WF Workflow Fixes

self hosting

N8N SSL Setup

For public n8n deployments, use HTTPS either through a reverse proxy or n8n's SSL settings, then make sure generated editor and webhook URLs also use HTTPS.

Match your incident first

Start with the symptom you can prove

Jump to checks

Test URL works, production URL returns 404

First check: Open the Webhook node and compare the active production URL with the external app callback URL.

Wrong fix to avoid: Do not rebuild the whole workflow before proving whether the active production endpoint exists.

Verify: Activate the workflow, send a POST to the production URL, and confirm one new production execution appears.

Production URL shows localhost, container hostname, or http instead of public HTTPS

First check: Check the public URL shown in n8n and compare it with WEBHOOK_URL and reverse proxy forwarded headers.

Wrong fix to avoid: Do not paste the internal Docker service name into external SaaS callback settings.

Verify: The Webhook node displays the public HTTPS domain and an external curl reaches n8n without redirect loops.

External app times out but n8n logs show no execution

First check: Run an external curl smoke test and inspect reverse proxy access logs for the same timestamp.

Wrong fix to avoid: Do not rotate credentials when the request never reaches n8n.

Verify: Proxy access log and n8n execution log both show the same request.

Use when
self-hosted, HTTPS, SSL
First check
Confirm workflows and credentials survive a restart before sending real traffic.
Time to check
5-10 minutes
Next step
Match the symptom, then run the verification checks.

Independent third-party notes. n8n is a trademark of its owner and is referenced only for compatibility and troubleshooting context.

Quick Answer

For public n8n deployments, use HTTPS either through a reverse proxy or n8n's SSL settings, then make sure generated editor and webhook URLs also use HTTPS.

Does this match your symptom?

Self-hosted Docker setup looks risky

The instance runs, but persistence, .env files, public URLs, HTTPS, Postgres, or backups are unclear.

First check: Confirm workflows and credentials survive a restart before sending real traffic.

Primary path n8n Docker Compose Setup: Persistent Volume, .env, Postgres, and Webhooks Related check n8n Docker Volume Persistence: Avoid Losing Workflows and Credentials Related check N8N Docker Compose .env File Still blocked? Generate a diagnostic brief

Version awareness

Last reviewed 2026-05-21

Applies to
n8n Cloud when using webhooks, self-hosted n8n, Docker, reverse proxy, custom domains
Official docs checked
n8n Security Environment Variables, n8n Endpoint Environment Variables, n8n Deployment Environment Variables
Version-sensitive assumptions
n8n node parameters, credential names, and queue mode defaults can change between releases; confirm against your installed version before changing production.
What may change after upgrades
Node parameter names, credential scopes, webhook behavior, Docker image defaults, and queue worker expectations may shift after n8n upgrades.

Key Facts

Security variable group
n8n documents SSL-related environment variables under security settings.
Public URL alignment
N8N_PROTOCOL and WEBHOOK_URL should reflect HTTPS when public access uses HTTPS.
Common production approach
Terminate TLS at a reverse proxy and forward traffic to n8n internally.
Webhook dependency
External apps often require HTTPS webhook targets.

Production Diagnostic Matrix

Turn checks into a brief
Exact symptom or log Likely cause First check Wrong fix to avoid Verification
Test URL works, production URL returns 404 Workflow is not active, caller is using the test URL, or the production path was changed after activation. Open the Webhook node and compare the active production URL with the external app callback URL. Do not rebuild the whole workflow before proving whether the active production endpoint exists. Activate the workflow, send a POST to the production URL, and confirm one new production execution appears.
Production URL shows localhost, container hostname, or http instead of public HTTPS WEBHOOK_URL, N8N_HOST, N8N_PROTOCOL, or proxy headers do not match the public domain. Check the public URL shown in n8n and compare it with WEBHOOK_URL and reverse proxy forwarded headers. Do not paste the internal Docker service name into external SaaS callback settings. The Webhook node displays the public HTTPS domain and an external curl reaches n8n without redirect loops.
External app times out but n8n logs show no execution DNS, firewall, Cloudflare, reverse proxy, or path routing blocks the request before it reaches n8n. Run an external curl smoke test and inspect reverse proxy access logs for the same timestamp. Do not rotate credentials when the request never reaches n8n. Proxy access log and n8n execution log both show the same request.
Workflow receives payload but caller gets wrong response or hangs Respond to Webhook is missing, configured for the wrong response mode, or waits for a branch that does not finish. Check the Webhook node response mode and the Respond to Webhook node path. Do not add arbitrary Wait nodes to hide timeout behavior. Caller receives the intended status code and body within the provider timeout window.
Webhook path works internally but fails through reverse proxy Proxy location, base path, body size, TLS termination, or forwarded proto/host headers are wrong. Compare direct container access with the public reverse proxy route and check forwarded headers. Do not disable HTTPS verification as a proxy troubleshooting shortcut. Public HTTPS request preserves method, path, body, and host all the way to n8n.
  1. Choose whether TLS terminates at a reverse proxy or n8n itself.
  2. Install and renew certificates through the chosen method.
  3. Set N8N_PROTOCOL=https for public HTTPS deployments.
  4. Set WEBHOOK_URL to the HTTPS public base URL.
  5. Test the editor and a production webhook over HTTPS.

