DEV Community: Oscar Ricardo Sánche Gutierréz The latest articles on DEV Community by Oscar Ricardo Sánche Gutierréz (@oscar_ricardosncheguti). https://dev.to/oscar_ricardosncheguti https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3804416%2F2f910017-a0c5-45f4-99ba-cef5a096c7de.jpg DEV Community: Oscar Ricardo Sánche Gutierréz https://dev.to/oscar_ricardosncheguti en Build an AI Email Assistant with n8n and Telegram Oscar Ricardo Sánche Gutierréz Fri, 01 May 2026 23:16:32 +0000 https://dev.to/oscar_ricardosncheguti/build-an-ai-email-assistant-with-n8n-and-telegram-3ld5 https://dev.to/oscar_ricardosncheguti/build-an-ai-email-assistant-with-n8n-and-telegram-3ld5 <p>Is your inbox flooded with repetitive emails? Support queries, FAQs, information requests… they all eat up time and require manual replies.</p> <p>In this article you'll build an <strong>automated email assistant</strong> that:</p> <ol> <li>Reads incoming emails via IMAP</li> <li>Analyzes them with <strong>DeepSeek</strong> using a custom knowledge base</li> <li> <strong>Replies automatically</strong> when the model has enough context</li> <li> <strong>Notifies you via Telegram</strong> when it needs human review</li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo07j8llinogs5ngd9yw6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo07j8llinogs5ngd9yw6.png" alt="Architecture" width="800" height="375"></a></p> <blockquote> <p>Diagram created with <a href="https://savnet.co" rel="noopener noreferrer">https://savnet.co</a></p> </blockquote> <h2> What you need </h2> <ul> <li>A server with <strong>n8n up and running</strong> (if you don't have one, follow <a href="https://dev.to/oscar_ricardosncheguti/como-instalar-n8n-en-un-servidor-ubuntu-produccion-lista-2kf2">this installation guide</a>)</li> <li>An <strong>email account</strong> with IMAP access (ZohoMail, Gmail, Outlook, or any provider that supports it)</li> <li>A <strong>DeepSeek API key</strong> (<a href="https://platform.deepseek.com" rel="noopener noreferrer">platform.deepseek.com</a>)</li> <li>A <strong>Telegram bot</strong> created via <a href="https://t.me/BotFather" rel="noopener noreferrer">https://t.me/BotFather</a> </li> </ul> <blockquote> <p><strong>Note:</strong> Telegram bots have no usage costs, making them ideal for automations with no message limits.</p> </blockquote> <h2> 1. Getting your credentials </h2> <h3> DeepSeek API </h3> <p>Sign up at <a href="https://platform.deepseek.com" rel="noopener noreferrer">platform.deepseek.com</a>, head to the API Keys section and create a new one. You'll need:</p> <ul> <li><code>DEEPSEEK_API_KEY</code></li> <li>Endpoint URL: <code>https://api.deepseek.com/v1/chat/completions</code> </li> <li>Recommended model: <code>deepseek-chat</code> </li> </ul> <h3> Telegram Bot </h3> <p>Creating a Telegram bot is quick and requires no company registration or credit cards. Open Telegram, search for <code>@BotFather</code>, send <code>/newbot</code> and follow the steps. At the end you'll get a token like <code>4839574812:AAFD39kkdpWt3ywyRZergyOLMaJhac60qc</code>.</p> <blockquote> <p>For more details on bot creation: <a href="https://dev.to/simplr_sh/telegram-bot-creation-handbook-g5g">Telegram Bot Creation Handbook</a></p> </blockquote> <h4> Getting your Chat ID </h4> <p>You need to know your <strong>Chat ID</strong> (your Telegram user ID) so the bot knows where to send messages.</p> <ol> <li>Open Telegram and search for <code>@userinfobot</code> </li> <li>Start the conversation with <strong>Start</strong> </li> <li>The bot replies automatically with your info. Look for the line that says <strong>Id:</strong> — that number is your Chat ID </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Id: 1234567890 &lt;&lt;&lt; This is your Chat ID First: YourName Lang: en .... </code></pre> </div> <p>Save both values (Bot Token and Chat ID) for later use in n8n.</p> <h2> 2. Building the workflow in n8n </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3471rbtkax4tjelgo6lm.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3471rbtkax4tjelgo6lm.png" alt="Workflow" width="800" height="280"></a></p> <p>If you're new to n8n, the first step is creating a workflow. At each stage I'll tell you which node to add so you can find it like this:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjnpm3er70jhpxgmas7if.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjnpm3er70jhpxgmas7if.gif" alt="Add node" width="731" height="389"></a></p> <h3> Step by step: </h3> <p><strong>Node 1 — IMAP Trigger</strong></p> <p>Add the <strong>Email Trigger (IMAP)</strong> node, which will be our workflow's trigger and will check for unread emails in our inbox.</p> <ol> <li>In the Credential field, configure the following (values and setup vary by email provider):</li> </ol> <ul> <li> <strong>User</strong>: your email</li> <li> <strong>Password</strong>: your password or app password</li> <li> <strong>Host</strong>: your IMAP server (e.g. <code>imap.gmail.com</code>)</li> <li> <strong>Port</strong>: <code>993</code> </li> <li> <strong>Secure</strong>: <code>true</code> </li> </ul> <ol> <li>In the rest of the form, fill in:</li> </ol> <ul> <li> <strong>Mailbox Name:</strong> the mailbox to pull emails from, defaults to <code>INBOX</code> </li> <li> <strong>Action:</strong> Mark as Read — this way every processed email gets marked as read.</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F41mvk2gm2vinuiiplulk.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F41mvk2gm2vinuiiplulk.png" alt="Imap setup" width="800" height="364"></a></p> <p>By default, once the workflow is published the node will poll periodically (every 60 seconds by default) to detect new emails.</p> <p><strong>Node 2 — Code (Knowledge Base)</strong></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvhslhoxd1fnb11v5ffcm.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvhslhoxd1fnb11v5ffcm.png" alt="Code Know" width="800" height="335"></a></p> <p>The "secret sauce" of the assistant lives here. Instead of letting DeepSeek improvise, you define a clear context with the responses you expect.</p> <p>Add a <strong>Code</strong> node (<code>Code in Javascript</code>), switch the mode to <strong>"Run Once for All Items"</strong> (top-right of the editor) and connect it to Node 1 (IMAP).</p> <p>The code must <strong>preserve the email data we care about</strong> and add the <code>knowledgeBase</code> field.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">knowledgeBase</span> <span class="o">=</span> <span class="s2">` Eres un asistente de soporte técnico de [Tu Empresa]. Responde solo si encuentras una coincidencia clara en las políticas siguientes. Si no estás seguro, responde exactamente: NO_PUEDO_RESPONDER POLÍTICAS: 1. Horario de atención: Lunes a viernes de 9:00 a 18:00 (GMT-5). 2. Tiempo de respuesta estimado: 24 horas hábiles. 3. Contraseñas: Nunca solicites ni compartas contraseñas por correo. 4. Reembolsos: Se procesan dentro de los primeros 30 días. El usuario debe enviar un comprobante. 5. Problemas técnicos comunes: - Error 403: El usuario debe limpiar caché y cookies. - Error 500: Reportar al equipo interno, pedir al usuario que espere 1 hora. - Olvido de contraseña: Enviar enlace de restablecimiento a su correo registrado. 6. Facturación: Para cambios de plan o facturación, responder que el usuario ingrese al panel de pago. INSTRUCCIONES: - Responde de forma amable y profesional. - Usa el mismo idioma del correo recibido. - Si el correo contiene más de una pregunta, responde cada punto. - Si el correo es grosero o agresivo, responde: NO_PUEDO_RESPONDER `</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">items</span> <span class="o">=</span> <span class="nx">$input</span><span class="p">.</span><span class="nf">all</span><span class="p">();</span> <span class="k">return</span> <span class="nx">items</span><span class="p">.</span><span class="nf">map</span><span class="p">(</span><span class="nx">item</span> <span class="o">=&gt;</span> <span class="p">({</span> <span class="na">json</span><span class="p">:</span> <span class="p">{</span> <span class="p">...</span><span class="nx">item</span><span class="p">.</span><span class="nx">json</span><span class="p">,</span> <span class="nx">knowledgeBase</span> <span class="p">}</span> <span class="p">}));</span> </code></pre> </div> <blockquote> <p>You can make this as detailed as you want. The more context, the better the responses. Using <code>...item.json</code> preserves the original email data so Node 3 (content extraction) receives it without issues.</p> </blockquote> <p>Name this node, for example, <code>CodeKnow</code>.</p> <p><strong>Node 3 — Code (Extract Content)</strong></p> <p>Use another <strong>Code</strong> node (<code>Code in Javascript</code>) to extract the relevant information from each email and generate the <code>chatInput</code> with the prompt we'll send to our AI. Switch the mode to <strong>"Run for Each Item"</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">email</span> <span class="o">=</span> <span class="nx">$input</span><span class="p">.</span><span class="nx">item</span><span class="p">.</span><span class="nx">json</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">subject</span> <span class="o">=</span> <span class="nx">email</span><span class="p">.</span><span class="nx">subject</span> <span class="o">||</span> <span class="dl">''</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">body</span> <span class="o">=</span> <span class="p">(</span><span class="nx">email</span><span class="p">.</span><span class="nx">textPlain</span> <span class="o">&amp;&amp;</span> <span class="nx">email</span><span class="p">.</span><span class="nx">textPlain</span><span class="p">.</span><span class="nf">trim</span><span class="p">())</span> <span class="o">||</span> <span class="p">(</span><span class="nx">email</span><span class="p">.</span><span class="nx">textHtml</span> <span class="o">&amp;&amp;</span> <span class="nx">email</span><span class="p">.</span><span class="nx">textHtml</span><span class="p">.</span><span class="nf">trim</span><span class="p">())</span> <span class="o">||</span> <span class="dl">''</span><span class="p">;</span> <span class="k">return</span> <span class="p">{</span> <span class="nx">subject</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="nx">body</span><span class="p">.</span><span class="nf">substring</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mi">5000</span><span class="p">),</span> <span class="na">from</span><span class="p">:</span> <span class="nx">email</span><span class="p">.</span><span class="k">from</span><span class="p">,</span> <span class="na">to</span><span class="p">:</span> <span class="nx">email</span><span class="p">.</span><span class="nx">to</span><span class="p">,</span> <span class="na">uid</span><span class="p">:</span> <span class="nx">email</span><span class="p">.</span><span class="nx">uid</span> <span class="o">||</span> <span class="nx">email</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">chatInput</span><span class="p">:</span> <span class="s2">`From: </span><span class="p">${</span><span class="nx">email</span><span class="p">.</span><span class="k">from</span><span class="p">}</span><span class="s2">\nAsunto: </span><span class="p">${</span><span class="nx">subject</span><span class="p">}</span><span class="s2">\nCuerpo: </span><span class="p">${</span><span class="nx">body</span><span class="p">.</span><span class="nf">substring</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mi">5000</span><span class="p">)}</span><span class="s2">`</span> <span class="p">};</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F59kmhs8r2vb0mu3fr5ft.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F59kmhs8r2vb0mu3fr5ft.png" alt="Process Emails" width="800" height="400"></a></p> <p><strong>Node 4 — DeepSeek Chat Model (Configuration)</strong></p> <p>Add a <strong>DeepSeek Chat Model</strong> node. It will likely auto-generate 3 nodes: <strong>When chatmessage received</strong>, <strong>Basic LLM Chain</strong> and <strong>DeepSeek Chat Model</strong>. Keep only the LLM and DeepSeek — the extra one isn't needed. Connect the code block to the Basic LLM node like this:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqiry1ag515xd3ymu4fry.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqiry1ag515xd3ymu4fry.gif" alt="Setup Deepseek" width="800" height="482"></a></p> <p>In the remaining blocks, set up the following:</p> <ol> <li>In DeepSeek Chat Model, just configure the credentials:</li> </ol> <ul> <li> <strong>Credential</strong>: select or create a <strong>DeepSeek account</strong> credential <ul> <li> <strong>API Key</strong>: your DeepSeek key</li> </ul> </li> <li> <strong>Model</strong>: <code>deepseek-v4-flash</code> </li> </ul> <ol> <li>In Basic LLM Chain (processor):</li> </ol> <ul> <li> <strong>Source for Prompt</strong>: Define below</li> <li> <strong>Prompt (User Message)</strong>: Analyze this email and provide a short, clear response to send via Telegram. {{ $json.chatInput }}</li> <li> <strong>Chat Messages</strong>: <ul> <li> <strong>Type</strong>: <code>System</code> → <strong>Message</strong>: <code>{{ $json.knowledgeBase }}</code> </li> </ul> </li> <li> <strong>Require Specific Output Format</strong>: disabled</li> </ul> <p>What we've done is send a prompt with our intent and the email data defined in the <code>CodeProcessEmail</code> block, along with a system message containing our knowledge base — the info we defined in the <code>CodeKnow</code> block.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5aa054pbbgfytmaso6kh.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5aa054pbbgfytmaso6kh.png" alt="Setup ai" width="800" height="410"></a></p> <blockquote> <p><strong>What about cost?</strong> DeepSeek v4 charges ~$0.14 per million input tokens and ~$0.28 per output. A typical email (~1,000 tokens) costs ~$0.0002. With 1,000 emails a month you'd spend ~$0.20. In the production tweaks section I'll show you how to filter to avoid unnecessary calls.</p> </blockquote> <p>The node takes the <code>chatInput</code> from Node 3 (knowledge base + email) and returns the response generated by DeepSeek.</p> <p><strong>Node 5 — Code (Map Assistant Response)</strong></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1ix7vgknjavu179ysms7.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1ix7vgknjavu179ysms7.png" alt="Code Normalize" width="800" height="352"></a></p> <p>The DeepSeek block only returns the AI's raw response, which means we lose the full email data we'll need later. That's why we add this <strong>Code</strong> node in <strong>"Run Once for All Items"</strong> mode to merge the AI response with the original email data and determine whether it can reply or not:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">aiItems</span> <span class="o">=</span> <span class="nx">$input</span><span class="p">.</span><span class="nf">all</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">emailItems</span> <span class="o">=</span> <span class="nf">$</span><span class="p">(</span><span class="dl">'</span><span class="s1">CodeProcessEmail</span><span class="dl">'</span><span class="p">).</span><span class="nf">all</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">output</span> <span class="o">=</span> <span class="nx">aiItems</span><span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="nx">item</span><span class="p">,</span> <span class="nx">index</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">originalEmail</span> <span class="o">=</span> <span class="nx">emailItems</span><span class="p">[</span><span class="nx">index</span><span class="p">]?.</span><span class="nx">json</span> <span class="o">||</span> <span class="p">{};</span> <span class="kd">const</span> <span class="nx">aiText</span> <span class="o">=</span> <span class="nx">item</span><span class="p">.</span><span class="nx">json</span><span class="p">.</span><span class="nx">text</span> <span class="o">||</span> <span class="dl">''</span><span class="p">;</span> <span class="k">return</span> <span class="p">{</span> <span class="na">json</span><span class="p">:</span> <span class="p">{</span> <span class="p">...</span><span class="nx">originalEmail</span><span class="p">,</span> <span class="na">aiResponse</span><span class="p">:</span> <span class="nx">aiText</span><span class="p">.</span><span class="nf">trim</span><span class="p">(),</span> <span class="na">canReply</span><span class="p">:</span> <span class="o">!</span><span class="nx">aiText</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">NO_PUEDO_RESPONDER</span><span class="dl">'</span><span class="p">)</span> <span class="p">}</span> <span class="p">};</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">output</span><span class="p">;</span> </code></pre> </div> <p>This block is key because:</p> <ul> <li>It grabs the original email data (<code>subject</code>, <code>from</code>, <code>body</code>, etc.)</li> <li>It adds <code>aiResponse</code> with the clean response from DeepSeek</li> <li>It adds <code>canReply</code> (<code>true</code>/<code>false</code>) to decide whether to auto-reply</li> </ul> <p><strong>Node 6 — IF (Can it reply?)</strong></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbr4v6kau04egpkc8ix2t.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbr4v6kau04egpkc8ix2t.png" alt="Condition" width="800" height="347"></a></p> <p>With the AI response and email data at hand, we add an <code>if</code> block. This node evaluates the <code>{{ $json.canReply }}</code> field with the following:</p> <ul> <li> <strong>Yes</strong> (<code>true</code>) → goes to SMTP send</li> <li> <strong>No</strong> (<code>false</code>) → goes to Telegram notification</li> </ul> <p><strong>Node 7.1 — Email (SMTP) — Reply</strong></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8ymimhbfavejgcwvtztj.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8ymimhbfavejgcwvtztj.png" alt="Smtp" width="800" height="372"></a></p> <p>Configure the <code>Send Email</code> node to send the automatic reply:</p> <ul> <li> <strong>Credential:</strong> a window will open for you to register your SMTP credentials: <ul> <li>User</li> <li>Password</li> <li>Host</li> <li>Port</li> <li>SSL</li> </ul> </li> <li> <strong>From Email</strong>: we'll tell it to reply from the same address they wrote to: <code>{{ $json.to }}</code> </li> <li> <strong>To</strong>: the person who wrote in: <code>{{ $json.from }}</code> </li> <li> <strong>Subject</strong>: <code>Re: {{ $('CodeProcessEmail').item.json.subject }}</code> </li> <li> <strong>Email Format:</strong> HTML</li> <li> <strong>Text</strong>: <code>{{ $json.aiResponse }}</code> </li> </ul> <p><strong>Node 7.2 — Telegram — Send Notification</strong></p> <p>For emails the AI can't handle, we won't send an automatic reply. Instead, you'll receive an alert via <strong>Telegram</strong>.</p> <p>However, we first need to make sure we're not sending messages longer than 4,000 characters — Telegram's limit. To handle this:</p> <ol> <li>Add a <strong>Code</strong> node (JavaScript) in <code>Run Once for All Items</code> mode with the following code: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">escapeHtml</span> <span class="o">=</span> <span class="p">(</span><span class="nx">value</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="nc">String</span><span class="p">(</span><span class="nx">value</span> <span class="o">||</span> <span class="dl">''</span><span class="p">)</span> <span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/&amp;/g</span><span class="p">,</span> <span class="dl">'</span><span class="s1">&amp;amp;</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/&lt;/g</span><span class="p">,</span> <span class="dl">'</span><span class="s1">&amp;lt;</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/&gt;/g</span><span class="p">,</span> <span class="dl">'</span><span class="s1">&amp;gt;</span><span class="dl">'</span><span class="p">);</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">items</span> <span class="o">=</span> <span class="nx">$input</span><span class="p">.</span><span class="nf">all</span><span class="p">();</span> <span class="kd">let</span> <span class="nx">text</span> <span class="o">=</span> <span class="dl">''</span><span class="p">;</span> <span class="nx">items</span><span class="p">.</span><span class="nf">forEach</span><span class="p">((</span><span class="nx">item</span><span class="p">,</span> <span class="nx">index</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">subject</span> <span class="o">=</span> <span class="nf">escapeHtml</span><span class="p">(</span><span class="nx">item</span><span class="p">.</span><span class="nx">json</span><span class="p">.</span><span class="nx">subject</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">Sin asunto</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">aiResponse</span> <span class="o">=</span> <span class="nf">escapeHtml</span><span class="p">(</span><span class="nx">item</span><span class="p">.</span><span class="nx">json</span><span class="p">.</span><span class="nx">aiResponse</span> <span class="o">||</span> <span class="dl">''</span><span class="p">);</span> <span class="nx">text</span> <span class="o">+=</span> <span class="s2">`</span><span class="p">${</span><span class="nx">index</span> <span class="o">+</span> <span class="mi">1</span><span class="p">}</span><span class="s2">) </span><span class="p">${</span><span class="nx">subject</span><span class="p">}</span><span class="s2">: </span><span class="p">${</span><span class="nx">aiResponse</span><span class="p">}</span><span class="s2">\n━━━━━━━━━━━━━━━━━━━━\n`</span><span class="p">;</span> <span class="p">});</span> <span class="c1">// ---- split into chunks ----</span> <span class="kd">const</span> <span class="nx">chunkSize</span> <span class="o">=</span> <span class="mi">3900</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">header</span> <span class="o">=</span> <span class="s2">`━━━━━━━━━━━━━━━━━━━━\n&lt;b&gt;Recibiste los siguientes correos:&lt;/b&gt;\n\n`</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">fullText</span> <span class="o">=</span> <span class="nx">header</span> <span class="o">+</span> <span class="nx">text</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">totalParts</span> <span class="o">=</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">ceil</span><span class="p">(</span><span class="nx">fullText</span><span class="p">.</span><span class="nx">length</span> <span class="o">/</span> <span class="nx">chunkSize</span><span class="p">)</span> <span class="o">||</span> <span class="mi">1</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">output</span> <span class="o">=</span> <span class="p">[];</span> <span class="k">for </span><span class="p">(</span><span class="kd">let</span> <span class="nx">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="nx">i</span> <span class="o">&lt;</span> <span class="nx">fullText</span><span class="p">.</span><span class="nx">length</span><span class="p">;</span> <span class="nx">i</span> <span class="o">+=</span> <span class="nx">chunkSize</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">part</span> <span class="o">=</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">floor</span><span class="p">(</span><span class="nx">i</span> <span class="o">/</span> <span class="nx">chunkSize</span><span class="p">)</span> <span class="o">+</span> <span class="mi">1</span><span class="p">;</span> <span class="nx">output</span><span class="p">.</span><span class="nf">push</span><span class="p">({</span> <span class="na">json</span><span class="p">:</span> <span class="p">{</span> <span class="na">text</span><span class="p">:</span> <span class="s2">`[</span><span class="p">${</span><span class="nx">part</span><span class="p">}</span><span class="s2">/</span><span class="p">${</span><span class="nx">totalParts</span><span class="p">}</span><span class="s2">]\n</span><span class="p">${</span><span class="nx">fullText</span><span class="p">.</span><span class="nf">slice</span><span class="p">(</span><span class="nx">i</span><span class="p">,</span> <span class="nx">i</span> <span class="o">+</span> <span class="nx">chunkSize</span><span class="p">)}</span><span class="s2">`</span> <span class="p">}</span> <span class="p">});</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">output</span><span class="p">;</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp0djnri63hf41ogfbfmn.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp0djnri63hf41ogfbfmn.png" alt="Telegram Code" width="800" height="329"></a></p> <ol> <li>Add an <code>HTTP Request</code> node to send each of the messages we defined:</li> <li> <strong>Method:</strong> POST</li> <li> <strong>URL:</strong> <a href="https://api.telegram.org/bot{YourTelegramToken,format:0000:xxxxxx}/sendMessage" rel="noopener noreferrer">https://api.telegram.org/bot{YourTelegramToken,format:0000:xxxxxx}/sendMessage</a> </li> <li> <strong>Authentication:</strong> none</li> <li> <strong>SendBody:</strong> true</li> <li> <strong>Body Content Type:</strong> JSON</li> <li> <strong>Specify Body:</strong> Using Fields Below <ol> <li> <strong>chat_id:</strong> your Telegram conversation ID</li> <li> <strong>text:</strong> {{ $json.text }}</li> <li> <strong>parse_mode:</strong> HTML</li> <li> <strong>disable_web_page_preview:</strong> TRUE</li> </ol> </li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs05klyth8sifcm5mt8h9.