407 Proxy Authentication Required in n8n – fix HTTP_PROXY env variable

Step by Step Guide to solve n8n Proxy Authentication Required Error

 


 

Who this is for: n8n operators running in corporate environments behind an authenticated HTTP proxy (Docker, Kubernetes, or bare‑metal). We cover this in detail in the n8n Authentication Errors Guide.

Quick Diagnosis
The error means n8n can reach the proxy but the proxy rejects the request because it lacks valid credentials. Supply a full proxy URL that includes the username and password, then restart n8n.

# Docker‑Compose example (environment section only)
environment:
  - HTTP_PROXY=http://myuser:mypassword@proxy.example.com:3128
  - HTTPS_PROXY=http://myuser:mypassword@proxy.example.com:3128

After the container restarts, the 407 error disappears and external APIs (GitHub, Slack, etc.) become reachable.


1. What Triggers the “Proxy Authentication Required” Error?

If you encounter a self‑signed certificate error, resolve it before continuing with the setup.

| Symptom | Typical Cause |
| --- | --- |
| Error: 407 Proxy Authentication Required in the n8n logs | n8n sends a request through a corporate proxy that requires Basic/Digest authentication, but the proxy URL supplied to n8n lacks credentials. |
| Failed to fetch / “Could not connect to the external service” | Proxy is reachable, but the proxy returns 407 before forwarding the request. |
| No error, but API calls always time‑out | Proxy not configured at all, causing direct‑internet traffic to be blocked. |

The error originates from HTTP 407 (RFC 7235) – the proxy demands authentication before it can forward the request.


2. Prerequisites – Know Your Proxy Details

If you encounter a database connection authentication error, resolve it before continuing with the setup.

| Item | Where to Find It |
| --- | --- |
| Proxy host & port | Network admin or proxy.pac file |
| Authentication method (Basic, NTLM, Kerberos) | Admin docs – n8n only supports Basic (username:password) out‑of‑the‑box. |
| Username & password | Corporate credential store (do not hard‑code in source control). |
| Optional: domain for NTLM | Not supported directly – use a forward‑proxy that translates NTLM to Basic, or run n8n behind a side‑car that handles NTLM. |

EEFA note – Never store plain passwords in a public repo. Use Docker secrets, Kubernetes Secret, or a vault (HashiCorp, AWS Secrets Manager).


3. Configuring Proxy Credentials in n8n

n8n reads proxy settings from these environment variables:

| Variable | Purpose | Example |
| --- | --- | --- |
| HTTP_PROXY | Proxy for plain‑HTTP requests | http://user:pass@proxy.company.com:8080 |
| HTTPS_PROXY | Proxy for HTTPS requests (most APIs) | http://user:pass@proxy.company.com:8080 |
| NO_PROXY | Hosts that should bypass the proxy (comma‑separated) | localhost,127.0.0.1,.internal.company.com |

3.1 Docker‑Compose (most common)

Docker‑Compose skeleton – defines the service and ports.

version: "3.8"
services:
  n8n:
    image: n8nio/n8n  # official n8n image on Docker Hub
    restart: unless-stopped
    ports:
      - "5678:5678"

Environment variables with proxy credentials.

    environment:
      - HTTP_PROXY=http://proxy_user:proxy_pass@proxy.example.com:3128
      - HTTPS_PROXY=http://proxy_user:proxy_pass@proxy.example.com:3128
      - NO_PROXY=localhost,127.0.0.1

Optional security settings – basic auth for the UI (example only).

      - N8N_BASIC_AUTH_ACTIVE=true
      - N8N_BASIC_AUTH_USER=admin
      - N8N_BASIC_AUTH_PASSWORD=supersecret

Persistent storage – mounts the n8n data directory.

    volumes:
      - ~/.n8n:/home/node/.n8n

3.2 Kubernetes (Helm)

Create a secret that holds the proxy credentials.

apiVersion: v1
kind: Secret
metadata:
  name: n8n-proxy-cred
type: Opaque
stringData:
  PROXY_USER: myuser
  PROXY_PASS: mypassword

Inject the secret into the deployment – only the proxy variables are shown.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: n8n
spec:
  template:
    spec:
      containers:
        - name: n8n
          image: n8nio/n8n  # official n8n image on Docker Hub
          env:
            - name: HTTP_PROXY
              value: "http://$(PROXY_USER):$(PROXY_PASS)@proxy.example.com:3128"
            - name: HTTPS_PROXY
              value: "http://$(PROXY_USER):$(PROXY_PASS)@proxy.example.com:3128"
            - name: NO_PROXY
              value: "localhost,127.0.0.1"
          envFrom:
            - secretRef:
                name: n8n-proxy-cred

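EEFA tip – Using envFrom injects the secret at runtime, keeping credentials out of pod specs. Kubernetes substitutes $(PROXY_USER) and $(PROXY_PASS) verbatim, so store the values already percent‑encoded if they contain characters such as @ or :.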

3.3 Stand‑alone binary / npm start

Create a local .env file – keep it out of version control.

HTTP_PROXY=http://myuser:mypassword@proxy.example.com:8080
HTTPS_PROXY=http://myuser:mypassword@proxy.example.com:8080
NO_PROXY=localhost,127.0.0.1

Start n8n – the process automatically reads the .env file.

n8n start

4. Verifying the Proxy Is Working

  1. Check the logs – after restart you should see a line similar to:
    > [2026-01-01 12:34:56] INFO  Proxy configuration detected – using HTTP_PROXY and HTTPS_PROXY
  2. Test an outbound request from inside the container/pod.
    curl -s -o /dev/null -w "%{http_code}" https://api.github.com

    Expected output: 200. A 407 means the credentials are still wrong.

  3. Use n8n’s built‑in “HTTP Request” node
    • Set URL to https://httpbin.org/ip
    • Execute the node. The response should contain the proxy’s public IP, confirming the request passed through the proxy.

5. Common Pitfalls & Troubleshooting Checklist

| Check | How to Verify |
| --- | --- |
| Credentials URL‑encoded (special characters @, :) | Verify myuser:pa%40ss!word@proxy.example.com |
| Proxy URL uses http:// even for HTTPS traffic | Both HTTP_PROXY and HTTPS_PROXY must start with http:// (the proxy scheme). |
| Docker environment overriding earlier values | docker inspect <container> → inspect the Env array. |
| NO_PROXY mistakenly includes the API host | Ensure the API domain is not listed in NO_PROXY. |
| Running behind a reverse proxy that also needs auth | Confirm the 407 originates from the outbound proxy, not from Traefik/Nginx. |
| Using NTLM – unsupported directly | Switch to a Basic‑auth forward proxy or side‑car like cntlm. |
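
For the URL‑encoding check above, this added example (not part of the original guide or of n8n) builds the proxy URL from separately stored values and masks the password before anything is printed. The function names and sample credentials are constructed for illustration; every byte outside the RFC 3986 unreserved set is encoded, so ! becomes %21, which proxies accept as well.

```sh
#!/bin/sh
# Percent-encode every byte that is not an RFC 3986 unreserved character.
# The value travels via the environment so awk does not interpret backslashes.
urlencode() {
  RAW="$1" LC_ALL=C awk 'BEGIN {
    for (i = 1; i < 256; i++) ord[sprintf("%c", i)] = i
    s = ENVIRON["RAW"]; out = ""
    for (i = 1; i <= length(s); i++) {
      c = substr(s, i, 1)
      out = out ((c ~ /^[A-Za-z0-9._~-]$/) ? c : sprintf("%%%02X", ord[c]))
    }
    print out
  }'
}

# build_proxy_url USER PASS HOST PORT -> http://user:pass@host:port
# The scheme stays http:// because it describes the proxy, not the target API.
build_proxy_url() {
  printf 'http://%s:%s@%s:%s\n' "$(urlencode "$1")" "$(urlencode "$2")" "$3" "$4"
}

# Mask the password part of a proxy URL so the result is safe to print or log.
redact_proxy_url() {
  printf '%s\n' "$1" | sed -E 's#^([a-z]+://[^:/@]+):[^@]*@#\1:****@#'
}

# Constructed sample values; in practice read them from a secret file or vault.
url="$(build_proxy_url 'myuser' 'pa@ss:w/rd' 'proxy.example.com' '3128')"
redact_proxy_url "$url"
```

Assign the unredacted result to HTTP_PROXY and HTTPS_PROXY in the process environment only, and write the redacted form wherever the value is displayed.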

Quick Debug Script (Bash)

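#!/usr/bin/env bash
set -euo pipefail

# Print each proxy variable with the password masked. ${!var:-<unset>} avoids an
# "unbound variable" abort under `set -u` when a variable is not defined.
for var in HTTP_PROXY HTTPS_PROXY NO_PROXY; do
  echo "$var=$(printf '%s' "${!var:-<unset>}" | sed -E 's#(://[^:/@]+):[^@]*@#\1:****@#')"
done

# Print the HTTP status of a test request: 200 is expected, 407 means bad proxy credentials.
curl -s -o /dev/null -w "%{http_code}\n" https://httpbin.org/status/200 || echo "Curl failed"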

6. Per‑Workflow Proxy Overrides (Advanced)

When only a specific workflow needs a different outbound proxy, you can set the proxy at the node level.

Node‑level proxy definition – add a JSON object in the “Authentication → Custom” field of the HTTP Request node.

{
  "proxy": "http://altuser:altpass@alt-proxy.example.com:3128"
}

EEFA warning – Node‑level credentials are stored in workflow JSON unencrypted. Use this only for testing or store the credentials in n8n’s Credential store and reference them via expressions.


7. Production‑Grade Hardening

| Best Practice | Implementation |
| --- | --- |
| Never expose proxy passwords in logs | Set N8N_LOG_LEVEL=error and avoid console.log(process.env.HTTP_PROXY) in production. |
| Rotate credentials regularly | Use a secret manager with automatic rotation; update the secret and restart the n8n deployment. |
| Restrict proxy scope | Add only required domains to NO_PROXY and keep the proxy URL limited to needed services. |
| Audit proxy usage | Enable proxy access logs (e.g., Squid access.log) and correlate with n8n audit logs. |
| Fail‑open vs. fail‑closed | Decide whether n8n should continue without a proxy (NO_PROXY=*) or stop on 407 errors (default). |
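
For the proxy audit item above, this added example (not from the original guide) summarises 407 denials per client from Squid's native access.log format. The log lines are constructed, audit_407 is a hypothetical helper name, and the verdict labels are this example's own.

```sh
#!/bin/sh
# Constructed sample in Squid's native access.log format:
# time elapsed client action/status bytes method URL user hierarchy type
sample_log() {
cat <<'EOF'
1767270896.101      3 10.0.5.21 TCP_DENIED/407 4123 CONNECT api.github.com:443 - HIER_NONE/- text/html
1767270896.480    212 10.0.5.21 TCP_TUNNEL/200 5310 CONNECT api.github.com:443 proxy_user HIER_DIRECT/192.0.2.10 -
1767270901.007      2 10.0.5.34 TCP_DENIED/407 4123 CONNECT slack.com:443 - HIER_NONE/- text/html
1767270906.015      2 10.0.5.34 TCP_DENIED/407 4123 CONNECT slack.com:443 - HIER_NONE/- text/html
1767270911.022      3 10.0.5.34 TCP_DENIED/407 4123 CONNECT slack.com:443 - HIER_NONE/- text/html
EOF
}

# Print "client denied=N authenticated=M verdict" for every client that got a 407.
# A 407 followed by authenticated traffic is a normal challenge; 407s with no
# authenticated request at all point to missing or wrong credentials.
audit_407() {
  awk '
    { split($4, st, "/") }                      # st[2] is the HTTP status
    st[2] == "407"              { denied[$3]++ }
    st[2] != "407" && $8 != "-" { authed[$3]++ } # field 8 is the proxy user
    END {
      for (c in denied) {
        verdict = (authed[c] > 0) ? "challenge-then-ok" : "credentials-failing"
        printf "%s denied=%d authenticated=%d %s\n", c, denied[c], authed[c], verdict
      }
    }' | sort
}

sample_log | audit_407
```

Run it against the live log with `audit_407 < /var/log/squid/access.log`; that path is the common default and may differ on your proxy. Match the client addresses it reports to your n8n hosts before correlating with n8n's own logs.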

Conclusion

Supply a fully‑qualified proxy URL that includes the username and password, inject it via HTTP_PROXY / HTTPS_PROXY (and optionally NO_PROXY), and restart n8n. Verify with log messages, a simple curl test, or the built‑in HTTP Request node. Follow production hardening practices—store credentials securely, rotate them, and audit proxy usage—to keep your n8n instance reliable behind corporate proxies. If the error persists, test connectivity from a separate host or involve your network security team to confirm the proxy allows the target API’s IP range.


All configurations shown are illustrative. Adjust hostnames, ports, and secret handling to match your environment.
