sudo apt upgrade

Step 0: Install Docker & Docker Compose

Run the official installer:

curl -fsSL https://get.docker.com | sudo sh

Verify it’s the real "Docker-CE" (Production version):

docker version

Step 1: Create the Network

This connects all your containers together.

docker network create all-n8n-net

Step 2: Create the Directory

mkdir -p ~/n8n-stack && cd ~/n8n-stack

location: /root/n8n-stack

Step 3: Create nginx.conf

Copy and paste this entire block:

cat <<EOF > nginx.conf
events {}
http {
    server {
        listen 443 ssl;
        server_name subdomain.domain.com;

        # Internal paths for auto-generated certs
        ssl_certificate /etc/nginx/certs/server.crt;
        ssl_certificate_key /etc/nginx/certs/server.key;

        location / {
            proxy_pass http://n8n-main:5678;
            proxy_set_header Host \$host;
            proxy_set_header X-Real-IP \$remote_addr;
            proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto \$scheme;

            # WebSocket Support
            proxy_http_version 1.1;
            proxy_set_header Upgrade \$http_upgrade;
            proxy_set_header Connection "upgrade";
            
            proxy_read_timeout 600s;
        }
    }
}
EOF

3. Create the Complete docker-compose.yml

Copy and paste this entire block:

cat <<EOF > docker-compose.yml
services:
  nginx:
    image: nginx:latest
    restart: always
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf:ro
    networks: [all-n8n-net]
    entrypoint: >
      /bin/sh -c "mkdir -p /etc/nginx/certs &&
      openssl req -x509 -nodes -days 365 -newkey rsa:2048 \\
      -keyout /etc/nginx/certs/server.key \\
      -out /etc/nginx/certs/server.crt \\
      -subj '/CN=subdomain.domain.com' &&
      exec nginx -g 'daemon off;'"

  redis:
    image: redis:7-alpine
    restart: always
    networks: [all-n8n-net]
    command: redis-server --maxmemory 512mb --maxmemory-policy allkeys-lru

  browserless:
    image: browserless/chrome:latest
    restart: always
    environment:
      - MAX_CONCURRENT_SESSIONS=10
    networks: [all-n8n-net]

  n8n-main:
    image: n8nio/n8n:latest
    restart: always
    networks: [all-n8n-net]
    environment:
      - TZ=Asia/Kolkata
      - NODEJS_PREFER_IPV4=true
      - N8N_ENCRYPTION_KEY=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
      - N8N_HOST=subdomain.domain.com
      - N8N_PROTOCOL=https
      - WEBHOOK_URL=https://subdomain.domain.com
      - N8N_PROXY_HOPS=1
      - NODE_ENV=production
      - EXECUTIONS_MODE=queue
      - OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS=true
      - QUEUE_BULL_REDIS_HOST=redis
      - DB_TYPE=postgresdb
      - DB_POSTGRESDB_HOST=aws-1-us-east-1.pooler.supabase.com
      - DB_POSTGRESDB_PORT=6543
      - DB_POSTGRESDB_DATABASE=postgres
      - DB_POSTGRESDB_SCHEMA=n8n
      - DB_POSTGRESDB_USER=postgres.XXXXXXXXXXXXXX
      - DB_POSTGRESDB_PASSWORD=XXXXXXXXXXXXXXXXXXX
      - DB_POSTGRESDB_SSL_ENABLED=true
      - DB_POSTGRESDB_SSL_REJECT_UNAUTHORIZED=false
      - N8N_PAYLOAD_SIZE_MAX=50
      - N8N_PUPPETEER_BROWSERLESS_URL=http://browserless:3000
      - N8N_EXPRESS_TRUST_PROXY=true
    depends_on:
      - redis
      - browserless

  n8n-worker:
    image: n8nio/n8n:latest
    command: worker
    restart: always
    networks: [all-n8n-net]
    environment:
      - TZ=Asia/Kolkata
      - NODEJS_PREFER_IPV4=true
      - N8N_ENCRYPTION_KEY=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
      - EXECUTIONS_MODE=queue
      - QUEUE_BULL_REDIS_HOST=redis
      - DB_TYPE=postgresdb
      - DB_POSTGRESDB_HOST=aws-1-us-east-1.pooler.supabase.com
      - DB_POSTGRESDB_PORT=6543
      - DB_POSTGRESDB_DATABASE=postgres
      - DB_POSTGRESDB_SCHEMA=n8n
      - DB_POSTGRESDB_USER=postgres.XXXXXXXXXXXXXX
      - DB_POSTGRESDB_PASSWORD=XXXXXXXXXXXXXXXXXXX
      - DB_POSTGRESDB_SSL_ENABLED=true
      - DB_POSTGRESDB_SSL_REJECT_UNAUTHORIZED=false
      - N8N_PUPPETEER_BROWSERLESS_URL=http://browserless:3000
    depends_on:
      - n8n-main
      - redis

