Glossary

Key terms used throughout this documentation.


Cloudflare Access — Cloudflare's authentication layer. When you visit n8n.exzentcg.com, Access checks your email before letting you through. Think of it as a security guard at the door.

Cloudflare Tunnel — An encrypted pipe from our server to Cloudflare's network. No ports need to be opened on our router. The connection is opened outbound only, from our server to Cloudflare: Cloudflare can reach us through it, but nobody on the internet can reach us directly.

Container (CT) — A lightweight, isolated environment running on the Proxmox server, similar to a virtual machine but lighter. Each service (n8n, edge-gateway) runs in its own container, isolated from the others.

Docker / Docker Compose — A tool for running applications in standardised packages. Our services (n8n, NPM, cloudflared) run as Docker containers inside Proxmox containers.

edge-gateway — Our container (CT 101) that sits between Cloudflare and the internal services. It runs cloudflared (the tunnel endpoint) and NPM (the traffic router). All incoming traffic passes through here first.

Firewall rules — Rules that control which network traffic is allowed or blocked. Our setup has multiple layers: Cloudflare (external), Proxmox host (node), and per-container (LXC). The critical rule: containers cannot reach the home LAN even if compromised.

IP set — A named group of IP addresses used in firewall rules. Instead of writing "allow 192.168.0.16 and 100.97.244.32", we write "allow +admin_desktop" — easier to read and update.

Lateral movement — When an attacker compromises one system and uses it to reach others on the same network. Our firewall rules specifically prevent this — each container can only talk to what it needs.

LXC — Linux Containers. The virtualisation technology Proxmox uses to create isolated containers. Lighter than full virtual machines.

n8n — An open-source workflow automation tool (like Zapier or Make, but self-hosted). We use it to connect business tools and automate processes. Runs at n8n.exzentcg.com.

NPM (Nginx Proxy Manager) — A reverse proxy that routes web traffic to the correct service based on the domain name. When a request comes in for "n8n.exzentcg.com", NPM sends it to the n8n container.

Proxmox VE — The hypervisor (server management software) that runs on our physical hardware. It manages all the containers and provides the firewall.

Tailscale — A mesh VPN that lets us access the Proxmox server remotely without opening ports. Uses WireGuard encryption. Independent of Cloudflare — if Cloudflare goes down, we can still manage the server via Tailscale.

Webhook — A URL that external services (Shopify, Telegram, Stripe) can send data to. n8n's webhook endpoints are at n8n.exzentcg.com/webhook/... and are deliberately exempt from login requirements so external services can reach them.

Zero Trust — A security model where nothing is trusted by default. Every request must prove its identity, regardless of where it comes from. Cloudflare Zero Trust is the product that implements this for our services.