site
sudo ln -s /etc/nginx/sites-available/n8n /etc/nginx/sites-enabled/
# Test the configuration for syntax errors
sudo nginx -t
# Reload Nginx to apply changes
sudo systemctl reload nginx
Step 4.4: Configure n8n to Work with the Reverse Proxy
When using a reverse proxy, you need to tell n8n about it. Edit your n8n configuration:
For npm installations, create or modify your .env file:
# If using environment variables directly
export N8N_HOST=yourdomain.com
export N8N_PROTOCOL=https
export N8N_PORT=5678
export NODE_ENV=production
export WEBHOOK_URL=https://yourdomain.com/
# Or add these to your .env file
N8N_HOST=yourdomain.com
N8N_PROTOCOL=https
N8N_PORT=5678
NODE_ENV=production
WEBHOOK_URL=https://yourdomain.com/
Step 5: Method 2 - Setting Up HTTPS Directly in n8n
n8n can be configured to use HTTPS directly without a reverse proxy.
Step 5.1: Prepare Your SSL Certificate Files
Make sure you have your SSL certificate files ready:
Step 5.2: Configure n8n for HTTPS
Set the following environment variables:
# Direct environment variables
export N8N_PROTOCOL=https
export N8N_SSL_KEY=/path/to/your/private.key
export N8N_SSL_CERT=/path/to/your/certificate.crt
export NODE_ENV=production
export N8N_PORT=443 # Standard HTTPS port
# Or in .env file
N8N_PROTOCOL=https
N8N_SSL_KEY=/path/to/your/private.key
N8N_SSL_CERT=/path/to/your/certificate.crt
NODE_ENV=production
N8N_PORT=443
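Before restarting n8n with these variables, it is worth confirming that both files are readable, that the key actually belongs to the certificate, and that the key is not exposed to other local users. The script below is an added example, not part of the original guide or of n8n; the function name `check_tls_pair` and its exit codes are illustrative assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the guide): pre-flight check for the files that
# N8N_SSL_KEY and N8N_SSL_CERT point at. The function name and exit codes
# are illustrative choices.

# check_tls_pair KEY CERT
#   0 = usable pair          2 = file missing or unreadable
#   3 = file does not parse  4 = key and certificate do not match
#   5 = key readable or writable by group/others
check_tls_pair() {
  key=$1
  cert=$2
  [ -r "$key" ]  || { echo "cannot read key: $key" >&2; return 2; }
  [ -r "$cert" ] || { echo "cannot read certificate: $cert" >&2; return 2; }

  # Public key derived from the private key. "-passin pass:" stops openssl
  # from prompting when the key is passphrase-protected.
  key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) ||
    { echo "not a usable private key: $key" >&2; return 3; }
  # Public key embedded in the first (leaf) certificate of the file.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
    { echo "not a PEM certificate: $cert" >&2; return 3; }

  [ "$key_pub" = "$cert_pub" ] ||
    { echo "key does not belong to certificate" >&2; return 4; }

  # Columns 5-10 of `ls -l` are the group and other permission bits;
  # -L follows symlinks such as those under /etc/letsencrypt/live/.
  perms=$(ls -ldL -- "$key" | cut -c5-10)
  [ "$perms" = "------" ] ||
    { echo "key is accessible to group/others ($perms): $key" >&2; return 5; }
  return 0
}

# Run as a script: ./check_tls_pair.sh /path/to/private.key /path/to/certificate.crt
if [ "$#" -eq 2 ]; then
  check_tls_pair "$1" "$2"
fi
```

A non-zero exit code identifies which check failed, so the script can gate a restart in a deployment job.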
Step 5.3: Restart n8n to Apply Changes
# If running as a service
sudo systemctl restart n8n
# If running via PM2
pm2 restart n8n
# If running directly
n8n start
Step 6: Method 3 - Using Docker with HTTPS
If you're running n8n with Docker, you can set up HTTPS using environment variables.
Step 6.1: Create a Docker Compose File
Create a docker-compose.yml file with the following content:
version: '3'
services:
  n8n:
    image: n8nio/n8n
    restart: always
    ports:
      - "443:443"
    environment:
      - N8N_PROTOCOL=https
      - N8N_SSL_KEY=/data/certs/privkey.pem
      - N8N_SSL_CERT=/data/certs/fullchain.pem
      - N8N_PORT=443
      - NODE_ENV=production
      - WEBHOOK_URL=https://yourdomain.com/
    volumes:
      - n8n_data:/home/node/.n8n
      - ./certs:/data/certs
volumes:
  n8n_data:
Step 6.2: Create the Certificate Directory
mkdir -p ./certs
Step 6.3: Place Your SSL Certificates in the Certificates Directory
Copy your SSL certificate files to the ./certs directory, ensuring they are named according to the paths specified in the Docker Compose file:
cp /path/to/your/private.key ./certs/privkey.pem
cp /path/to/your/certificate.crt ./certs/fullchain.pem
Step 6.4: Start the Docker Container
docker-compose up -d
Step 7: Method 4 - Using Docker with a Reverse Proxy
This method combines Docker with an external reverse proxy for maximum flexibility.
Step 7.1: Create a Docker Network
docker network create n8n-network
Step 7.2: Create a Docker Compose File for n8n
Create a docker-compose.yml file:
version: '3'
services:
  n8n:
    image: n8nio/n8n
    restart: always
    ports:
      - "5678:5678"
    environment:
      - N8N_HOST=yourdomain.com
      - N8N_PROTOCOL=https
      - NODE_ENV=production
      - WEBHOOK_URL=https://yourdomain.com/
    volumes:
      - n8n_data:/home/node/.n8n
    networks:
      - n8n-network
volumes:
  n8n_data:
networks:
  n8n-network:
    external: true
Step 7.3: Create a Docker Compose File for Nginx
Create a nginx-docker-compose.yml file:
version: '3'
services:
  nginx:
    image: nginx:latest
    restart: always
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./nginx/conf.d:/etc/nginx/conf.d
      - ./nginx/ssl:/etc/nginx/ssl
      - ./nginx/html:/usr/share/nginx/html
    networks:
      - n8n-network
networks:
  n8n-network:
    external: true
Step 7.4: Create Nginx Configuration
Create the necessary directories:
mkdir -p ./nginx/conf.d ./nginx/ssl ./nginx/html
Create the Nginx configuration file ./nginx/conf.d/n8n.conf:
server {
    listen 80;
    server_name yourdomain.com;
    # Redirect all HTTP traffic to HTTPS
    location / {
        return 301 https://$host$request_uri;
    }
}
server {
    listen 443 ssl;
    server_name yourdomain.com;
    # SSL certificate configuration
    ssl_certificate /etc/nginx/ssl/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/privkey.pem;
    # SSL settings
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    # Headers
    add_header Strict-Transport-Security "max-age=63072000" always;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    # Proxy settings
    location / {
        proxy_pass http://n8n:5678;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;
    }
}
Step 7.5: Copy SSL Certificates
Copy your SSL certificates to the Nginx SSL directory:
cp /path/to/your/certificate.crt ./nginx/ssl/fullchain.pem
cp /path/to/your/private.key ./nginx/ssl/privkey.pem
Step 7.6: Start the Containers
# Start n8n
docker-compose up -d
# Start Nginx
docker-compose -f nginx-docker-compose.yml up -d
Step 8: Method 5 - Using Traefik with Docker
Traefik is a modern reverse proxy that can automatically handle SSL certificates through Let's Encrypt.
Step 8.1: Create a Docker Compose File with Traefik
Create a docker-compose.yml file:
version: '3'
services:
  traefik:
    image: traefik:v2.5
    restart: always
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik/traefik.yml:/traefik.yml:ro
      - ./traefik/acme.json:/acme.json
    networks:
      - n8n-network
  n8n:
    image: n8nio/n8n
    restart: always
    environment:
      - N8N_HOST=yourdomain.com
      - N8N_PROTOCOL=https
      - NODE_ENV=production
      - WEBHOOK_URL=https://yourdomain.com/
    volumes:
      - n8n_data:/home/node/.n8n
    networks:
      - n8n-network
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.n8n.rule=Host(`yourdomain.com`)"
      - "traefik.http.routers.n8n.entrypoints=websecure"
      - "traefik.http.routers.n8n.tls.certresolver=letsencrypt"
      - "traefik.http.services.n8n.loadbalancer.server.port=5678"
volumes:
  n8n_data:
networks:
  n8n-network:
Step 8.2: Create Traefik Configuration Files
Create the Traefik directory and configuration file:
mkdir -p ./traefik
touch ./traefik/acme.json
chmod 600 ./traefik/acme.json
Create the ./traefik/traefik.yml file:
api:
  dashboard: false
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
certificatesResolvers:
  letsencrypt:
    acme:
      email: your-email@example.com  # placeholder: your contact address for Let's Encrypt
      storage: acme.json
      httpChallenge:
        entryPoint: web
Step 8.3: Start the Containers
docker-compose up -d
Step 9: Method 6 - Using n8n with Cloudflare
If you use Cloudflare for DNS, you can leverage their SSL options.
Step 9.1: Set Up Cloudflare for Your Domain
Step 9.2: Configure Cloudflare SSL Settings
Step 9.3: Configure n8n to Work with Cloudflare
When using Cloudflare, you can run n8n with HTTP, and Cloudflare will handle the SSL/TLS encryption between clients and Cloudflare:
# Environment variables
export N8N_HOST=yourdomain.com
export WEBHOOK_URL=https://yourdomain.com/
export NODE_ENV=production
# Or in .env file
N8N_HOST=yourdomain.com
WEBHOOK_URL=https://yourdomain.com/
NODE_ENV=production
Step 10: Testing Your HTTPS Setup
After configuring HTTPS for your n8n instance, you should test it thoroughly.
Step 10.1: Basic Access Test
Open your browser and navigate to your n8n instance using HTTPS:
https://yourdomain.com
You should be able to access n8n with a secure connection (look for the padlock icon in your browser).
Step 10.2: Test Webhook Functionality
Create a simple workflow with an HTTP webhook trigger to verify that webhooks are working correctly with HTTPS.
Step 10.3: Verify SSL Certificate
Use an online SSL checker tool like SSL Labs to verify your SSL configuration:
https://www.ssllabs.com/ssltest/analyze.html?d=yourdomain.com
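The security headers can also be checked from the command line against real responses. This matters because, in the Nginx server block from Step 4.2, only the HSTS header is declared with `always`, and Nginx adds headers without `always` only to a fixed set of success and redirect status codes. The script below is an added example, not part of the original guide; the function name `audit_headers` and the one-year default threshold are assumptions, and both sample responses are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the guide): audit the response headers that the
# Nginx configuration in this guide is meant to send.
# Usage: curl -sI https://yourdomain.com | audit_headers [MIN_HSTS_AGE]
# Prints one line per finding; the exit status is the number of findings.
# MIN_HSTS_AGE defaults to one year in seconds (an assumed threshold).
audit_headers() {
  awk -v min_age="${1:-31536000}" '
    { sub(/\r$/, "") }                      # curl output has CRLF line ends
    /^[A-Za-z0-9-]+:/ {                     # header line: lower-case both parts
      name = tolower($0);  sub(/:.*/, "", name)
      value = tolower($0); sub(/^[^:]*:[ \t]*/, "", value)
      seen[name] = value
    }
    END {
      n = 0
      hsts = seen["strict-transport-security"]
      age = match(hsts, /max-age=[0-9]+/) ? substr(hsts, RSTART + 8, RLENGTH - 8) + 0 : -1
      if (hsts == "")         { print "missing Strict-Transport-Security"; n++ }
      else if (age < min_age) { print "HSTS max-age too short: " hsts; n++ }
      xfo = seen["x-frame-options"]
      if (xfo != "sameorigin" && xfo != "deny") {
        print "missing or unexpected X-Frame-Options: " xfo; n++
      }
      if (seen["x-content-type-options"] != "nosniff") {
        print "missing X-Content-Type-Options: nosniff"; n++
      }
      exit n
    }'
}

# Constructed sample: a normal page load through the proxy.
SAMPLE_OK='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=63072000
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff'

# Constructed sample: an error response such as the 401 from auth_basic
# (Step 14.2). Only the header declared with "always" is present.
SAMPLE_401='HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="Restricted Area"
Strict-Transport-Security: max-age=63072000'

printf '%s\n' "$SAMPLE_OK"  | audit_headers && echo "200 response: all headers present"
printf '%s\n' "$SAMPLE_401" | audit_headers || echo "401 response: $? finding(s)"
```

Adding `always` to the other `add_header` lines makes the 401 sample pass as well.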
Step 11: Troubleshooting Common Issues
Issue 1: Certificate Not Found
If you see errors like "certificate not found" or "key not found":
Issue 2: Webhooks Not Working
If webhooks aren't working:
# Correct webhook URL configuration
WEBHOOK_URL=https://yourdomain.com/
Issue 3: Mixed Content Warnings
If you see mixed content warnings in the browser:
Issue 4: Certificate Expiration
SSL certificates eventually expire. To prevent this from causing downtime:
For Let's Encrypt certificates, set up a cron job to renew:
# Add to crontab to check twice daily
0 0,12 * * * certbot renew --quiet
Step 12: Advanced Configuration Options
Step 12.1: Enforcing Secure Cookies
To enhance security, configure n8n to use secure cookies:
# Add to environment variables
N8N_SECURE_COOKIE=true
Step 12.2: Implementing HTTP Strict Transport Security (HSTS)
HSTS tells browsers to only use HTTPS for your domain. If using Nginx, add:
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
Step 12.3: Configuring Content Security Policy
Enhance security with a Content Security Policy header in your reverse proxy:
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self' wss:; font-src 'self'; object-src 'none'; media-src 'self'; frame-src 'self'; worker-src 'self' blob:; frame-ancestors 'self'; form-action 'self'; base-uri 'self'; manifest-src 'self'";
Step 13: Maintaining Your HTTPS Setup
Step 13.1: Certificate Renewal Process
For Let's Encrypt certificates, set up automatic renewal:
# Test renewal process
sudo certbot renew --dry-run
# Set up cron job for automatic renewal (entries in /etc/crontab need a user field, here root)
echo "0 3 * * * root /usr/bin/certbot renew --quiet --post-hook 'systemctl reload nginx'" | sudo tee -a /etc/crontab
Step 13.2: Monitoring Certificate Expiration
Set up monitoring to alert you before certificates expire:
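One way to implement such a check with openssl alone is shown below. It also covers the copies made in Steps 6.3 and 7.5: `certbot renew` updates the files under /etc/letsencrypt, but the copies in ./certs and ./nginx/ssl stay as they were until they are copied again. This is an added example, not part of the original guide; the function names `expiring_certs` and `stale_copy` are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the guide): certificate expiry check for cron.
# Function names are illustrative.

# expiring_certs DAYS FILE...
# Print every FILE whose first (leaf) certificate expires within DAYS, or
# that cannot be read as a certificate. Returns 1 if anything was printed.
expiring_certs() {
  days=$1
  shift
  status=0
  for pem in "$@"; do
    # -checkend N exits 0 only if the certificate is still valid N seconds
    # from now; an unreadable file also gives a non-zero exit.
    if ! openssl x509 -in "$pem" -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
      echo "$pem"
      status=1
    fi
  done
  return "$status"
}

# stale_copy LIVE COPY
# Returns 0 when COPY holds a different certificate than LIVE (the deployed
# copy was not refreshed after renewal), 1 when they are identical, and
# 2 when either file cannot be parsed.
stale_copy() {
  live_fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) || return 2
  copy_fp=$(openssl x509 -in "$2" -noout -fingerprint -sha256 2>/dev/null) || return 2
  [ "$live_fp" != "$copy_fp" ]
}

# Run as a script, e.g. from cron with a 21-day warning window:
#   ./cert_expiry.sh 21 /etc/letsencrypt/live/yourdomain.com/fullchain.pem ./certs/fullchain.pem
if [ "$#" -ge 2 ]; then
  expiring_certs "$@"
fi
```

Cron mails any output to the job owner when mail delivery is configured, so the printed paths double as the alert.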
Step 13.3: Regular Security Audits
Regularly check your SSL configuration for security best practices:
Step 14: Additional Security Considerations
Step 14.1: Implementing IP Restrictions
If your n8n instance is for internal use only, consider restricting access by IP. In Nginx:
# Add to your Nginx server block
location / {
    # Allow specific IPs or networks
    allow 192.168.1.0/24;
    allow 10.0.0.0/8;
    # Deny all other IPs
    deny all;
    # Regular proxy configuration
    proxy_pass http://localhost:5678;
    # ... other proxy settings
}
Step 14.2: Setting Up Basic Authentication
Add an additional layer of security with basic authentication:
# Generate a password file
sudo apt install apache2-utils
sudo htpasswd -c /etc/nginx/.htpasswd username
# Add to your Nginx location block
location / {
    auth_basic "Restricted Area";
    auth_basic_user_file /etc/nginx/.htpasswd;
    # Regular proxy configuration
    proxy_pass http://localhost:5678;
    # ... other proxy settings
}
Step 14.3: Setting Up n8n Behind a VPN
For maximum security, consider placing n8n behind a VPN:
Step 15: SSL for Special n8n Deployments
Step 15.1: SSL for n8n with Custom Domain in Kubernetes
If running n8n in Kubernetes, use cert-manager for certificate management:
# Install cert-manager
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.8.0/cert-manager.yaml
# Create an Issuer for Let's Encrypt
cat <
Step 15.2: SSL for n8n in a Multi-Service Environment
If n8n is part of a larger application stack, consider using an API gateway:
These tools can handle SSL termination and routing for multiple services.
Conclusion
Setting up HTTPS for n8n is crucial for secure operation, especially in production environments. This guide covered multiple approaches to suit different deployment scenarios:
Remember to maintain your SSL certificates by setting up automatic renewals and monitoring to prevent unexpected expirations. Regularly audit your SSL configuration to ensure it follows current security best practices.
With HTTPS properly configured, your n8n instance will have encrypted communications, protecting sensitive workflow data and credentials from potential attackers.