networks:
  all-n8n-net:
    external: true
EOF

4. Final Execution

chmod 600 docker-compose.yml nginx.conf
docker compose up -d

Step 1: Go to AI Crawl Control >> Select all the "Crawler" >> Block >> Confirm

Step 2: Go to Rules >> Overview >> Delete/Disable existing redirect rule (if exists) - But don't delete managed rules (i.e.: kind = managed)

Step 3: Go to SSL/TLS >> Overview >> Configure >> Custom SSL/TLS >> Full (Strict)

Step 4: Go to SSL/TLS >> Edge Certificates >> Always Use HTTPS >> Disable

Step 5: Go to Security >> Settings >> Block AI bots >> Edit (Pencil icon) >> Select "Block on all pages" >> Save

Step 6: Go to Security >> Settings >> Bot fight mode >> Enable

Step 7: Go to Security >> Security rules >> Create rule >> Custom rules

Rule name: Block hostname

Field: Hostname

Operator: wildcard

Value: *domain.com

Choose action: Managed Challenge

Select order: First (if option available)

Step 8: Go to Workers Routes >> Manage Workers >> Create Application >> Start with Hello World! >> Enter "Worker name" as domain (without extension) >> Deploy >> Edit code >> Replace existing code with the below >> Deploy >> Go to back page.

// The destination domain you want to redirect to
const DESTINATION_URL = "https://maindomain.com";

export default {
  async fetch(request) {
    const url = new URL(request.url);

    // Check if the request is already going to the destination to prevent loops
    if (url.hostname === new URL(DESTINATION_URL).hostname) {
      return fetch(request); // Just handle the request normally
    }

    // Check for the cf_clearance cookie, which is set AFTER a human passes a WAF challenge
    const cookieHeader = request.headers.get('Cookie');
    const hasClearanceCookie = cookieHeader && cookieHeader.includes('cf_clearance');

    if (hasClearanceCookie) {
      // If the user has passed the challenge (has the cookie), redirect them
      return Response.redirect(DESTINATION_URL, 302);
    } else {
      // If no clearance cookie is present, allow the request to proceed normally
      // so that Cloudflare's WAF/Bot Fight Mode can intercept and issue the challenge.
      // After they pass the challenge, the cookie will be set for the next request.
      return fetch(request);
    }
  },
};

Step 9: Go to Workers & Pages >> Click the domain name >> Settings >> Domains & Routes >> Click Add >> Route

Zone: Domain

Route: *domain.com/* (make sure to add the wildcard and slash as mentioned)

Failure mode: Fail closed (block)

>> Click "Add route".

Change below details in the above code; then copy-paste the above code in Azure CLI.

display_name=""
email_service="outreachEmail"
resource_group="Email"

domains=(
"domain1.com"
"domain2.com"
)

usernames=(
"username1"
"username2"
)

Replace below:

• email-service-name

• resource-group

• domain-name

• senders list (usernames)

1. Go to the Google Cloud Console.

2. Create a new project (top left corner) by adding a 'Project Name' like Robomotion or n8n.

3. In the left sidebar (hamburger icon), navigate to:
   IAM & Admin → Service Accounts

4. Click “+ Create Service Account”.

   1. Name: Choose a clear, unique name (e.g., n8n-workflow-sa)

   2. ID: Auto-generated or customize as desired

   3. Click Done

B. Create and Download a Private Key

1. In the Service Accounts list, click your new account.

2. Go to the “Keys” tab.

3. Click “Add Key” > “Create new key”.

4. Select JSON and click Create.

5. It will also download the JSON key to your downloads folder.

   1. Now, open the dowloaded key (txt file) and copy the part between '-----BEGIN PRIVATE KEY----- <your_key>-----END PRIVATE KEY-----'

