n8n deployment
Self-hosted n8n is commonly run on a VPS or Kubernetes with a reverse proxy terminating TLS. The goal is: correct public URL, TLS, health checks, and no accidental exposure of the editor.
Public URL variables
n8n must know how it is reached on the internet so webhooks, OAuth redirects, and emails generate correct links. Key deployment variables include:
N8N_HOST,N8N_PORT,N8N_PROTOCOL— How n8n describes itself (deployment variables).N8N_EDITOR_BASE_URL— Public editor URL; also used for SAML redirect URL and emails (same page).WEBHOOK_URL— Often set to your public base (see base URL configuration).
Misconfiguration produces broken webhooks or wrong OAuth callbacks—debug those first when integrations fail behind proxies.
Reverse proxies
Place Caddy or Nginx in front of n8n:
- Terminate HTTPS (Let’s Encrypt).
- Forward WebSockets if the UI uses them (
N8N_PUSH_BACKENDdefaults include websocket—ensure proxy supports upgrade). - Set
N8N_PROXY_HOPSto the number of reverse proxies so n8n trustsX-Forwarded-*correctly (deployment variables).
Example conceptual Nginx location (adapt paths/certs):
location / {
proxy_pass http://127.0.0.1:5678;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
TLS
- Prefer automatic ACME (Caddy or certbot) over long-lived self-signed certs for public webhooks.
- If terminating TLS at the proxy, keep
N8N_PROTOCOL=httpsconsistent with what users use in the browser.
VPS baseline
- Firewall — Allow
22(locked down),80/443to proxy; do not expose Postgres/redis to the world. - Unattended upgrades or a patch cadence for the host OS.
- Backups — Database dumps and
/home/node/.n8nstate (setup notes). - Health — Monitor process, disk, and DB connections.
Scaling pointer
For large teams or heavy workloads, n8n documents queue mode and scaling topics (scaling overview). See Configuration.