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs05klyth8sifcm5mt8h9.png" alt="Telegram1" width="800" height="329"></a><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fewk2kcrhs8cc41qprauo.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fewk2kcrhs8cc41qprauo.png" alt="Telegram2" width="800" height="329"></a></p> <p>That's it — our workflow is done :D</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftys3dy12p6y5wtmes5n5.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftys3dy12p6y5wtmes5n5.png" alt="Workflow" width="800" height="280"></a></p> <h2> 3. Testing the workflow </h2> <blockquote> <p>⚠️ <strong>Before going live, run controlled tests.</strong> Don't connect this workflow directly to your personal or company inbox. Use a test email account (IMAP + SMTP) that contains no sensitive or confidential information. If something goes wrong — a bad AI interpretation, a misconfigured domain — you could end up auto-replying to real customers with incorrect information. Better safe than sorry.</p> </blockquote> <p>With the workflow ready, do the following:</p> <ol> <li> <strong>Run it manually</strong> by clicking the <strong>Execute Workflow</strong> button (top right). This triggers the workflow immediately without waiting for automatic polling.</li> <li>Send yourself a test email with a question that's covered in your knowledge base.</li> <li>Check that you receive the automatic reply in the test sender's inbox.</li> <li>Send another email with something outside your knowledge base.</li> <li>You should receive a Telegram notification with the email content.</li> </ol> <p>When everything works as expected, just click <strong>Publish</strong> to enable polling and put it into production.</p> <h2> 4. Production tweaks </h2> <h3> Filter by sender </h3> <p>Add an <strong>IF</strong> node after the trigger to only process emails from specific domains or addresses:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="k">from</span> <span class="o">=</span> <span class="nx">$input</span><span class="p">.</span><span class="nx">item</span><span class="p">.</span><span class="nx">json</span><span class="p">.</span><span class="k">from</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">allowedDomains</span> <span class="o">=</span> <span class="p">[</span><span class="dl">'</span><span class="s1">yourdomain.com</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">client.com</span><span class="dl">'</span><span class="p">];</span> <span class="kd">const</span> <span class="nx">domain</span> <span class="o">=</span> <span class="k">from</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1">@</span><span class="dl">'</span><span class="p">)[</span><span class="mi">1</span><span class="p">];</span> <span class="k">return</span> <span class="nx">allowedDomains</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="nx">domain</span><span class="p">);</span> </code></pre> </div> <h3> Rate limiting </h3> <p>DeepSeek has rate limits per minute. If you expect a high volume of emails, add a <strong>Wait</strong> node of 1-2 seconds between processing batches, or use a queue.</p> <h3> Conversation history </h3> <p>If you want DeepSeek to remember previous conversations, you can store the history in a database (PostgreSQL, Redis) and pass it as additional context on each iteration.</p> <h3> Handling attachments </h3> <p>DeepSeek doesn't process files directly. If you receive emails with attachments, you can use a <strong>Code</strong> node to extract text from PDFs or images (via OCR) and pass it as context.</p> <h2> Conclusion </h2> <p>You now have an automated email assistant that:</p> <ul> <li>Reads emails via IMAP without missing any</li> <li>Analyzes them with DeepSeek against your own knowledge base</li> <li>Replies automatically when it can</li> <li>Notifies you via Telegram when it needs your input</li> </ul> <p>This doesn't replace a support team, but it absorbs the volume of repetitive questions and frees up time for what really matters.</p> <p>If you want to visually document this workflow or more complex infrastructure diagrams, <a href="https://savnet.co" rel="noopener noreferrer">Savnet</a> helps you design them. And if you need to continuously validate this kind of automation, <a href="https://savfalconeye.com" rel="noopener noreferrer">SavFalconEye</a> lets you keep confidence in every change.</p> <p><em>Ready to give it a try? Let me know how it went in the comments.</em></p> ai automation productivity tutorial Crea un asistente de correo con IA usando n8n y Telegram Oscar Ricardo Sánche Gutierréz Fri, 01 May 2026 23:10:52 +0000 https://dev.to/oscar_ricardosncheguti/crea-un-asistente-de-correo-con-ia-usando-n8n-y-telegram-2oed https://dev.to/oscar_ricardosncheguti/crea-un-asistente-de-correo-con-ia-usando-n8n-y-telegram-2oed <p>¿Tu bandeja de entrada está llena de correos repetitivos? Consultas de soporte, preguntas frecuentes, solicitudes de información... todo requiere tiempo y respuestas manuales.</p> <p>En este artículo vas a construir un <strong>asistente automatizado de correo electrónico</strong> que:</p> <ol> <li>Lee los correos entrantes vía IMAP</li> <li>Los analiza con <strong>DeepSeek</strong> usando una base de conocimiento personalizada</li> <li> <strong>Responde automáticamente</strong> si el modelo tiene suficiente contexto</li> <li>Te <strong>notifica por Telegram</strong> si necesita revisión manual</li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fadehev3uzqlti0129n2l.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fadehev3uzqlti0129n2l.png" alt="Architecture" width="800" height="375"></a></p> <blockquote> <p>Diagrama realizado con <a href="https://savnet.co" rel="noopener noreferrer">https://savnet.co</a></p> </blockquote> <h2> ¿Qué necesitas? </h2> <ul> <li>Un servidor con <strong>n8n funcionando</strong> (si no lo tienes, sigue <a href="https://dev.to/oscar_ricardosncheguti/como-instalar-n8n-en-un-servidor-ubuntu-produccion-lista-2kf2">esta guía de instalación</a>)</li> <li>Una <strong>cuenta de correo</strong> con acceso IMAP (ZohoMail, Gmail, Outlook, o cualquier proveedor que lo soporte)</li> <li>Una <strong>clave API de DeepSeek</strong> (<a href="https://platform.deepseek.com" rel="noopener noreferrer">platform.deepseek.com</a>)</li> <li>Un <strong>bot de Telegram</strong> creado con <a href="https://t.me/BotFather" rel="noopener noreferrer">https://t.me/BotFather</a> &gt; <strong>Nota:</strong> Telegram no tiene costos asociados por uso de bots, ideal para automatizaciones sin límites de mensajes.</li> </ul> <h2> 1. Obtener credenciales </h2> <h3> DeepSeek API </h3> <p>Regístrate en <a href="https://platform.deepseek.com" rel="noopener noreferrer">platform.deepseek.com</a>, ve a la sección de API Keys y crea una nueva. Vas a necesitar:</p> <ul> <li><code>DEEPSEEK_API_KEY</code></li> <li>URL del endpoint: <code>https://api.deepseek.com/v1/chat/completions</code> </li> <li>Modelo recomendado: <code>deepseek-chat</code> </li> </ul> <h3> Bot de Telegram </h3> <p>Crear un bot en Telegram es rápido y no requiere registro de empresa ni tarjetas. Para crear el bot abre Telegram, busca <code>@BotFather</code>, envía <code>/newbot</code> y sigue los pasos. Al finalizar te dará un token como <code>4839574812:AAFD39kkdpWt3ywyRZergyOLMaJhac60qc</code>.</p> <blockquote> <p>Para más detalle sobre la creación del bot: <a href="https://dev.to/simplr_sh/telegram-bot-creation-handbook-g5g">Telegram Bot Creation Handbook</a></p> </blockquote> <h4> Obtener el Chat ID </h4> <p>Necesitas saber el <strong>Chat ID</strong> (tu ID de usuario en Telegram) para que el bot sepa a quién enviarle los mensajes. </p> <ol> <li>Abre Telegram y busca <code>@userinfobot</code> </li> <li>Inicia la conversación con <strong>Start</strong> </li> <li>El bot te responde automáticamente con tu información. Busca la línea que dice <strong>Id:</strong>, ese número es tu Chat ID </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Id: 1234567890 &lt;&lt;&lt; Este es tu Chat ID First: TuNombre Lanf: es .... </code></pre> </div> <p>Guarda ambos valores (Bot Token y Chat ID) para usarlos en n8n.</p> <h2> 2. Construir el flujo en n8n </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9dr1ilf9auorrjfmswd1.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9dr1ilf9auorrjfmswd1.png" alt="Workflow" width="800" height="280"></a></p> <p>Si eres nuevo en n8n lo primero es crear un flujo. En cada paso te diré el nombre del nodo a agregar para que lo puedas buscar así:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyoub7ne3p2975mo32h3c.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyoub7ne3p2975mo32h3c.gif" alt="Add node" width="731" height="389"></a></p> <h3> Paso a paso: </h3> <p><strong>Nodo 1 - Trigger IMAP</strong></p> <p>Agrega el nodo <strong>Email Trigger (IMAP)</strong>, el cual será el activador de nuestro flujo y revisará los correos sin leer en nuestro buzón.</p> <ol> <li>En el campo Credential debes configurar (los valores y la forma de activación varían según el proveedor de correo):</li> </ol> <ul> <li> <strong>User</strong>: tu correo</li> <li> <strong>Password</strong>: tu contraseña o contraseña de aplicación</li> <li> <strong>Host</strong>: tu servidor IMAP (ej: <code>imap.gmail.com</code>)</li> <li> <strong>Port</strong>: <code>993</code> </li> <li> <strong>Secure</strong>: <code>true</code> </li> </ul> <ol> <li>En el resto de formulario ingresa:</li> </ol> <ul> <li> <strong>Mailbox Name:</strong> nombre del buzón donde se deben extraer los correos, por defecto <code>INBOX</code> (Bandeja de entrada)</li> <li> <strong>Action:</strong> Mark as Read, con esto cada mensaje que procesemos será marcado como leído.</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fltxryb9d6qcxo0nxkzyg.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fltxryb9d6qcxo0nxkzyg.png" alt="Imap config" width="800" height="364"></a></p> <p>Por defecto, cuando publiquemos el workflow el nodo hará polling cada cierto tiempo (por defecto cada 60 segundos) para detectar correos nuevos.</p> <p><strong>Nodo 2 - Code (Base de conocimiento)</strong></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F07wu8omxuqcjep9i25a7.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F07wu8omxuqcjep9i25a7.png" alt="Code Know" width="800" height="335"></a></p> <p>El "secreto" del asistente está aquí. En lugar de dejar que DeepSeek improvise, le defines un contexto claro con las respuestas que esperas.</p> <p>Agrega un nodo <strong>Code</strong> (<code>Code in Javascript</code>), cambia el modo a <strong>"Run Once for All Items"</strong> (arriba a la derecha del editor) y conéctalo al Nodo 1 (IMAP).</p> <p>El código debe <strong>preservar los datos del correo que nos interesan</strong> y agregar el campo <code>knowledgeBase</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">knowledgeBase</span> <span class="o">=</span> <span class="s2">` Eres un asistente de soporte técnico de [Tu Empresa]. Responde solo si encuentras una coincidencia clara en las políticas siguientes. Si no estás seguro, responde exactamente: NO_PUEDO_RESPONDER POLÍTICAS: 1. Horario de atención: Lunes a viernes de 9:00 a 18:00 (GMT-5). 2. Tiempo de respuesta estimado: 24 horas hábiles. 3. Contraseñas: Nunca solicites ni compartas contraseñas por correo. 4. Reembolsos: Se procesan dentro de los primeros 30 días. El usuario debe enviar un comprobante. 5. Problemas técnicos comunes: - Error 403: El usuario debe limpiar caché y cookies. - Error 500: Reportar al equipo interno, pedir al usuario que espere 1 hora. - Olvido de contraseña: Enviar enlace de restablecimiento a su correo registrado. 6. Facturación: Para cambios de plan o facturación, responder que el usuario ingrese al panel de pago. INSTRUCCIONES: - Responde de forma amable y profesional. - Usa el mismo idioma del correo recibido. - Si el correo contiene más de una pregunta, responde cada punto. - Si el correo es grosero o agresivo, responde: NO_PUEDO_RESPONDER `</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">items</span> <span class="o">=</span> <span class="nx">$input</span><span class="p">.</span><span class="nf">all</span><span class="p">();</span> <span class="k">return</span> <span class="nx">items</span><span class="p">.</span><span class="nf">map</span><span class="p">(</span><span class="nx">item</span> <span class="o">=&gt;</span> <span class="p">({</span> <span class="na">json</span><span class="p">:</span> <span class="p">{</span> <span class="p">...</span><span class="nx">item</span><span class="p">.</span><span class="nx">json</span><span class="p">,</span> <span class="nx">knowledgeBase</span> <span class="p">}</span> <span class="p">}));</span> </code></pre> </div> <blockquote> <p>Puedes hacer esto tan detallado como quieras. Mientras más contexto, mejor responderá. Al usar <code>...item.json</code> los datos del correo original se conservan y el Nodo 3 (extraer contenido) los recibe sin problema.</p> </blockquote> <p>Este nodo se llamará, por ejemplo, <code>CodeKnow</code>.</p> <p><strong>Nodo 3 - Code (extraer contenido)</strong></p> <p>Usa otro nodo <strong>Code</strong> (<code>Code in Javascript</code>) para extraer la información necesaria de cada correo y generar el <code>chatInput</code> con el prompt que enviaremos a nuestra IA. Cambia el modo a <strong>"Run for Each Item"</strong> :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">email</span> <span class="o">=</span> <span class="nx">$input</span><span class="p">.</span><span class="nx">item</span><span class="p">.</span><span class="nx">json</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">subject</span> <span class="o">=</span> <span class="nx">email</span><span class="p">.</span><span class="nx">subject</span> <span class="o">||</span> <span class="dl">''</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">body</span> <span class="o">=</span> <span class="p">(</span><span class="nx">email</span><span class="p">.</span><span class="nx">textPlain</span> <span class="o">&amp;&amp;</span> <span class="nx">email</span><span class="p">.</span><span class="nx">textPlain</span><span class="p">.</span><span class="nf">trim</span><span class="p">())</span> <span class="o">||</span> <span class="p">(</span><span class="nx">email</span><span class="p">.</span><span class="nx">textHtml</span> <span class="o">&amp;&amp;</span> <span class="nx">email</span><span class="p">.</span><span class="nx">textHtml</span><span class="p">.</span><span class="nf">trim</span><span class="p">())</span> <span class="o">||</span> <span class="dl">''</span><span class="p">;</span> <span class="k">return</span> <span class="p">{</span> <span class="nx">subject</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="nx">body</span><span class="p">.</span><span class="nf">substring</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mi">5000</span><span class="p">),</span> <span class="na">from</span><span class="p">:</span> <span class="nx">email</span><span class="p">.</span><span class="k">from</span><span class="p">,</span> <span class="na">to</span><span class="p">:</span> <span class="nx">email</span><span class="p">.</span><span class="nx">to</span><span class="p">,</span> <span class="na">uid</span><span class="p">:</span> <span class="nx">email</span><span class="p">.</span><span class="nx">uid</span> <span class="o">||</span> <span class="nx">email</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">chatInput</span><span class="p">:</span> <span class="s2">`From: </span><span class="p">${</span><span class="nx">email</span><span class="p">.</span><span class="k">from</span><span class="p">}</span><span class="s2">\nAsunto: </span><span class="p">${</span><span class="nx">subject</span><span class="p">}</span><span class="s2">\nCuerpo: </span><span class="p">${</span><span class="nx">body</span><span class="p">.</span><span class="nf">substring</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mi">5000</span><span class="p">)}</span><span class="s2">`</span> <span class="p">};</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3nnuicwf4znvj6p639o3.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3nnuicwf4znvj6p639o3.png" alt="Process emails" width="800" height="400"></a></p> <p><strong>Nodo 4 - DeepSeek Chat Model (configuración)</strong></p> <p>Agrega un nodo <strong>DeepSeek Chat Model</strong>. Es probable que esto te genere 3 nodos automáticamente: <strong>When chatmessage received</strong>, <strong>Basic LLM Chain</strong> y <strong>DeepSeek Chat Model</strong>. Quédate solo con el LLM y DeepSeek, el otro sobra. Conecta el bloque de código con el de Basic LLM, así:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvpxmt063v8xg6qz22a4u.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvpxmt063v8xg6qz22a4u.gif" alt="Setup Deepseek" width="800" height="482"></a></p> <p>En los bloques que nos quedan debemos:</p> <ol> <li>En DeepSeek Chat Model, solo especificar las credenciales:</li> </ol> <ul> <li> <strong>Credential</strong>: selecciona o crea una credencial <strong>DeepSeek account</strong> <ul> <li> <strong>API Key</strong>: tu clave de DeepSeek</li> </ul> </li> <li> <strong>Model</strong>: <code>deepseek-v4-flash</code> </li> </ul> <ol> <li>En Basic LLM Chain (procesador):</li> </ol> <ul> <li> <strong>Source for Prompt</strong>: Define below</li> <li> <strong>Prompt (User Message)</strong>: Analyze this email and provide a short, clear response to send via Telegram. {{ $json.chatInput }}</li> <li> <strong>Chat Messages</strong>: <ul> <li> <strong>Type</strong>: <code>System</code> → <strong>Message</strong>: <code>{{ $json.knowledgeBase }}</code> </li> </ul> </li> <li> <strong>Require Specific Output Format</strong>: desactivado</li> </ul> <p>Lo que hemos hecho es enviarle un prompt con nuestra intención y la data del correo que definimos en el bloque <code>CodeProcessEmail</code> junto con un mensaje de sistema con nuestra base de conocimiento, información que definimos en el bloque <code>CodeKnow</code>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg19gjl3yox2rpepp8sn2.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg19gjl3yox2rpepp8sn2.png" alt="IA config" width="800" height="410"></a></p> <blockquote> <p><strong>¿Y el costo?</strong> DeepSeek v4 cobra ~$0.14 por millón de tokens de entrada y ~$0.28 por salida. Un correo típico (~1,000 tokens) cuesta ~$0.0002. Con 1,000 correos al mes gastarías ~$0.20. En ajustes para producción te muestro cómo filtrar para evitar llamadas innecesarias.</p> </blockquote> <p>El nodo toma el <code>chatInput</code> del Nodo 3 (base de conocimiento + correo) y devuelve la respuesta generada por DeepSeek.</p> <p><strong>Nodo 5 - Code (mapear respuesta del asistente)</strong></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvu7noozm3dsy9i46ua19.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvu7noozm3dsy9i46ua19.png" alt="Code Normalize" width="800" height="352"></a></p> <p>El bloque de DeepSeek solo nos retorna la respuesta de la IA con lo cual perdemos la información completa del correo que necesitamos más adelante. Por eso agregamos este nodo <strong>Code</strong> en modo <strong>"Run Once for All Items"</strong> que combina la respuesta de la IA con los datos del correo original y determina si puede responder o no:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">aiItems</span> <span class="o">=</span> <span class="nx">$input</span><span class="p">.</span><span class="nf">all</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">emailItems</span> <span class="o">=</span> <span class="nf">$</span><span class="p">(</span><span class="dl">'</span><span class="s1">CodeProcessEmail</span><span class="dl">'</span><span class="p">).</span><span class="nf">all</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">output</span> <span class="o">=</span> <span class="nx">aiItems</span><span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="nx">item</span><span class="p">,</span> <span class="nx">index</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">originalEmail</span> <span class="o">=</span> <span class="nx">emailItems</span><span class="p">[</span><span class="nx">index</span><span class="p">]?.</span><span class="nx">json</span> <span class="o">||</span> <span class="p">{};</span> <span class="kd">const</span> <span class="nx">aiText</span> <span class="o">=</span> <span class="nx">item</span><span class="p">.</span><span class="nx">json</span><span class="p">.</span><span class="nx">text</span> <span class="o">||</span> <span class="dl">''</span><span class="p">;</span> <span class="k">return</span> <span class="p">{</span> <span class="na">json</span><span class="p">:</span> <span class="p">{</span> <span class="p">...</span><span class="nx">originalEmail</span><span class="p">,</span> <span class="na">aiResponse</span><span class="p">:</span> <span class="nx">aiText</span><span class="p">.</span><span class="nf">trim</span><span class="p">(),</span> <span class="na">canReply</span><span class="p">:</span> <span class="o">!</span><span class="nx">aiText</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">NO_PUEDO_RESPONDER</span><span class="dl">'</span><span class="p">)</span> <span class="p">}</span> <span class="p">};</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">output</span><span class="p">;</span> </code></pre> </div> <p>Este bloque es clave porque:</p> <ul> <li>Toma los datos originales del correo (<code>subject</code>, <code>from</code>, <code>body</code>, etc.)</li> <li>Agrega <code>aiResponse</code> con la respuesta limpia de DeepSeek</li> <li>Agrega <code>canReply</code> (<code>true</code>/<code>false</code>) para decidir si se responde automáticamente</li> </ul> <p><strong>Nodo 6 - IF (¿Puede responder?)</strong></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftkdf388u901qtze0770m.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftkdf388u901qtze0770m.png" alt="Condition" width="800" height="347"></a></p> <p>Teniendo a la mano la respuesta de la IA y la información del correo, agregamos un bloque <code>if</code>. Este bloque evalúa el campo <code>{{ $json.canReply }}</code> con la condición:</p> <ul> <li> <strong>Sí</strong> (<code>true</code>) → va a envío SMTP</li> <li> <strong>No</strong> (<code>false</code>) → va a notificación Telegram</li> </ul> <p><strong>Nodo 7.1 - Email (SMTP) - Responder</strong></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwujwcxfscrswocy5fk4u.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwujwcxfscrswocy5fk4u.png" alt="Smtp" width="800" height="372"></a></p> <p>Configura el nodo <code>Send Email</code> para enviar la respuesta automática:</p> <ul> <li> <strong>Credential:</strong> te abrirá una ventana para registrar tus credenciales SMTP: <ul> <li>User</li> <li>Password</li> <li>Host</li> <li>Port</li> <li>SSL</li> </ul> </li> <li> <strong>From Email</strong>: le diremos que responda desde el mismo correo al que escribieron: <code>{{ $json.to}}</code> </li> <li> <strong>To</strong>: la persona que escribió <code>{{ $json.from }}</code> </li> <li> <strong>Subject</strong>: <code>Re: {{ $('CodeProcessEmail').item.json.subject }}</code> </li> <li> <strong>Email Format:</strong> HTML</li> <li> <strong>Text</strong>: <code>{{ $json.aiResponse }}</code> </li> </ul> <p><strong>Nodo 7.2 - Telegram - Enviar notificación</strong></p> <p>Para los correos que la IA no puede responder, no enviaremos una respuesta automática. En su lugar, recibirás una alerta por <strong>Telegram</strong>.</p> <p>Sin embargo, antes debemos verificar que no vamos a enviar mensajes de más de 4.000 caracteres —el límite de Telegram—. Para ello:</p> <ol> <li>Agregamos un nodo <strong>Code</strong> (JavaScript) en modo <code>Run Once for All Items</code> con el código: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">escapeHtml</span> <span class="o">=</span> <span class="p">(</span><span class="nx">value</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="nc">String</span><span class="p">(</span><span class="nx">value</span> <span class="o">||</span> <span class="dl">''</span><span class="p">)</span> <span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/&amp;/g</span><span class="p">,</span> <span class="dl">'</span><span class="s1">&amp;amp;</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/&lt;/g</span><span class="p">,</span> <span class="dl">'</span><span class="s1">&amp;lt;</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/&gt;/g</span><span class="p">,</span> <span class="dl">'</span><span class="s1">&amp;gt;</span><span class="dl">'</span><span class="p">);</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">items</span> <span class="o">=</span> <span class="nx">$input</span><span class="p">.</span><span class="nf">all</span><span class="p">();</span> <span class="kd">let</span> <span class="nx">text</span> <span class="o">=</span> <span class="dl">''</span><span class="p">;</span> <span class="nx">items</span><span class="p">.</span><span class="nf">forEach</span><span class="p">((</span><span class="nx">item</span><span class="p">,</span> <span class="nx">index</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">subject</span> <span class="o">=</span> <span class="nf">escapeHtml</span><span class="p">(</span><span class="nx">item</span><span class="p">.</span><span class="nx">json</span><span class="p">.