1.3 — Securing Your Instance with Nginx
Securing Your Instance with Nginx: The Reverse Proxy Pattern
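Exposing your automation server directly on a raw port (e.g., :5678) means its traffic travels unencrypted and the application itself is reachable from the internet, which is a major security vulnerability. In this lesson, we implement an Nginx Reverse Proxy with SSL to secure your "Automation Factory" behind an encrypted, high-status URL.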
🏗️ The Proxy Architecture
Nginx acts as the "Gatekeeper" for your server. It accepts traffic on port 443 (HTTPS), terminates the SSL connection using your certificate, and passes the request to n8n on port 5678 over the internal (local) interface.
Technical Snippet: Nginx Configuration for n8n
Create this file at /etc/nginx/sites-available/n8n:
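# Redirect all plain-HTTP requests to HTTPS
server {
    listen 80;
    server_name automate.yourdomain.com;
    return 301 https://$host$request_uri;
}

# HTTPS endpoint: terminates SSL and proxies to n8n on the local interface
server {
    listen 443 ssl;
    server_name automate.yourdomain.com;

    # Certbot stores the certificate at these standard Let's Encrypt paths;
    # nginx will not load this block until the files exist
    ssl_certificate     /etc/letsencrypt/live/automate.yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/automate.yourdomain.com/privkey.pem;

    location / {
        proxy_pass http://localhost:5678;
        # Pass the original host name and scheme through to n8n
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        # HTTP/1.1 with an empty Connection header keeps upstream connections open;
        # buffering and caching are off so streamed responses pass straight through
        proxy_set_header Connection '';
        proxy_http_version 1.1;
        chunked_transfer_encoding off;
        proxy_buffering off;
        proxy_cache off;
    }
}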
Nuance: SSL via Certbot
In 2026, there is zero excuse for unencrypted traffic. Use Certbot (Let's Encrypt) to automate your SSL renewal:
sudo certbot --nginx -d automate.yourdomain.com
Practice Lab: The Proxy Test
- Configure: Set up a basic Nginx site pointing to a local HTML file.
- Redirect: Implement a port-forward from port 80 to port 8080.
- Verify: Access the site via your domain and verify the "Green Padlock" is active.
🇵🇰 Pakistan Scenario: Securing Your Client's Automation
You're building an automation for a Lahore e-commerce brand. They process 500 orders/day through Daraz and their own Shopify store. Their data includes customer names, phone numbers, and addresses.
Why SSL matters here: Pakistan's PECA (Prevention of Electronic Crimes Act) requires data protection. If customer data leaks because you ran n8n on an unencrypted port, you're legally liable. The 5-minute Certbot setup protects you AND builds client trust.
Domain tip: Buy a .pk or .com.pk domain from PKNIC for PKR 2,500/year. Point automate.yourbrand.pk to your VPS. Pakistani clients trust local domains more.
Homework: The Secure Factory
Link your n8n Docker container to your Nginx proxy. Ensure that n8n can only be accessed via your HTTPS domain and that the raw port 5678 is blocked by your server's firewall (ufw).
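One way to verify the homework's last requirement, as an added example that is not part of the original lesson: the script parses `ss -tlnH` output and reports any listener on port 5678 bound to a non-loopback address. The function names and sample lines are constructed for illustration. The check matters because ports published by Docker are opened through Docker's own iptables rules and are not filtered by ufw, so publishing the container with `-p 127.0.0.1:5678:5678` is what actually keeps the raw port private.

```shell
#!/bin/sh
# Added example (not from the lesson): confirm the raw n8n port is loopback-only.
# Function names and sample data are illustrative.

# Constructed samples in `ss -tlnH` column order:
#   State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
# EXPOSED mimics a container published with `-p 5678:5678`,
# LOCAL mimics one published with `-p 127.0.0.1:5678:5678`.
SAMPLE_EXPOSED='LISTEN 0 4096 0.0.0.0:5678 0.0.0.0:*
LISTEN 0 4096 [::]:5678 [::]:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*'
SAMPLE_LOCAL='LISTEN 0 4096 127.0.0.1:5678 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*'

# Read ss lines on stdin; print each non-loopback address listening on port $1.
exposed_listeners() {
    awk -v port="$1" '{
        addr = $4
        n = split(addr, parts, ":")
        if (parts[n] != port) next            # different port: ignore
        host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
        if (host ~ /^127\./ || host == "[::1]") next   # loopback is fine
        print addr
    }'
}

# Return 0 if port $1 is loopback-only, 1 if other hosts can reach it.
audit_port() {
    found=$(exposed_listeners "$1")
    if [ -n "$found" ]; then
        printf 'EXPOSED: port %s listens on %s\n' "$1" \
            "$(printf '%s' "$found" | tr '\n' ' ')"
        return 1
    fi
    printf 'OK: port %s is not listening on a public address\n' "$1"
}

# Demo on the constructed samples.
# On a real host run instead:  ss -tlnH | audit_port 5678
printf '%s\n' "$SAMPLE_EXPOSED" | audit_port 5678 || true
printf '%s\n' "$SAMPLE_LOCAL" | audit_port 5678
```

Run the live form after every change to the container or compose file, and confirm from a second machine that only ports 80 and 443 answer.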
📺 Recommended Videos & Resources
- Nginx Reverse Proxy Setup for n8n — Official n8n reverse proxy documentation
  - Type: Documentation
  - Link description: Visit docs.n8n.io/hosting, search "Nginx"
- Let's Encrypt SSL Certificate in 5 Minutes — YouTube tutorial for Certbot automated SSL setup
  - Type: YouTube
  - Link description: Search YouTube for "Certbot Let's Encrypt tutorial"
- UFW Firewall for Ubuntu VPS — Critical for blocking raw ports and exposing only HTTPS
  - Type: YouTube
  - Link description: Search YouTube for "UFW firewall Ubuntu tutorial"
- PKNIC Domain Registration Guide (.pk Domains) — Register .pk domains for Pakistani trust + SEO
  - Type: Documentation
  - Link description: Visit pknic.net.pk, search "domain registration"
- Pakistani VPS Security Checklist 2026 — Includes SSL, firewall, and Pakistan-specific considerations
  - Type: YouTube
  - Link description: Search YouTube for "VPS security hardening 2026"
🎯 Mini-Challenge
Secure your domain today: Buy or use a free test domain, point it to your VPS IP, run Certbot to generate a free SSL certificate, and verify the green padlock in your browser. (Bonus: Add your n8n instance behind the proxy and share the HTTPS URL with a friend to test.)
🖼️ Visual Reference
📊 Nginx Reverse Proxy Security Layer
┌─────────────────────────────────────────┐
│       Internet Traffic (Port 443)       │
│         automate.yourdomain.com         │
└──────────────────┬──────────────────────┘
                   │ HTTPS (Encrypted)
                   ↓
        ┌──────────────────────┐
        │ Nginx Reverse Proxy  │
        │ (Gatekeeper)         │
        │ - SSL Validation     │
        │ - Request Filtering  │
        └──────────────┬───────┘
                       │ HTTP (Local)
                       ↓
        ┌──────────────────────┐
        │ n8n Container        │
        │ (Port 5678)          │
        │ - Isolated           │
        │ - Protected          │
        └──────────────────────┘
Only HTTPS traffic enters. Raw port 5678 is invisible to the world.