   2. You need to replace the '\n' in the key with an actual line break; to do that:

      1. Open notepad++ and paste the key there.

      2. Use the below setting as shown in image & it will do the work.

         

   3. Save this new key file as it will now be used in your n8n workflows to retrieve the access tokens.

C. Enable Domain-Wide Delegation

1. In your service account page, in the 'Details' tab, click “Advanced settings”.

2. Note the Client ID displayed.

   

3. You’ll use this in the Google Workspace Admin steps below.

D. Enable Required Google APIs

In the Cloud Console, enable Admin SDK API

• Required for:

  • Managing users (add/remove emails, manage user accounts)

  • Managing domains (add/remove verified domains to Google Workspace)

  • Managing groups, organizational units, directory resources, etc.

E. Grant API Scopes in the Google Admin Console

1. Go https://admin.google.com/ac/owl/domainwidedelegation

2. Click “Add new”.

3. Enter the Client ID of your service account (from above).

4. Enter the below scopes that your workflow will use, e.g.:

   • https://www.googleapis.com/auth/admin.directory.user

   • https://www.googleapis.com/auth/admin.directory.domain

5. Click Authorize.

F. Notes (for Every Workspace):

1. Service account’s Client ID must be entered in each Google Workspace’s Admin Console domain-wide delegation page.

2. All required OAuth scopes must be listed in the Admin Console for the Client ID.

3. A valid admin user’s email (the sub claim) must be known and used in the JWT.

4. If you add new scopes or use in a new Google Workspace, repeat step E.

5. If you renew the private key, update your n8n workflow with the new key.

Forward Emails Using Azure
https://koka-tic.medium.com/forward-emails-using-azure-094ea7cdda8a

This tutorial will guide you through the process of forwarding emails using Azure, without relying on third-party services. We will leverage Azure DNS and Azure Communication Services (ACS) to achieve this.

What You’ll Need:

1. A registered custom domain (e.g., yourdomain.com).

2. Azure subscription with DNS Zone management.

3. Azure Communication Services (ACS) resource.

4. Basic knowledge of Azure Functions for automation.

Step 1: Add and Verify Your Domain in Azure

1. Add Your Domain

Log in to Azure Portal:

• Navigate to Azure Portal.

Go to Azure Active Directory:

• In the left menu, select Azure Active Directory.

Add a Custom Domain:

• Under Custom Domain Names, click Add custom domain.

• Enter your domain name (e.g., yourdomain.com) and click Add.

2. Verify Your Domain

Get the TXT Record for Verification:

• Azure will provide a TXT record to verify your domain.

Add TXT Record in Azure DNS:

• If your domain is hosted in Azure:

• Navigate to DNS Zones → Select your domain.

• Add a TXT record as follows:

• Name: @ or _acme-challenge

• Type: TXT

• TTL: 3600

• Value: (provided by Azure).

Complete Verification:

• Return to Azure Active Directory → Custom Domain Names.

• Click Verify once the DNS changes propagate (this may take a few minutes).

Step 2: Set Up Azure DNS for Email Forwarding

1. Configure MX Records

1. Navigate to DNS Zones → Select your domain.

2. Add the following MX records:

• Name: @

• Type: MX

• TTL: 3600

• Priority: 10

• Value: The endpoint for Azure Communication Services (you’ll get this when setting up ACS).

2. Add SPF Record (Optional but Recommended)

1. Add a TXT Record to improve email deliverability:

• Name: @

• Type: TXT

• Value: v=spf1 include:spf.protection.outlook.com ~all.

Step 3: Enable Azure Communication Services (ACS)

1. Create an ACS Resource

• In the Azure Portal, create a new Azure Communication Services resource.

Go to Create a resource → Search for Azure Communication Services → Click Create.

• Configure the resource and deploy it.

2. Enable Email Capability

1. Navigate to the ACS resource → Email → Enable the email service.

2. Verify your domain for ACS by adding the required DNS records (Azure will provide these during setup):

Example:

• Name: @

• Type: TXT

• Value: Verification string from Azure.