</span><span class="nx">subject</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">Sin asunto</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">aiResponse</span> <span class="o">=</span> <span class="nf">escapeHtml</span><span class="p">(</span><span class="nx">item</span><span class="p">.</span><span class="nx">json</span><span class="p">.</span><span class="nx">aiResponse</span> <span class="o">||</span> <span class="dl">''</span><span class="p">);</span> <span class="nx">text</span> <span class="o">+=</span> <span class="s2">`</span><span class="p">${</span><span class="nx">index</span> <span class="o">+</span> <span class="mi">1</span><span class="p">}</span><span class="s2">) </span><span class="p">${</span><span class="nx">subject</span><span class="p">}</span><span class="s2">: </span><span class="p">${</span><span class="nx">aiResponse</span><span class="p">}</span><span class="s2">\n━━━━━━━━━━━━━━━━━━━━\n`</span><span class="p">;</span> <span class="p">});</span> <span class="c1">// ---- dividir en partes ----</span> <span class="kd">const</span> <span class="nx">chunkSize</span> <span class="o">=</span> <span class="mi">3900</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">header</span> <span class="o">=</span> <span class="s2">`━━━━━━━━━━━━━━━━━━━━\n&lt;b&gt;Recibiste los siguientes correos:&lt;/b&gt;\n\n`</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">fullText</span> <span class="o">=</span> <span class="nx">header</span> <span class="o">+</span> <span class="nx">text</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">totalParts</span> <span class="o">=</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">ceil</span><span class="p">(</span><span class="nx">fullText</span><span class="p">.</span><span class="nx">length</span> <span class="o">/</span> <span class="nx">chunkSize</span><span class="p">)</span> <span class="o">||</span> <span class="mi">1</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">output</span> <span class="o">=</span> <span class="p">[];</span> <span class="k">for </span><span class="p">(</span><span class="kd">let</span> <span class="nx">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="nx">i</span> <span class="o">&lt;</span> <span class="nx">fullText</span><span class="p">.</span><span class="nx">length</span><span class="p">;</span> <span class="nx">i</span> <span class="o">+=</span> <span class="nx">chunkSize</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">part</span> <span class="o">=</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">floor</span><span class="p">(</span><span class="nx">i</span> <span class="o">/</span> <span class="nx">chunkSize</span><span class="p">)</span> <span class="o">+</span> <span class="mi">1</span><span class="p">;</span> <span class="nx">output</span><span class="p">.</span><span class="nf">push</span><span class="p">({</span> <span class="na">json</span><span class="p">:</span> <span class="p">{</span> <span class="na">text</span><span class="p">:</span> <span class="s2">`[</span><span class="p">${</span><span class="nx">part</span><span class="p">}</span><span class="s2">/</span><span class="p">${</span><span class="nx">totalParts</span><span class="p">}</span><span class="s2">]\n</span><span class="p">${</span><span class="nx">fullText</span><span class="p">.</span><span class="nf">slice</span><span class="p">(</span><span class="nx">i</span><span class="p">,</span> <span class="nx">i</span> <span class="o">+</span> <span class="nx">chunkSize</span><span class="p">)}</span><span class="s2">`</span> <span class="p">}</span> <span class="p">});</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">output</span><span class="p">;</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyuv6puaf9ak8sr2zs2l0.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyuv6puaf9ak8sr2zs2l0.png" alt="Telegram code" width="800" height="329"></a></p> <ol> <li>Agregamos un nodo de tipo <code>HTTP Request</code> para enviar cada uno de los mensajes que definimos</li> <li> <strong>Method:</strong> POST</li> <li> <strong>URL:</strong> <a href="https://api.telegram.org/bot{TuTokenTelegram,formato:0000:xxxxxx}/sendMessage" rel="noopener noreferrer">https://api.telegram.org/bot{TuTokenTelegram,formato:0000:xxxxxx}/sendMessage</a> </li> <li> <strong>Authentication:</strong> none</li> <li> <strong>SendBody:</strong> true</li> <li> <strong>Body Content Type:</strong> JSON</li> <li> <strong>Specify Body:</strong> Using Fields Below <ol> <li> <strong>chat_id:</strong> tu ID de conversación en Telegram</li> <li> <strong>text:</strong> {{ $json.text }}</li> <li> <strong>parse_mode:</strong> HTML</li> <li> <strong>disable_web_page_preview:</strong> TRUE</li> </ol> </li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqaoxhiqww37pwqk7f7p6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqaoxhiqww37pwqk7f7p6.png" alt="Setup telegram1" width="800" height="329"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyu1xb4l5jupjwqsbjn0v.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyu1xb4l5jupjwqsbjn0v.png" alt="Setup telegram2" width="800" height="329"></a></p> <p>Listo, con esto hemos terminado nuestro flujo :D</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx0f3h6diztsgj6i4p0qh.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx0f3h6diztsgj6i4p0qh.png" alt="Workflow" width="800" height="280"></a></p> <h2> 3. Probar el flujo </h2> <blockquote> <p>⚠️ <strong>Antes de lanzarte a producción, haz pruebas controladas.</strong> No conectes este flujo directamente a tu buzón personal o corporativo. Usa una cuenta de correo de pruebas (IMAP + SMTP) que no contenga información sensible ni confidencial. Si algo sale mal — una mala interpretación de la IA, un dominio mal configurado — podrías terminar respondiendo automáticamente a clientes reales con información incorrecta. Mejor prevenir.</p> </blockquote> <p>Con el flujo listo, haz lo siguiente:</p> <ol> <li> <strong>Ejecuta manualmente</strong> haciendo clic en el botón <strong>Execute Workflow</strong> (arriba a la derecha). Esto dispara el flujo de inmediato sin esperar el polling automático.</li> <li>Envíate un correo de prueba con una pregunta que esté en tu base de conocimiento.</li> <li>Revisa que recibas la respuesta automática en la bandeja del remitente de prueba.</li> <li>Envíate otro correo con algo fuera de tu base de conocimiento.</li> <li>Deberías recibir la notificación en Telegram con el contenido del correo.</li> </ol> <p>Cuando todo funcione como esperas, solo da clic en <strong>Publish</strong> para activar el polling y dejarlo en producción.</p> <h2> 4. Ajustes para producción </h2> <h3> Filtrar por remitente </h3> <p>Agrega un nodo <strong>IF</strong> después del trigger para procesar solo correos de dominios o direcciones específicas:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="k">from</span> <span class="o">=</span> <span class="nx">$input</span><span class="p">.</span><span class="nx">item</span><span class="p">.</span><span class="nx">json</span><span class="p">.</span><span class="k">from</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">allowedDomains</span> <span class="o">=</span> <span class="p">[</span><span class="dl">'</span><span class="s1">tudominio.com</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">cliente.com</span><span class="dl">'</span><span class="p">];</span> <span class="kd">const</span> <span class="nx">domain</span> <span class="o">=</span> <span class="k">from</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1">@</span><span class="dl">'</span><span class="p">)[</span><span class="mi">1</span><span class="p">];</span> <span class="k">return</span> <span class="nx">allowedDomains</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="nx">domain</span><span class="p">);</span> </code></pre> </div> <h3> Rate limiting </h3> <p>DeepSeek tiene límites de peticiones por minuto. Si esperas muchos correos, agrega un nodo <strong>Wait</strong> de 1-2 segundos entre procesamiento y procesamiento, o usa una cola.</p> <h3> Historial de conversación </h3> <p>Si quieres que DeepSeek recuerde conversaciones anteriores, puedes almacenar el historial en una base de datos (PostgreSQL, Redis) y pasarlo como contexto adicional en cada iteración.</p> <h3> Manejo de adjuntos </h3> <p>DeepSeek no procesa archivos directamente. Si recibes correos con adjuntos, puedes usar un nodo <strong>Code</strong> para extraer el texto de PDFs o imágenes (con OCR) y pasarlo como contexto.</p> <h2> Conclusión </h2> <p>Tienes un asistente de correo automatizado que:</p> <ul> <li>Lee correos vía IMAP sin perder ninguno</li> <li>Los analiza con DeepSeek contra tu propia base de conocimiento</li> <li>Responde automáticamente cuando puede</li> <li>Te notifica por Telegram cuando necesita tu intervención</li> </ul> <p>Esto no reemplaza un equipo de soporte, pero sí absorbe el volumen de preguntas repetitivas y libera tiempo para lo que realmente importa.</p> <p>Si quieres documentar visualmente este flujo o diagramas de infraestructura más complejos, <a href="https://savnet.co" rel="noopener noreferrer">Savnet</a> te ayuda a diseñarlos. Y si necesitas validar este tipo de automatizaciones de forma continua, <a href="https://savfalconeye.com" rel="noopener noreferrer">SavFalconEye</a> te permite mantener la confianza en cada cambio.</p> <p><em>¿Te animas a probarlo? Cuéntame en los comentarios cómo te fue.</em></p> ai automation spanish tutorial How to Install n8n on an Ubuntu Server (Production-Ready) Oscar Ricardo Sánche Gutierréz Wed, 29 Apr 2026 19:41:34 +0000 https://dev.to/oscar_ricardosncheguti/how-to-install-n8n-on-an-ubuntu-server-production-ready-djb https://dev.to/oscar_ricardosncheguti/how-to-install-n8n-on-an-ubuntu-server-production-ready-djb <p><strong>n8n</strong> is an open-source workflow automation platform. It lets you connect services, APIs, and databases through a visual editor without writing hundreds of lines of code — though you can still use JavaScript or Python when custom logic is needed.</p> <p>In this guide, you'll deploy n8n on an Ubuntu server using Docker Compose, with PostgreSQL as the database, Redis as the queue manager, dedicated workers for background execution, Caddy as a reverse proxy with automatic SSL, and best practices for a production environment.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fap6d26ytfjd815re8k0b.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fap6d26ytfjd815re8k0b.png" alt="Architecture" width="800" height="408"></a></p> <blockquote> <p>Diagram made with <a href="https://savnet.co" rel="noopener noreferrer">https://savnet.co</a></p> </blockquote> <h2> Prerequisites </h2> <ul> <li>A server running <strong>Ubuntu 22.04 or 24.04</strong> (1 vCPU, 2 GB RAM minimum; 2 vCPU, 4 GB RAM recommended)</li> <li> <strong>Root</strong> access for initial setup</li> <li>A <strong>domain or subdomain</strong> pointing (A record) to your server's IP</li> <li>Ports <strong>80</strong> and <strong>443</strong> open in the firewall</li> <li>Basic command-line knowledge</li> </ul> <blockquote> <p><strong>Don't have a server yet?</strong><br><br> If you're looking for affordability and good performance, DigitalOcean is a solid choice. You can get started with this referral link:<br><br> <a href="https://m.do.co/c/2c579acd7121" rel="noopener noreferrer">https://m.do.co/c/2c579acd7121</a></p> </blockquote> <h2> 1. Initial Connection and System Update </h2> <p>SSH in as root and update the system packages:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ssh root@your-server apt update <span class="o">&amp;&amp;</span> apt upgrade <span class="nt">-y</span> </code></pre> </div> <h2> 2. Create a Dedicated Admin User </h2> <p>We'll create an <code>n8n</code> user with sudo privileges. From this point on, all work will be done with this user, not root.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create the user</span> adduser <span class="nt">--gecos</span> <span class="s2">""</span> n8n <span class="c"># Add to sudo group</span> usermod <span class="nt">-aG</span> <span class="nb">sudo </span>n8n <span class="c"># Verify</span> <span class="nb">id </span>n8n </code></pre> </div> <p>Before logging out, copy your public key from root to the new user so you can connect directly as <code>n8n</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Copy authorized SSH key from root to n8n</span> <span class="nb">mkdir</span> <span class="nt">-p</span> /home/n8n/.ssh <span class="nb">cp</span> ~/.ssh/authorized_keys /home/n8n/.ssh/authorized_keys <span class="nb">chown</span> <span class="nt">-R</span> n8n:n8n /home/n8n/.ssh <span class="nb">chmod </span>700 /home/n8n/.ssh <span class="nb">chmod </span>600 /home/n8n/.ssh/authorized_keys </code></pre> </div> <p>Now log out and reconnect as <code>n8n</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">exit </span>ssh n8n@your-server </code></pre> </div> <blockquote> <p><strong>Why a dedicated user?</strong><br><br> Running services directly as root is a bad security practice. If someone compromises the n8n process, they'd have full access to the server. A dedicated user limits the potential damage.</p> </blockquote> <h2> 3. Install Docker and Docker Compose </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Required packages</span> <span class="nb">sudo </span>apt <span class="nb">install</span> <span class="nt">-y</span> ca-certificates curl gnupg <span class="c"># Add Docker's official GPG key</span> <span class="nb">sudo install</span> <span class="nt">-m</span> 0755 <span class="nt">-d</span> /etc/apt/keyrings curl <span class="nt">-fsSL</span> https://download.docker.com/linux/ubuntu/gpg | <span class="nb">sudo </span>gpg <span class="nt">--dearmor</span> <span class="nt">-o</span> /etc/apt/keyrings/docker.gpg <span class="nb">sudo chmod </span>a+r /etc/apt/keyrings/docker.gpg <span class="c"># Add repository</span> <span class="nb">echo</span> <span class="s2">"deb [arch=</span><span class="si">$(</span>dpkg <span class="nt">--print-architecture</span><span class="si">)</span><span class="s2"> signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu </span><span class="si">$(</span><span class="nb">.</span> /etc/os-release <span class="o">&amp;&amp;</span> <span class="nb">echo</span> <span class="s2">"</span><span class="nv">$VERSION_CODENAME</span><span class="s2">"</span><span class="si">)</span><span class="s2"> stable"</span> | <span class="nb">sudo tee</span> /etc/apt/sources.list.d/docker.list <span class="o">&gt;</span> /dev/null <span class="c"># Install Docker Engine and Compose plugin</span> <span class="nb">sudo </span>apt update <span class="nb">sudo </span>apt <span class="nb">install</span> <span class="nt">-y</span> docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin <span class="c"># Add your user to the docker group (to avoid using sudo with every command)</span> <span class="nb">sudo </span>usermod <span class="nt">-aG</span> docker <span class="nv">$USER</span> <span class="c"># Verify</span> docker <span class="nt">--version</span> docker compose version <span class="c"># Reboot to apply group changes</span> <span class="nb">sudo </span>init 6 ssh n8n@your-server </code></pre> </div> <h2> 4. Create Directory Structure </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo mkdir</span> <span class="nt">-p</span> /opt/n8n/<span class="o">{</span>data/postgres,data/redis,data/n8n,data/caddy,backups<span class="o">}</span> <span class="nb">sudo chown</span> <span class="nt">-R</span> <span class="nv">$USER</span>:<span class="nv">$USER</span> /opt/n8n/data/<span class="o">{</span>postgres,redis,data/caddy,backups<span class="o">}</span> <span class="c"># The data/n8n directory must belong to UID 1000 (the 'node' user inside the container)</span> <span class="nb">sudo chown</span> <span class="nt">-R</span> 1000:1000 /opt/n8n/data/n8n <span class="nb">cd</span> /opt/n8n </code></pre> </div> <h2> 5. Configure Environment Variables </h2> <p>Create a <code>.env</code> file to store sensitive configuration:</p> <p><strong>Tips before you start:</strong></p> <ul> <li> <strong>Make sure your domain points to the server.</strong> Before proceeding, go to your DNS provider and add an A record pointing to your server's IP. Caddy needs to resolve the domain to obtain the SSL certificate.</li> <li> <strong>Generate a secure PostgreSQL password</strong> and an <strong>encryption key</strong> for n8n with these commands: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> openssl rand <span class="nt">-base64</span> 24 <span class="c"># For POSTGRES_PASSWORD</span> openssl rand <span class="nt">-hex</span> 20 <span class="c"># For N8N_ENCRYPTION_KEY</span> </code></pre> </div> <p>Save the values for the <code>.env</code> file.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>nano /opt/n8n/.env </code></pre> </div> <p>Contents:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Domain N8N_DOMAIN=n8n.yourdomain.com # PostgreSQL POSTGRES_USER=n8n POSTGRES_PASSWORD=your_secure_postgres_password POSTGRES_DB=n8n # n8n DB_TYPE=postgresdb DB_POSTGRESDB_HOST=postgres DB_POSTGRESDB_PORT=5432 DB_POSTGRESDB_DATABASE=n8n DB_POSTGRESDB_USER=n8n DB_POSTGRESDB_PASSWORD=your_secure_postgres_password N8N_ENCRYPTION_KEY=your_encryption_key N8N_HOST=${N8N_DOMAIN} N8N_PROTOCOL=https WEBHOOK_URL=https://${N8N_DOMAIN}/ N8N_PORT=5678 # Queue mode (Redis) EXECUTIONS_MODE=queue QUEUE_BULL_REDIS_HOST=redis QUEUE_BULL_REDIS_PORT=6379 </code></pre> </div> <p>Protect the file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">chmod </span>600 /opt/n8n/.env </code></pre> </div> <h2> 6. Create the docker-compose.yml File </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>nano /opt/n8n/docker-compose.yml </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">services</span><span class="pi">:</span> <span class="na">postgres</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">postgres:16-alpine</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">n8n-postgres</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">env_file</span><span class="pi">:</span> <span class="s">.env</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">POSTGRES_USER=${POSTGRES_USER}</span> <span class="pi">-</span> <span class="s">POSTGRES_PASSWORD=${POSTGRES_PASSWORD}</span> <span class="pi">-</span> <span class="s">POSTGRES_DB=${POSTGRES_DB}</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./data/postgres:/var/lib/postgresql/data</span> <span class="na">healthcheck</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">CMD-SHELL"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">pg_isready</span><span class="nv"> </span><span class="s">-U</span><span class="nv"> </span><span class="s">${POSTGRES_USER}</span><span class="nv"> </span><span class="s">-d</span><span class="nv"> </span><span class="s">${POSTGRES_DB}"</span><span class="pi">]</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">10s</span> <span class="na">timeout</span><span class="pi">:</span> <span class="s">5s</span> <span class="na">retries</span><span class="pi">:</span> <span class="m">5</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">n8n-network</span> <span class="na">redis</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">redis:7-alpine</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">n8n-redis</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./data/redis:/data</span> <span class="na">healthcheck</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">CMD"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">redis-cli"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">ping"</span><span class="pi">]</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">10s</span> <span class="na">timeout</span><span class="pi">:</span> <span class="s">5s</span> <span class="na">retries</span><span class="pi">:</span> <span class="m">5</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">n8n-network</span> <span class="na">n8n</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">n8nio/n8n:latest</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">n8n-app</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">env_file</span><span class="pi">:</span> <span class="s">.env</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">DB_TYPE=${DB_TYPE}</span> <span class="pi">-</span> <span class="s">DB_POSTGRESDB_HOST=${DB_POSTGRESDB_HOST}</span> <span class="pi">-</span> <span class="s">DB_POSTGRESDB_PORT=${DB_POSTGRESDB_PORT}</span> <span class="pi">-</span> <span class="s">DB_POSTGRESDB_DATABASE=${DB_POSTGRESDB_DATABASE}</span> <span class="pi">-</span> <span class="s">DB_POSTGRESDB_USER=${DB_POSTGRESDB_USER}</span> <span class="pi">-</span> <span class="s">DB_POSTGRESDB_PASSWORD=${DB_POSTGRESDB_PASSWORD}</span> <span class="pi">-</span> <span class="s">N8N_ENCRYPTION_KEY=${N8N_ENCRYPTION_KEY}</span> <span class="pi">-</span> <span class="s">N8N_HOST=${N8N_HOST}</span> <span class="pi">-</span> <span class="s">N8N_PROTOCOL=${N8N_PROTOCOL}</span> <span class="pi">-</span> <span class="s">WEBHOOK_URL=${WEBHOOK_URL}</span> <span class="pi">-</span> <span class="s">N8N_PORT=${N8N_PORT}</span> <span class="pi">-</span> <span class="s">N8N_METRICS=true</span> <span class="pi">-</span> <span class="s">EXECUTIONS_DATA_PRUNE=true</span> <span class="pi">-</span> <span class="s">EXECUTIONS_DATA_MAX_AGE=168</span> <span class="pi">-</span> <span class="s">EXECUTIONS_MODE=${EXECUTIONS_MODE}</span> <span class="pi">-</span> <span class="s">QUEUE_BULL_REDIS_HOST=${QUEUE_BULL_REDIS_HOST}</span> <span class="pi">-</span> <span class="s">QUEUE_BULL_REDIS_PORT=${QUEUE_BULL_REDIS_PORT}</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./data/n8n:/home/node/.n8n</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="na">postgres</span><span class="pi">:</span> <span class="na">condition</span><span class="pi">:</span> <span class="s">service_healthy</span> <span class="na">redis</span><span class="pi">:</span> <span class="na">condition</span><span class="pi">:</span> <span class="s">service_healthy</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">n8n-network</span> <span class="na">n8n-worker</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">n8nio/n8n:latest</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">n8n-worker</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">env_file</span><span class="pi">:</span> <span class="s">.env</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">EXECUTIONS_MODE=${EXECUTIONS_MODE}</span> <span class="pi">-</span> <span class="s">QUEUE_BULL_REDIS_HOST=${QUEUE_BULL_REDIS_HOST}</span> <span class="pi">-</span> <span class="s">QUEUE_BULL_REDIS_PORT=${QUEUE_BULL_REDIS_PORT}</span> <span class="pi">-</span> <span class="s">DB_TYPE=${DB_TYPE}</span> <span class="pi">-</span> <span class="s">DB_POSTGRESDB_HOST=${DB_POSTGRESDB_HOST}</span> <span class="pi">-</span> <span class="s">DB_POSTGRESDB_PORT=${DB_POSTGRESDB_PORT}</span> <span class="pi">-</span> <span class="s">DB_POSTGRESDB_DATABASE=${DB_POSTGRESDB_DATABASE}</span> <span class="pi">-</span> <span class="s">DB_POSTGRESDB_USER=${DB_POSTGRESDB_USER}</span> <span class="pi">-</span> <span class="s">DB_POSTGRESDB_PASSWORD=${DB_POSTGRESDB_PASSWORD}</span> <span class="na">command</span><span class="pi">:</span> <span class="s">worker</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">postgres</span> <span class="pi">-</span> <span class="s">redis</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">n8n-network</span> <span class="na">caddy</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">caddy:2-alpine</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">n8n-caddy</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">80:80"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">443:443"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">443:443/udp"</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./Caddyfile:/etc/caddy/Caddyfile</span> <span class="pi">-</span> <span class="s">./data/caddy:/data</span> <span class="pi">-</span> <span class="s">./data/caddy:/config</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">n8n</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">n8n-network</span> <span class="na">networks</span><span class="pi">:</span> <span class="na">n8n-network</span><span class="pi">:</span> <span class="na">driver</span><span class="pi">:</span> <span class="s">bridge</span> </code></pre> </div> <h3> Why use queue mode from the start? </h3> <p>n8n can run workflows in two ways:</p> <ul> <li> <strong>Direct mode (default)</strong>: the main container handles everything. If a workflow takes too long, it blocks subsequent executions.</li> <li> <strong>Queue mode</strong>: jobs are queued in Redis and processed by independent workers. You can have multiple workers, scale horizontally, and heavy executions won't affect the main container.</li> </ul> <p>With the <code>docker-compose.yml</code> above, <strong>queue mode</strong> is active from the first <code>docker compose up</code>.</p> <h2> 7. Create the Caddyfile </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>nano /opt/n8n/Caddyfile </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">n8n.yourdomain.com</span> <span class="p">{</span> <span class="kn">reverse_proxy</span> <span class="nf">n8n</span><span class="p">:</span><span class="mi">5678</span> <span class="err">}</span> </code></pre> </div> <p>Caddy will automatically obtain an SSL certificate from Let's Encrypt and renew it without manual intervention.