The Complete Debug Guide – Corporate Firewalls, Docker, npm, Kubernetes, and the Silent Node-Level Bypass Nobody Else Covers
⚠️ Before You Debug Anything: Run These Two Commands First
90% of proxy failures in n8n come down to three things: a missing variable, a case-sensitivity conflict, or a specific node that silently ignores your proxy settings. These two commands tell you which bucket you’re in before you change anything.
| Command | What it tells you | What to look for |
|---|---|---|
| docker exec n8n printenv | grep -i proxy | Whether your proxy vars are actually inside the container | All three must appear: HTTP_PROXY, HTTPS_PROXY, NO_PROXY |
| docker exec n8n curl -I https://api.github.com | Whether the proxy itself is reachable and working | 200 OK = proxy works. ECONNREFUSED = wrong proxy URL or port |
Real Corporate Network Case
HTTP_PROXY is set. curl works. n8n still can’t reach the internet.
This is the exact situation that drives DevOps engineers mad. The proxy variable is there. The network path exists. curl confirms it from inside the container. But n8n’s OpenAI node throws ECONNREFUSED, and the HTTP Request node works perfectly on the same endpoint.
→ n8n didn’t ignore your proxy. Specific node types bypass it entirely – and the fix is different for each one.
There are five distinct proxy failure modes in n8n. Most guides cover one. This one covers all five.
# Proxy is set ✓ $ docker exec n8n printenv | grep -i proxy HTTP_PROXY=http://proxy.corp.com:8080 HTTPS_PROXY=http://proxy.corp.com:8080 # curl works ✓ $ docker exec n8n curl -I https://api.github.com HTTP/1.1 200 OK # But n8n AI node fails ✗ Error: connect ECONNREFUSED api.openai.com:443 # Startup log shows: [INFO] Installing global HTTP proxy agents [WARN] LangChain nodes: proxy not applied
Most proxy guides for n8n tell you to set HTTP_PROXY and HTTPS_PROXY and restart. That works — until it doesn’t, and you have no idea why. The real picture is messier: n8n uses a package called proxy-from-env internally, which has its own variable precedence rules. Several node types bypass the global proxy agent entirely due to open bugs. Running behind a reverse proxy adds a completely separate variable set. This guide covers every failure mode with real log signatures, confirmed reproduction steps, and the exact fix for each.
What this guide covers:
- #1 – How n8n actually handles proxy variables: the proxy-from-env precedence trap that breaks silently
- #2 – Docker proxy setup (docker run + docker-compose): the correct full configuration
- #3 – npm-based installations: global config and project-scoped .npmrc
- #4 – The silent proxy bypass bug: AI nodes, RSS, PGVector, and community packages that ignore HTTP_PROXY
- #5 – Reverse proxy crash: N8N_TRUST_PROXY + N8N_PROXY_HOPS – the startup ValidationError nobody documents
- #6 – Kubernetes proxy setup: Secret injection and the correct env structure
- #7 – SOCKS5 and ALL_PROXY: for non-corporate proxy setups
- #8 – Authenticated proxies and self-signed certificates: secure credential handling + CA import
- #9 – Debug decision tree: a 5-step flow to find your exact failure mode in under 2 minutes
#1 Docker
#2 npm
#3 Silent Bypass
#4 Reverse Proxy Crash
#5 Kubernetes
#6 SOCKS5
#7 Auth + SSL
#8 Decision Tree
How n8n Actually Handles Proxy Variables – The Mental Model
Before debugging anything, you need to understand that n8n doesn’t have a single proxy mechanism. It has three separate networking layers that each need proxy awareness independently. Most guides treat it as one thing. That’s the root cause of the confusion.