Step 4: Automate Email Forwarding with Azure Functions

1. Create an Azure Function App

1. Navigate to the Azure Portal → Function App → Click Create.

2. Choose the runtime (e.g., Python, Node.js, or C#) and configure the Function App.

2. Write the Forwarding Logic

Here’s an example using Python:

Install Dependencies:

pip install azure-communication-email

Example:

from azure.communication.email import EmailClient

def main(req):
    connection_string = "YOUR_ACS_CONNECTION_STRING"
    email_client = EmailClient.from_connection_string(connection_string)

    # Email details
    to_address = "your-gmail@gmail.com"
    from_address = "forwarded@yourdomain.com"
    subject = "Forwarded Email"
    body = "This is a forwarded email."

    email_message = {
        "content": {
            "subject": subject,
            "plainText": body,
        },
        "recipients": {
            "to": [{"address": to_address}]
        },
        "senderAddress": from_address
    }

    response = email_client.send(email_message)
    return response

3. Deploy the Function App

1. Deploy the function to Azure.

2. Configure the function to trigger when an email is received.

Step 5: Test the Configuration

1. Send an email to an address on your domain (e.g., info@yourdomain.com).

2. Verify that the email is forwarded to your Gmail.

Cost Considerations

Azure DNS:

• ~$0.50/month per zone.

Azure Communication Services

• $0.00025 per email sent.

https://learn.microsoft.com/en-us/azure/communication-services/concepts/service-limits

Azure Quota Increase Guide:
https://learn.microsoft.com/en-us/answers/questions/5554907/request-for-acs-email-sending-quota-increase

Link to increase quota: https://portal.azure.com/#create/Microsoft.Support

Azure Functions:

• Pay-as-you-go, based on executions (minimal for low volumes).

• With this setup, you can forward emails using Azure while avoiding third-party services. Let me know if you’d like more details on any step!

  Setting for receiving emails. - Use GMAIL IMAP for connecting in Instantly or Pipl or MX Route.
  
  Yes, you can connect Azure SMTP with Google IMAP to Instantly! This is a common setup that many users implement.

  Steps to Connect:

  1. Generate Google App Password
     • Create an app-specific password in your Google account settings

  2. Use IMAP/SMTP Method
     • Go to Email Accounts
     • Click "Add New"
     • Select "IMAP/SMTP"
     • Choose "Single Account"

  3. Configure Settings
     • Enter your email address
     • Provide Google IMAP configuration details
     • Add your Azure SMTP settings

  Requirements:

  • You need both IMAP and SMTP protocols properly configured

  • SMTP-only connections are not permitted

  This setup allows you to receive emails through Google's IMAP while sending through Azure's SMTP service, giving you the best of both platforms for your email outreach needs.
  
  
  Other Helpful Videos for creating and sending emails via Azure Communication Services (ACS)

• https://www.youtube.com/watch?v=BASe-Cbys_o

• https://www.youtube.com/watch?v=OyJ2FILswtY

• https://www.youtube.com/watch?v=sQA95pc5Qcw

  Pricing & Limit Info:

• https://learn.microsoft.com/en-us/azure/communication-services/concepts/service-limits#rate-limits-for-email

• https://learn.microsoft.com/en-us/azure/communication-services/concepts/email-pricing

Step 1: Prepare Your Private GitHub Repository

1. Create a new private GitHub repository (e.g., runcloud-n8n-deployment).

2. Add the following three files to the root of this repository.

   File 1: initial-setup.sh (For one-time setup)

   Bash

   #!/bin/bash
   set -e
   
   # Check for and install Docker if not present
   if command -v docker &> /dev/null; then
       echo "Docker already installed. Skipping installation."
   else
       echo "Installing Docker..."
       curl -fsSL https://get.docker.com -o get-docker.sh
       sh get-docker.sh
       usermod -aG docker runcloud
       usermod -aG docker n8nuser
       apt-get update
       apt-get install -y docker-compose-plugin
       rm get-docker.sh
       echo "Docker installation complete."
   fi
   
   # Initial setup of directories and permissions
   APP_DIR="/home/n8nuser/webapps/n8n-control"
   echo "Creating and setting permissions for data directories..."
   mkdir -p "$APP_DIR/n8n_data" "$APP_DIR/local_files" "$APP_DIR/postgres_data"
   chown -R n8nuser:n8nuser "$APP_DIR/n8n_data" "$APP_DIR/local_files" "$APP_DIR/postgres_data"
   
   echo "Initial setup complete."