</p> <h2> 8. Configure the Firewall (UFW) </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>ufw default deny incoming <span class="nb">sudo </span>ufw default allow outgoing <span class="nb">sudo </span>ufw allow ssh <span class="nb">sudo </span>ufw allow 80/tcp <span class="nb">sudo </span>ufw allow 443/tcp <span class="nb">sudo </span>ufw <span class="nt">--force</span> <span class="nb">enable sudo </span>ufw status verbose </code></pre> </div> <h2> 9. Start the Stack </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd</span> /opt/n8n docker compose up <span class="nt">-d</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk4qujzsoo055a0nwdznl.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk4qujzsoo055a0nwdznl.png" alt="docker compose up" width="800" height="205"></a></p> <p>Verify all services are running:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker compose ps </code></pre> </div> <p>You should see something like:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjs1ywb9qaay1mbv767mw.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjs1ywb9qaay1mbv767mw.png" alt="docker compose ps" width="800" height="141"></a></p> <p>Check the worker logs to confirm it's picking up jobs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker compose logs <span class="nt">-f</span> n8n-worker </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp7occsdrzmbqil80noe7.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp7occsdrzmbqil80noe7.png" alt="docker compose logs" width="800" height="185"></a></p> <h2> 10. Access n8n and Initial Setup </h2> <p>Open your browser at <code>https://n8n.yourdomain.com</code>. You'll see the registration screen. Create your admin account:</p> <ul> <li> <strong>Email</strong>: your email</li> <li> <strong>Full name</strong>: your name</li> <li> <strong>Password</strong>: a strong password</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0yy6o43wzo0a90ji4x55.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0yy6o43wzo0a90ji4x55.png" alt="n8n dashboard" width="800" height="509"></a></p> <p>You're ready to start creating workflows. All workflows will run through the worker.</p> <h2> 11. Scale Workers </h2> <p>If your workflows grow, scaling is as simple as adding more replicas of the <code>n8n-worker</code> service:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker compose up <span class="nt">-d</span> <span class="nt">--scale</span> n8n-worker<span class="o">=</span>3 </code></pre> </div> <p>Each additional worker picks up jobs from the same Redis queue. No other changes needed.</p> <h2> 13. Production Best Practices </h2> <ul> <li> <strong>Use a fixed tag</strong>: Instead of <code>n8nio/n8n:latest</code>, use a specific version like <code>n8nio/n8n:1.80.3</code> to avoid surprises from updates.</li> <li> <strong>Monitoring</strong>: n8n exposes Prometheus metrics at <code>/metrics</code>. You can integrate them with a monitoring stack.</li> <li> <strong>Regular backups</strong>: Schedule a cron job to back up the <code>data/postgres</code>, <code>data/redis</code>, <code>data/n8n</code>, and <code>data/caddy</code> directories. Since they're bind mounts, you can copy them directly with <code>rsync</code> or <code>tar</code>.</li> <li> <strong>Security</strong>: Don't expose port 5678 directly. Caddy handles the proxy. If you need local access, use a VPN or SSH tunnels.</li> <li> <strong>Execution pruning</strong>: The <code>EXECUTIONS_DATA_PRUNE=true</code> and <code>EXECUTIONS_DATA_MAX_AGE=168</code> variables automatically delete old executions after 7 days.</li> </ul> <h2> Conclusion </h2> <p>You now have n8n running in production on Ubuntu with PostgreSQL as a persistent database, Redis as the queue manager, dedicated workers, automatic SSL with Caddy, and a structure ready to scale. All running under a dedicated system user — not root.</p> <p>This queue-mode setup is the same one we use in real-world environments to automate client processes that require high availability and predictable performance, from notifications and CRMs to complex integrations with external APIs.</p> <p>If you work with networks or visual infrastructure documentation, you can use <a href="https://savnet.co" rel="noopener noreferrer">Savnet</a> to design diagrams for your deployed workflows. And if you need to continuously validate or test automations, <a href="https://savfalconeye.com" rel="noopener noreferrer">SavFalconEye</a> helps maintain confidence in every deployment.</p> <p><em>Any questions? Drop them in the comments.</em></p> automation devops docker tutorial Cómo instalar n8n en un servidor Ubuntu (listo para produción) Oscar Ricardo Sánche Gutierréz Wed, 29 Apr 2026 19:37:49 +0000 https://dev.to/oscar_ricardosncheguti/como-instalar-n8n-en-un-servidor-ubuntu-produccion-lista-2kf2 https://dev.to/oscar_ricardosncheguti/como-instalar-n8n-en-un-servidor-ubuntu-produccion-lista-2kf2 <p><strong>n8n</strong> es una plataforma de automatización de flujos de trabajo de código abierto. Permite conectar servicios, APIs y bases de datos mediante un editor visual sin necesidad de escribir cientos de líneas de código, aunque sí permite ejecutar JavaScript o Python cuando se necesita lógica personalizada.</p> <p>En esta guía vas a desplegar n8n en un servidor Ubuntu usando Docker Compose, con PostgreSQL como base de datos, Redis como gestor de colas, workers dedicados para ejecución en segundo plano, Caddy como proxy inverso con SSL automático, y buenas prácticas para un entorno de producción.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2jcski3per0yk3fxvljz.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2jcski3per0yk3fxvljz.png" alt="Architecture" width="800" height="408"></a></p> <blockquote> <p>Diagrama realizado con <a href="https://savnet.co" rel="noopener noreferrer">https://savnet.co</a></p> </blockquote> <h2> Prerrequisitos </h2> <ul> <li>Un servidor con <strong>Ubuntu 22.04 o 24.04</strong> (1 vCPU, 2 GB RAM mínimo; 2 vCPU, 4 GB RAM recomendado)</li> <li>Acceso <strong>root</strong> para la configuración inicial</li> <li>Un <strong>dominio o subdominio</strong> apuntando (registro A) a la IP del servidor</li> <li>Puertos <strong>80</strong> y <strong>443</strong> abiertos en el firewall</li> <li>Conocimientos básicos de línea de comandos</li> </ul> <blockquote> <p><strong>¿Aún no tienes servidor?</strong><br><br> Si buscas economía y buen rendimiento, DigitalOcean es una opción sólida. Puedes empezar con este enlace de referido:<br><br> <a href="https://m.do.co/c/2c579acd7121" rel="noopener noreferrer">https://m.do.co/c/2c579acd7121</a></p> </blockquote> <h2> 1. Conexión inicial y actualización del sistema </h2> <p>Conéctate vía SSH como root y actualiza los paquetes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ssh root@tu-servidor apt update <span class="o">&amp;&amp;</span> apt upgrade <span class="nt">-y</span> </code></pre> </div> <h2> 2. Crear usuario administrador dedicado </h2> <p>Vamos a crear un usuario <code>n8n</code> con permisos sudo. A partir de este punto, todo el trabajo se hará con este usuario, no con root.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Crear el usuario</span> adduser <span class="nt">--gecos</span> <span class="s2">""</span> n8n <span class="c"># Agregarlo al grupo sudo</span> usermod <span class="nt">-aG</span> <span class="nb">sudo </span>n8n <span class="c"># Verificar</span> <span class="nb">id </span>n8n </code></pre> </div> <p>Antes de cerrar la sesión, copia tu clave pública de root al nuevo usuario para poder conectarte directamente como <code>n8n</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Copiar la llave autorizada para conexión SSH de root a n8n</span> <span class="nb">mkdir</span> <span class="nt">-p</span> /home/n8n/.ssh <span class="nb">cp</span> ~/.ssh/authorized_keys /home/n8n/.ssh/authorized_keys <span class="nb">chown</span> <span class="nt">-R</span> n8n:n8n /home/n8n/.ssh <span class="nb">chmod </span>700 /home/n8n/.ssh <span class="nb">chmod </span>600 /home/n8n/.ssh/authorized_keys </code></pre> </div> <p>Ahora cierra sesión y reconéctate como <code>n8n</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">exit </span>ssh n8n@tu-servidor </code></pre> </div> <blockquote> <p><strong>¿Por qué un usuario dedicado?</strong><br><br> Porque ejecutar servicios directamente con root es una mala práctica de seguridad. Si alguien compromete el proceso de n8n, tendría acceso total al servidor. Con un usuario dedicado, el daño queda acotado.</p> </blockquote> <h2> 3. Instalar Docker y Docker Compose </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Paquetes necesarios</span> <span class="nb">sudo </span>apt <span class="nb">install</span> <span class="nt">-y</span> ca-certificates curl gnupg <span class="c"># Agregar clave GPG oficial de Docker</span> <span class="nb">sudo install</span> <span class="nt">-m</span> 0755 <span class="nt">-d</span> /etc/apt/keyrings curl <span class="nt">-fsSL</span> https://download.docker.com/linux/ubuntu/gpg | <span class="nb">sudo </span>gpg <span class="nt">--dearmor</span> <span class="nt">-o</span> /etc/apt/keyrings/docker.gpg <span class="nb">sudo chmod </span>a+r /etc/apt/keyrings/docker.gpg <span class="c"># Agregar repositorio</span> <span class="nb">echo</span> <span class="s2">"deb [arch=</span><span class="si">$(</span>dpkg <span class="nt">--print-architecture</span><span class="si">)</span><span class="s2"> signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu </span><span class="si">$(</span><span class="nb">.</span> /etc/os-release <span class="o">&amp;&amp;</span> <span class="nb">echo</span> <span class="s2">"</span><span class="nv">$VERSION_CODENAME</span><span class="s2">"</span><span class="si">)</span><span class="s2"> stable"</span> | <span class="nb">sudo tee</span> /etc/apt/sources.list.d/docker.list <span class="o">&gt;</span> /dev/null <span class="c"># Instalar Docker Engine y Compose plugin</span> <span class="nb">sudo </span>apt update <span class="nb">sudo </span>apt <span class="nb">install</span> <span class="nt">-y</span> docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin <span class="c"># Agregar tu usuario al grupo docker (para no usar sudo con cada comando)</span> <span class="nb">sudo </span>usermod <span class="nt">-aG</span> docker <span class="nv">$USER</span> <span class="c"># Verificar</span> docker <span class="nt">--version</span> docker compose version <span class="c"># Reingresar para hacer efectivos los cambios de grupo</span> <span class="nb">sudo </span>init 6 ssh n8n@tu-servidor </code></pre> </div> <h2> 4. Crear estructura de directorios </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo mkdir</span> <span class="nt">-p</span> /opt/n8n/<span class="o">{</span>data/postgres,data/redis,data/n8n,data/caddy,backups<span class="o">}</span> <span class="nb">sudo chown</span> <span class="nt">-R</span> <span class="nv">$USER</span>:<span class="nv">$USER</span> /opt/n8n/data/<span class="o">{</span>postgres,redis,data/caddy,backups<span class="o">}</span> <span class="c"># El directorio data/n8n debe pertenecer al UID 1000 (usuario 'node' dentro del contenedor)</span> <span class="nb">sudo chown</span> <span class="nt">-R</span> 1000:1000 /opt/n8n/data/n8n <span class="nb">cd</span> /opt/n8n </code></pre> </div> <h2> 5. Configurar variables de entorno </h2> <p>Crea un archivo <code>.env</code> para almacenar la configuración sensible:</p> <p><strong>Tips antes de empezar:</strong></p> <ul> <li> <strong>Asegúrate de que tu dominio apunte al servidor.</strong> Antes de continuar, ve a tu proveedor de DNS y agrega un registro A con la IP de tu servidor. Caddy necesita resolver el dominio para obtener el certificado SSL.</li> <li> <strong>Genera una contraseña segura para PostgreSQL</strong> y una <strong>encryption key</strong> para n8n con estos comandos: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> openssl rand <span class="nt">-base64</span> 24 <span class="c"># Para POSTGRES_PASSWORD</span> openssl rand <span class="nt">-hex</span> 20 <span class="c"># Para N8N_ENCRYPTION_KEY</span> </code></pre> </div> <p>Guarda los valores para el <code>.env</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>nano /opt/n8n/.env </code></pre> </div> <p>Contenido:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Dominio N8N_DOMAIN=n8n.tudominio.com # PostgreSQL POSTGRES_USER=n8n POSTGRES_PASSWORD=password_seguro_postgres POSTGRES_DB=n8n # n8n DB_TYPE=postgresdb DB_POSTGRESDB_HOST=postgres DB_POSTGRESDB_PORT=5432 DB_POSTGRESDB_DATABASE=n8n DB_POSTGRESDB_USER=n8n DB_POSTGRESDB_PASSWORD=password_seguro_postgres N8N_ENCRYPTION_KEY=encryption_key_seguro N8N_HOST=${N8N_DOMAIN} N8N_PROTOCOL=https WEBHOOK_URL=https://${N8N_DOMAIN}/ N8N_PORT=5678 # Queue mode (Redis) EXECUTIONS_MODE=queue QUEUE_BULL_REDIS_HOST=redis QUEUE_BULL_REDIS_PORT=6379 </code></pre> </div> <p>Protege el archivo:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">chmod </span>600 /opt/n8n/.env </code></pre> </div> <h2> 6. Crear el archivo docker-compose.yml </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>nano /opt/n8n/docker-compose.yml </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">services</span><span class="pi">:</span> <span class="na">postgres</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">postgres:16-alpine</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">n8n-postgres</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">env_file</span><span class="pi">:</span> <span class="s">.env</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">POSTGRES_USER=${POSTGRES_USER}</span> <span class="pi">-</span> <span class="s">POSTGRES_PASSWORD=${POSTGRES_PASSWORD}</span> <span class="pi">-</span> <span class="s">POSTGRES_DB=${POSTGRES_DB}</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./data/postgres:/var/lib/postgresql/data</span> <span class="na">healthcheck</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">CMD-SHELL"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">pg_isready</span><span class="nv"> </span><span class="s">-U</span><span class="nv"> </span><span class="s">${POSTGRES_USER}</span><span class="nv"> </span><span class="s">-d</span><span class="nv"> </span><span class="s">${POSTGRES_DB}"</span><span class="pi">]</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">10s</span> <span class="na">timeout</span><span class="pi">:</span> <span class="s">5s</span> <span class="na">retries</span><span class="pi">:</span> <span class="m">5</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">n8n-network</span> <span class="na">redis</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">redis:7-alpine</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">n8n-redis</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./data/redis:/data</span> <span class="na">healthcheck</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">CMD"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">redis-cli"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">ping"</span><span class="pi">]</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">10s</span> <span class="na">timeout</span><span class="pi">:</span> <span class="s">5s</span> <span class="na">retries</span><span class="pi">:</span> <span class="m">5</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">n8n-network</span> <span class="na">n8n</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">n8nio/n8n:latest</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">n8n-app</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">env_file</span><span class="pi">:</span> <span class="s">.env</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">DB_TYPE=${DB_TYPE}</span> <span class="pi">-</span> <span class="s">DB_POSTGRESDB_HOST=${DB_POSTGRESDB_HOST}</span> <span class="pi">-</span> <span class="s">DB_POSTGRESDB_PORT=${DB_POSTGRESDB_PORT}</span> <span class="pi">-</span> <span class="s">DB_POSTGRESDB_DATABASE=${DB_POSTGRESDB_DATABASE}</span> <span class="pi">-</span> <span class="s">DB_POSTGRESDB_USER=${DB_POSTGRESDB_USER}</span> <span class="pi">-</span> <span class="s">DB_POSTGRESDB_PASSWORD=${DB_POSTGRESDB_PASSWORD}</span> <span class="pi">-</span> <span class="s">N8N_ENCRYPTION_KEY=${N8N_ENCRYPTION_KEY}</span> <span class="pi">-</span> <span class="s">N8N_HOST=${N8N_HOST}</span> <span class="pi">-</span> <span class="s">N8N_PROTOCOL=${N8N_PROTOCOL}</span> <span class="pi">-</span> <span class="s">WEBHOOK_URL=${WEBHOOK_URL}</span> <span class="pi">-</span> <span class="s">N8N_PORT=${N8N_PORT}</span> <span class="pi">-</span> <span class="s">N8N_METRICS=true</span> <span class="pi">-</span> <span class="s">EXECUTIONS_DATA_PRUNE=true</span> <span class="pi">-</span> <span class="s">EXECUTIONS_DATA_MAX_AGE=168</span> <span class="pi">-</span> <span class="s">EXECUTIONS_MODE=${EXECUTIONS_MODE}</span> <span class="pi">-</span> <span class="s">QUEUE_BULL_REDIS_HOST=${QUEUE_BULL_REDIS_HOST}</span> <span class="pi">-</span> <span class="s">QUEUE_BULL_REDIS_PORT=${QUEUE_BULL_REDIS_PORT}</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./data/n8n:/home/node/.n8n</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="na">postgres</span><span class="pi">:</span> <span class="na">condition</span><span class="pi">:</span> <span class="s">service_healthy</span> <span class="na">redis</span><span class="pi">:</span> <span class="na">condition</span><span class="pi">:</span> <span class="s">service_healthy</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">n8n-network</span> <span class="na">n8n-worker</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">n8nio/n8n:latest</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">n8n-worker</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">env_file</span><span class="pi">:</span> <span class="s">.env</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">EXECUTIONS_MODE=${EXECUTIONS_MODE}</span> <span class="pi">-</span> <span class="s">QUEUE_BULL_REDIS_HOST=${QUEUE_BULL_REDIS_HOST}</span> <span class="pi">-</span> <span class="s">QUEUE_BULL_REDIS_PORT=${QUEUE_BULL_REDIS_PORT}</span> <span class="pi">-</span> <span class="s">DB_TYPE=${DB_TYPE}</span> <span class="pi">-</span> <span class="s">DB_POSTGRESDB_HOST=${DB_POSTGRESDB_HOST}</span> <span class="pi">-</span> <span class="s">DB_POSTGRESDB_PORT=${DB_POSTGRESDB_PORT}</span> <span class="pi">-</span> <span class="s">DB_POSTGRESDB_DATABASE=${DB_POSTGRESDB_DATABASE}</span> <span class="pi">-</span> <span class="s">DB_POSTGRESDB_USER=${DB_POSTGRESDB_USER}</span> <span class="pi">-</span> <span class="s">DB_POSTGRESDB_PASSWORD=${DB_POSTGRESDB_PASSWORD}</span> <span class="na">command</span><span class="pi">:</span> <span class="s">worker</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">postgres</span> <span class="pi">-</span> <span class="s">redis</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">n8n-network</span> <span class="na">caddy</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">caddy:2-alpine</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">n8n-caddy</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">80:80"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">443:443"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">443:443/udp"</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./Caddyfile:/etc/caddy/Caddyfile</span> <span class="pi">-</span> <span class="s">./data/caddy:/data</span> <span class="pi">-</span> <span class="s">./data/caddy:/config</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">n8n</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">n8n-network</span> <span class="na">networks</span><span class="pi">:</span> <span class="na">n8n-network</span><span class="pi">:</span> <span class="na">driver</span><span class="pi">:</span> <span class="s">bridge</span> </code></pre> </div> <h3> ¿Por qué usar queue mode desde el inicio? </h3> <p>n8n puede ejecutar workflows de dos formas:</p> <ul> <li> <strong>Modo directo (default)</strong>: el contenedor principal ejecuta todo. Si un workflow tarda mucho, bloquea las ejecuciones siguientes.</li> <li> <strong>Modo queue</strong>: los trabajos se encolan en Redis y los procesan workers independientes. Puedes tener varios workers, escalarlos horizontalmente y las ejecuciones pesadas no afectan al contenedor principal.</li> </ul> <p>Con el <code>docker-compose.yml</code> de arriba, ya tienes el <strong>modo queue</strong> activo desde el primer <code>docker compose up</code>.</p> <h2> 7. Crear el Caddyfile </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>nano /opt/n8n/Caddyfile </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">n8n.tudominio.com</span> <span class="p">{</span> <span class="kn">reverse_proxy</span> <span class="nf">n8n</span><span class="p">:</span><span class="mi">5678</span> <span class="err">}</span> </code></pre> </div> <p>Caddy obtendrá automáticamente un certificado SSL de Let's Encrypt y lo renovará sin intervención manual.</p> <h2> 8. Configurar el firewall (UFW) </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>ufw default deny incoming <span class="nb">sudo </span>ufw default allow outgoing <span class="nb">sudo </span>ufw allow ssh <span class="nb">sudo </span>ufw allow 80/tcp <span class="nb">sudo </span>ufw allow 443/tcp <span class="nb">sudo </span>ufw <span class="nt">--force</span> <span class="nb">enable sudo </span>ufw status verbose </code></pre> </div> <h2> 9. Iniciar el stack </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd</span> /opt/n8n docker compose up <span class="nt">-d</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fft797n4jw64ewu3qygpv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fft797n4jw64ewu3qygpv.png" alt="docker compose up" width="800" height="205"></a></p> <p>Verifica que todos los servicios estén funcionando:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker compose ps </code></pre> </div> <p>Deberías ver algo como:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy3dbbnhb0g0o9emp34yl.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy3dbbnhb0g0o9emp34yl.png" alt="docker compose ps" width="800" height="141"></a></p> <p>Revisa los logs del worker para confirmar que está recibiendo trabajos:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker compose logs <span class="nt">-f</span> n8n-worker </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F10eao0spef7vkhriy5nr.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F10eao0spef7vkhriy5nr.png" alt="docker compose logs" width="800" height="185"></a></p> <h2> 10. Acceder a n8n y configuración inicial </h2> <p>Abre tu navegador en <code>https://n8n.tudominio.com</code>. Verás la pantalla de registro. Crea tu cuenta de administrador:</p> <ul> <li> <strong>Email</strong>: tu correo</li> <li> <strong>Nombre</strong>: tu nombre</li> <li> <strong>Contraseña</strong>: una contraseña segura</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsycmilrj8gvbl6otw4ra.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsycmilrj8gvbl6otw4ra.png" alt="N8n Dashboard" width="800" height="509"></a></p> <p>Ya puedes empezar a crear flujos de trabajo. Todos los workflows se ejecutarán a través del worker.</p> <h2> 11. Escalar workers </h2> <p>Si tus workflows crecen, escalar es tan simple como agregar más réplicas del servicio <code>n8n-worker</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker compose up <span class="nt">-d</span> <span class="nt">--scale</span> n8n-worker<span class="o">=</span>3 </code></pre> </div> <p>Cada worker adicional toma trabajos de la misma cola en Redis. No necesitas cambiar nada más.</p> <h2> 13. Buenas prácticas en producción </h2> <ul> <li> <strong>Usa etiqueta fija</strong>: En lugar de <code>n8nio/n8n:latest</code>, usa una versión específica como <code>n8nio/n8n:1.80.3</code> para evitar sorpresas con actualizaciones.</li> <li> <strong>Monitoreo</strong>: n8n expone métricas Prometheus en <code>/metrics</code>. Puedes integrarlas con un stack de monitoreo.</li> <li> <strong>Backups periódicos</strong>: Programa un cron para respaldar los directorios <code>data/postgres</code>, <code>data/redis</code>, <code>data/n8n</code> y <code>data/caddy</code>. Al estar en bind mounts, puedes copiarlos directamente con <code>rsync</code> o <code>tar</code>.</li> <li> <strong>Seguridad</strong>: No expongas el puerto 5678 directamente. Caddy ya se encarga del proxy. Si necesitas acceso local, usa una VPN o túneles SSH.</li> <li> <strong>Limpieza de ejecuciones</strong>: Las variables <code>EXECUTIONS_DATA_PRUNE=true</code> y <code>EXECUTIONS_DATA_MAX_AGE=168</code> eliminan automáticamente ejecuciones antiguas después de 7 días.</li> </ul> <h2> Conclusión </h2> <p>Tienes n8n corriendo en producción sobre Ubuntu con PostgreSQL como base de datos persistente, Redis como gestor de colas, workers dedicados, SSL automático con Caddy y una estructura lista para escalar. Y todo ejecutándose bajo un usuario del sistema dedicado, no como root.</p> <p>Este setup con modo queue es el mismo que usamos en entornos reales para automatizar procesos de clientes que requieren alta disponibilidad y rendimiento predecible, desde notificaciones y CRMs hasta integraciones complejas con APIs externas.