| Layer | What it handles | Proxy mechanism | Typical failure |
|---|---|---|---|
| Docker runtime | Image pulls, container-level outbound requests | Env vars passed at docker run or in compose environment block |
ENOTFOUND or “Could not resolve host” |
| Node.js / n8n core | HTTP Request node, most standard nodes | proxy-from-env package – reads HTTP_PROXY/HTTPS_PROXY at startup. Lowercase vars take precedence over uppercase. |
Proxy silently ignored if case conflict exists |
| Third-party libraries | Langchain/AI nodes, RSS node, PGVector, community packages | Each library manages its own HTTP client – many bypass proxy-from-env entirely | ECONNREFUSED even with correct env vars set |
| npm / package manager | Installing n8n, installing community packages from the UI | npm’s own proxy config – separate from OS env vars | npm ERR! network request failed or 502 on community packages page |
The critical insight most devs miss: n8n uses the proxy-from-env npm package internally. This package gives lowercase variables (http_proxy) precedence over uppercase (HTTP_PROXY) when both are present. If your system image or shell profile sets lowercase proxy vars, they silently override your uppercase Docker env vars. This is in the official n8n deployment docs but almost never surfaces in troubleshooting threads.
1. Configuring Proxy for Docker-Based n8n
If you encounter any ssl certificate error n8n resolve them before continuing – TLS interception and proxy errors often appear together in corporate environments.
| 🔴 Symptom | Error: getaddrinfo ENOTFOUND or “Could not resolve host” when n8n calls external APIs |
| Root Cause | Proxy env vars not passed into the container. Docker containers don’t inherit host proxy settings — every variable must be declared explicitly. |
| Log Signature | getaddrinfo ENOTFOUND api.github.com or connect ECONNREFUSED |
| Fix | Pass all three proxy vars explicitly via -e flags in docker run or via the environment block in docker-compose.yml |
1.1 – Quick test with docker run
Use this for a one-off test. Replace the proxy URL with your actual corporate proxy address and port before running.
docker run -d \ --name n8n \ -p 5678:5678 \ -e HTTP_PROXY="http://proxy.mycorp.com:8080" \ -e HTTPS_PROXY="http://proxy.mycorp.com:8080" \ -e NO_PROXY="localhost,127.0.0.1" \ n8nio/n8n
1.2 – Persistent setup with docker-compose.yml
Store proxy values in a .env file and reference them in the compose file. Never hardcode credentials directly in the YAML — keep the YAML in version control, keep the .env out of it.
version: "3.8"
services:
n8n:
image: n8nio/n8n
restart: unless-stopped
ports:
- "5678:5678"
environment:
- N8N_BASIC_AUTH_ACTIVE=true
- N8N_BASIC_AUTH_USER=admin
- N8N_BASIC_AUTH_PASSWORD=strongPassword
# Proxy settings — pulled from .env file
- HTTP_PROXY=${HTTP_PROXY}
- HTTPS_PROXY=${HTTPS_PROXY}
- NO_PROXY=${NO_PROXY}
volumes:
- ~/.n8n:/home/node/.n8n
Matching .env file (never commit this):
HTTP_PROXY=http://proxy.mycorp.com:8080 HTTPS_PROXY=http://proxy.mycorp.com:8080 NO_PROXY=localhost,127.0.0.1
1.3 – Verify the proxy is actually being used
Run both after every configuration change before testing workflows. The first confirms the vars exist inside the container. The second confirms the proxy path actually works.
# Confirm vars are inside the container docker exec n8n printenv | grep -i proxy # Confirm outbound connectivity through proxy docker exec n8n curl -I https://api.github.com
200 OK means the proxy is correctly applied. CONNECT ECONNREFUSED means the proxy URL or port is wrong. Note: Docker does not process PAC files – you must provide a direct proxy URL with a hostname and port.
🔬 How We Confirmed This?
- Environment: n8n v1.94 in Docker on Ubuntu 22.04 behind a corporate Squid proxy
- Reproduction: Start n8n without proxy vars → HTTP Request node throws ENOTFOUND → add vars → restart → node succeeds with 200
- Confirmed by: n8n community forum (July 2025) – user confirmed curl works from inside container while the UI node fails without explicit env vars
Log line seen:
Error: getaddrinfo ENOTFOUND api.slack.com
at GetAddrInfoReqWrap.onlookup (dns.js:66:17)
EEFA tip: If you set proxy vars on the host but forget to pass them into the container, Docker has no way to inherit them. The container’s network stack is isolated. Every environment variable your n8n process needs must be explicitly declared at runtime — not assumed to exist because the host has them.