   File 2: docker-compose.yml

   YAML

   version: '3.8'
   
   services:
     n8n:
       image: docker.n8n.io/n8nio/n8n:latest
       container_name: n8n_main
       restart: always
       ports:
         - "127.0.0.1:5678:5678"
       env_file:
         - .env
       volumes:
         - ./n8n_data:/home/node/.n8n
         - ./local_files:/files
       user: "${UID_GID}"
       depends_on:
         - postgres
   
     postgres:
       image: postgres:15
       container_name: n8n_postgres
       restart: always
       environment:
         - POSTGRES_USER=${POSTGRES_USER}
         - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
         - POSTGRES_DB=${POSTGRES_DB}
       volumes:
         - ./postgres_data:/var/lib/postgresql/data
   
     watchtower:
       image: containrrr/watchtower:latest
       container_name: n8n_watchtower
       restart: always
       volumes:
         - /var/run/docker.sock:/var/run/docker.sock
       command: --interval 86400 n8n_main n8n_postgres

   File 3: deploy.sh

   Bash

   #!/bin/bash
   set -e
   
   APP_DIR="/home/n8nuser/webapps/n8n-control"
   
   echo "--- Updating Git repository and deploying n8n containers ---"
   cd $APP_DIR
   # Pull latest changes from the main branch
   git pull origin main
   
   # Restart Docker containers with the updated configuration
   docker compose pull
   docker compose up --force-recreate -d
   
   echo "--- Deployment complete ---"
   

3. Commit and push these files to your private repository.

Step 2: Initial RunCloud Setup

1. In RunCloud, go to Web Applications > Deploy New Web App.

2. Select the Git Repository > GitHub tab.

3. Use these settings:

   • Application Name: n8n-control

   • Web Application Owner: Create a new user (e.g., n8nuser).

   • Domain Name: n8n.zeniusco.com

   • Repository: zeniusco/runcloud-n8n-deployment

   • Branch: main

   • Backup: Enable

   • Web Application Stack: Select Native NGINX + Custom Config.

4. After creation, go to the SSL/TLS section and install a Let's Encrypt certificate.

Step 3: One-Time Docker Installation

1. Link your new GitHub repo to the n8n-control web app in RunCloud under the Git tab.

2. Go to the Deployment > Deployment Script tab and enter this script:

   Bash

   #!/bin/bash
   set -e
   
   echo "--- Manual update triggered ---"
   cd /home/n8nuser/webapps/n8n-control
   
   # Pull latest n8n and Postgres images from Docker Hub
   docker compose pull n8n
   docker compose up -d --force-recreate n8n
   
   echo "--- Manual update complete ---"

#!/bin/bash
set -e

echo "--- Executing one-time Docker installation ---"
bash install-docker.sh

1. Click Save Script, then Deploy Now. Wait for the log to show completion.

Step 4: Create the .env File on the Server

1. In your n8n-control app, go to File Manager.

2. Create a new file named .env in the application root (/home/runcloud/webapps/n8n-control/). This file contains secrets and should NOT be in your GitHub repo.

3. Paste the following content into the .env file and customize the values:

   Code snippet

   # Example: Europe/London
   GENERIC_TIMEZONE=Your_Timezone
   TZ=Your_Timezone
   
   # Do not change these values
   N8N_HOST=0.0.0.0
   N8N_PORT=5678
   N8N_PROTOCOL=http
   
   # Set this to your public n8n URL
   WEBHOOK_URL=https://n8n.zeniusco.com/
   
   # Generate and save a long, random, secret string (at least 32 chars)
   N8N_ENCRYPTION_KEY=Your_Very_Long_and_Secret_Random_String_Here
   
   # This is a placeholder, do not change
   UID_GID=1000:1000
   
   # --- PostgreSQL Settings ---
   DB_TYPE=postgresdb
   POSTGRES_DB=n8n
   POSTGRES_USER=YourSecureUsername
   POSTGRES_PASSWORD=YourVerySecurePassword
   
   # Internal connection details - DO NOT CHANGE
   DB_POSTGRESDB_HOST=postgres
   DB_POSTGRESDB_PORT=5432
   DB_POSTGRESDB_DATABASE=${POSTGRES_DB}
   DB_POSTGRESDB_USER=${POSTGRES_USER}
   DB_POSTGRESDB_PASSWORD=${POSTGRES_PASSWORD}
   

4. Save the file.

Step 5: Deploy n8n from GitHub

1. In RunCloud, go to Deployment > Deployment Script and replace the content with this script. This script copies your config from GitHub to the correct location and then runs the deployment.

