nginx config for N8N proxy

n8n.example.com

# Configuration for n8n
# Make sure to adjust: server_name, SSL certificate paths, and proxy_pass settings

##############################################################################
# HTTP Server Block - Redirects all HTTP traffic to HTTPS
##############################################################################
server {
    # Listen directives
    listen 80;                  # IPv4
    listen [::]:80;             # IPv6
    
    # Server identification
    server_name n8n.example.com;
    
    # Logging configuration
    access_log /var/log/nginx/n8n.access.log;
    error_log /var/log/nginx/n8n.error.log;
    
    # Redirect all HTTP traffic to HTTPS
    return 301 https://n8n.example.com$request_uri;
}

##############################################################################
# HTTPS Server Block - Main configuration
##############################################################################
server {
    # Logging configuration
    access_log /var/log/nginx/n8n.access.log;
    error_log /var/log/nginx/n8n.error.log;
    
    #####################################
    # Basic Server Configuration
    #####################################
    # Listen directives
    listen 443 ssl http2;       # IPv4
    listen [::]:443 ssl http2;  # IPv6
    
    # Server identification
    server_name n8n.example.com;
    
    #####################################
    # SSL Configuration
    #####################################
    # Certificate paths - Ensure these paths are correct for your setup.
    # Typically managed by Certbot or another ACME client.
    ssl_certificate     /etc/letsencrypt/live/n8n.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/n8n.example.com/privkey.pem;
    
    # The following configuration can also be included from LetsEncrypt's config by uncommenting this line and commenting the other lines in this block:
    # include /etc/letsencrypt/options-ssl-nginx.conf;

    # SSL optimizations
    ssl_session_cache shared:le_nginx_SSL:10m;
    ssl_session_timeout 1440m;
    ssl_session_tickets off;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    
    # OCSP Stapling - Uncomment after verifying SSL setup
    # ssl_stapling on;
    # ssl_stapling_verify on;
    # ssl_trusted_certificate /etc/letsencrypt/live/n8n.example.com/chain.pem;
    # resolver 8.8.8.8 8.8.4.4 valid=300s;
    # resolver_timeout 5s;
    
    #####################################
    # Security Headers
    #####################################
    # HSTS (HTTP Strict Transport Security) - Uncomment after verifying HTTPS works
    # add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    
    # Additional security headers could be added here
    # add_header X-Content-Type-Options "nosniff" always;
    # add_header X-Frame-Options "SAMEORIGIN" always;
    # add_header X-XSS-Protection "1; mode=block" always;
    # add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    
    #####################################
    # Rate Limiting - This should be added to the http{} block in main nginx.conf
    #####################################
    # limit_req_zone $binary_remote_addr zone=n8n_limit:10m rate=10r/s;
    
    #####################################
    # Proxy Configuration
    #####################################
    # Buffer sizes for handling large payloads
    client_max_body_size 100M;
    client_body_buffer_size 20M;
    proxy_buffer_size 128k;
    proxy_buffers 4 256k;
    proxy_busy_buffers_size 256k;
    
    # Timeouts
    proxy_connect_timeout 180s;
    proxy_send_timeout 300s;
    proxy_read_timeout 300s;
    
    # Proxy headers
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    
    # WebSocket and Server-Sent Events (SSE) support
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    
    # Optional header handling - uncomment if needed
    # proxy_set_header Authorization $http_authorization;
    # proxy_pass_header Authorization;
    # proxy_cookie_path / "/; SameSite=None; Secure";
    
    # Disable buffering for real-time updates
    proxy_buffering off;
    
    #####################################
    # Compression Settings
    #####################################
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_types text/plain text/css text/xml application/json application/javascript application/xml+rss application/atom+xml image/svg+xml;
    
    #####################################
    # Location Blocks
    #####################################
    # Static content with caching
    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
        proxy_pass http://localhost:5678;
        expires 30d;
        add_header Cache-Control "public, no-transform";
    }
    
    # Main application
    location / {
        proxy_pass http://localhost:5678;
        limit_req zone=n8n_limit burst=20 nodelay;
    }
    
    # Webhooks and MCP
    location ~ ^/(webhook|mcp) {
      proxy_pass http://localhost:5678;
      proxy_buffering off;
      gzip off;
      proxy_set_header Connection "";
    }

}

Consider adding the following directives at a certain point.
Currently not sure they are essential.

    # # Add MCP protocol endpoint handling
    # location /mcp/ {
    #   proxy_pass http://localhost:5678/mcp/;
      
    #   # CORS headers for API
    #   add_header 'Access-Control-Allow-Origin' '*' always;
    #   add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, PUT, DELETE' always;
    #   add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization' always;
    #   add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range,Authorization' always;
      
    #   # Handle preflight requests
    #   if ($request_method = 'OPTIONS') {
    #       add_header 'Access-Control-Allow-Origin' '*';
    #       add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, PUT, DELETE';
    #       add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization';
    #       add_header 'Access-Control-Max-Age' 1728000;
    #       add_header 'Content-Type' 'text/plain; charset=utf-8';
    #       add_header 'Content-Length' 0;
    #       return 204;
    #   }
    # }

Added a dedicated block for webhooks and mcp, per n8n-io/n8n#14546 (comment)