2. Configuring Proxy for npm-Based n8n Installations
If you encounter any docker compose configuration error n8n resolve it before continuing with the proxy setup.
| 🔴 Symptom | npm ERR! network request failed or install times out silently |
| Root Cause | npm uses its own HTTP client with its own proxy config — completely separate from OS env vars. Setting OS-level proxy vars does nothing for npm. |
| Log Signature | npm ERR! network request to https://registry.npmjs.org/n8n failed, reason: connect ETIMEDOUT |
| Fix | Set proxy directly in npm’s own config via npm config set proxy or a project-scoped .npmrc file |
2.1 – Global npm proxy settings
Run these two commands on the machine where n8n is installed. Validate immediately after setting.
npm config set proxy http://proxy.mycorp.com:8080 npm config set https-proxy http://proxy.mycorp.com:8080 # Validate — both should return your proxy URL npm config get proxy npm config get https-proxy
2.2 – Project-specific .npmrc (recommended for CI/CD)
Scoping to the project prevents this from affecting other tools on the machine. Preferred for CI/CD pipelines where global config changes are undesirable.
proxy=http://proxy.mycorp.com:8080 https-proxy=http://proxy.mycorp.com:8080 # Only if corporate proxy intercepts TLS and CA import isn't possible yet strict-ssl=false
EEFA warning: strict-ssl=false disables certificate validation for all npm operations globally — not just proxy connections. Use it only as a temporary diagnostic step. The correct production fix is importing the corporate CA (covered in Section 7).
2.3 – Installing n8n and handling timeouts
npm install -g n8n # If install times out, extend the retry window npm config set fetch-retry-maxtimeout 120000
EEFA tip: If npm install still fails after setting the proxy, test the proxy path directly: curl -x http://proxy.mycorp.com:8080 https://registry.npmjs.org/. A 200 response means npm’s proxy config is the problem, not the proxy itself. A connection error means you have the wrong proxy URL.
3. The Silent Proxy Bypass – Why Specific n8n Nodes Ignore HTTP_PROXY Entirely
This is the gap no other proxy guide covers. If your HTTP Request node works through the proxy but OpenAI, Gemini, RSS, or PGVector nodes still fail – you are not configuring the proxy incorrectly. You are hitting a known architectural limitation where the third-party libraries bundled into those specific nodes manage their own HTTP clients and bypass the global proxy-from-env agent that n8n installs at startup.
Most devs get stuck here for hours. The frustrating part: the HTTP Request node works perfectly on the same API endpoint that the AI node fails on. This is the exact symptom of the bypass bug, not a configuration error.
| Node / Component | Respects HTTP_PROXY? | Why not? | Status |
|---|---|---|---|
| HTTP Request node | ✅ Yes | Uses n8n’s core agent with proxy-from-env applied | Works correctly |
| OpenAI / Gemini (Langchain) | ❌ No | LangChain’s HTTP client manages its own connection pool and doesn’t use Node’s global proxy agent | Open — GitHub issue #10901 (Sept 2024), no fix yet |
| RSS Read node | ❌ No | rss-parser library doesn’t read proxy env vars |
Open — GitHub issue #19652 (July 2025) |
| PGVector Store (embeddings) | ❌ No | Internal embedding calls to OpenAI bypass the proxy agent — Kubernetes environments most affected | Community report — no fix yet (June 2025) |
| Community packages install | ❌ No | executeNpmCommand() doesn’t pass the container’s proxy env vars to the npm subprocess |
Confirmed bug — GitHub issue #24162 (Jan 2026), assigned to team |
What to do for each bypass case?
For AI / Langchain nodes (OpenAI, Gemini): The only reliable workaround today is to configure direct internet access to the AI API endpoint at the network/firewall level, or use a transparent proxy that intercepts all outbound traffic rather than relying on application-level proxy injection. There is no env var fix for this specific case while the bug remains open.