</p> <p>Si trabajas con redes o documentación visual de infraestructura, puedes usar <a href="https://savnet.co" rel="noopener noreferrer">Savnet</a> para diseñar los diagramas de tus flujos desplegados. Y si necesitas validar o testear automatizaciones de forma continua, <a href="https://savfalconeye.com" rel="noopener noreferrer">SavFalconEye</a> te ayuda a mantener la confianza en cada despliegue.</p> <p><em>¿Te quedó alguna duda? Déjala en los comentarios.</em></p> automation docker spanish tutorial How to Secure a System with mTLS Certificates (Mutual TLS) Oscar Ricardo Sánche Gutierréz Thu, 23 Apr 2026 19:12:06 +0000 https://dev.to/oscar_ricardosncheguti/how-to-secure-a-system-with-mtls-certificates-mutual-tls-3i39 https://dev.to/oscar_ricardosncheguti/how-to-secure-a-system-with-mtls-certificates-mutual-tls-3i39 <p>In the world of modern application security, <strong>mTLS (Mutual TLS)</strong> has become a fundamental standard for protecting communications between services. Unlike traditional TLS where only the server authenticates, mTLS requires <strong>both parties</strong> (client and server) to present valid certificates, creating a much more robust security layer.</p> <p>In this article, I'll show you how to implement mTLS step by step, from certificate generation to configuration in real-world applications.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk81u77ng50omdbsfxaew.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk81u77ng50omdbsfxaew.gif" alt="Architecture savnet.co" width="700" height="394"></a></p> <blockquote> <p>Diagram created with <a href="https://savnet.co" rel="noopener noreferrer">https://savnet.co</a></p> </blockquote> <h2> What is mTLS and Why Does It Matter? </h2> <p><strong>mTLS (Mutual TLS)</strong> is an extension of the standard TLS protocol that adds mutual authentication. While in traditional TLS only the server presents a certificate, in mTLS both the client and the server must authenticate each other.</p> <h3> Key Benefits: </h3> <ol> <li> <strong>Strong authentication</strong>: Both ends of the communication are verified</li> <li> <strong>MITM attack prevention</strong>: Makes man-in-the-middle attacks significantly harder</li> <li> <strong>Zero Trust</strong>: Aligns perfectly with Zero Trust architectures</li> <li> <strong>Microservices security</strong>: Ideal for service-to-service communications</li> </ol> <h3> Common Use Cases: </h3> <ul> <li>Internal APIs between microservices</li> <li>Service-to-service communication in Kubernetes</li> <li>Payment system connections</li> <li>Secure B2B communications</li> <li>Sensitive API access</li> </ul> <h2> Step 1: Set Up the Environment </h2> <p>For this tutorial, we'll work on an <strong>Ubuntu server</strong> that will act as our certificate generator and Certificate Authority (CA). We only need a small server with <strong>512MB RAM and 1 CPU</strong>, enough to generate and manage certificates.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz5t6eevvmvyxovubsahf.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz5t6eevvmvyxovubsahf.png" alt="New server" width="800" height="546"></a></p> <p>We'll need some basic tools:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Update system</span> <span class="nb">sudo </span>apt update <span class="o">&amp;&amp;</span> <span class="nb">sudo </span>apt upgrade <span class="nt">-y</span> <span class="c"># Install OpenSSL (if not already installed)</span> <span class="nb">sudo </span>apt <span class="nb">install</span> <span class="nt">-y</span> openssl curl wget <span class="c"># Verify OpenSSL version</span> openssl version </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6l2pfa6l6g9yvk3n9ok5.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6l2pfa6l6g9yvk3n9ok5.png" alt="Version OpenSsl" width="800" height="236"></a></p> <p>For other operating systems, make sure OpenSSL is installed.</p> <h2> Step 2: Create the Certificate Authority (CA) </h2> <p>The CA is the entity that will issue and sign all our certificates. Let's create a private CA.</p> <h3> 2.1 Create working directory </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir</span> <span class="nt">-p</span> ~/mtls-ca <span class="nb">cd</span> ~/mtls-ca <span class="nb">mkdir</span> <span class="nt">-p</span> ca/private ca/certs ca/newcerts <span class="nb">mkdir</span> <span class="nt">-p</span> server/private server/certs <span class="nb">mkdir</span> <span class="nt">-p</span> client/private client/certs <span class="c"># Set secure permissions</span> <span class="nb">chmod </span>700 ca/private server/private client/private </code></pre> </div> <h3> 2.2 Generate CA private key and certificate </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Generate CA private key (password-protected)</span> openssl genrsa <span class="nt">-aes256</span> <span class="nt">-out</span> ca/private/ca.key 4096 <span class="c"># Generate self-signed CA certificate</span> openssl req <span class="nt">-new</span> <span class="nt">-x509</span> <span class="nt">-days</span> 7300 <span class="nt">-sha256</span> <span class="se">\</span> <span class="nt">-key</span> ca/private/ca.key <span class="se">\</span> <span class="nt">-out</span> ca/certs/ca.crt <span class="se">\</span> <span class="nt">-subj</span> <span class="s2">"/C=US/ST=California/L=San Francisco/O=MyCompany/OU=IT/CN=MyCA-Root/emailAddress=admin@mycompany.com"</span> </code></pre> </div> <p><strong>Explanation of the -subj parameter</strong>:</p> <ul> <li> <code>/C=US</code>: Country code (2 letters)</li> <li> <code>/ST=California</code>: State or province</li> <li> <code>/L=San Francisco</code>: Locality or city</li> <li> <code>/O=MyCompany</code>: Your organization name</li> <li> <code>/OU=IT</code>: Organizational unit</li> <li> <code>/CN=MyCA-Root</code>: Common name of the CA</li> <li> <code>/emailAddress=admin@mycompany.com</code>: Contact email</li> </ul> <p><strong>Customize these values</strong> with your actual information.</p> <p>During the process you'll be prompted for:</p> <ul> <li>A password for the private key (store it in a safe place)</li> </ul> <h3> 2.3 Verify the CA certificate </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>openssl x509 <span class="nt">-in</span> ca/certs/ca.crt <span class="nt">-text</span> <span class="nt">-noout</span> </code></pre> </div> <p>You should see detailed information about your CA, including:</p> <ul> <li>Issuer: Your own CA</li> <li>Validity: 20 years (7300 days)</li> <li>Key usage: Certifying other keys</li> </ul> <h2> Step 3: Generate Server Certificates </h2> <p>Now let's create certificates for our server.</p> <h3> 3.1 Create server private key and CSR </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd</span> ~/mtls-ca <span class="c"># Generate server private key</span> openssl genrsa <span class="nt">-out</span> server/private/server.key 2048 <span class="c"># Create Certificate Signing Request (CSR)</span> openssl req <span class="nt">-new</span> <span class="nt">-sha256</span> <span class="se">\</span> <span class="nt">-key</span> server/private/server.key <span class="se">\</span> <span class="nt">-out</span> server/server.csr <span class="se">\</span> <span class="nt">-subj</span> <span class="s2">"/C=US/ST=California/L=San Francisco/O=MyCompany/OU=Web/CN={YOUR DOMAIN OR IP WHERE YOUR WEB APP RUNS}"</span> </code></pre> </div> <p><strong>Customize the -subj parameter</strong>:</p> <ul> <li> <code>/C=US</code>: Your country code</li> <li> <code>/ST=California</code>: Your state or province</li> <li> <code>/L=San Francisco</code>: Your locality or city</li> <li> <code>/O=MyCompany</code>: Your organization</li> <li> <code>/OU=Web</code>: Organizational unit (e.g., Web, API, etc.)</li> <li> <code>/CN=api.mydomain.com</code>: <strong>IMPORTANT</strong>: Your server's domain or IP</li> </ul> <h3> 3.2 Sign the server certificate with the CA </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Sign the server certificate</span> openssl x509 <span class="nt">-req</span> <span class="nt">-days</span> 365 <span class="nt">-sha256</span> <span class="se">\</span> <span class="nt">-in</span> server/server.csr <span class="se">\</span> <span class="nt">-CA</span> ca/certs/ca.crt <span class="se">\</span> <span class="nt">-CAkey</span> ca/private/ca.key <span class="se">\</span> <span class="nt">-CAcreateserial</span> <span class="se">\</span> <span class="nt">-out</span> server/certs/server.crt <span class="se">\</span> <span class="nt">-extfile</span> &lt;<span class="o">(</span><span class="nb">echo</span> <span class="nt">-e</span> <span class="s2">"basicConstraints=CA:FALSE</span><span class="se">\n</span><span class="s2">keyUsage=digitalSignature,keyEncipherment</span><span class="se">\n</span><span class="s2">extendedKeyUsage=serverAuth"</span><span class="o">)</span> <span class="c"># Verify the signed certificate</span> openssl x509 <span class="nt">-in</span> server/certs/server.crt <span class="nt">-text</span> <span class="nt">-noout</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F735blwhhzixttonlojc8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F735blwhhzixttonlojc8.png" alt="Verificate server certificate" width="800" height="293"></a></p> <h3> 3.3 Create certificate chain file </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create certificate chain for the server</span> <span class="nb">cat </span>server/certs/server.crt ca/certs/ca.crt <span class="o">&gt;</span> server/certs/server-chain.crt </code></pre> </div> <h2> Step 4: Generate Client Certificates </h2> <p>Let's repeat the process for the client.</p> <h3> 4.1 Create client private key and CSR </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Generate client private key</span> openssl genrsa <span class="nt">-out</span> client/private/client.key 2048 <span class="c"># Create CSR for the client</span> openssl req <span class="nt">-new</span> <span class="nt">-sha256</span> <span class="se">\</span> <span class="nt">-key</span> client/private/client.key <span class="se">\</span> <span class="nt">-out</span> client/client.csr <span class="se">\</span> <span class="nt">-subj</span> <span class="s2">"/C=US/ST=California/L=San Francisco/O=MyCompany/OU=Clients/CN=app-client-01"</span> </code></pre> </div> <p><strong>Customize the -subj parameter</strong>:</p> <ul> <li> <code>/C=US</code>: Your country code</li> <li> <code>/ST=California</code>: Your state or province</li> <li> <code>/L=San Francisco</code>: Your locality or city</li> <li> <code>/O=MyCompany</code>: Your organization</li> <li> <code>/OU=Clients</code>: Organizational unit (e.g., Clients, Apps, etc.)</li> <li> <code>/CN=app-client-01</code>: <strong>IMPORTANT</strong>: Unique client identifier</li> </ul> <h3> 4.2 Sign the client certificate </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Sign the client certificate</span> openssl x509 <span class="nt">-req</span> <span class="nt">-days</span> 365 <span class="nt">-sha256</span> <span class="se">\</span> <span class="nt">-in</span> client/client.csr <span class="se">\</span> <span class="nt">-CA</span> ca/certs/ca.crt <span class="se">\</span> <span class="nt">-CAkey</span> ca/private/ca.key <span class="se">\</span> <span class="nt">-CAcreateserial</span> <span class="se">\</span> <span class="nt">-out</span> client/certs/client.crt <span class="se">\</span> <span class="nt">-extfile</span> &lt;<span class="o">(</span><span class="nb">echo</span> <span class="nt">-e</span> <span class="s2">"basicConstraints=CA:FALSE</span><span class="se">\n</span><span class="s2">keyUsage=digitalSignature</span><span class="se">\n</span><span class="s2">extendedKeyUsage=clientAuth"</span><span class="o">)</span> <span class="c"># Verify the client certificate</span> openssl x509 <span class="nt">-in</span> client/certs/client.crt <span class="nt">-text</span> <span class="nt">-noout</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxjvfebwc5rcs8sk3z9v2.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxjvfebwc5rcs8sk3z9v2.png" alt="Verificate client certificate" width="800" height="176"></a></p> <h3> 4.3 Create PKCS#12 file for the client </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create PKCS#12 (p12/pfx) file for easy import</span> openssl pkcs12 <span class="nt">-export</span> <span class="se">\</span> <span class="nt">-inkey</span> client/private/client.key <span class="se">\</span> <span class="nt">-in</span> client/certs/client.crt <span class="se">\</span> <span class="nt">-certfile</span> ca/certs/ca.crt <span class="se">\</span> <span class="nt">-out</span> client/certs/client.p12 </code></pre> </div> <h2> Step 5: Deploy a "Hello World" with Docker Compose and mTLS </h2> <p>Let's create a simple example using <strong>Docker Compose</strong> with an Nginx server that responds "Hello World" and is protected with mTLS. Remember, this web app must be deployed using the same domain or IP used when generating the server keys in step 3.1.</p> <h3> 5.1 Project structure </h3> <p>Create the following directory structure on your server:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir</span> <span class="nt">-p</span> ~/mtls-demo/nginx <span class="nb">cd</span> ~/mtls-demo </code></pre> </div> <h3> 5.2 Copy the generated certificates </h3> <p>Copy the certificates we generated in the previous steps:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create certificate directory in the project</span> <span class="nb">mkdir</span> <span class="nt">-p</span> ~/mtls-demo/certs <span class="c"># Copy server certificates (in our case they're on the same server)</span> <span class="nb">cp</span> ~/mtls-ca/server/certs/server-chain.crt ~/mtls-demo/certs/ <span class="nb">cp</span> ~/mtls-ca/server/private/server.key ~/mtls-demo/certs/ <span class="c"># Copy CA (for client verification)</span> <span class="nb">cp</span> ~/mtls-ca/ca/certs/ca.crt ~/mtls-demo/certs/ </code></pre> </div> <h3> 5.3 Create the HTML page </h3> <p>Create the file <code>~/mtls-demo/nginx/index.html</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html</span> <span class="na">lang=</span><span class="s">"en"</span><span class="nt">&gt;</span> <span class="nt">&lt;head&gt;</span> <span class="nt">&lt;meta</span> <span class="na">charset=</span><span class="s">"UTF-8"</span><span class="nt">&gt;</span> <span class="nt">&lt;meta</span> <span class="na">name=</span><span class="s">"viewport"</span> <span class="na">content=</span><span class="s">"width=device-width, initial-scale=1.0"</span><span class="nt">&gt;</span> <span class="nt">&lt;title&gt;</span>mTLS - Hello World<span class="nt">&lt;/title&gt;</span> <span class="nt">&lt;style&gt;</span> <span class="nt">body</span> <span class="p">{</span> <span class="nl">font-family</span><span class="p">:</span> <span class="s2">'Segoe UI'</span><span class="p">,</span> <span class="n">Tahoma</span><span class="p">,</span> <span class="n">Geneva</span><span class="p">,</span> <span class="n">Verdana</span><span class="p">,</span> <span class="nb">sans-serif</span><span class="p">;</span> <span class="nl">display</span><span class="p">:</span> <span class="n">flex</span><span class="p">;</span> <span class="nl">justify-content</span><span class="p">:</span> <span class="nb">center</span><span class="p">;</span> <span class="nl">align-items</span><span class="p">:</span> <span class="nb">center</span><span class="p">;</span> <span class="nl">height</span><span class="p">:</span> <span class="m">100vh</span><span class="p">;</span> <span class="nl">margin</span><span class="p">:</span> <span class="m">0</span><span class="p">;</span> <span class="nl">background</span><span class="p">:</span> <span class="n">linear-gradient</span><span class="p">(</span><span class="m">135deg</span><span class="p">,</span> <span class="m">#667eea</span> <span class="m">0%</span><span class="p">,</span> <span class="m">#764ba2</span> <span class="m">100%</span><span class="p">);</span> <span class="nl">color</span><span class="p">:</span> <span class="no">white</span><span class="p">;</span> <span class="p">}</span> <span class="nc">.container</span> <span class="p">{</span> <span class="nl">text-align</span><span class="p">:</span> <span class="nb">center</span><span class="p">;</span> <span class="nl">background</span><span class="p">:</span> <span class="n">rgba</span><span class="p">(</span><span class="m">255</span><span class="p">,</span> <span class="m">255</span><span class="p">,</span> <span class="m">255</span><span class="p">,</span> <span class="m">0.1</span><span class="p">);</span> <span class="nl">padding</span><span class="p">:</span> <span class="m">3rem</span><span class="p">;</span> <span class="nl">border-radius</span><span class="p">:</span> <span class="m">20px</span><span class="p">;</span> <span class="py">backdrop-filter</span><span class="p">:</span> <span class="n">blur</span><span class="p">(</span><span class="m">10px</span><span class="p">);</span> <span class="nl">box-shadow</span><span class="p">:</span> <span class="m">0</span> <span class="m">8px</span> <span class="m">32px</span> <span class="n">rgba</span><span class="p">(</span><span class="m">0</span><span class="p">,</span> <span class="m">0</span><span class="p">,</span> <span class="m">0</span><span class="p">,</span> <span class="m">0.1</span><span class="p">);</span> <span class="p">}</span> <span class="nt">h1</span> <span class="p">{</span> <span class="nl">font-size</span><span class="p">:</span> <span class="m">3rem</span><span class="p">;</span> <span class="nl">margin-bottom</span><span class="p">:</span> <span class="m">0.5rem</span><span class="p">;</span> <span class="p">}</span> <span class="nc">.cert-info</span> <span class="p">{</span> <span class="nl">background</span><span class="p">:</span> <span class="n">rgba</span><span class="p">(</span><span class="m">255</span><span class="p">,</span> <span class="m">255</span><span class="p">,</span> <span class="m">255</span><span class="p">,</span> <span class="m">0.15</span><span class="p">);</span> <span class="nl">padding</span><span class="p">:</span> <span class="m">1rem</span><span class="p">;</span> <span class="nl">border-radius</span><span class="p">:</span> <span class="m">10px</span><span class="p">;</span> <span class="nl">margin-top</span><span class="p">:</span> <span class="m">1.5rem</span><span class="p">;</span> <span class="nl">font-size</span><span class="p">:</span> <span class="m">0.9rem</span><span class="p">;</span> <span class="p">}</span> <span class="nc">.badge</span> <span class="p">{</span> <span class="nl">display</span><span class="p">:</span> <span class="n">inline-block</span><span class="p">;</span> <span class="nl">background</span><span class="p">:</span> <span class="m">#4CAF50</span><span class="p">;</span> <span class="nl">color</span><span class="p">:</span> <span class="no">white</span><span class="p">;</span> <span class="nl">padding</span><span class="p">:</span> <span class="m">0.3rem</span> <span class="m">1rem</span><span class="p">;</span> <span class="nl">border-radius</span><span class="p">:</span> <span class="m">20px</span><span class="p">;</span> <span class="nl">font-size</span><span class="p">:</span> <span class="m">0.8rem</span><span class="p">;</span> <span class="nl">margin-top</span><span class="p">:</span> <span class="m">1rem</span><span class="p">;</span> <span class="p">}</span> <span class="nt">&lt;/style&gt;</span> <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"container"</span><span class="nt">&gt;</span> <span class="nt">&lt;h1&gt;</span>🔒 Hello World!<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;p&gt;</span>Secure connection established via <span class="nt">&lt;strong&gt;</span>mTLS<span class="nt">&lt;/strong&gt;&lt;/p&gt;</span> <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"cert-info"</span><span class="nt">&gt;</span> <span class="nt">&lt;p&gt;&lt;strong&gt;</span>Authenticated client:<span class="nt">&lt;/strong&gt;</span> <span class="nt">&lt;span</span> <span class="na">id=</span><span class="s">"client-cn"</span><span class="nt">&gt;</span>---<span class="nt">&lt;/span&gt;&lt;/p&gt;</span> <span class="nt">&lt;p&gt;&lt;strong&gt;</span>Protocol:<span class="nt">&lt;/strong&gt;</span> TLS 1.3<span class="nt">&lt;/p&gt;</span> <span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"badge"</span><span class="nt">&gt;</span>✅ mTLS Enabled<span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> 5.4 Configure Nginx with mTLS </h3> <p>Create the file <code>~/mtls-demo/nginx/default.conf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">server</span> <span class="p">{</span> <span class="kn">listen</span> <span class="mi">8443</span> <span class="s">ssl</span><span class="p">;</span> <span class="kn">server_name</span> <span class="s">localhost</span><span class="p">;</span> <span class="c1"># Server certificates</span> <span class="kn">ssl_certificate</span> <span class="n">/etc/nginx/certs/server-chain.crt</span><span class="p">;</span> <span class="kn">ssl_certificate_key</span> <span class="n">/etc/nginx/certs/server.key</span><span class="p">;</span> <span class="c1"># Modern SSL configuration</span> <span class="kn">ssl_protocols</span> <span class="s">TLSv1.2</span> <span class="s">TLSv1.3</span><span class="p">;</span> <span class="kn">ssl_ciphers</span> <span class="s">HIGH:!aNULL:!MD5</span><span class="p">;</span> <span class="kn">ssl_prefer_server_ciphers</span> <span class="no">off</span><span class="p">;</span> <span class="kn">ssl_session_cache</span> <span class="s">shared:SSL:10m</span><span class="p">;</span> <span class="kn">ssl_session_timeout</span> <span class="mi">10m</span><span class="p">;</span> <span class="c1"># mTLS: verify client</span> <span class="kn">ssl_client_certificate</span> <span class="n">/etc/nginx/certs/ca.crt</span><span class="p">;</span> <span class="kn">ssl_verify_client</span> <span class="no">on</span><span class="p">;</span> <span class="kn">ssl_verify_depth</span> <span class="mi">2</span><span class="p">;</span> <span class="c1"># Document root</span> <span class="kn">root</span> <span class="n">/usr/share/nginx/html</span><span class="p">;</span> <span class="kn">index</span> <span class="s">index.html</span><span class="p">;</span> <span class="kn">location</span> <span class="n">/</span> <span class="p">{</span> <span class="c1"># Reject if client certificate is not valid</span> <span class="kn">if</span> <span class="s">(</span><span class="nv">$ssl_client_verify</span> <span class="s">!=</span> <span class="s">SUCCESS)</span> <span class="p">{</span> <span class="kn">return</span> <span class="mi">403</span> <span class="s">"Access</span> <span class="s">denied:</span> <span class="s">client</span> <span class="s">certificate</span> <span class="s">required</span><span class="err">\</span><span class="s">n"</span><span class="p">;</span> <span class="p">}</span> <span class="c1"># Pass client information to the app</span> <span class="kn">add_header</span> <span class="s">X-Client-CN</span> <span class="nv">$ssl_client_s_dn</span> <span class="s">always</span><span class="p">;</span> <span class="kn">add_header</span> <span class="s">X-Client-Verify</span> <span class="nv">$ssl_client_verify</span> <span class="s">always</span><span class="p">;</span> <span class="kn">try_files</span> <span class="nv">$uri</span> <span class="nv">$uri</span><span class="n">/</span> <span class="p">=</span><span class="mi">404</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> 5.5 Create the Docker Compose file </h3> <p>Create the file <code>~/mtls-demo/docker-compose.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">3.8'</span> <span class="na">services</span><span class="pi">:</span> <span class="na">mtls-server</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nginx:alpine</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">mtls-nginx</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">8443:8443"</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./nginx/default.conf:/etc/nginx/conf.d/default.conf:ro</span> <span class="pi">-</span> <span class="s">./nginx/index.html:/usr/share/nginx/html/index.html:ro</span> <span class="pi">-</span> <span class="s">./certs/server-chain.crt:/etc/nginx/certs/server-chain.crt:ro</span> <span class="pi">-</span> <span class="s">./certs/server.key:/etc/nginx/certs/server.key:ro</span> <span class="pi">-</span> <span class="s">./certs/ca.crt:/etc/nginx/certs/ca.crt:ro</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkxnpwph1khau75uvdrj9.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkxnpwph1khau75uvdrj9.png" alt="Structure website" width="440" height="209"></a></p> <h3> 5.6 Deploy the service </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd</span> ~/mtls-demo <span class="c"># Start the container</span> docker compose up <span class="nt">-d</span> <span class="c"># Verify it's running</span> docker compose ps <span class="c"># View logs</span> docker compose logs <span class="nt">-f</span> <span class="c"># Stop the container</span> docker compose down </code></pre> </div> <h3> 5.7 Verify the deployment </h3> <p>Go to your browser and navigate to <a href="https://YOUR_WEB_IP_OR_DOMAIN:8443" rel="noopener noreferrer">https://YOUR_WEB_IP_OR_DOMAIN:8443</a>. You should see a 400 error since we haven't configured the browser to send the client certificate yet.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7yt5qcq9dmum89ywnid1.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7yt5qcq9dmum89ywnid1.png" alt="Website no tls" width="800" height="486"></a></p> <p>If we test with curl, we'll get a similar result:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1q8ffn4bzem0a4dnumpa.