Bypassing webhooks with Zerotrust + N8N

Zero Trust Cloudflare Tunnel
1

What is the name of the domain?

n8n.domain.com

What is the error message?

2024-12-24T14:08:33Z ERR error=“Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: dial tcp 172.18.0.2:5678: connect: connection refused” connIndex=2 event=1 ingressRule=1 originService=http://n8n:5678

What is the issue you’re encountering

Hello everyone, I’m using Cloudflare Zero Trust for an N8N application. My goal is to access the application through Zero Trust with authentication, while using a bypass policy for webhooks. Additionally, I need the webhook domain to be different from the main domain and include random characters in the path, like: mydomain/daksfhkjhoifhsdfjksfklsdfjk for enhanced security. N8N is running on port 5678. I’ve already created two applications in Zero Trust and configured the rules. The application itself is protected by Zero Trust and works fine, but I’m struggling with the webhooks. I followed the instructions from this guide: Access policy to bypass auth requirements for specific subpath, and managed to get the domain mydomain to display the application’s main page. However, when I add a /path to the application URL, the tunnel fails to recognize the application.

What steps have you taken to resolve the issue?

I also tried specifying different URLs and paths, changing domains and subdomains, and adding or removing /path in the N8N configuration. Unfortunately, none of these attempts resolved the issue.

What are the steps to reproduce the issue?

  1. Create 2 applications pointing to http://n8n:5678
  2. Create public URL with path like n8n.domain.com/odasjjfksdfsffsdhkjfj
  3. Put the URL into “webhook url” config in N8N
2

My n8n docker compose config:

volumes:
  db_storage:
  n8n_storage:
  traefik_data:
    external: true

services:
  postgres:
    image: postgres:16
    restart: always
    environment:
      - POSTGRES_USER
      - POSTGRES_PASSWORD
      - POSTGRES_DB
      - POSTGRES_NON_ROOT_USER
      - POSTGRES_NON_ROOT_PASSWORD
    volumes:
      - db_storage:/var/lib/postgresql/data
      - ./init-data.sh:/docker-entrypoint-initdb.d/init-data.sh
    healthcheck:
      test: ['CMD-SHELL', 'pg_isready -h localhost -U ${POSTGRES_USER} -d ${POSTGRES_DB}']
      interval: 5s
      timeout: 5s
      retries: 10
    networks:
      - internal

  n8n:
    image: docker.n8n.io/n8nio/n8n
      #    container_name: n8n
    restart: always
    ports:
      - 5678:5678
    links:
      - postgres
    volumes:
      - n8n_storage:/home/node/.n8n
    depends_on:
      postgres:
        condition: service_healthy
          # labels:
    environment:
      - N8N_HOST=${DOMAIN_NAME}
      - N8N_PORT=5678
      - N8N_PROTOCOL=http
      - NODE_ENV=production
      - WEBHOOK_URL=https://n8n.domain.com
        #- WEBHOOK_URL=https://n8n:5678/
      - GENERIC_TIMEZONE=${GENERIC_TIMEZONE}
      - DB_TYPE=postgresdb
      - DB_POSTGRESDB_HOST=postgres
      - DB_POSTGRESDB_PORT=5432
      - DB_POSTGRESDB_DATABASE=${POSTGRES_DB}
      - DB_POSTGRESDB_USER=${POSTGRES_NON_ROOT_USER}
      - DB_POSTGRESDB_PASSWORD=${POSTGRES_NON_ROOT_PASSWORD}
      - N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS=true
    networks:
      - zerotrusttunnel
      - internal

networks:
  internal:
  zerotrusttunnel:
    external: true
3

I need to figure this out too. Hope someone can add some insight.