Restricting n8n hook subdomain

How to block access to n8n console under the hook subdomain

Some links may be affiliate links that keep this site running.

I run n8n for some automations as it allows me a visual view of what is happening.

My setup is quite simple.

  • The n8n console faces an internal network on NetBird.
  • The n8n hooks face the public internet.

One thing I found missing in n8n is the ability to restrict console access when someone reaches the hooks subdomain that n8n is running under. Currently there is no way to prevent that within n8n itself, other than blocking it in your reverse proxy.

As I use HAProxy, I wrote a short access list; the configuration is below. It goes into your frontend section.

    # Configuration: match the public hook host and the webhook path prefix
    acl n8n_webhook_host hdr(host) -i hook.yourdomain.com
    acl n8n_webhook_path path_beg /webhook

    # Allow and deny rules: on the hook host, only /webhook* may pass;
    # anything else on that host (the console UI, API) is refused with a 403
    http-request allow if n8n_webhook_host n8n_webhook_path
    http-request deny if n8n_webhook_host !n8n_webhook_path

    # Route the allowed webhook traffic to the n8n backend
    use_backend n8n if n8n_webhook_host n8n_webhook_path

You will notice that this points at the same backend as the console, and that's because I only run one instance of n8n and haven't split it into components.
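To see exactly which requests the three rules above allow, deny, or leave untouched, here is a small model of HAProxy's evaluation order written for this post (added example, not part of the original post or of HAProxy/n8n). It assumes the frontend has a default_backend and no other http-request rules ahead of these; the sample requests are constructed.

```python
# Added example (not from the original post): a minimal model of how HAProxy
# walks the post's ACLs, to see which requests are allowed, denied, or fall
# through to the frontend's default_backend.
#
# Assumptions (mine, not the post's): the frontend has a default_backend, and
# no other http-request rules sit before these three.

HOOK_HOST = "hook.yourdomain.com"   # value used in the post's acl
WEBHOOK_PREFIX = "/webhook"         # value used in the post's path_beg acl


def acl_webhook_host(host_header: str) -> bool:
    """hdr(host) -i <value>: exact, case-insensitive match on the whole header.

    HAProxy's hdr(host) returns the header as received, including any ':port'
    suffix, so 'hook.yourdomain.com:443' does NOT equal 'hook.yourdomain.com'.
    """
    return host_header.lower() == HOOK_HOST.lower()


def acl_webhook_path(path: str) -> bool:
    """path_beg <value>: prefix match on the request path (case-sensitive)."""
    return path.startswith(WEBHOOK_PREFIX)


def decide(host_header: str, path: str) -> str:
    """Apply the post's rules in order and return the verdict:

    'allow'       -> http-request allow matched (use_backend n8n then applies)
    'deny'        -> http-request deny matched (HAProxy answers 403)
    'fallthrough' -> no rule matched; the request goes to default_backend
    """
    is_host = acl_webhook_host(host_header)
    is_hook = acl_webhook_path(path)
    # http-request allow if n8n_webhook_host n8n_webhook_path
    if is_host and is_hook:
        return "allow"
    # http-request deny if n8n_webhook_host !n8n_webhook_path
    if is_host and not is_hook:
        return "deny"
    return "fallthrough"


# Constructed sample requests (not from the post) covering the edge cases.
SAMPLE_REQUESTS = [
    ("hook.yourdomain.com", "/webhook/abc123"),        # production webhook: allowed
    ("HOOK.yourdomain.com", "/webhook/abc123"),        # -i makes the host match case-insensitive
    ("hook.yourdomain.com", "/webhook-test/abc123"),   # path_beg is a prefix match: also allowed
    ("hook.yourdomain.com", "/"),                      # console root on the hook host: denied
    ("hook.yourdomain.com", "/signin"),                # console page on the hook host: denied
    ("hook.yourdomain.com:443", "/signin"),            # host carries a port: neither rule fires
    ("n8n.internal.example", "/signin"),               # console host: not covered by these rules
]


def evaluate_all(requests=SAMPLE_REQUESTS) -> dict:
    """Return {(host, path): verdict} for every sample request."""
    return {(host, path): decide(host, path) for host, path in requests}


if __name__ == "__main__":
    for (host, path), verdict in evaluate_all().items():
        print(f"{verdict:12} Host={host} path={path}")
```

The two "fallthrough" rows are the part worth checking in your own setup: a request whose Host header is not exactly the ACL value is neither allowed nor denied by these rules and is routed by whatever default_backend the frontend has. If that default is the same n8n backend, a Host header with an explicit port would still reach the console, so a closing http-request deny after these rules (or an explicit rule for the console host) makes the intent unambiguous.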

Run haproxy -c -f /etc/haproxy/haproxy.cfg to check the configuration. You may get a few warnings that your rules are not ordered properly, but as long as the configuration is valid, it will work.

Finish up with:

    sudo systemctl reload haproxy

I host the majority of my cloud instances on a HostHatch VPS (Virtual Private Server) instance (in Asia) for a steal. Some of the other hosts I use are RackNerd (US) and WebHorizon (Asia+Europe) VPS, and I have decided that it is time to move away from Linode, which is a great service, but I am looking to reduce the billing on instances. For comparison, I save more than 50% on HostHatch compared to Linode ($3.33 compared to $8). Don't get me wrong, if this was an extremely (like REALLY) critical application, I would keep it on Linode.

This post is licensed under CC BY 4.0 by the author.