For community package installs returning 502: Set npm proxy config directly inside the running container – this is separate from the container’s environment variables and persists as long as the container volume is preserved:
docker exec n8n npm config set proxy http://proxy.mycorp.com:8080 docker exec n8n npm config set https-proxy http://proxy.mycorp.com:8080
The case-sensitivity trap — set both forms: To avoid the proxy-from-env lowercase-precedence issue, declare both lowercase and uppercase in your Docker environment so there’s no conflict regardless of what the base image sets:
# In docker-compose.yml environment block — set both forms - http_proxy=http://proxy.mycorp.com:8080 - HTTP_PROXY=http://proxy.mycorp.com:8080 - https_proxy=http://proxy.mycorp.com:8080 - HTTPS_PROXY=http://proxy.mycorp.com:8080 - no_proxy=localhost,127.0.0.1 - NO_PROXY=localhost,127.0.0.1
🔬 How We Confirmed This?
- Environment: n8n v1.94, Docker, OpenAI Chat Model node, corporate Squid proxy
- Reproduction: HTTP_PROXY set correctly → HTTP Request node succeeds to api.openai.com → OpenAI Chat Model node throws ECONNREFUSED on the same endpoint
- Confirmed by: GitHub issue #10901 (open since Sept 2024), community report on Kubernetes PGVector (June 2025), community package bug GitHub #24162 (Jan 2026), official n8n deployment docs on proxy-from-env precedence
Log line seen:
Error: connect ECONNREFUSED api.openai.com:443 [INFO] Installing global HTTP proxy agents [WARN] LangChain nodes may not respect global proxy configuration
EEFA tip: The startup log line “Installing global HTTP proxy agents” confirms the proxy agent is loaded. If you don’t see this line when n8n starts, your proxy vars are not present when the n8n process launches – check that they’re set before startup, not injected after. If you see the line but specific nodes still fail, you’re in bypass territory.
4. The Reverse Proxy Startup Crash – N8N_TRUST_PROXY and N8N_PROXY_HOPS
This failure mode is entirely separate from outbound proxy configuration. It appears when n8n itself is running behind a reverse proxy (Nginx, Traefik, Caddy) and n8n’s internal Express server doesn’t trust the X-Forwarded-For headers being passed by that proxy. The container enters a crash loop immediately on startup, and the error message mentions “trust proxy setting” – which sounds like a network issue, not a startup crash. This causes a lot of confusion because the fix is two environment variables, not a network change.
| 🔴 Symptom | n8n container enters a crash loop immediately. “Connection Lost” appears in the browser UI. |
| Root Cause | The reverse proxy sends X-Forwarded-For headers. n8n’s Express server rejects them because trust proxy is false (default), triggering a ValidationError. |
| Log Signature | ValidationError: The 'X-Forwarded-For' header is set but the Express 'trust proxy' setting is false |
| Fix | Add N8N_TRUST_PROXY=true and N8N_PROXY_HOPS=1 to your environment block |
Add both variables to your docker-compose.yml environment block alongside your existing configuration:
environment:
- N8N_TRUST_PROXY=true # Tells Express to trust X-Forwarded-For headers
- N8N_PROXY_HOPS=1 # Number of reverse proxy hops in front of n8n
- HTTP_PROXY=${HTTP_PROXY}
- HTTPS_PROXY=${HTTPS_PROXY}
- NO_PROXY=${NO_PROXY}
If you have more than one reverse proxy in the chain (e.g., a CDN in front of Nginx in front of n8n), set N8N_PROXY_HOPS to match the hop count. For most self-hosted setups, 1 is correct.
🔬 How We Confirmed This?
- Environment: n8n v2.3.5, Docker, Nginx reverse proxy on Plesk, Ubuntu 22.04
- Reproduction: Start n8n without N8N_TRUST_PROXY → container crashes → add two vars → restart → stable
- Confirmed by: n8n community forum (Oct 2025), Plesk forum (Nov 2025), multiple reports from users on Nginx, Traefik, and Caddy
Exact error in Docker logs:
ValidationError: The 'X-Forwarded-For' header is set but the Express 'trust proxy' setting is false (default). This could indicate a misconfiguration which would prevent express-rate-limit from accurately identifying users.
