
Workflow Automation
Self-Hosted n8n

Deployed a fully self-hosted automation platform using Docker, secured it with SSL and MFA, and exposed it to the internet via Cloudflare Tunnel, unlocking OAuth integrations, webhook callbacks, and API connectivity without exposing a single port.

Stack Docker · n8n · Cloudflare · Linux
Security MFA · SSL/TLS · Zero Exposed Ports
IAM Relevance OAuth · Webhooks · API Auth

Skills Applied

What This Project Demonstrates

Linux CLI
Docker & Containerization
Cloudflare Tunnel
SSL/TLS Encryption
DNS & Name Servers
OAuth Integrations
Webhook Configuration
API Authentication
Environment Variables (.env)
Self-Signed Certificates
Reverse Proxy
Prompt Engineering
Patch Management
YAML Configuration
Scripting (Bash)
Troubleshooting

IAM Relevance

Identity & Access in Practice

This project required hands-on implementation of IAM concepts that go beyond textbook definitions.

OAuth 2.0

Third-Party Authorization

Configured OAuth-based integrations within n8n workflows, requiring the platform to be publicly reachable so external services could complete authorization flows. This involved understanding token exchange, callback URLs, and scope delegation.

Webhooks

Event-Driven Authentication

Implemented secure inbound webhooks so external services could trigger automation workflows. Configured webhook endpoints, validated payloads, and ensured traffic integrity through Cloudflare's encrypted tunnel.

API Security

Credential & Key Management

Managed API keys and credentials across multiple service integrations within n8n, applying the principle of least privilege. Each connection was granted only the access it needed, stored securely in environment variables rather than hardcoded.

MFA & Access Control

Multi-Factor Authentication

Enabled MFA on the n8n instance to prevent unauthorized access to the automation platform. Combined with basic authentication and Cloudflare's access controls to enforce layered identity verification.

Use Case

What Was Automated

The infrastructure wasn't built for its own sake. It was built to run a real AI agent with real access to sensitive data.

The agent was designed to read incoming emails and act on their contents autonomously. Using Gemini as the reasoning layer and n8n as the orchestration engine, the workflow gave the agent full read and write access to Gmail, Google Contacts, and Google Calendar.

Because this required delegating broad OAuth scopes (read mail, send mail, manage contacts, manage calendar events), a dedicated isolated account was created specifically for this agent. If the account or API key was ever compromised, no personal data or primary accounts were at risk. The blast radius was contained by design.

The Gemini API key was scoped only to this workflow and stored in environment variables, never in source code.

[Image: n8n workflow diagram showing AI assistant with Gemini and Simple Memory nodes connected to Gmail, Google Contacts, and Google Calendar actions]

Live n8n workflow: AI agent with full Gmail, Contacts, and Calendar access

Gap Analysis

Identifying and Closing the Gaps

Before deployment was complete, this infrastructure had real, exploitable weaknesses. Each one was identified and addressed deliberately.

Security Gap: Transport Encryption
Initial State: HTTP only. All traffic in plaintext, interceptable on the local network.
Remediation: HTTPS enforced via Cloudflare TLS termination. Self-signed certs used for the local layer.

Security Gap: Credential Exposure
Initial State: Credentials and API keys stored in .env files with no access controls beyond file permissions.
Remediation: Environment variables isolated per service. Keys scoped to minimum required access and never committed to source control.

Security Gap: Remote Access Path
Initial State: No remote access. Port forwarding was considered but rejected due to inbound firewall exposure.
Remediation: Cloudflare Tunnel deployed. Outbound-only connection, zero inbound ports opened.

Security Gap: OAuth Blast Radius
Initial State: Broad OAuth scopes (Gmail, Contacts, Calendar) would have exposed primary account data if compromised.
Remediation: Dedicated isolated account created for the agent. Compromise of that account has no path to personal data.

Security Gap: Account Security
Initial State: Single admin account. No second factor. No user management.
Remediation: MFA enforced on all accounts. Additional users provisioned with appropriate roles.

Build Process

How It Was Built

01

Why Self-Host?

n8n's paid service model limited hands-on experimentation. Self-hosting provided full access to all nodes, integrations, and configurations, learning by doing rather than by watching. The goal was full data ownership and the ability to explore advanced automation in a controlled environment.

02

Docker Deployment

Packaged n8n inside a Docker container to ensure a consistent, isolated environment. Configured Docker volumes for data persistence, and used environment files (.env) to control service behavior. The .env file acts as the rulebook for how services behave across different environments.

03

LAN Accessibility

Reconfigured the environment settings to bind n8n to the host machine's private IP rather than localhost, allowing any trusted device on the local network to access the platform. This surfaced a key lesson: understanding network binding is essential before any exposure strategy.

04

SSL Encryption (Local)

Generated and configured self-signed SSL certificates to encrypt local traffic. Pointed n8n to the certificates via the .env file. Key takeaway: even internal traffic should be encrypted. Browsers will warn on an untrusted self-signed cert, but the traffic itself is still encrypted in transit.

05

Cloudflare Tunnel: Zero Port Exposure

Registered a domain, pointed it to Cloudflare's name servers, and used Cloudflare Tunnel to securely expose the local n8n instance to the internet with zero open inbound ports. This unlocked OAuth logins, webhook callbacks, and all third-party integrations that require a public endpoint.

06

Automation Scripts

Wrote three custom Bash scripts: one to update and restart all services, one to shut down the entire stack cleanly, and one to start everything in a consistent and predictable order, whether recovering from a power disruption or launching manually.
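An added compose layout (not the project's own files) that matches steps 02 through 05: no published ports, the self-signed pair wired in through environment variables, and cloudflared making the outbound-only connection on n8n's behalf. The hostname, paths and tunnel token are placeholders; the n8n and cloudflared settings are ones those projects document.

```yaml
# Added example, not the project's own compose file. Hostnames, paths and the
# tunnel token are placeholders; settings are the documented n8n/cloudflared ones.
services:
  n8n:
    image: docker.n8n.io/n8nio/n8n
    restart: unless-stopped
    # No "ports:" block: nothing is published on the host. cloudflared reaches n8n
    # over the internal compose network only. If LAN access is wanted (step 03),
    # publish on the host's private IP only, e.g. "192.168.1.10:5678:5678", never 0.0.0.0.
    env_file: .env                               # credentials and keys live here, not in this file
    environment:
      - N8N_LISTEN_ADDRESS=0.0.0.0               # container interface, so cloudflared can connect
      - N8N_HOST=n8n.example.com                 # public hostname served by the tunnel
      - N8N_PROTOCOL=https
      - N8N_SSL_KEY=/certs/n8n.key               # self-signed pair for the local hop (step 04)
      - N8N_SSL_CERT=/certs/n8n.crt
      - WEBHOOK_URL=https://n8n.example.com/     # what OAuth callbacks and webhooks are told to hit
      - N8N_ENCRYPTION_KEY=${N8N_ENCRYPTION_KEY} # from .env; encrypts stored credentials at rest
    volumes:
      - n8n_data:/home/node/.n8n                 # persistence across restarts and image updates
      - ./certs:/certs:ro

  cloudflared:
    image: cloudflare/cloudflared:latest
    restart: unless-stopped
    command: tunnel --no-autoupdate run
    environment:
      - TUNNEL_TOKEN=${TUNNEL_TOKEN}             # outbound-only connection to Cloudflare's edge
    depends_on:
      - n8n
    # The public hostname route is configured in the Cloudflare dashboard and
    # points at https://n8n:5678 inside this network (self-signed cert, so the
    # origin TLS check must be relaxed for that route).

volumes:
  n8n_data:
```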

Security

Security Measures Implemented

Multi-Factor Authentication
Self-Signed SSL Certificates
Secure Webhooks
Zero Exposed Ports
DNS Proxy (Cloudflare)
Cloudflare Tunnel
Basic Authentication
SSL/TLS Encryption
Patch Management Scripts
Reverse Proxy

Lessons Learned

Key Takeaways

Docker containers, volumes, and runtime behavior: practical containerization experience, not just theory.
Environment variables control how services behave across different environments. Configuration as code matters.
Cloudflare Tunnel provides encrypted internet access without port forwarding. A clean, secure exposure strategy.
OAuth requires a publicly reachable callback URL. Understanding this directly informed my knowledge of IAM and federated identity flows.
Least privilege in API key management: each integration gets only the access it needs, stored in environment files, not hardcoded.
AI prompt engineering as a research tool: used it to fill gaps where documentation was incomplete or scattered.

Interested in what Eduardo built?

Let's talk about how this applies to your open roles.