self hosting

N8N Custom Domain Setup

A custom domain for self-hosted n8n needs DNS, reverse proxy routing, HTTPS, and endpoint environment variables that make editor and webhook URLs use the same public host.

Match your incident first

Start with the symptom you can prove

Jump to checks

Test URL works, production URL returns 404

First check: Open the Webhook node and compare the active production URL with the external app callback URL.

Wrong fix to avoid: Do not rebuild the whole workflow before proving whether the active production endpoint exists.

Verify: Activate the workflow, send a POST to the production URL, and confirm one new production execution appears.

Production URL shows localhost, container hostname, or http instead of public HTTPS

First check: Check the public URL shown in n8n and compare it with WEBHOOK_URL and reverse proxy forwarded headers.

Wrong fix to avoid: Do not paste the internal Docker service name into external SaaS callback settings.

Verify: The Webhook node displays the public HTTPS domain and an external curl reaches n8n without redirect loops.

External app times out but n8n logs show no execution

First check: Run an external curl smoke test and inspect reverse proxy access logs for the same timestamp.

Wrong fix to avoid: Do not rotate credentials when the request never reaches n8n.

Verify: Proxy access log and n8n execution log both show the same request.

Use when: self-hosted, custom domain
First check: Copy the callback URL shown in n8n and compare it exactly with the provider app redirect URL.
Time to check: 5-10 minutes
Next step: Match the symptom, then run the verification checks.

Independent third-party notes. n8n is a trademark of its owner and is referenced only for compatibility and troubleshooting context.

Quick Answer

A custom domain for self-hosted n8n needs DNS, reverse proxy routing, HTTPS, and endpoint environment variables that make editor and webhook URLs use the same public host.

Does this match your symptom?

OAuth callback or credentials are blocking execution

The OAuth login does not return to n8n, credentials reconnect but still fail, or provider scopes and callback URLs do not match production.

First check: Copy the callback URL shown in n8n and compare it exactly with the provider app redirect URL.

Primary path n8n OAuth Callback Error: Redirect URL Checklist Related check N8N Credential Error Related check N8N Reverse Proxy Setup Still blocked? Generate a diagnostic brief

Version awareness

Last reviewed 2026-05-21

Applies to: n8n Cloud when using webhooks, self-hosted n8n, Docker, reverse proxy, custom domains
Official docs checked: n8n Deployment Environment Variables, n8n Endpoint Environment Variables
Version-sensitive assumptions: n8n node parameters, credential names, and queue mode defaults can change between releases; confirm against your installed version before changing production.
What may change after upgrades: Node parameter names, credential scopes, webhook behavior, Docker image defaults, and queue worker expectations may shift after n8n upgrades.

Key Facts

DNS: The domain must point to the server or load balancer that handles public traffic.
Host setting: N8N_HOST should match the public host name.
Webhook setting: WEBHOOK_URL should match the public base URL used by external services.
HTTPS: Public domains should serve n8n over HTTPS.

Production Diagnostic Matrix

Turn checks into a brief

Exact symptom or log	Likely cause	First check	Wrong fix to avoid	Verification
Test URL works, production URL returns 404	Workflow is not active, caller is using the test URL, or the production path was changed after activation.	Open the Webhook node and compare the active production URL with the external app callback URL.	Do not rebuild the whole workflow before proving whether the active production endpoint exists.	Activate the workflow, send a POST to the production URL, and confirm one new production execution appears.
Production URL shows localhost, container hostname, or http instead of public HTTPS	WEBHOOK_URL, N8N_HOST, N8N_PROTOCOL, or proxy headers do not match the public domain.	Check the public URL shown in n8n and compare it with WEBHOOK_URL and reverse proxy forwarded headers.	Do not paste the internal Docker service name into external SaaS callback settings.	The Webhook node displays the public HTTPS domain and an external curl reaches n8n without redirect loops.
External app times out but n8n logs show no execution	DNS, firewall, Cloudflare, reverse proxy, or path routing blocks the request before it reaches n8n.	Run an external curl smoke test and inspect reverse proxy access logs for the same timestamp.	Do not rotate credentials when the request never reaches n8n.	Proxy access log and n8n execution log both show the same request.
Workflow receives payload but caller gets wrong response or hangs	Respond to Webhook is missing, configured for the wrong response mode, or waits for a branch that does not finish.	Check the Webhook node response mode and the Respond to Webhook node path.	Do not add arbitrary Wait nodes to hide timeout behavior.	Caller receives the intended status code and body within the provider timeout window.
Webhook path works internally but fails through reverse proxy	Proxy location, base path, body size, TLS termination, or forwarded proto/host headers are wrong.	Compare direct container access with the public reverse proxy route and check forwarded headers.	Do not disable HTTPS verification as a proxy troubleshooting shortcut.	Public HTTPS request preserves method, path, body, and host all the way to n8n.