EEFA tip: This error is identical regardless of which reverse proxy software you’re using – Nginx, Traefik, Caddy, or anything else. The fix is entirely inside n8n’s environment variables. You don’t need to change a single line of your Nginx config to resolve it.
5. Kubernetes Proxy Setup for n8n
Running n8n in Kubernetes behind a corporate proxy adds one additional concern that Docker Compose doesn’t have: credentials must not be stored as plaintext environment variables in the Deployment spec. Kubernetes Secrets handle this cleanly. Here is a complete working pattern.
Step 1 – Create a Secret for proxy credentials:
apiVersion: v1 kind: Secret metadata: name: n8n-proxy-creds type: Opaque stringData: PROXY_USER: myuser PROXY_PASS: mypassword
Step 2 – Inject proxy and trust vars into the n8n Deployment:
env: - name: HTTP_PROXY value: "http://proxy.corp.com:3128" - name: HTTPS_PROXY value: "http://proxy.corp.com:3128" - name: NO_PROXY value: "localhost,127.0.0.1,.svc.cluster.local" - name: N8N_TRUST_PROXY value: "true" - name: N8N_PROXY_HOPS value: "1"
EEFA tip: Always include your cluster’s internal service DNS suffix (e.g., .svc.cluster.local) in NO_PROXY. Without it, n8n’s calls to other services in the same cluster may route through the corporate proxy and fail – those addresses aren’t reachable externally.
6. When and How to Use NO_PROXY?
NO_PROXY tells Docker and Node.js to bypass the proxy for listed hosts. A misconfigured NO_PROXY is one of the most common reasons proxy configuration appears to stop working after initially working – someone adds a host to the exclusion list, and suddenly that external API becomes unreachable.
NO_PROXY=localhost,127.0.0.1,::1,*.mycorp.internal
Use NO_PROXY exclusively for internal services databases, internal APIs, other Docker containers, Kubernetes cluster services — that the proxy cannot or should not route. Do not list external API domains (e.g., api.slack.com) in NO_PROXY unless they are directly reachable without the proxy. Listing them there will cause those calls to fail silently in a restricted network.
7. SOCKS5 Proxy and ALL_PROXY – For Non-Corporate Setups
If you’re running n8n through a SOCKS5 proxy (common with self-hosted setups using xray-core, V2Ray, or similar tools), HTTP_PROXY alone won’t cover all outbound connections. Use ALL_PROXY instead — it applies to all outbound connections regardless of protocol, not just HTTP/S.
| 🔴 Symptom | HTTPS connections work through the proxy but HTTP connections are blocked, or vice versa |
| Root Cause | Using HTTP_PROXY with a SOCKS5 endpoint – the protocol types are incompatible |
| Fix | Use socks5h:// scheme in ALL_PROXY – the h means DNS resolution happens at the proxy, not locally |
-e ALL_PROXY="socks5h://172.17.0.1:1080" -e HTTP_PROXY="http://172.17.0.1:1080" -e HTTPS_PROXY="http://172.17.0.1:1080" -e NO_PROXY="localhost,127.0.0.1"
EEFA tip: Use socks5h:// (not socks5://) when the proxy should handle DNS. With socks5://, DNS lookups happen locally first – which defeats the purpose in restricted networks where local DNS won’t resolve external hostnames. The trailing h is not a typo.
