Hey everyone, I’m exploring the safest way to expose an n8n instance to the internet so it can work with external services, and I’d love your input on hardening practices. I see a lot of deployment guides but far fewer security deep-dives.

My setup:

- Proxmox cluster
- Virtualized pfSense
- Ubuntu 24.04 server (Docker)
- Official n8n Docker image behind Traefik
- Isolated VLAN for this stack (blocked from other VLANs)
- Cloudflare Tunnel connector on a separate VM (same LAN)
- UFW: default-deny inbound; SSH allowed only from a specific IP
- Docker publishes 80/443 for Traefik (UFW doesn’t interfere with Docker’s chain)
- SSH via keys (no passwords)
- Fail2Ban enabled

What I’m asking:

1. What additional layers would you add for an internet-facing n8n (especially auth, network controls, rate-limiting)?
2. Any Traefik or Cloudflare Tunnel rules you recommend (mTLS, WAF, IP allow-lists, Cloudflare Access, etc.)?
3. Gotchas you’ve hit with Docker/UFW/Traefik interplay or n8n webhooks under tunnels?
4. Monitoring/logging tools you’ve found helpful for detecting abuse (and sane defaults for alerts)?
5. Goal: a practical, defense-in-depth checklist others can reuse.

Suggestions, examples, and “don’t do this” stories are all welcome. Thanks in advance!
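An added example for questions 1 to 3 above (this is not the poster's configuration and not part of n8n or Traefik's own documentation): a Traefik v3 dynamic-configuration file for the file provider that puts three origin-side controls in front of n8n. It assumes the hostname `n8n.example.com`, an n8n container reachable from Traefik as `n8n:5678`, the cloudflared connector VM at `192.168.50.10`, and n8n's default webhook path prefixes (`/webhook`, `/webhook-test`); all four are placeholders to adjust. The points it shows: an `ipAllowList` on the router so that only the tunnel connector can reach the Traefik entrypoint at all, which is enforced in Traefik itself and so does not depend on UFW (Docker's published ports bypass UFW, as the setup list notes); rate limiting keyed on the `CF-Connecting-IP` header rather than the TCP source address, because every request arriving through the tunnel carries the connector VM's IP and a per-source-IP limit would throttle all visitors as one client; and a separate router for the webhook paths with a tighter limit than the UI, since those are the endpoints external services can hit unauthenticated.

```yaml
# Traefik v3 dynamic configuration (file provider), added example.
# Placeholders: n8n.example.com, 192.168.50.10 (cloudflared VM), n8n:5678.
http:
  routers:
    # Editor/UI traffic: everything on the host that is not a webhook path.
    n8n-ui:
      rule: "Host(`n8n.example.com`)"
      entryPoints: ["websecure"]
      middlewares: ["from-tunnel-only", "ui-ratelimit", "secure-headers"]
      service: "n8n"
      tls: {}
    # Webhook traffic: longer rule string wins Traefik's default priority,
    # so these paths are matched here instead of by n8n-ui.
    # Assumes n8n's default endpoint prefixes; change if N8N_ENDPOINT_WEBHOOK was set.
    n8n-webhooks:
      rule: "Host(`n8n.example.com`) && (PathPrefix(`/webhook`) || PathPrefix(`/webhook-test`))"
      entryPoints: ["websecure"]
      middlewares: ["from-tunnel-only", "webhook-ratelimit", "secure-headers"]
      service: "n8n"
      tls: {}

  middlewares:
    # Only the cloudflared connector VM may talk to these routers. This is
    # evaluated inside Traefik, so it still holds even though Docker's
    # published 80/443 are not filtered by UFW. (Traefik v2 spells this
    # middleware `ipWhiteList`.)
    from-tunnel-only:
      ipAllowList:
        sourceRange:
          - "192.168.50.10/32"   # assumed address of the cloudflared VM

    # Per-visitor limit for the editor. Keyed on CF-Connecting-IP because the
    # TCP peer is always the connector VM; the header is trustworthy only
    # because from-tunnel-only guarantees that only cloudflared can reach us.
    ui-ratelimit:
      rateLimit:
        average: 20          # sustained requests per period
        burst: 40
        period: 1s
        sourceCriterion:
          requestHeaderName: "CF-Connecting-IP"

    # Tighter limit for webhooks, which external services call without a login.
    webhook-ratelimit:
      rateLimit:
        average: 5
        burst: 10
        period: 1s
        sourceCriterion:
          requestHeaderName: "CF-Connecting-IP"

    # Browser-facing hardening headers for the n8n editor.
    secure-headers:
      headers:
        stsSeconds: 31536000
        stsIncludeSubdomains: true
        frameDeny: true
        contentTypeNosniff: true
        referrerPolicy: "same-origin"

  services:
    n8n:
      loadBalancer:
        servers:
          - url: "http://n8n:5678"   # assumed container name and n8n's default port
```

Two things worth checking when adapting this: confirm from Traefik's access log that requests really arrive with the connector VM as the client address and with `CF-Connecting-IP` set, otherwise the allow-list will block everything or the rate limiter will key on an empty header; and keep the `from-tunnel-only` middleware on every router, since a router without it is reachable by anything on the VLAN that can hit the published ports.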