   Bash

   #!/bin/bash
   set -e
   
   APP_DIR="/home/n8nuser/webapps/n8n-control"
   
   echo "--- Updating Git repository and deploying n8n containers ---"
   cd $APP_DIR
   # Pull latest changes from the main branch
   git pull origin main
   
   # Restart Docker containers with the updated configuration
   docker compose pull
   docker compose up --force-recreate -d
   
   echo "--- Deployment complete ---"
   

2. Click Save Script, then Deploy Now.

Step 6: Configure Nginx Reverse Proxy

1. In your n8n-control app, go to the NGINX Config tab.

2. Click Add a New Config, select Create from Predefined Config, and choose the Proxy template.

3. Replace the entire Config Content with the following:

   Nginx

   proxy_pass http://127.0.0.1:5678;
   proxy_http_version 1.1;
   proxy_set_header Host $host;
   proxy_set_header X-Real-IP $remote_addr;
   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   proxy_set_header X-Forwarded-Proto $scheme;
   
   # Critical for WebSocket support to prevent "Connection Lost" errors
   proxy_set_header Upgrade $http_upgrade;
   proxy_set_header Connection "upgrade";
   

4. Click Run and Debug, then Create Config. Your n8n instance is now live.

Step 7: Set Up Manual Update Workflow

1. In your n8n-control app, go to the Git tab and copy the Webhook URL.

2. Go to Deployment > Deployment Script and replace the content with this update script:

   Bash

   #!/bin/bash
   set -e
   echo "--- Manual update triggered ---"
   cd /home/runcloud/webapps/n8n-control
   docker compose pull n8n
   docker compose up -d --force-recreate n8n
   echo "--- Manual update complete ---"
   

3. Save the script.

4. In your n8n instance, import the following workflow JSON:

   JSON

   {
     "name": "Manual n8n Update Trigger",
     "nodes":,
         "credentials": {
           "httpBasicAuth": {
             "id": "1",
             "name": "n8n Update Trigger Auth"
           }
         }
       },
       {
         "parameters": {
           "url": "PASTE_YOUR_RUNCLOUD_WEBHOOK_URL_HERE",
           "requestMethod": "POST",
           "options": {}
         },
         "name": "Call RunCloud Webhook",
         "type": "n8n-nodes-base.httpRequest",
         "typeVersion": 4.1,
         "position": 
       }
     ],
     "connections": {
       "Trigger Update": {
         "main":
       }
     }
   }
   

5. Open the Call RunCloud Webhook node and paste the webhook URL you copied from RunCloud.

6. Configure the Trigger Update node with new Basic Auth credentials for security.

7. Save and activate the workflow.

Follow the instructions mentioned here: https://github.com/futurminds/n8n-self-hosting
Video of the same: https://www.youtube.com/watch?v=Temh_Ddxp24

Install Ubuntu 24.04 LTS (do not install Ubuntu Minimal)

But in Step 4: Make sure you do not include this line.
// subdomain.your-domain.com if you have a subdomain

As mentioned here: https://github.com/n8n-io/n8n/issues/14572#issuecomment-2808463328
Add the below in the above Step 4 code.

proxy_set_header Host n8n.example.com;
proxy_set_header Origin https://n8n.example.com;

(change example.com to your subdomain)

Disable CloudFlare cache for subdomain.
Keep CloudFlare SSL enabled.

Creating n8n server with runcloud guide

Guide: https://runcloud.io/blog/n8n-hosting-docker-nginx

In step 4; instead of using runcloud.io code; use below code.

docker run \
  -d \
  --rm \
  --name n8n \
  --restart unless-stopped \
  -p 5678:5678 \
  -e N8N_HOST="subdomain.your-domain.com" \
  -e WEBHOOK_TUNNEL_URL="https://subdomain.your-domain.com/" \
  -e WEBHOOK_URL="https://subdomain.your-domain.com/" \
  -v my_n8n_data:/home/node/.n8n \
  -v ./local-files:/files \
  docker.n8n.io/n8nio/n8n

Remember to replace subdomain.your-domain.com with your actual domain name.

(If you use runcloud code, webhook urls will point to localhost, instead of the domain.)




Below is an updated version of the runcloud guide with yml file so that updates can be done easily.

