Hey everyone,
I’m exploring the safest way to expose an n8n instance to the internet so it can work with external services, and I’d love your input on hardening practices. I see a lot of deployment guides but far fewer security deep-dives.
My setup:
- Proxmox cluster
- Virtualized pfSense
- Ubuntu 24.04 server (Docker)
- Official n8n Docker behind Traefik
- Isolated VLAN for this stack (blocked from other VLANs)
- Cloudflare Tunnel connector on a separate VM (same LAN)
- UFW: default-deny inbound; SSH allowed only from a specific IP
- Docker publishes 80/443 for Traefik (UFW doesn’t interfere with Docker’s chain)
- SSH via keys (no passwords)
- Fail2Ban enabled
What I’m asking:
- What additional layers would you add for an internet-facing n8n (especially auth, network controls, rate-limiting)?
- Any Traefik or Cloudflare Tunnel rules you recommend (mTLS, WAF, IP allow-lists, Cloudflare Access, etc.)?
- Gotchas you’ve hit with Docker/UFW/Traefik interplay or n8n webhooks under tunnels?
- Monitoring/logging tools you’ve found helpful for detecting abuse (and sane defaults for alerts)?
Goal:
A practical, defense-in-depth checklist others can reuse. Suggestions, examples, and “don’t do this” stories are all welcome.
Thanks in advance!
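One concrete Traefik layer for the rate-limiting and allow-list questions above, as an added example that is not from the original post: a Traefik v3 dynamic configuration (file provider) that splits n8n into a webhook router and an editor router so each gets its own controls. It assumes Traefik v3 syntax, an entrypoint named `websecure` with TLS terminated at Traefik, n8n reachable as `n8n:5678` on the Docker network, and placeholder values for the cloudflared VM address (`10.10.20.5`) and hostname (`n8n.example.com`).

```yaml
# Added example (not from the original post). Assumptions: Traefik v3, n8n at n8n:5678,
# cloudflared connector VM at 10.10.20.5 (placeholder), host n8n.example.com (placeholder),
# entrypoint "websecure" terminating TLS.
http:
  middlewares:
    # Only the Cloudflare Tunnel connector VM may reach these routers; anything else on
    # the VLAN, or reaching a Docker-published port around UFW, gets a 403.
    only-cloudflared:
      ipAllowList:
        sourceRange:
          - "10.10.20.5/32"
    # Cap webhook bursts per real client. Cloudflare puts the client address in
    # CF-Connecting-IP; keying on it is only safe because only-cloudflared ensures
    # the header comes from the tunnel connector, not from an arbitrary LAN host.
    webhook-ratelimit:
      rateLimit:
        average: 20
        burst: 40
        period: 1s
        sourceCriterion:
          requestHeaderName: "CF-Connecting-IP"
    secure-headers:
      headers:
        stsSeconds: 31536000
        contentTypeNosniff: true
        frameDeny: true
  routers:
    # Production and test webhooks: the only paths external services need to reach.
    n8n-webhooks:
      rule: "Host(`n8n.example.com`) && (PathPrefix(`/webhook/`) || PathPrefix(`/webhook-test/`))"
      priority: 20
      entryPoints: [websecure]
      middlewares: [only-cloudflared, webhook-ratelimit]
      service: n8n
      tls: {}
    # Editor UI and REST API: same allow-list; put Cloudflare Access in front of this
    # hostname on the tunnel side so an n8n credential alone is not enough to log in.
    n8n-editor:
      rule: "Host(`n8n.example.com`)"
      priority: 10
      entryPoints: [websecure]
      middlewares: [only-cloudflared, secure-headers]
      service: n8n
      tls: {}
  services:
    n8n:
      loadBalancer:
        servers:
          - url: "http://n8n:5678"
```

The higher-priority webhook router matches first, so only `/webhook/` and `/webhook-test/` are exposed without the editor's extra gate; check `traefik` logs for 403s from unexpected source addresses to confirm the allow-list is doing its job.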