Recommended Steps

Create DNS records for the n8n subdomain.
Route the domain through your reverse proxy or hosting layer.
Configure HTTPS for the public domain.
Set N8N_HOST to the domain host.
Set WEBHOOK_URL to the public HTTPS base URL.
Open the editor and copy a webhook URL to confirm the domain is correct.

Verification

The editor loads at the custom domain.
Webhook URLs use the custom domain.
A third-party service can call the production webhook successfully.

First Commands / Checks

Webhook smoke test Use when an external app reports timeout, 404, or wrong response.

curl -i -X POST https://automation.example.com/webhook/example-path \
  -H "content-type: application/json" \
  -d '{"smokeTest":true}'

Secrets note: Use a disposable path or non-sensitive payload. Do not paste provider signing secrets into curl examples.
Verification: The response status and body match the Webhook or Respond to Webhook configuration.

Check container state Use first when n8n is down, restarting, or behaving differently after a deploy.

docker compose ps

Secrets note: This lists service names and status only; it should not print credential values.
Verification: n8n, database, Redis, and worker services are running or the failing service is obvious.

Read recent n8n logs Use when the editor, webhook, or startup path fails.

docker compose logs n8n --tail=100

Secrets note: Review before sharing; remove tokens, private hostnames, and customer payloads.
Verification: The log contains a timestamped error, migration message, or clean startup line.

Check public URL variables only Use when webhook URLs show localhost, http, or the wrong domain.

docker compose exec n8n printenv WEBHOOK_URL N8N_HOST N8N_PROTOCOL N8N_EDITOR_BASE_URL

Secrets note: Do not run a full env dump in public channels; print only these non-secret routing names.
Verification: Values point to the intended HTTPS public domain.

Safe Copyable Config

Reverse proxy header shape Use when the public route reaches the proxy but n8n generates wrong URLs or websockets fail.

location / {
  proxy_pass http://n8n:5678;
  proxy_http_version 1.1;
  proxy_set_header Host $host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Forwarded-Proto $scheme;
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection "upgrade";
}

What to change: Point proxy_pass to your n8n upstream. Keep TLS termination and forwarded proto consistent.
Secrets to keep private: TLS private keys and internal hostnames if sharing externally.
Verification: Webhook URLs use HTTPS public host. Editor websocket and webhook POST both work.
Common mistakes: Dropping X-Forwarded-Proto. Proxying only GET while webhook providers send POST. Mixing http public URLs with HTTPS provider callbacks.

.env.example with redacted production placeholders Use as a review checklist for self-hosted n8n environment variables.

N8N_HOST=automation.example.com
N8N_PROTOCOL=https
WEBHOOK_URL=https://automation.example.com/
GENERIC_TIMEZONE=UTC
DB_TYPE=postgresdb
DB_POSTGRESDB_HOST=postgres
DB_POSTGRESDB_DATABASE=n8n
DB_POSTGRESDB_USER=n8n_app
DB_POSTGRESDB_PASSWORD=REDACTED_CHANGE_ME
N8N_ENCRYPTION_KEY=REDACTED_GENERATE_ONCE

What to change: Replace domain and timezone. Generate private secret values outside the repo.
Secrets to keep private: Every value marked REDACTED and the real .env file.
Verification: Only expected variable names are present in tickets or docs. The real .env is not committed.
Common mistakes: Sharing full env dumps. Changing encryption key after credentials are created.

Warnings

Changing only DNS is not enough if n8n still generates localhost or internal webhook URLs.
Domain changes can break integrations that already stored old webhook URLs.

Sources

n8n Deployment Environment Variables Accessed 2026-05-07 n8n Endpoint Environment Variables Accessed 2026-05-07

Quick Answer

OAuth callback or credentials are blocking execution

Last reviewed 2026-05-21

Key Facts

Production Diagnostic Matrix

Recommended Steps

Verification

First Commands / Checks

Safe Copyable Config

Warnings

Sources

Related Pages

N8N Backup and Restore Guide

N8N Docker Compose Setup

N8N Docker Installation

N8N Docker Volume Persistence

N8N Postgres Setup