Excellent security thinking! You're absolutely right. Here's the updated guide with the docker-compose.yml file placed outside the web-accessible directory:

# Complete n8n Installation Guide with Docker Compose (Secure Version)

## Step 1: Create a New Web Application

1. Login to RunCloud dashboard

2. Click "Create New Web App"

3. Configure:

- Application Name: n8n (or your preferred name)

- User: runcloud

- PHP Version: Select "NATIVE (NONE)"

- Web Application Stack: Select "NATIVE (CUSTOM)"

- Advanced Settings: Enable "This is a Proxy App"

4. Click "Add Web Application"

## Step 2: Install Docker and Docker Compose

```bash

# SSH into your server as runcloud user

# Update package list

sudo apt update

# Install Docker

sudo apt install docker.io

# Install Docker Compose

sudo apt install docker-compose -y

# Add runcloud user to docker group

sudo usermod -aG docker runcloud

# Logout and login again for docker group to take effect

exit

# SSH back in

```

## Step 3: Set Up n8n Directory and Files

```bash

# Create a dedicated n8n directory in runcloud home (NOT web-accessible)

mkdir -p /home/runcloud/n8n/<app-name>

cd /home/runcloud/n8n/<app-name>

# Create the local-files directory for n8n storage

mkdir -p /home/runcloud/webapps/<app-name>/local-files

# Create docker-compose.yml file in the secure location

nano docker-compose.yml

```

Paste this content (replace subdomain.your-domain.com with your actual domain):

```yaml

version: '3'

services:

n8n:

image: docker.n8n.io/n8nio/n8n

ports:

- "5678:5678"

environment:

- N8N_HOST=subdomain.your-domain.com

- WEBHOOK_TUNNEL_URL=https://subdomain.your-domain.com/

- WEBHOOK_URL=https://subdomain.your-domain.com/

volumes:

- my_n8n_data:/home/node/.n8n

- /home/runcloud/webapps/<app-name>/local-files:/files

container_name: n8n

volumes:

my_n8n_data:

```

Save with Ctrl+X, then Y, then Enter.

Note: Replace <app-name> in the volumes path with your actual app name.

## Step 4: Start n8n for the First Time

```bash

# Make sure you're in the secure directory

cd /home/runcloud/n8n/<app-name>

# Start n8n

docker-compose up -d

# Check if it's running

docker-compose ps

# View logs (optional)

docker-compose logs -f

# Press Ctrl+C to exit logs

```

## Step 5: Configure Nginx Proxy

In RunCloud dashboard:

1. Go to your n8n web application

2. Click "NGINX Config"

3. Add this to the location block:

```nginx

location / {

proxy_pass http://127.0.0.1:5678;

proxy_http_version 1.1;

proxy_set_header Upgrade $http_upgrade;

proxy_set_header Connection "upgrade";

proxy_set_header Host $host;

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_set_header X-Forwarded-Proto $scheme;

proxy_buffering off;

}

```

4. Click "Update NGINX Config"

## Step 6: Set Up SSL Certificate

1. In RunCloud dashboard, go to your n8n web application

2. Click "SSL/TLS" tab

3. Enable "Let's Encrypt"

4. Enter your email

5. Click "Generate Certificate"

## Step 7: Test Your Installation

1. Open your browser

2. Navigate to https://subdomain.your-domain.com

3. You should see the n8n setup page

4. Create your first user account

## Updating n8n

### First Update (and all subsequent updates):

```bash

cd /home/runcloud/n8n/<app-name>

docker-compose pull && docker-compose down && docker-compose up -d

```

### To check update status:

```bash

docker-compose ps

docker-compose logs -f n8n

```

## Useful Commands

```bash

# Always run from the secure directory

cd /home/runcloud/n8n/<app-name>

# Stop n8n

docker-compose down

# Start n8n

docker-compose up -d

# Restart n8n

docker-compose restart

# View logs

docker-compose logs -f

# Check container status

docker-compose ps

```

## File Locations Summary

- docker-compose.yml: /home/runcloud/n8n/<app-name>/ (NOT web-accessible)

- n8n files: /home/runcloud/webapps/<app-name>/local-files/ (web-accessible but n8n handles security)

- n8n data/workflows: Inside Docker volume my_n8n_data

## Troubleshooting

If n8n isn't accessible:

1. Check container is running: docker-compose ps

2. Check logs: docker-compose logs n8n

3. Ensure port 5678 is not blocked by firewall

4. Verify Nginx config is correct

5. Check SSL certificate is properly installed