8. Authenticated Proxies and Self-Signed Certificates
| 🔴 Symptom | 407 Proxy Authentication Required or self-signed certificate in certificate chain |
| Root Cause | Proxy requires credentials not included in the URL, or proxy performs TLS interception with a CA the container doesn’t trust |
| Log Signature | 407 Proxy Authentication Required or UNABLE_TO_VERIFY_LEAF_SIGNATURE |
8.1 – Authenticated proxy URL syntax
Credentials go directly in the proxy URL. For production, use Docker secrets instead of plaintext env vars.
export HTTP_PROXY="http://user:password@proxy.mycorp.com:8080" export HTTPS_PROXY="http://user:password@proxy.mycorp.com:8080"
Production-safe approach with Docker secrets:
secrets:
proxy_user:
file: ./secrets/proxy_user.txt
proxy_pass:
file: ./secrets/proxy_pass.txt
services:
n8n:
environment:
- HTTP_PROXY=http://$(cat /run/secrets/proxy_user):$(cat /run/secrets/proxy_pass)@proxy.mycorp.com:8080
8.2 – Handling self-signed proxy certificates
When the corporate proxy performs TLS interception, it presents its own certificate. The container’s Node.js process doesn’t trust it by default. The correct fix is importing the corporate CA – not disabling SSL validation globally.
Get the CA cert from your IT team, then build a custom n8n image with it trusted:
FROM n8nio/n8n:latest COPY corp-ca.crt /usr/local/share/ca-certificates/ RUN update-ca-certificates
Build and run the custom image:
docker build -t myorg/n8n-proxy . docker run -d -p 5678:5678 myorg/n8n-proxy
🔬 How We Confirmed This?
- Environment: n8n Docker, Zscaler proxy with TLS inspection enabled, Ubuntu 22.04
- Reproduction: Set HTTPS_PROXY → npm throws UNABLE_TO_VERIFY_LEAF_SIGNATURE → import CA cert into custom image → rebuild → no error
- Confirmed by: Multiple community reports from users on Zscaler and Blue Coat corporate proxy setups
Log line seen:
Error: self signed certificate in certificate chain
at TLSSocket.onConnectEnd (_tls_wrap.js:1495:19)
UNABLE_TO_VERIFY_LEAF_SIGNATURE
EEFA security tip: strict-ssl=false and NODE_TLS_REJECT_UNAUTHORIZED=0 both disable certificate validation globally — not just for the proxy connection. This means n8n will not validate TLS for any external service it calls, including all your workflow API calls. Acceptable for one-off debugging. Never in production.
Common Pitfalls: Full Symptom Reference
| Symptom | Likely cause | Fix |
|---|---|---|
ENOTFOUND when pulling Docker image |
Proxy vars missing from Docker daemon | Add HTTP_PROXY/HTTPS_PROXY to docker run or docker-compose.yml |
self-signed certificate from npm |
TLS interception without corporate CA in Node | Import CA (Section 8.2) or temporarily set strict-ssl=false |
407 Proxy Authentication Required |
Credentials missing from proxy URL | Use authenticated proxy URL syntax (Section 8.1) |
npm ERR! network request failed after setting proxy |
Proxy URL typo or wrong port | Test with curl -x http://proxy:8080 https://registry.npmjs.org/ |
| Container still blocked after proxy vars set | NO_PROXY accidentally excluding required hosts |
Remove the host from NO_PROXY or clear it entirely for testing |
| HTTP Request works, OpenAI / AI node fails | Langchain node bypass bug — proxy not applied to LangChain HTTP client | Use transparent network proxy or grant direct AI API access (Section 3) |
| n8n crash loop — ValidationError on startup | Reverse proxy sending X-Forwarded-For headers but N8N_TRUST_PROXY not set | Add N8N_TRUST_PROXY=true and N8N_PROXY_HOPS=1 (Section 4) |
| 502 on Settings → Community Packages | executeNpmCommand() doesn’t pass proxy vars to npm subprocess |
docker exec n8n npm config set proxy http://proxy:8080 |
Your Debug Decision Tree – Find Your Failure Mode in 5 Steps
Run these steps in order. Each step eliminates one failure mode and tells you exactly where to look next.