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1q8ffn4bzem0a4dnumpa.png" alt="Curl no tls" width="592" height="172"></a></p> <h2> Step 6: Successful Tests </h2> <h3> 6.1 CURL with client certificate </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-v</span> <span class="se">\</span> <span class="nt">--cacert</span> ca.crt <span class="se">\</span> <span class="nt">--cert</span> client.crt <span class="se">\</span> <span class="nt">--key</span> client.key <span class="se">\</span> https://YOUR_WEB_IP_OR_DOMAIN:8443/ </code></pre> </div> <p>You need to save these files in the path where you'll run the curl command. You can get them from the following server paths:</p> <ul> <li>ca.crt =&gt; ~/mtls-ca/ca/certs/ca.crt</li> <li>client.crt =&gt; ~/mtls-ca/client/certs/client.crt</li> <li>client.key =&gt; ~/mtls-ca/client/private/client.key</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fftnl3jb950v7wsx4cou4.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fftnl3jb950v7wsx4cou4.png" alt="Curl yes tls" width="800" height="817"></a></p> <h3> 6.2 Chrome with client certificate </h3> <p>Chrome and other browsers can use client certificates for mTLS authentication. To test this, you first need to import the <code>.p12</code> certificate at the <strong>operating system level</strong>, since Chrome no longer allows importing them directly from its settings.</p> <p><strong>Download the certificate from the server:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>scp root@server_ip:/root/mtls-ca/client/certs/client.p12 ./client.p12 </code></pre> </div> <p><strong>Import according to your operating system:</strong></p> <p><strong>On macOS (Keychain Access):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>open client.p12 </code></pre> </div> <p>Keychain Access will open. Enter the password you set when creating the PKCS#12 file, and the certificate will be available for Chrome.</p> <p><strong>On Windows (Certificate Manager):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>certmgr.msc </code></pre> </div> <ol> <li>Go to <strong>"Personal"</strong> → <strong>"Certificates"</strong> </li> <li>Right-click → <strong>"All Tasks"</strong> → <strong>"Import..."</strong> </li> <li>Select <code>client.p12</code> and enter the password</li> </ol> <p><strong>On Linux:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Convert .p12 to .pem</span> openssl pkcs12 <span class="nt">-in</span> client.p12 <span class="nt">-out</span> client.pem <span class="nt">-nodes</span> <span class="c"># Start Chrome with system certificate support</span> google-chrome <span class="nt">--enable-features</span><span class="o">=</span>PlatformCertificateProvider </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frav52gry9nto5bguzvq2.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frav52gry9nto5bguzvq2.png" alt="Firefox import p12" width="800" height="437"></a></p> <p>You might get an error initially, so it's best to test in an incognito tab or restart the browser so it picks up the newly installed certificate.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhbx96oytz1n6g1gy2ot3.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhbx96oytz1n6g1gy2ot3.png" alt="Firefox yes tls" width="800" height="567"></a></p> <h2> Conclusion </h2> <p>Implementing <strong>mTLS</strong> is one of the best security investments you can make to protect communications between services. With this practical Docker Compose example, you've seen how to:</p> <ol> <li> <strong>Create a private CA</strong> and generate certificates</li> <li> <strong>Configure Nginx</strong> with mTLS in a Docker container</li> <li> <strong>Test with curl</strong> with and without a certificate</li> <li> <strong>Test with Chrome</strong> by importing the client certificate</li> </ol> <p>This same pattern applies to production environments, Kubernetes microservices, internal APIs, and any communication requiring mutual authentication.</p> <h3> Additional Resources </h3> <ul> <li><a href="https://www.openssl.org/docs/" rel="noopener noreferrer">Official OpenSSL documentation</a></li> <li><a href="https://docs.nginx.com/waf/configure/secure-mtls/" rel="noopener noreferrer">mTLS in Nginx</a></li> <li><a href="https://developers.cloudflare.com/ssl/client-certificates/" rel="noopener noreferrer">Cloudflare mTLS guide</a></li> <li><a href="https://www.digitalocean.com/community/tutorials/how-to-install-and-use-docker-on-ubuntu-20-04" rel="noopener noreferrer">Docker Compose installation</a></li> </ul> <p><strong>Did you enjoy this tutorial?</strong> Share your experiences implementing mTLS or ask questions in the comments. What other security topics would you like to see in future articles?</p> <p><em>Need a server for testing? You can create a Droplet on DigitalOcean using this link and get additional credit: <a href="https://m.do.co/c/2c579acd7121" rel="noopener noreferrer">https://m.do.co/c/2c579acd7121</a></em></p> <p> </p> devops networking security tutorial Cómo asegurar un sistema a través de certificados mTLS (Mutual TLS) Oscar Ricardo Sánche Gutierréz Thu, 23 Apr 2026 19:08:24 +0000 https://dev.to/oscar_ricardosncheguti/como-asegurar-un-sistema-a-traves-de-certificados-mtls-mutual-tls-30g2 https://dev.to/oscar_ricardosncheguti/como-asegurar-un-sistema-a-traves-de-certificados-mtls-mutual-tls-30g2 <p>En el mundo de la seguridad de aplicaciones modernas, <strong>mTLS (Mutual TLS)</strong> se ha convertido en un estándar fundamental para proteger comunicaciones entre servicios. A diferencia del TLS tradicional donde solo el servidor se autentica, mTLS requiere que <strong>ambas partes</strong> (cliente y servidor) presenten certificados válidos, creando una capa de seguridad mucho más robusta.</p> <p>En este artículo te mostraré cómo implementar mTLS paso a paso, desde la generación de certificados hasta la configuración en aplicaciones reales.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwkpgpoap1f93cpn6kmig.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwkpgpoap1f93cpn6kmig.gif" alt="Architecture savnet.co" width="700" height="394"></a></p> <blockquote> <p>Diagrama realizado con <a href="https://savnet.co" rel="noopener noreferrer">https://savnet.co</a></p> </blockquote> <h2> ¿Qué es mTLS y por qué es importante? </h2> <p><strong>mTLS (Mutual TLS)</strong> es una extensión del protocolo TLS estándar que añade autenticación mutua. Mientras que en TLS tradicional solo el servidor presenta un certificado, en mTLS tanto el cliente como el servidor deben autenticarse mutuamente.</p> <h3> Beneficios clave: </h3> <ol> <li> <strong>Autenticación fuerte</strong>: Ambos extremos de la comunicación se verifican</li> <li> <strong>Prevención de ataques MITM</strong>: Dificulta los ataques de intermediario</li> <li> <strong>Zero Trust</strong>: Se alinea perfectamente con arquitecturas Zero Trust</li> <li> <strong>Seguridad en microservicios</strong>: Ideal para comunicaciones entre servicios</li> </ol> <h3> Casos de uso comunes: </h3> <ul> <li>APIs internas entre microservicios</li> <li>Comunicaciones entre servicios en Kubernetes</li> <li>Conexiones entre sistemas de pago</li> <li>Comunicaciones B2B seguras</li> <li>Acceso a APIs sensibles</li> </ul> <h2> Paso 1: Configurar el entorno </h2> <p>Para este tutorial, trabajaremos sobre un <strong>servidor Ubuntu</strong> que funcionará como nuestro generador de certificados y Autoridad Certificadora (CA). Solo necesitamos un pequeño servidor con <strong>512MB de RAM y 1 CPU</strong>, suficiente para generar y gestionar certificados.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu3wionjx4ihuuwz1dr4j.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu3wionjx4ihuuwz1dr4j.png" alt="New server" width="800" height="546"></a></p> <p>Necesitaremos algunas herramientas básicas:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Actualizar sistema</span> <span class="nb">sudo </span>apt update <span class="o">&amp;&amp;</span> <span class="nb">sudo </span>apt upgrade <span class="nt">-y</span> <span class="c"># Instalar OpenSSL (si no está instalado)</span> <span class="nb">sudo </span>apt <span class="nb">install</span> <span class="nt">-y</span> openssl curl wget <span class="c"># Verificar versión de OpenSSL</span> openssl version </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0z7e6dd72ieky2bmvj75.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0z7e6dd72ieky2bmvj75.png" alt="Versión OpenSsl" width="800" height="236"></a></p> <p>Para otros sistemas operativos, asegúrate de tener OpenSSL instalado.</p> <h2> Paso 2: Crear la Autoridad Certificadora (CA) </h2> <p>La CA es la entidad que emitirá y firmará todos nuestros certificados. Vamos a crear una CA privada.</p> <h3> 2.1 Crear directorio de trabajo </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir</span> <span class="nt">-p</span> ~/mtls-ca <span class="nb">cd</span> ~/mtls-ca <span class="nb">mkdir</span> <span class="nt">-p</span> ca/private ca/certs ca/newcerts <span class="nb">mkdir</span> <span class="nt">-p</span> server/private server/certs <span class="nb">mkdir</span> <span class="nt">-p</span> client/private client/certs <span class="c"># Configurar permisos seguros</span> <span class="nb">chmod </span>700 ca/private server/private client/private </code></pre> </div> <h3> 2.2 Generar clave privada y certificado de la CA </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Generar clave privada de la CA (protegida con contraseña)</span> openssl genrsa <span class="nt">-aes256</span> <span class="nt">-out</span> ca/private/ca.key 4096 <span class="c"># Generar certificado autofirmado de la CA</span> openssl req <span class="nt">-new</span> <span class="nt">-x509</span> <span class="nt">-days</span> 7300 <span class="nt">-sha256</span> <span class="se">\</span> <span class="nt">-key</span> ca/private/ca.key <span class="se">\</span> <span class="nt">-out</span> ca/certs/ca.crt <span class="se">\</span> <span class="nt">-subj</span> <span class="s2">"/C=ES/ST=Madrid/L=Madrid/O=MiEmpresa/OU=IT/CN=MiCA-Root/emailAddress=admin@miempresa.com"</span> </code></pre> </div> <p><strong>Explicación del parámetro -subj</strong>:</p> <ul> <li> <code>/C=ES</code>: Código de país (2 letras)</li> <li> <code>/ST=Madrid</code>: Estado o provincia</li> <li> <code>/L=Madrid</code>: Localidad o ciudad</li> <li> <code>/O=MiEmpresa</code>: Nombre de tu organización</li> <li> <code>/OU=IT</code>: Unidad organizativa</li> <li> <code>/CN=MiCA-Root</code>: Nombre común de la CA</li> <li> <code>/emailAddress=admin@miempresa.com</code>: Email de contacto</li> </ul> <p><strong>Personaliza estos valores</strong> con tu información real.</p> <p>Durante el proceso se te pedirá:</p> <ul> <li>Contraseña para la clave privada (guárdala en un lugar seguro)</li> </ul> <h3> 2.3 Verificar el certificado de la CA </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>openssl x509 <span class="nt">-in</span> ca/certs/ca.crt <span class="nt">-text</span> <span class="nt">-noout</span> </code></pre> </div> <p>Deberías ver información detallada sobre tu CA, incluyendo:</p> <ul> <li>Emisor: Tu propia CA</li> <li>Validez: 20 años (7300 días)</li> <li>Uso clave: Certificar otras claves</li> </ul> <h2> Paso 3: Generar certificados para el servidor </h2> <p>Ahora crearemos certificados para nuestro servidor.</p> <h3> 3.1 Crear clave privada y CSR del servidor </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd</span> ~/mtls-ca <span class="c"># Generar clave privada del servidor</span> openssl genrsa <span class="nt">-out</span> server/private/server.key 2048 <span class="c"># Crear solicitud de firma de certificado (CSR)</span> openssl req <span class="nt">-new</span> <span class="nt">-sha256</span> <span class="se">\</span> <span class="nt">-key</span> server/private/server.key <span class="se">\</span> <span class="nt">-out</span> server/server.csr <span class="se">\</span> <span class="nt">-subj</span> <span class="s2">"/C=ES/ST=Madrid/L=Madrid/O=MiEmpresa/OU=Web/CN={ACA DOMINIO O IP DONDE ESTA TU APP WEB}"</span> </code></pre> </div> <p><strong>Personaliza el parámetro -subj</strong>:</p> <ul> <li> <code>/C=ES</code>: Tu código de país</li> <li> <code>/ST=Madrid</code>: Tu estado o provincia</li> <li> <code>/L=Madrid</code>: Tu localidad o ciudad</li> <li> <code>/O=MiEmpresa</code>: Tu organización</li> <li> <code>/OU=Web</code>: Unidad organizativa (ej: Web, API, etc.)</li> <li> <code>/CN=api.midominio.com</code>: <strong>IMPORTANTE</strong>: El dominio o IP de tu servidor</li> </ul> <h3> 3.2 Firmar el certificado del servidor con la CA </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Firmar el certificado del servidor</span> openssl x509 <span class="nt">-req</span> <span class="nt">-days</span> 365 <span class="nt">-sha256</span> <span class="se">\</span> <span class="nt">-in</span> server/server.csr <span class="se">\</span> <span class="nt">-CA</span> ca/certs/ca.crt <span class="se">\</span> <span class="nt">-CAkey</span> ca/private/ca.key <span class="se">\</span> <span class="nt">-CAcreateserial</span> <span class="se">\</span> <span class="nt">-out</span> server/certs/server.crt <span class="se">\</span> <span class="nt">-extfile</span> &lt;<span class="o">(</span><span class="nb">echo</span> <span class="nt">-e</span> <span class="s2">"basicConstraints=CA:FALSE</span><span class="se">\n</span><span class="s2">keyUsage=digitalSignature,keyEncipherment</span><span class="se">\n</span><span class="s2">extendedKeyUsage=serverAuth"</span><span class="o">)</span> <span class="c"># Verificar el certificado firmado</span> openssl x509 <span class="nt">-in</span> server/certs/server.crt <span class="nt">-text</span> <span class="nt">-noout</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F274ihx91zs1tenh8tr8r.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F274ihx91zs1tenh8tr8r.png" alt="Verificación certificado server" width="800" height="293"></a></p> <h3> 3.3 Crear archivo de cadena de certificados </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Crear cadena de certificados para el servidor</span> <span class="nb">cat </span>server/certs/server.crt ca/certs/ca.crt <span class="o">&gt;</span> server/certs/server-chain.crt </code></pre> </div> <h2> Paso 4: Generar certificados para el cliente </h2> <p>Repetimos el proceso para el cliente.</p> <h3> 4.1 Crear clave privada y CSR del cliente </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Generar clave privada del cliente</span> openssl genrsa <span class="nt">-out</span> client/private/client.key 2048 <span class="c"># Crear CSR para el cliente</span> openssl req <span class="nt">-new</span> <span class="nt">-sha256</span> <span class="se">\</span> <span class="nt">-key</span> client/private/client.key <span class="se">\</span> <span class="nt">-out</span> client/client.csr <span class="se">\</span> <span class="nt">-subj</span> <span class="s2">"/C=ES/ST=Madrid/L=Madrid/O=MiEmpresa/OU=Clientes/CN=app-client-01"</span> </code></pre> </div> <p><strong>Personaliza el parámetro -subj</strong>:</p> <ul> <li> <code>/C=ES</code>: Tu código de país</li> <li> <code>/ST=Madrid</code>: Tu estado o provincia</li> <li> <code>/L=Madrid</code>: Tu localidad o ciudad</li> <li> <code>/O=MiEmpresa</code>: Tu organización</li> <li> <code>/OU=Clientes</code>: Unidad organizativa (ej: Clientes, Apps, etc.)</li> <li> <code>/CN=app-client-01</code>: <strong>IMPORTANTE</strong>: Identificador único del cliente</li> </ul> <h3> 4.2 Firmar el certificado del cliente </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Firmar el certificado del cliente</span> openssl x509 <span class="nt">-req</span> <span class="nt">-days</span> 365 <span class="nt">-sha256</span> <span class="se">\</span> <span class="nt">-in</span> client/client.csr <span class="se">\</span> <span class="nt">-CA</span> ca/certs/ca.crt <span class="se">\</span> <span class="nt">-CAkey</span> ca/private/ca.key <span class="se">\</span> <span class="nt">-CAcreateserial</span> <span class="se">\</span> <span class="nt">-out</span> client/certs/client.crt <span class="se">\</span> <span class="nt">-extfile</span> &lt;<span class="o">(</span><span class="nb">echo</span> <span class="nt">-e</span> <span class="s2">"basicConstraints=CA:FALSE</span><span class="se">\n</span><span class="s2">keyUsage=digitalSignature</span><span class="se">\n</span><span class="s2">extendedKeyUsage=clientAuth"</span><span class="o">)</span> <span class="c"># Verificar el certificado del cliente</span> openssl x509 <span class="nt">-in</span> client/certs/client.crt <span class="nt">-text</span> <span class="nt">-noout</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fouk1kvcb7yd9fy0orh88.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fouk1kvcb7yd9fy0orh88.png" alt="Verificar certificado cliente" width="800" height="176"></a></p> <h3> 4.3 Crear archivo PKCS#12 para el cliente </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Crear archivo PKCS#12 (p12/pfx) para fácil importación</span> openssl pkcs12 <span class="nt">-export</span> <span class="se">\</span> <span class="nt">-inkey</span> client/private/client.key <span class="se">\</span> <span class="nt">-in</span> client/certs/client.crt <span class="se">\</span> <span class="nt">-certfile</span> ca/certs/ca.crt <span class="se">\</span> <span class="nt">-out</span> client/certs/client.p12 </code></pre> </div> <h2> Paso 5: Desplegar un "Hola mundo" con Docker Compose y mTLS </h2> <p>Vamos a crear un ejemplo simple de una web usando <strong>Docker Compose</strong> con un servidor Nginx que responde "Hola mundo" y está protegido con mTLS. Recuerda, esta web debe ser desplegada con el mismo dominio o ip que se uso al generar las llaves del server en el punto 3.1.</p> <h3> 5.1 Estructura del proyecto </h3> <p>Crea la siguiente estructura de directorios en tu servidor:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir</span> <span class="nt">-p</span> ~/mtls-demo/nginx <span class="nb">cd</span> ~/mtls-demo </code></pre> </div> <h3> 5.2 Copiar los certificados generados </h3> <p>Copia los certificados que generamos en los pasos anteriores:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Crear directorio para certificados en el proyecto</span> <span class="nb">mkdir</span> <span class="nt">-p</span> ~/mtls-demo/certs <span class="c"># Copiar certificados del servidor, en nuestro caso están en el mismo servidor</span> <span class="nb">cp</span> ~/mtls-ca/server/certs/server-chain.crt ~/mtls-demo/certs/ <span class="nb">cp</span> ~/mtls-ca/server/private/server.key ~/mtls-demo/certs/ <span class="c"># Copiar CA (para verificar clientes)</span> <span class="nb">cp</span> ~/mtls-ca/ca/certs/ca.crt ~/mtls-demo/certs/ </code></pre> </div> <h3> 5.3 Crear la página HTML </h3> <p>Crea el archivo <code>~/mtls-demo/nginx/index.html</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html</span> <span class="na">lang=</span><span class="s">"es"</span><span class="nt">&gt;</span> <span class="nt">&lt;head&gt;</span> <span class="nt">&lt;meta</span> <span class="na">charset=</span><span class="s">"UTF-8"</span><span class="nt">&gt;</span> <span class="nt">&lt;meta</span> <span class="na">name=</span><span class="s">"viewport"</span> <span class="na">content=</span><span class="s">"width=device-width, initial-scale=1.0"</span><span class="nt">&gt;</span> <span class="nt">&lt;title&gt;</span>mTLS - Hola Mundo<span class="nt">&lt;/title&gt;</span> <span class="nt">&lt;style&gt;</span> <span class="nt">body</span> <span class="p">{</span> <span class="nl">font-family</span><span class="p">:</span> <span class="s2">'Segoe UI'</span><span class="p">,</span> <span class="n">Tahoma</span><span class="p">,</span> <span class="n">Geneva</span><span class="p">,</span> <span class="n">Verdana</span><span class="p">,</span> <span class="nb">sans-serif</span><span class="p">;</span> <span class="nl">display</span><span class="p">:</span> <span class="n">flex</span><span class="p">;</span> <span class="nl">justify-content</span><span class="p">:</span> <span class="nb">center</span><span class="p">;</span> <span class="nl">align-items</span><span class="p">:</span> <span class="nb">center</span><span class="p">;</span> <span class="nl">height</span><span class="p">:</span> <span class="m">100vh</span><span class="p">;</span> <span class="nl">margin</span><span class="p">:</span> <span class="m">0</span><span class="p">;</span> <span class="nl">background</span><span class="p">:</span> <span class="n">linear-gradient</span><span class="p">(</span><span class="m">135deg</span><span class="p">,</span> <span class="m">#667eea</span> <span class="m">0%</span><span class="p">,</span> <span class="m">#764ba2</span> <span class="m">100%</span><span class="p">);</span> <span class="nl">color</span><span class="p">:</span> <span class="no">white</span><span class="p">;</span> <span class="p">}</span> <span class="nc">.container</span> <span class="p">{</span> <span class="nl">text-align</span><span class="p">:</span> <span class="nb">center</span><span class="p">;</span> <span class="nl">background</span><span class="p">:</span> <span class="n">rgba</span><span class="p">(</span><span class="m">255</span><span class="p">,</span> <span class="m">255</span><span class="p">,</span> <span class="m">255</span><span class="p">,</span> <span class="m">0.1</span><span class="p">);</span> <span class="nl">padding</span><span class="p">:</span> <span class="m">3rem</span><span class="p">;</span> <span class="nl">border-radius</span><span class="p">:</span> <span class="m">20px</span><span class="p">;</span> <span class="py">backdrop-filter</span><span class="p">:</span> <span class="n">blur</span><span class="p">(</span><span class="m">10px</span><span class="p">);</span> <span class="nl">box-shadow</span><span class="p">:</span> <span class="m">0</span> <span class="m">8px</span> <span class="m">32px</span> <span class="n">rgba</span><span class="p">(</span><span class="m">0</span><span class="p">,</span> <span class="m">0</span><span class="p">,</span> <span class="m">0</span><span class="p">,</span> <span class="m">0.1</span><span class="p">);</span> <span class="p">}</span> <span class="nt">h1</span> <span class="p">{</span> <span class="nl">font-size</span><span class="p">:</span> <span class="m">3rem</span><span class="p">;</span> <span class="nl">margin-bottom</span><span class="p">:</span> <span class="m">0.5rem</span><span class="p">;</span> <span class="p">}</span> <span class="nc">.cert-info</span> <span class="p">{</span> <span class="nl">background</span><span class="p">:</span> <span class="n">rgba</span><span class="p">(</span><span class="m">255</span><span class="p">,</span> <span class="m">255</span><span class="p">,</span> <span class="m">255</span><span class="p">,</span> <span class="m">0.15</span><span class="p">);</span> <span class="nl">padding</span><span class="p">:</span> <span class="m">1rem</span><span class="p">;</span> <span class="nl">border-radius</span><span class="p">:</span> <span class="m">10px</span><span class="p">;</span> <span class="nl">margin-top</span><span class="p">:</span> <span class="m">1.5rem</span><span class="p">;</span> <span class="nl">font-size</span><span class="p">:</span> <span class="m">0.9rem</span><span class="p">;</span> <span class="p">}</span> <span class="nc">.badge</span> <span class="p">{</span> <span class="nl">display</span><span class="p">:</span> <span class="n">inline-block</span><span class="p">;</span> <span class="nl">background</span><span class="p">:</span> <span class="m">#4CAF50</span><span class="p">;</span> <span class="nl">color</span><span class="p">:</span> <span class="no">white</span><span class="p">;</span> <span class="nl">padding</span><span class="p">:</span> <span class="m">0.3rem</span> <span class="m">1rem</span><span class="p">;</span> <span class="nl">border-radius</span><span class="p">:</span> <span class="m">20px</span><span class="p">;</span> <span class="nl">font-size</span><span class="p">:</span> <span class="m">0.8rem</span><span class="p">;</span> <span class="nl">margin-top</span><span class="p">:</span> <span class="m">1rem</span><span class="p">;</span> <span class="p">}</span> <span class="nt">&lt;/style&gt;</span> <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"container"</span><span class="nt">&gt;</span> <span class="nt">&lt;h1&gt;</span>🔒 ¡Hola Mundo!