Verification

  • The browser shows a valid HTTPS connection.
  • Generated webhook URLs start with https://.
  • External webhook providers can deliver requests without TLS errors.

First Commands / Checks

Webhook smoke test Use when an external app reports timeout, 404, or wrong response. 
curl -i -X POST https://automation.example.com/webhook/example-path \
  -H "content-type: application/json" \
  -d '{"smokeTest":true}'
Secrets note
Use a disposable path or non-sensitive payload. Do not paste provider signing secrets into curl examples.
Verification
The response status and body match the Webhook or Respond to Webhook configuration.
Check container state Use first when n8n is down, restarting, or behaving differently after a deploy. 
docker compose ps
Secrets note
This lists service names and status only; it should not print credential values.
Verification
n8n, database, Redis, and worker services are running or the failing service is obvious.
Read recent n8n logs Use when the editor, webhook, or startup path fails. 
docker compose logs n8n --tail=100
Secrets note
Review before sharing; remove tokens, private hostnames, and customer payloads.
Verification
The log contains a timestamped error, migration message, or clean startup line.
Check public URL variables only Use when webhook URLs show localhost, http, or the wrong domain. 
docker compose exec n8n printenv WEBHOOK_URL N8N_HOST N8N_PROTOCOL N8N_EDITOR_BASE_URL
Secrets note
Do not run a full env dump in public channels; print only these non-secret routing names.
Verification
Values point to the intended HTTPS public domain.

Safe Copyable Config

Reverse proxy header shape Use when the public route reaches the proxy but n8n generates wrong URLs or websockets fail. 
location / {
  proxy_pass http://n8n:5678;
  proxy_http_version 1.1;
  proxy_set_header Host $host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Forwarded-Proto $scheme;
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection "upgrade";
}
What to change
Point proxy_pass to your n8n upstream. Keep TLS termination and forwarded proto consistent.
Secrets to keep private
TLS private keys and internal hostnames if sharing externally.
Verification
Webhook URLs use HTTPS public host. Editor websocket and webhook POST both work.
Common mistakes
Dropping X-Forwarded-Proto. Proxying only GET while webhook providers send POST. Mixing http public URLs with HTTPS provider callbacks.

Warnings

  • Do not expose credentials or webhook payloads over plain HTTP on public networks.
  • Certificate renewal failures can break webhook integrations.

Best For

  • Public self-hosted n8n instances.
  • Webhook integrations from third-party services that require HTTPS.
  • Deployments that need secure browser access to credentials and workflow data.

Not For

  • Local-only disposable testing on localhost.
  • Situations where a managed platform already handles TLS completely.
  • Cases where the domain or proxy route is still not configured.

Common Mistakes

  • Serving the editor over HTTPS while generated webhook URLs still use http://.
  • Letting certificates expire without monitoring.
  • Exposing n8n publicly over plain HTTP.
  • Confusing TLS termination at the proxy with SSL settings inside n8n.

Examples

HTTPS URL alignment The browser URL and webhook URL should agree. 
Browser URL:
https://automation.example.com

Generated webhook URL:
https://automation.example.com/webhook/order-created

Mismatch to fix:
http://automation.example.com/webhook/order-created
TLS readiness checklist Use this before connecting production apps. 
Valid certificate: yes
Auto-renewal: yes
N8N_PROTOCOL=https: yes
WEBHOOK_URL=https://...: yes
External webhook smoke test: yes

FAQ

Should TLS terminate at the reverse proxy or n8n?

Many production deployments terminate TLS at a reverse proxy. The key is that public URLs and n8n endpoint settings still generate HTTPS links.

Why do webhooks show http:// after I enabled HTTPS?

The public endpoint variables may still indicate HTTP or the old base URL. Check N8N_PROTOCOL and WEBHOOK_URL.

Is HTTPS required?

For public deployments handling credentials, webhook payloads, or browser sessions, HTTPS should be treated as required.

Sources

n8n Security Environment Variables Accessed 2026-05-07 n8n Endpoint Environment Variables Accessed 2026-05-07 n8n Deployment Environment Variables Accessed 2026-05-07

Related Pages

self hosting

N8N Reverse Proxy Setup

When n8n runs behind a reverse proxy, configure the public host, protocol, and webhook base URL so editor links and incoming webhook URLs match the external domain.

 self hosting

N8N Custom Domain Setup

A custom domain for self-hosted n8n needs DNS, reverse proxy routing, HTTPS, and endpoint environment variables that make editor and webhook URLs use the same public host.

 error fix

N8N Webhook Troubleshooting

Fix n8n webhook failures by checking test vs production URLs, workflow activation or publishing, WEBHOOK_URL, public domains, reverse proxies, and external request routing.

 self hosting

N8N VPS Hosting Guide

A VPS is a good starting point for self-hosted n8n when it has enough memory, persistent storage, backups, public HTTPS, and room to move to Postgres or queue mode later.