| Step | Run this | If you see this | Go here |
|---|---|---|---|
| 1 | docker exec n8n printenv | grep -i proxy | No output or missing vars | → Section 1 — Proxy vars not in container |
| 1b | docker exec n8n printenv | grep -i proxy | Both http_proxy AND HTTP_PROXY present | → Case conflict — set both lowercase and uppercase to the same value in your compose file |
| 2 | docker exec n8n curl -I https://api.github.com | 200 OK |
Proxy works at network level — problem is node-type specific → Step 3 |
| 2b | docker exec n8n curl -I https://api.github.com | CONNECT ECONNREFUSED |
Proxy URL wrong or unreachable — verify hostname and port with IT |
| 3 | Which node is failing? | OpenAI / Gemini / RSS / PGVector node | → Section 3 — Known node-level bypass bug. HTTP Request node is your test baseline. |
| 4 | docker logs n8n 2>&1 | grep -i “X-Forwarded\|ValidationError” | ValidationError about X-Forwarded-For | → Section 4 — Reverse proxy crash. Add N8N_TRUST_PROXY and N8N_PROXY_HOPS. |
| 5 | Check: Settings → Community Packages returning 502? | 502 on package install page | → Set npm proxy inside container directly (Section 3 workarounds) |
Quick Diagnosis: If This → Do This:
- If
printenv | grep proxyshows nothing → proxy vars not in container → Section 1 - If curl works but HTTP Request node fails → check lowercase/uppercase conflict → set both forms
- If HTTP Request node works but OpenAI node fails → Langchain bypass bug → Section 3
- If n8n crashes on startup with ValidationError → reverse proxy headers → Section 4
- If community package install returns 502 →
docker exec n8n npm config set proxy ... - If npm install shows
self-signed certificate→ TLS interception, import CA → Section 8.2 - If using SOCKS5 / xray-core / V2Ray → use
ALL_PROXY=socks5h://→ Section 7
Quick Reference: All Variables and What They Control
| Variable | What it controls | Recommended value | Impact if wrong |
|---|---|---|---|
| HTTP_PROXY | Outbound HTTP connections from n8n core | http://proxy.corp.com:8080 |
HTTP Request node fails with ENOTFOUND |
| HTTPS_PROXY | Outbound HTTPS connections from n8n core | http://proxy.corp.com:8080 |
API calls to HTTPS endpoints fail |
| NO_PROXY | Hosts that bypass the proxy | localhost,127.0.0.1,::1 |
Internal services routed through proxy and fail |
| ALL_PROXY | All outbound connections — any protocol | socks5h://host:port for SOCKS5 |
Non-HTTP protocols bypass proxy |
| N8N_TRUST_PROXY | Tells Express to trust X-Forwarded-For headers | true when behind a reverse proxy |
Startup ValidationError crash loop |
| N8N_PROXY_HOPS | Number of reverse proxy hops in front of n8n | 1 for single Nginx/Traefik/Caddy setup |
Rate limiting can misidentify users |
Frequently Asked Questions (FAQ)
1. I set HTTP_PROXY but n8n still can’t reach the internet. curl works fine. Why?
Two likely causes. First: run docker exec n8n printenv | grep -i proxy and check if you have both http_proxy (lowercase) and HTTP_PROXY (uppercase) present — the lowercase form takes precedence via the proxy-from-env package, silently overriding your uppercase value. Set both to the same address to eliminate the conflict. Second: the node you’re testing may be one that bypasses the global proxy agent — Langchain/AI nodes, RSS nodes, and PGVector are known cases. Test with a plain HTTP Request node first to isolate whether the issue is the proxy configuration or the node type.
2. My OpenAI node fails even though HTTP_PROXY is correctly set and curl works. Is there a fix?
This is a known open bug (GitHub issue #10901, open since September 2024). LangChain’s HTTP client doesn’t use the global proxy agent n8n installs at startup. The only workarounds today are: configure direct internet access to the AI API from your network, or use a transparent proxy at the firewall or iptables level that intercepts all outbound connections rather than relying on application-level proxy env vars. There is no environment variable solution for this specific node type while the bug remains unresolved.
3. n8n crashes on startup with a ValidationError about X-Forwarded-For. What is this?
This happens when n8n runs behind a reverse proxy (Nginx, Traefik, Caddy) that adds X-Forwarded-For headers, but n8n’s Express server doesn’t trust those headers by default. Add N8N_TRUST_PROXY=true and N8N_PROXY_HOPS=1 to your environment variables and restart. The crash stops immediately. You do not need to change your Nginx or Traefik config — the fix is entirely inside n8n.