<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;p&gt;</span>Conexión segura establecida mediante <span class="nt">&lt;strong&gt;</span>mTLS<span class="nt">&lt;/strong&gt;&lt;/p&gt;</span> <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"cert-info"</span><span class="nt">&gt;</span> <span class="nt">&lt;p&gt;&lt;strong&gt;</span>Cliente autenticado:<span class="nt">&lt;/strong&gt;</span> <span class="nt">&lt;span</span> <span class="na">id=</span><span class="s">"client-cn"</span><span class="nt">&gt;</span>---<span class="nt">&lt;/span&gt;&lt;/p&gt;</span> <span class="nt">&lt;p&gt;&lt;strong&gt;</span>Protocolo:<span class="nt">&lt;/strong&gt;</span> TLS 1.3<span class="nt">&lt;/p&gt;</span> <span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"badge"</span><span class="nt">&gt;</span>✅ mTLS Activado<span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> 5.4 Configurar Nginx con mTLS </h3> <p>Crea el archivo <code>~/mtls-demo/nginx/default.conf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">server</span> <span class="p">{</span> <span class="kn">listen</span> <span class="mi">8443</span> <span class="s">ssl</span><span class="p">;</span> <span class="kn">server_name</span> <span class="s">localhost</span><span class="p">;</span> <span class="c1"># Certificados del servidor</span> <span class="kn">ssl_certificate</span> <span class="n">/etc/nginx/certs/server-chain.crt</span><span class="p">;</span> <span class="kn">ssl_certificate_key</span> <span class="n">/etc/nginx/certs/server.key</span><span class="p">;</span> <span class="c1"># Configuración SSL moderna</span> <span class="kn">ssl_protocols</span> <span class="s">TLSv1.2</span> <span class="s">TLSv1.3</span><span class="p">;</span> <span class="kn">ssl_ciphers</span> <span class="s">HIGH:!aNULL:!MD5</span><span class="p">;</span> <span class="kn">ssl_prefer_server_ciphers</span> <span class="no">off</span><span class="p">;</span> <span class="kn">ssl_session_cache</span> <span class="s">shared:SSL:10m</span><span class="p">;</span> <span class="kn">ssl_session_timeout</span> <span class="mi">10m</span><span class="p">;</span> <span class="c1"># mTLS: verificar cliente</span> <span class="kn">ssl_client_certificate</span> <span class="n">/etc/nginx/certs/ca.crt</span><span class="p">;</span> <span class="kn">ssl_verify_client</span> <span class="no">on</span><span class="p">;</span> <span class="kn">ssl_verify_depth</span> <span class="mi">2</span><span class="p">;</span> <span class="c1"># Raíz de documentos</span> <span class="kn">root</span> <span class="n">/usr/share/nginx/html</span><span class="p">;</span> <span class="kn">index</span> <span class="s">index.html</span><span class="p">;</span> <span class="kn">location</span> <span class="n">/</span> <span class="p">{</span> <span class="c1"># Rechazar si el certificado del cliente no es válido</span> <span class="kn">if</span> <span class="s">(</span><span class="nv">$ssl_client_verify</span> <span class="s">!=</span> <span class="s">SUCCESS)</span> <span class="p">{</span> <span class="kn">return</span> <span class="mi">403</span> <span class="s">"Acceso</span> <span class="s">denegado:</span> <span class="s">certificado</span> <span class="s">de</span> <span class="s">cliente</span> <span class="s">requerido</span><span class="err">\</span><span class="s">n"</span><span class="p">;</span> <span class="p">}</span> <span class="c1"># Pasar información del cliente a la app</span> <span class="kn">add_header</span> <span class="s">X-Client-CN</span> <span class="nv">$ssl_client_s_dn</span> <span class="s">always</span><span class="p">;</span> <span class="kn">add_header</span> <span class="s">X-Client-Verify</span> <span class="nv">$ssl_client_verify</span> <span class="s">always</span><span class="p">;</span> <span class="kn">try_files</span> <span class="nv">$uri</span> <span class="nv">$uri</span><span class="n">/</span> <span class="p">=</span><span class="mi">404</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> 5.5 Crear el Docker Compose </h3> <p>Crea el archivo <code>~/mtls-demo/docker-compose.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">3.8'</span> <span class="na">services</span><span class="pi">:</span> <span class="na">mtls-server</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nginx:alpine</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">mtls-nginx</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">8443:8443"</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./nginx/default.conf:/etc/nginx/conf.d/default.conf:ro</span> <span class="pi">-</span> <span class="s">./nginx/index.html:/usr/share/nginx/html/index.html:ro</span> <span class="pi">-</span> <span class="s">./certs/server-chain.crt:/etc/nginx/certs/server-chain.crt:ro</span> <span class="pi">-</span> <span class="s">./certs/server.key:/etc/nginx/certs/server.key:ro</span> <span class="pi">-</span> <span class="s">./certs/ca.crt:/etc/nginx/certs/ca.crt:ro</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3ah7r18dhh4dgdcm09qr.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3ah7r18dhh4dgdcm09qr.png" alt="Estructura sitio web" width="440" height="209"></a></p> <h3> 5.6 Desplegar el servicio </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd</span> ~/mtls-demo <span class="c"># Iniciar el contenedor</span> docker compose up <span class="nt">-d</span> <span class="c"># Verificar que está corriendo</span> docker compose ps <span class="c"># Ver logs</span> docker compose logs <span class="nt">-f</span> <span class="c"># Bajar contenedor</span> docker compose down </code></pre> </div> <h3> 5.7 Verificar el despliegue </h3> <p>Ve al navegador e ingresa a <a href="https://IP_O_DOMOINIO_DE_TU_WEB:8443" rel="noopener noreferrer">https://IP_O_DOMOINIO_DE_TU_WEB:8443</a> , deberás ver un error 400 ya que aún no hemos configurado el navegador para enviar el certificado de cliente.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F84c87uterlrfp8v172s5.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F84c87uterlrfp8v172s5.png" alt="Sitio web sin tls" width="800" height="486"></a></p> <p>Si probamos con curl nos pasará algo parecido</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvqwtw9scdw94hr9zlz3y.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvqwtw9scdw94hr9zlz3y.png" alt="Curl sin tls" width="592" height="172"></a></p> <h2> Paso 6: Pruebas exitosas </h2> <h3> 6.1 CURL Con certificado de cliente </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-v</span> <span class="se">\</span> <span class="nt">--cacert</span> ca.crt <span class="se">\</span> <span class="nt">--cert</span> client.crt <span class="se">\</span> <span class="nt">--key</span> client.key <span class="se">\</span> https://IP_O_DOMOINIO_DE_TU_WEB:8443/ </code></pre> </div> <p>Los archivos debes guardarlos en la ruta donde ejecutarás el comando curl y los obtienes de las siguientes rutas del servidor:</p> <ul> <li>ca.crt=&gt; ~/mtls-ca/ca/certs/ca.crt</li> <li>client.crt=&gt; ~/mtls-ca/client/certs/client.crt</li> <li>client.key=&gt; ~/mtls-ca/client/private/client.key</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F06y8fou20hlv05m7jtyy.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F06y8fou20hlv05m7jtyy.png" alt="Curl con tls" width="800" height="817"></a></p> <h2> 6.2 Chrome Con certificado de cliente </h2> <p>Chrome y otros navegadores pueden usar certificados de cliente para autenticación mTLS. Para probarlo, primero debes importar el certificado <code>.p12</code> a nivel del <strong>sistema operativo</strong>, ya que Chrome ya no permite importarlos directamente desde su configuración.</p> <p><strong>Descargar el certificado desde el servidor:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>scp root@ip_servidor:/root/mtls-ca/client/certs/client.p12 ./client.p12 </code></pre> </div> <p><strong>Importar según tu sistema operativo:</strong></p> <p><strong>En macOS (Keychain Access):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>open client.p12 </code></pre> </div> <p>Se abrirá Keychain Access. Introduce la contraseña que pusiste al crear el PKCS#12 y el certificado quedará disponible para Chrome.</p> <p><strong>En Windows (Administrador de certificados):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>certmgr.msc </code></pre> </div> <ol> <li>Ve a <strong>"Personal"</strong> → <strong>"Certificados"</strong> </li> <li>Haz clic derecho → <strong>"Todas las tareas"</strong> → <strong>"Importar..."</strong> </li> <li>Selecciona <code>client.p12</code> e introduce la contraseña</li> </ol> <p><strong>En Linux:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Convertir .p12 a .pem</span> openssl pkcs12 <span class="nt">-in</span> client.p12 <span class="nt">-out</span> client.pem <span class="nt">-nodes</span> <span class="c"># Iniciar Chrome con soporte de certificados del sistema</span> google-chrome <span class="nt">--enable-features</span><span class="o">=</span>PlatformCertificateProvider </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw9mp355yx0l6shvykyge.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw9mp355yx0l6shvykyge.png" alt="Importar llave p12 firefox" width="800" height="437"></a></p> <p>Es probable que te genere error al inicio así que lo mejor es probarlo en una pestaña incógnita o reiniciar el navegador para que tome el nuevo certificado instalado.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa3s3jyx8bpjtmq57yvh9.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa3s3jyx8bpjtmq57yvh9.png" alt="Firefox con tls" width="800" height="567"></a></p> <h2> Conclusión </h2> <p>Implementar <strong>mTLS</strong> es una de las mejores inversiones en seguridad que puedes hacer para proteger las comunicaciones entre servicios. Con este ejemplo práctico de Docker Compose has visto cómo:</p> <ol> <li> <strong>Crear una CA privada</strong> y generar certificados</li> <li> <strong>Configurar Nginx</strong> con mTLS en un contenedor Docker</li> <li> <strong>Probar desde curl</strong> con y sin certificado</li> <li> <strong>Probar desde Chrome</strong> importando el certificado de cliente</li> </ol> <p>Este mismo patrón se aplica a entornos de producción, microservicios en Kubernetes, APIs internas y cualquier comunicación que requiera autenticación mutua.</p> <h3> Recursos adicionales </h3> <ul> <li><a href="https://www.openssl.org/docs/" rel="noopener noreferrer">Documentación oficial de OpenSSL</a></li> <li><a href="https://docs.nginx.com/waf/configure/secure-mtls/" rel="noopener noreferrer">mTLS en Nginx</a></li> <li><a href="https://developers.cloudflare.com/ssl/client-certificates/" rel="noopener noreferrer">Guía de mTLS de Cloudflare</a></li> <li><a href="https://www.digitalocean.com/community/tutorials/how-to-install-and-use-docker-on-ubuntu-20-04" rel="noopener noreferrer">Docker Compose instalación</a></li> </ul> <p><strong>¿Te gustó este tutorial?</strong> Comparte tus experiencias implementando mTLS o haz preguntas en los comentarios. ¿Qué otros temas de seguridad te gustaría ver en futuros artículos?</p> <p><em>¿Necesitas un servidor para tus pruebas? Puedes crear un Droplet en DigitalOcean usando este enlace y obtener crédito adicional: <a href="https://m.do.co/c/2c579acd7121" rel="noopener noreferrer">https://m.do.co/c/2c579acd7121</a></em></p> <p> </p> networking security spanish tutorial RustDesk: How to Create a Secure Private Remote Access Network Oscar Ricardo Sánche Gutierréz Tue, 31 Mar 2026 00:47:18 +0000 https://dev.to/oscar_ricardosncheguti/rustdesk-how-to-create-a-secure-private-remote-access-network-1dj4 https://dev.to/oscar_ricardosncheguti/rustdesk-how-to-create-a-secure-private-remote-access-network-1dj4 <p>RustDesk is the perfect solution for secure remote access, open-source and under your complete control. In this article I'll show you how to deploy your own server, configure it as a closed network, and secure it for corporate use.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgctjvatzp24vwqaqafx3.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgctjvatzp24vwqaqafx3.gif" alt="Architecture" width="700" height="395"></a></p> <blockquote> <p>Diagram created with <a href="https://savnet.co" rel="noopener noreferrer">https://savnet.co</a></p> </blockquote> <p>RustDesk is an open-source alternative to tools like TeamViewer or AnyDesk, but with a key advantage: <strong>you can self-host it</strong>. This means:</p> <ul> <li> <strong>Complete control</strong> over your data</li> <li><strong>No connection limits</strong></li> <li> <strong>Zero licensing costs</strong> (only server costs)</li> </ul> <h2> Step 1: Prepare the Server </h2> <p>You'll need a Linux server with Ubuntu 22.04 or 24.04 LTS with:</p> <ul> <li> <strong>1 vCPU, 2 GB RAM</strong> (enough for dozens of connections)</li> <li> <strong>Ubuntu 22.04 LTS</strong> or higher</li> <li><strong>Fixed public IP</strong></li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc1nozchz2tacuisj03xp.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc1nozchz2tacuisj03xp.png" alt="New DigitalOcean server" width="800" height="520"></a></p> <h2> Step 2: Initial Server Configuration </h2> <p>Connect via SSH and update the system:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ssh root@your_server_ip apt update <span class="o">&amp;&amp;</span> apt upgrade <span class="nt">-y</span> timedatectl set-timezone America/New_York <span class="c"># Adjust to your timezone</span> reboot </code></pre> </div> <h2> Step 3: Install Docker and Docker Compose </h2> <p>Follow the official Docker installation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Install dependencies</span> apt <span class="nb">install</span> <span class="nt">-y</span> ca-certificates curl gnupg <span class="c"># Add official Docker repository</span> <span class="nb">install</span> <span class="nt">-m</span> 0755 <span class="nt">-d</span> /etc/apt/keyrings curl <span class="nt">-fsSL</span> https://download.docker.com/linux/ubuntu/gpg <span class="nt">-o</span> /etc/apt/keyrings/docker.asc <span class="nb">chmod </span>a+r /etc/apt/keyrings/docker.asc <span class="nb">echo</span> <span class="se">\</span> <span class="s2">"deb [arch=</span><span class="si">$(</span>dpkg <span class="nt">--print-architecture</span><span class="si">)</span><span class="s2"> signed-by=/etc/apt/keyrings/docker.asc] </span><span class="se">\</span><span class="s2"> https://download.docker.com/linux/ubuntu </span><span class="se">\</span><span class="s2"> </span><span class="si">$(</span><span class="nb">.</span> /etc/os-release <span class="o">&amp;&amp;</span> <span class="nb">echo</span> <span class="s2">"</span><span class="nv">$VERSION_CODENAME</span><span class="s2">"</span><span class="si">)</span><span class="s2"> stable"</span> <span class="se">\</span> | <span class="nb">tee</span> /etc/apt/sources.list.d/docker.list <span class="o">&gt;</span> /dev/null <span class="c"># Install Docker</span> apt update apt <span class="nb">install</span> <span class="nt">-y</span> docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin <span class="c"># Verify installation</span> docker <span class="nt">--version</span> docker compose version </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx1avbg4jwfgvd0dd1vz3.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx1avbg4jwfgvd0dd1vz3.png" alt="Docker versions" width="377" height="134"></a></p> <h2> Step 4: Prepare RustDesk Structure </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir</span> <span class="nt">-p</span> /opt/rustdesk-server/data <span class="nb">cd</span> /opt/rustdesk-server </code></pre> </div> <h2> Step 5: Create the docker-compose.yml File </h2> <p>Create <code>nano /opt/rustdesk-server/compose.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">services</span><span class="pi">:</span> <span class="na">hbbr</span><span class="pi">:</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">hbbr</span> <span class="na">image</span><span class="pi">:</span> <span class="s">rustdesk/rustdesk-server:latest</span> <span class="na">command</span><span class="pi">:</span> <span class="s">hbbr</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./data:/root</span> <span class="na">network_mode</span><span class="pi">:</span> <span class="s2">"</span><span class="s">host"</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">hbbs</span><span class="pi">:</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">hbbs</span> <span class="na">image</span><span class="pi">:</span> <span class="s">rustdesk/rustdesk-server:latest</span> <span class="na">command</span><span class="pi">:</span> <span class="s">hbbs</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./data:/root</span> <span class="na">network_mode</span><span class="pi">:</span> <span class="s2">"</span><span class="s">host"</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">hbbr</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> </code></pre> </div> <p><strong>Important</strong>: We use <code>network_mode: "host"</code> because RustDesk needs to see the real host IP to function correctly.</p> <h2> Step 6: Start the Services </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Start services</span> docker compose up <span class="nt">-d</span> <span class="c"># Verify they're running</span> docker ps <span class="c"># View logs</span> docker compose logs </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkmx4j1ehfg2x9p1rti10.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkmx4j1ehfg2x9p1rti10.png" alt="Docker services" width="800" height="444"></a></p> <h2> Step 7: Get the Server Public Key </h2> <p>This key is crucial for clients to trust your server:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> /opt/rustdesk-server/data/id_ed25519.pub <span class="o">&amp;&amp;</span> <span class="nb">echo</span> <span class="s2">""</span> </code></pre> </div> <p>Save the result. It will look something like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx= </code></pre> </div> <h2> Step 8: Configure the Firewall </h2> <h3> Ports needed for RustDesk OSS: </h3> <ul> <li> <strong>TCP 21115</strong> - Main service</li> <li> <strong>TCP 21116</strong> - ID service</li> <li> <strong>UDP 21116</strong> - For better performance</li> <li> <strong>TCP 21117</strong> - Relay service</li> </ul> <h3> Configure UFW on the server: </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Install firewall ufw</span> apt <span class="nb">install</span> <span class="nt">-y</span> ufw <span class="c"># Allow SSH from YOUR public IP</span> ufw allow from your_admin_ip to any port 22 <span class="c"># IF YOU DON'T HAVE a public IP, allow any origin with</span> ufw allow 22 <span class="c"># Allow RustDesk ports</span> ufw allow 21115/tcp ufw allow 21116/tcp ufw allow 21116/udp ufw allow 21117/tcp <span class="c"># Enable firewall</span> ufw <span class="nb">enable </span>ufw status verbose </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl8bedz4fx07i1dyb5wjj.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl8bedz4fx07i1dyb5wjj.png" alt="Ufw firewall" width="658" height="311"></a></p> <h3> Configure cloud provider firewall: </h3> <p>In your cloud provider panel, create <strong>Inbound</strong> rules that allow only from your corporate IPs:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw7rgd6qo12hrkpq6pwo1.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw7rgd6qo12hrkpq6pwo1.png" alt="DigitalOcean firewall" width="800" height="434"></a></p> <h2> Step 9: Configure Computer/Client </h2> <p>On each computer:</p> <ol> <li>Open RustDesk</li> <li>Go to <strong>Settings → Network</strong> </li> <li>Click <strong>Unlock Network Settings</strong> </li> <li>Go to <strong>Server ID/Relay</strong> </li> <li>Configure: <ul> <li> <strong>ID Server</strong>: <code>YourRustServerIP</code> </li> <li> <strong>Relay Server</strong>: <code>YourRustServerIP</code> </li> <li> <strong>Key</strong>: Paste the public key obtained in step 7</li> <li> <strong>API Server</strong>: Leave empty (only for RustDesk Pro)</li> </ul> </li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fecxhizufe5wnpnjo2pvj.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fecxhizufe5wnpnjo2pvj.png" alt="RustDesk client setup" width="800" height="473"></a></p> <p>If you want to quickly use your configuration, click the copy icon in the top right corner, and the paste icon to import:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8xo5iywnx2lzegfixfta.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8xo5iywnx2lzegfixfta.png" alt="RustDesk client export/import" width="800" height="219"></a></p> <h2> Ways to Improve Your RustDesk Client Security </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fke9a0hzzqwqxt4xe0118.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fke9a0hzzqwqxt4xe0118.png" alt="Security RustDesk client" width="760" height="992"></a></p> <p>RustDesk offers multiple authentication methods to securely control remote access. Here I explain each option:</p> <h3> 1. <strong>One-time password</strong> </h3> <ul> <li>Automatically generated for each session and the user must provide it to the remote technician to connect</li> <li>Length options: 6, 8, or 10 digits</li> <li>The key changes with each session</li> <li> <strong>Ideal use</strong>: Temporary technical support or occasional access</li> </ul> <h3> 2. <strong>Permanent password</strong> </h3> <ul> <li>Key you specify manually that doesn't change between sessions</li> <li>Allows continuous access without needing to share new keys</li> <li> <strong>Ideal use</strong>: Frequent remote access to your own computer</li> </ul> <h3> 3. <strong>Both passwords</strong> </h3> <ul> <li>Flexibility to use temporary OR permanent password</li> <li> <strong>Ideal use</strong>: Mixed scenarios (personal use + occasional support)</li> </ul> <h3> 4. <strong>Two-Factor Authentication (2FA)</strong> </h3> <ul> <li>Additional security layer</li> <li>Options: codes from authenticator app or Telegram bot integration</li> <li> <strong>Ideal use</strong>: Computers accessible from public internet</li> </ul> <h3> 5. <strong>Trusted devices</strong> </h3> <ul> <li>Only applies when using 2FA</li> <li>Mark specific devices as trusted</li> <li>Avoids requesting 2FA on each connection from those devices</li> <li>Improves convenience while maintaining security</li> </ul> <h3> 6. <strong>Additional Security Settings</strong> </h3> <ul> <li> <strong>Password length</strong>: Configurable based on security needs</li> <li> <strong>Expiration time</strong>: For temporary passwords</li> <li> <strong>Audit logging</strong>: Access monitoring</li> </ul> <h2> Practical Recommendations: </h2> <p><strong>For frequent personal use</strong>: Permanent password + optional 2FA<br><br> <strong>For technical support</strong>: One-time password<br><br> <strong>For corporate environments</strong>: Mandatory 2FA + trusted devices<br><br> <strong>For maximum security</strong>: Combination of methods + audit logging </p> <p>These methods allow you to balance security and convenience according to your specific needs.</p> <h2> How to Make This a Truly Closed Network </h2> <h3> 1. Block Access from Public Internet on the RustDesk Server </h3> <p>Don't allow access from any IP in the firewall ufw rules or cloud provider rules. Only allow:</p> <ul> <li>Your office IPs</li> <li>Your corporate VPN IP</li> <li>Specific authorized ranges</li> </ul> <h3> 2. Implement VPN for Remote Access </h3> <p>The most secure way: remote users first connect to the corporate VPN, then access RustDesk.</p> <h3> 3. Create Administrative User Without Root: </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>adduser adminops usermod <span class="nt">-aG</span> <span class="nb">sudo </span>adminops <span class="nb">mkdir</span> <span class="nt">-p</span> /home/adminops/.ssh <span class="nb">cp</span> /root/.ssh/authorized_keys /home/adminops/.ssh/authorized_keys <span class="nb">chown</span> <span class="nt">-R</span> adminops:adminops /home/adminops/.ssh <span class="nb">chmod </span>700 /home/adminops/.ssh <span class="nb">chmod </span>600 /home/adminops/.ssh/authorized_keys <span class="c"># Disable root SSH</span> <span class="k">if </span><span class="nb">grep</span> <span class="nt">-q</span> <span class="s1">'^PermitRootLogin'</span> /etc/ssh/sshd_config<span class="p">;</span> <span class="k">then </span><span class="nb">sed</span> <span class="nt">-i</span> <span class="s1">'s/^PermitRootLogin.*/PermitRootLogin no/'</span> /etc/ssh/sshd_config <span class="k">else </span><span class="nb">echo</span> <span class="s1">'PermitRootLogin no'</span> <span class="o">&gt;&gt;</span> /etc/ssh/sshd_config <span class="k">fi </span>sshd <span class="nt">-t</span> <span class="o">&amp;&amp;</span> systemctl restart ssh </code></pre> </div> <h2> RustDesk Pro: For Advanced Enterprise Needs </h2> <p>The RustDesk version we've configured is excellent for basic remote access, but if you need advanced enterprise features, RustDesk offers a Pro version with additional capabilities:</p> <ul> <li><strong>Centralized user and group management</strong></li> <li> <strong>Granular access control</strong> (role-based permissions)</li> <li><strong>LDAP/Active Directory authentication</strong></li> <li><strong>Detailed auditing and logs</strong></li> <li><strong>Priority technical support</strong></li> <li><strong>Mass management functions</strong></li> </ul> <p>For these organizations, you can check the Pro plans at <a href="https://rustdesk.com/pricing/" rel="noopener noreferrer">https://rustdesk.com/pricing/</a>.</p> <p><strong>Need a cloud server?</strong> You can get an Ubuntu Droplet on DigitalOcean using our <a href="https://m.do.co/c/2c579acd7121" rel="noopener noreferrer">referral link</a> and receive initial credits to try this tutorial.</p> <p>Have you implemented RustDesk in your organization? Share your experience in the comments!</p> rustdesk remotedesktop selfhosted opensource RustDesk: Cómo crear una red de acceso remoto segura y privada Oscar Ricardo Sánche Gutierréz Tue, 31 Mar 2026 00:35:54 +0000 https://dev.to/oscar_ricardosncheguti/rustdesk-como-crear-una-red-de-acceso-remoto-segura-y-privada-50df https://dev.to/oscar_ricardosncheguti/rustdesk-como-crear-una-red-de-acceso-remoto-segura-y-privada-50df <p>RustDesk es la solución perfecta para acceso remoto seguro, de código abierto y bajo tu control completo. En este artículo te mostraré cómo desplegar tu propio servidor, configurarlo como una red cerrada y asegurarlo para uso corporativo.