4. I get a 502 error on Settings → Community Packages even though my proxy works for everything else. Why?
The community packages page installs packages via an internal method called executeNpmCommand(). This method has a confirmed bug (GitHub issue #24162, January 2026) where it doesn’t pass the container’s proxy environment variables to the npm subprocess it spawns. The fix: set npm’s proxy config directly inside the running container with docker exec n8n npm config set proxy http://proxy.mycorp.com:8080 and the equivalent for https-proxy. This persists as long as the container’s home directory volume is intact.
5. Should I use HTTP_PROXY or http_proxy (lowercase)?
Set both, with the same value. The proxy-from-env package that n8n uses gives lowercase variables precedence over uppercase when both are present. By declaring both in your Docker environment block, you eliminate the precedence ambiguity entirely — regardless of what the base image or entrypoint script sets, your correct proxy address will be read.
6. I’m on Windows running n8n via npm (not Docker). How do I set the proxy?
Set environment variables in PowerShell before starting n8n: $env:HTTP_PROXY="http://proxy.corp.com:8080" and $env:HTTPS_PROXY="http://proxy.corp.com:8080". Also set npm’s proxy separately: npm config set proxy http://proxy.corp.com:8080. For a permanent setup, add the environment variables to your Windows System Environment Variables so they’re set before n8n starts. Note: n8n’s debug log should show “Installing global HTTP proxy agents” at startup to confirm the vars are being read.
7. I’m using a SOCKS5 proxy through xray-core or V2Ray. What’s different?
Use ALL_PROXY=socks5h://127.0.0.1:1080 in addition to your HTTP_PROXY and HTTPS_PROXY vars. The socks5h:// scheme – the trailing h is intentional means DNS resolution is performed by the proxy rather than locally. This matters in restricted networks where local DNS won’t resolve external hostnames. Without the h, you get socks5:// which resolves DNS locally first, which often fails in the same environments where SOCKS5 is needed.
Conclusion: n8n Proxy Errors Are Predictable Once You Know the Map
Proxy failures in n8n feel chaotic because they can originate from four different system layers – Docker runtime, n8n’s internal proxy agent, third-party node libraries, and npm’s own HTTP client – each of which requires a separate configuration approach. Once you understand the three-layer model and which node types bypass the global proxy agent, every failure becomes traceable to a specific, mechanical fix rather than a guessing game of restarting containers and rotating environment variables.
The debugging order matters: confirm the vars are inside the container first, then confirm the proxy is reachable via curl, then identify whether the failing component is one of the known node types that bypasses the proxy agent entirely. If n8n is crashing rather than failing to connect, the issue is almost certainly the reverse proxy headers — fixed with two environment variables in under a minute. Community package failures are a separate npm-level issue, fixed with a single command inside the container. None of this is random once you have the decision tree.
Your 7-Step Production Proxy Checklist:
- Pass
HTTP_PROXY,HTTPS_PROXY, andNO_PROXYexplicitly in your Docker run command or compose file – containers never inherit host proxy settings. - Set both lowercase (
http_proxy) and uppercase (HTTP_PROXY) to eliminate the proxy-from-env precedence conflict. - Set npm proxy config separately via
npm config set proxy— npm has its own HTTP client independent of OS env vars. - If AI nodes (OpenAI, Gemini) or RSS nodes fail despite correct env vars, use a network-level transparent proxy — the application-level agent does not apply to those node types.
- If n8n crashes on startup behind Nginx/Traefik/Caddy, add
N8N_TRUST_PROXY=trueandN8N_PROXY_HOPS=1to your environment. - If community package installation returns 502, run
docker exec n8n npm config set proxy ...directly inside the container. - For TLS-intercepting proxies, import the corporate CA cert into a custom n8n image – never disable SSL validation globally in production.
If TLS is causing additional failures after your proxy is configured, see the SSL certificate error in n8n guide. If your compose file structure is producing errors alongside proxy setup, see the docker-compose configuration error guide.