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi38r6i6fxppelpaqzhpa.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi38r6i6fxppelpaqzhpa.gif" alt="Architecture" width="700" height="395"></a></p> <blockquote> <p>Diagrama realizado con <a href="https://savnet.co" rel="noopener noreferrer">https://savnet.co</a></p> </blockquote> <p>RustDesk es una alternativa de código abierto a herramientas como TeamViewer o AnyDesk, pero con una ventaja clave: <strong>puedes autoalojarlo</strong>. Esto significa:</p> <ul> <li> <strong>Control total</strong> sobre tus datos</li> <li> <strong>Sin límites</strong> de conexión</li> <li> <strong>Costo cero</strong> en licencias (solo el servidor)</li> </ul> <h2> Paso 1: Preparar el servidor </h2> <p>Necesitarás un servidor Linux con Ubuntu 22.04 o 24.04 LTS con:</p> <ul> <li> <strong>1 vCPU, 2 GB RAM</strong> (suficiente para decenas de conexiones)</li> <li> <strong>Ubuntu 22.04 LTS</strong> o superior</li> <li><strong>IP pública fija</strong></li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0nrxitd5jg1qxzapucor.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0nrxitd5jg1qxzapucor.png" alt="New DigitalOcean Server" width="800" height="520"></a></p> <h2> Paso 2: Configuración inicial del servidor </h2> <p>Conéctate por SSH y actualiza el sistema:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ssh root@tu_ip_servidor apt update <span class="o">&amp;&amp;</span> apt upgrade <span class="nt">-y</span> timedatectl set-timezone America/Bogota <span class="c"># Ajusta a tu zona horaria</span> reboot </code></pre> </div> <h2> Paso 3: Instalar Docker y Docker Compose </h2> <p>Sigue la instalación oficial de Docker:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Instalar dependencias</span> apt <span class="nb">install</span> <span class="nt">-y</span> ca-certificates curl gnupg <span class="c"># Agregar repositorio oficial de Docker</span> <span class="nb">install</span> <span class="nt">-m</span> 0755 <span class="nt">-d</span> /etc/apt/keyrings curl <span class="nt">-fsSL</span> https://download.docker.com/linux/ubuntu/gpg <span class="nt">-o</span> /etc/apt/keyrings/docker.asc <span class="nb">chmod </span>a+r /etc/apt/keyrings/docker.asc <span class="nb">echo</span> <span class="se">\</span> <span class="s2">"deb [arch=</span><span class="si">$(</span>dpkg <span class="nt">--print-architecture</span><span class="si">)</span><span class="s2"> signed-by=/etc/apt/keyrings/docker.asc] </span><span class="se">\</span><span class="s2"> https://download.docker.com/linux/ubuntu </span><span class="se">\</span><span class="s2"> </span><span class="si">$(</span><span class="nb">.</span> /etc/os-release <span class="o">&amp;&amp;</span> <span class="nb">echo</span> <span class="s2">"</span><span class="nv">$VERSION_CODENAME</span><span class="s2">"</span><span class="si">)</span><span class="s2"> stable"</span> <span class="se">\</span> | <span class="nb">tee</span> /etc/apt/sources.list.d/docker.list <span class="o">&gt;</span> /dev/null <span class="c"># Instalar Docker</span> apt update apt <span class="nb">install</span> <span class="nt">-y</span> docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin <span class="c"># Verificar instalación</span> docker <span class="nt">--version</span> docker compose version </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo6pn1ggqqirum8e9u2r4.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo6pn1ggqqirum8e9u2r4.png" alt="Versiones docker" width="377" height="134"></a></p> <h2> Paso 4: Preparar la estructura de RustDesk </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir</span> <span class="nt">-p</span> /opt/rustdesk-server/data <span class="nb">cd</span> /opt/rustdesk-server </code></pre> </div> <h2> Paso 5: Crear el archivo docker-compose.yml </h2> <p>Crea <code>nano /opt/rustdesk-server/compose.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">services</span><span class="pi">:</span> <span class="na">hbbr</span><span class="pi">:</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">hbbr</span> <span class="na">image</span><span class="pi">:</span> <span class="s">rustdesk/rustdesk-server:latest</span> <span class="na">command</span><span class="pi">:</span> <span class="s">hbbr</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./data:/root</span> <span class="na">network_mode</span><span class="pi">:</span> <span class="s2">"</span><span class="s">host"</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">hbbs</span><span class="pi">:</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">hbbs</span> <span class="na">image</span><span class="pi">:</span> <span class="s">rustdesk/rustdesk-server:latest</span> <span class="na">command</span><span class="pi">:</span> <span class="s">hbbs</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./data:/root</span> <span class="na">network_mode</span><span class="pi">:</span> <span class="s2">"</span><span class="s">host"</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">hbbr</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> </code></pre> </div> <p><strong>Importante</strong>: Usamos <code>network_mode: "host"</code> porque RustDesk necesita ver la IP real del host para funcionar correctamente.</p> <h2> Paso 6: Levantar los servicios </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Levantar servicios</span> docker compose up <span class="nt">-d</span> <span class="c"># Verificar que estén corriendo</span> docker ps <span class="c"># Ver logs</span> docker compose logs </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F939r0p4g61pmlkc6c1ss.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F939r0p4g61pmlkc6c1ss.png" alt="Servicios docker" width="800" height="444"></a></p> <h2> Paso 7: Obtener la clave pública del servidor </h2> <p>Esta clave es crucial para que los clientes confíen en tu servidor:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> /opt/rustdesk-server/data/id_ed25519.pub <span class="o">&amp;&amp;</span> <span class="nb">echo</span> <span class="s2">""</span> </code></pre> </div> <p>Guarda el resultado. Se verá algo como:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx= </code></pre> </div> <h2> Paso 8: Configurar el firewall </h2> <h3> Puertos necesarios para RustDesk OSS: </h3> <ul> <li> <strong>TCP 21115</strong> - Servicio principal</li> <li> <strong>TCP 21116</strong> - Servicio de ID</li> <li> <strong>UDP 21116</strong> - Para mejor rendimiento</li> <li> <strong>TCP 21117</strong> - Servicio de relay</li> </ul> <h3> Configurar UFW en el servidor: </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Instalar firewall ufw</span> apt <span class="nb">install</span> <span class="nt">-y</span> ufw <span class="c"># Permitir SSH desde TU IP pública</span> ufw allow from tu_ip_admin to any port 22 <span class="c"># SI NO TIENES IP pública, permite cualquier origen con</span> ufw allow 22 <span class="c"># Permitir puertos de RustDesk</span> ufw allow 21115/tcp ufw allow 21116/tcp ufw allow 21116/udp ufw allow 21117/tcp <span class="c"># Activar firewall</span> ufw <span class="nb">enable </span>ufw status verbose </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd2t0jrrgs9ozzj3tss1z.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd2t0jrrgs9ozzj3tss1z.png" alt="Firewall ufw" width="658" height="311"></a></p> <h3> Configurar firewall del proveedor cloud: </h3> <p>En el panel de tu proveedor cloud, crea reglas <strong>Inbound</strong> que permitan solo desde tus IPs corporativas:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frv9dt0ytzh0h2d3g8lu7.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frv9dt0ytzh0h2d3g8lu7.png" alt="Firewall DigitalOcean" width="800" height="434"></a></p> <h2> Paso 9: Configurar computador/cliente </h2> <p>En cada equipo:</p> <ol> <li>Abre RustDesk</li> <li>Ve a <strong>Settings → Network</strong> </li> <li>Haz click en <strong>Unlock Network Settings</strong> </li> <li>Ve a <strong>Servidor ID/Relay</strong> </li> <li>Configura: <ul> <li> <strong>ID Server</strong>: <code>IpServidorRust</code> </li> <li> <strong>Relay Server</strong>: <code>IpServidorRust</code> </li> <li> <strong>Key</strong>: Pega la clave pública obtenida en el paso 7</li> <li> <strong>API Server</strong>: Déjalo vacío (solo para RustDesk Pro)</li> </ul> </li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb5yb7rwtyhmmggqph587.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb5yb7rwtyhmmggqph587.png" alt="Configuración cliente Rust" width="800" height="473"></a></p> <p>Si quieres usar rápidamente tu configuración da click en el icono de copiar en la parte superior derecha, y el icono de pegar para importar:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbgjimz6pmo0cffgaeuqv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbgjimz6pmo0cffgaeuqv.png" alt="Export/Import cliente RustDesk" width="800" height="219"></a></p> <h2> Formas de mejorar la seguridad de tu computador/cliente RustDesk </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6fson7mgpdnrdwh7kvii.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6fson7mgpdnrdwh7kvii.png" alt="Configuración seguridad cliente RustDesk" width="760" height="992"></a></p> <p>RustDesk ofrece múltiples métodos de autenticación para controlar el acceso remoto de forma segura. Aquí te explico cada opción:</p> <h3> 1. <strong>Contraseña de un solo uso (One-time password)</strong> </h3> <ul> <li>Se genera automáticamente en cada sesión y el usuario debe suministrarla al técnico remoto para que pueda conectarse.</li> <li>Opciones de longitud: 6, 8 o 10 dígitos</li> <li>La clave cambia en cada sesión.</li> <li> <strong>Uso ideal</strong>: Soporte técnico puntual o accesos temporales</li> </ul> <h3> 2. <strong>Contraseña permanente (Permanent password)</strong> </h3> <ul> <li>Clave que especificas manualmente y no cambia entre sesiones</li> <li>Permite acceso continuo sin necesidad de compartir nuevas claves</li> <li> <strong>Uso ideal</strong>: Acceso remoto frecuente a tu propio equipo</li> </ul> <h3> 3. <strong>Combinación de ambos métodos (Both passwords)</strong> </h3> <ul> <li>Flexibilidad para usar contraseña temporal O permanente</li> <li> <strong>Uso ideal</strong>: Escenarios mixtos (uso personal + soporte ocasional)</li> </ul> <h3> 4. <strong>Autenticación en dos factores (2FA)</strong> </h3> <ul> <li>Capa adicional de seguridad</li> <li>Opciones: códigos desde app autenticadora o integración con bot de Telegram</li> <li> <strong>Uso ideal</strong>: Equipos accesibles desde internet público</li> </ul> <h3> 5. <strong>Dispositivos de confianza (Trusted devices)</strong> </h3> <ul> <li>Solo aplica cuando usas 2FA</li> <li>Marcar dispositivos específicos como confiables</li> <li>Evita solicitar 2FA en cada conexión desde esos dispositivos</li> <li>Mejora la comodidad manteniendo seguridad</li> </ul> <h3> 6. <strong>Configuraciones de seguridad adicionales</strong> </h3> <ul> <li> <strong>Longitud de contraseña</strong>: Configurable según necesidades de seguridad</li> <li> <strong>Tiempo de expiración</strong>: Para contraseñas temporales</li> <li> <strong>Registro de auditoría</strong>: Monitoreo de accesos</li> </ul> <h2> Recomendaciones prácticas: </h2> <p><strong>Para uso personal frecuente</strong>: Contraseña permanente + 2FA opcional<br><br> <strong>Para soporte técnico</strong>: Contraseña de un solo uso<br><br> <strong>Para entornos corporativos</strong>: 2FA obligatorio + dispositivos de confianza<br><br> <strong>Para máxima seguridad</strong>: Combinación de métodos + registro de auditoría </p> <p>Estos métodos te permiten balancear seguridad y conveniencia según tus necesidades específicas.</p> <h2> Cómo convertir esto en una red realmente cerrada </h2> <h3> 1. Bloquear acceso desde Internet público del servidor RustDesk </h3> <p>No permitas acceso a cualquier ip en las reglas del firewall ufw o del operador cloud. Solo permite:</p> <ul> <li>IPs de tus oficinas</li> <li>IP de tu VPN corporativa</li> <li>Rangos específicos autorizados</li> </ul> <h3> 2. Implementar VPN para acceso remoto </h3> <p>La forma más segura: usuarios remotos primero se conectan a la VPN corporativa, luego acceden a RustDesk.</p> <h3> 3. Crear usuario administrativo sin root: </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>adduser adminops usermod <span class="nt">-aG</span> <span class="nb">sudo </span>adminops <span class="nb">mkdir</span> <span class="nt">-p</span> /home/adminops/.ssh <span class="nb">cp</span> /root/.ssh/authorized_keys /home/adminops/.ssh/authorized_keys <span class="nb">chown</span> <span class="nt">-R</span> adminops:adminops /home/adminops/.ssh <span class="nb">chmod </span>700 /home/adminops/.ssh <span class="nb">chmod </span>600 /home/adminops/.ssh/authorized_keys <span class="c"># Deshabilitar root por SSH</span> <span class="k">if </span><span class="nb">grep</span> <span class="nt">-q</span> <span class="s1">'^PermitRootLogin'</span> /etc/ssh/sshd_config<span class="p">;</span> <span class="k">then </span><span class="nb">sed</span> <span class="nt">-i</span> <span class="s1">'s/^PermitRootLogin.*/PermitRootLogin no/'</span> /etc/ssh/sshd_config <span class="k">else </span><span class="nb">echo</span> <span class="s1">'PermitRootLogin no'</span> <span class="o">&gt;&gt;</span> /etc/ssh/sshd_config <span class="k">fi </span>sshd <span class="nt">-t</span> <span class="o">&amp;&amp;</span> systemctl restart ssh </code></pre> </div> <h2> RustDesk Pro: Para necesidades empresariales avanzadas </h2> <p>La versión RustDesk que hemos configurado es excelente para acceso remoto básico, pero si necesitas funcionalidades empresariales avanzadas, RustDesk ofrece una versión Pro con características adicionales:</p> <ul> <li><strong>Gestión centralizada de usuarios y grupos</strong></li> <li> <strong>Control de acceso granular</strong> (permisos por rol)</li> <li><strong>Autenticación LDAP/Active Directory</strong></li> <li><strong>Auditoría y logs detallados</strong></li> <li><strong>Soporte técnico prioritario</strong></li> <li><strong>Funciones de administración masiva</strong></li> </ul> <p>Para estas organizaciones puedes consultar los planes Pro en <a href="https://rustdesk.com/pricing/" rel="noopener noreferrer">https://rustdesk.com/pricing/</a>.</p> <p><strong>¿Necesitas un servidor en la nube?</strong> Puedes obtener un Droplet Ubuntu en DigitalOcean usando nuestro <a href="https://m.do.co/c/2c579acd7121" rel="noopener noreferrer">enlace de referido</a> y recibir créditos iniciales para probar este tutorial.</p> <p>¿Has implementado RustDesk en tu organización? ¡Comparte tu experiencia en los comentarios!</p> rustdesk remotedesktop selfhosted opensource How to Deploy Dokploy on an Ubuntu Server and Create Your First "Hello World" in Node.js Oscar Ricardo Sánche Gutierréz Fri, 27 Mar 2026 22:41:28 +0000 https://dev.to/oscar_ricardosncheguti/how-to-deploy-dokploy-on-an-ubuntu-server-and-create-your-first-hello-world-in-nodejs-lg2 https://dev.to/oscar_ricardosncheguti/how-to-deploy-dokploy-on-an-ubuntu-server-and-create-your-first-hello-world-in-nodejs-lg2 <h2> Introduction </h2> <p>Dokploy is a self-hosted deployment platform that simplifies containerized application management using Docker Swarm. In this comprehensive tutorial, I'll show you how to install Dokploy on an <strong>Ubuntu server</strong>, configure security with firewalls, deploy your first Node.js application, and follow production best practices.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5jvvlixnrkljsaanq0x3.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5jvvlixnrkljsaanq0x3.gif" alt="Architecture" width="700" height="395"></a></p> <blockquote> <p>Diagram created with <a href="https://savnet.co" rel="noopener noreferrer">https://savnet.co</a></p> </blockquote> <h2> What You'll Need </h2> <p>Before starting, make sure you have:</p> <ul> <li>An <strong>Ubuntu 24.04 LTS server</strong> (minimum 2 GB RAM for testing)</li> <li> <strong>SSH access</strong> with configured keys</li> <li>A <strong>domain or subdomain</strong> (optional but recommended for HTTPS)</li> <li>Basic terminal and Docker knowledge</li> </ul> <h2> Step 1: Prepare Your Ubuntu Server </h2> <p>If you already have an Ubuntu 24.04 LTS server with SSH access, you can skip this step. If you need to create one, follow these recommendations:</p> <ol> <li> <strong>Choose a cloud or VPS provider</strong> that offers Ubuntu 24.04 LTS</li> <li> <strong>Select a plan</strong> with at least 2 GB of RAM for testing</li> <li> <strong>Configure SSH key access</strong> instead of password (more secure)</li> <li> <strong>Consider enabling backups and monitoring</strong> for production</li> <li> <strong>Note the public IP</strong> of your server</li> </ol> <p>If your provider has an integrated firewall (like DigitalOcean Cloud Firewall, AWS Security Groups, etc.), configure the necessary rules from the control panel.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0o655rkgi11xk9gqelp2.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0o655rkgi11xk9gqelp2.png" alt="New Server DigitalOcean" width="800" height="446"></a></p> <h2> Step 2: Initial Server Configuration </h2> <p>Connect to the server via SSH:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ssh root@YOUR_PUBLIC_IP </code></pre> </div> <h3> Update system and install utilities </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>apt update <span class="o">&amp;&amp;</span> apt upgrade <span class="nt">-y</span> apt <span class="nb">install</span> <span class="nt">-y</span> curl wget git ufw ca-certificates gnupg lsb-release </code></pre> </div> <h3> Create administrator user (recommended) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>adduser deploy usermod <span class="nt">-aG</span> <span class="nb">sudo </span>deploy rsync <span class="nt">--archive</span> <span class="nt">--chown</span><span class="o">=</span>deploy:deploy ~/.ssh /home/deploy </code></pre> </div> <p>Now you can connect with the new user:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ssh deploy@YOUR_PUBLIC_IP </code></pre> </div> <h2> Step 3: Configure Firewall with UFW </h2> <p>Dokploy needs specific ports open. Configure UFW properly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Allow SSH first to avoid locking ourselves out</span> <span class="nb">sudo </span>ufw allow OpenSSH <span class="c"># Open ports needed for Dokploy and applications</span> <span class="nb">sudo </span>ufw allow 80/tcp <span class="c"># HTTP for Traefik</span> <span class="nb">sudo </span>ufw allow 443/tcp <span class="c"># HTTPS for Traefik</span> <span class="nb">sudo </span>ufw allow 443/udp <span class="c"># HTTPS UDP for Traefik</span> <span class="nb">sudo </span>ufw allow 3000/tcp <span class="c"># Dokploy panel (temporary only)</span> <span class="c"># Enable firewall</span> <span class="nb">sudo </span>ufw <span class="nb">enable sudo </span>ufw status numbered </code></pre> </div> <p><strong>Important</strong>: Docker can bypass UFW rules because it manipulates <code>iptables</code> directly. If your cloud provider offers an integrated firewall (like DigitalOcean Cloud Firewall, AWS Security Groups, etc.), we recommend configuring it as an additional security layer.</p> <p>Configure the same firewall rules in your provider's panel:</p> <ul> <li> <strong>22/TCP</strong> from your IP or trusted range (SSH)</li> <li> <strong>80/TCP</strong> from Anywhere (HTTP)</li> <li> <strong>443/TCP</strong> from Anywhere (HTTPS)</li> <li> <strong>443/UDP</strong> from Anywhere (HTTPS UDP)</li> <li> <strong>3000/TCP</strong> temporarily from your IP only (for initial setup)</li> </ul> <blockquote> <p>assets/dropplet-firewall.png</p> </blockquote> <h2> Step 4: Install Dokploy </h2> <p>The official Dokploy installation is straightforward with their script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-sSL</span> https://dokploy.com/install.sh | <span class="nb">sudo </span>sh </code></pre> </div> <p>This script automatically:</p> <ul> <li>Installs Docker if not present</li> <li>Initializes Docker Swarm</li> <li>Creates the overlay network <code>dokploy-network</code> </li> <li>Deploys Postgres, Redis, and Dokploy services</li> <li>Launches Traefik as reverse proxy</li> <li>Publishes the panel on port 3000</li> </ul> <h2> Step 5: Verify the Installation </h2> <p>Check that everything is working:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># View Docker Swarm services</span> docker service <span class="nb">ls</span> <span class="c"># View running containers</span> docker ps <span class="c"># Verify ports are listening</span> ss <span class="nt">-lntup</span> | <span class="nb">grep</span> <span class="nt">-E</span> <span class="s1">'(:80|:443|:3000)'</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F81yncuovtp3fgsxjdp01.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F81yncuovtp3fgsxjdp01.png" alt="Console up services" width="800" height="329"></a></p> <p>Now open your browser and access the Dokploy panel:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>http://YOUR_PUBLIC_IP:3000 </code></pre> </div> <p>Complete the initial setup wizard by creating your administrator account.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb7dzlkajpvs6xif8zvy8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb7dzlkajpvs6xif8zvy8.png" alt="Dashboard Home" width="800" height="421"></a></p> <h2> Step 6: Configure Domain and HTTPS (optional but recommended) </h2> <p>To access your applications with your own domain and HTTPS:</p> <ol> <li>In your DNS provider's panel (Cloudflare, DigitalOcean, AWS Route53, etc.), add your domain if you haven't already.</li> <li>Create DNS records: <ul> <li> <strong>A</strong> record for <code>@</code> pointing to your server IP</li> <li> <strong>A</strong> record for <code>www</code> pointing to your server IP</li> <li>Or a subdomain like <code>dokploy.yourdomain.com</code> </li> </ul> </li> </ol> <p>Wait for DNS propagation (may take a few minutes).</p> <h3> Restrict access to port 3000 </h3> <p>For security, once Dokploy is configured, restrict access to port 3000:</p> <ul> <li>In your cloud provider's firewall, limit it to your IP only if you need administrative access</li> </ul> <p> </p> <h2> Step 7: Deploy Your First "Hello World" Application in Node.js </h2> <p>Let's create a simple Node.js application and deploy it to Dokploy.</p> <h3> 7.1 Create the project locally </h3> <p>Create a folder for your project with the following files:</p> <p><strong>package.json</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"hello-world-dokploy"</span><span class="p">,</span><span class="w"> </span><span class="nl">"version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1.0.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"description"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Hello World application for Dokploy"</span><span class="p">,</span><span class="w"> </span><span class="nl">"main"</span><span class="p">:</span><span class="w"> </span><span class="s2">"app.js"</span><span class="p">,</span><span class="w"> </span><span class="nl">"scripts"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"start"</span><span class="p">:</span><span class="w"> </span><span class="s2">"node app.js"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"dependencies"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"express"</span><span class="p">:</span><span class="w"> </span><span class="s2">"^4.18.2"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>app.js</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">express</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">express</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">PORT</span> <span class="o">=</span> <span class="mi">3000</span><span class="p">;</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Hello World from Dokploy!</span><span class="dl">'</span><span class="p">,</span> <span class="na">timestamp</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">().</span><span class="nf">toISOString</span><span class="p">(),</span> <span class="na">environment</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NODE_ENV</span> <span class="p">});</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/health</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">200</span><span class="p">).</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">OK</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nf">listen</span><span class="p">(</span><span class="nx">PORT</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Server running on port </span><span class="p">${</span><span class="nx">PORT</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p><strong>Dockerfile</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="s"> node:18-alpine</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="k">COPY</span><span class="s"> package*.json ./</span> <span class="k">RUN </span>npm <span class="nb">install</span> <span class="nt">--omit</span><span class="o">=</span>dev <span class="k">COPY</span><span class="s"> . .</span> <span class="k">EXPOSE</span><span class="s"> 3000</span> <span class="k">USER</span><span class="s"> node</span> <span class="k">CMD</span><span class="s"> ["node", "app.js"]</span> </code></pre> </div> <p><strong>docker-compose.yml</strong> (for reference):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">3.8'</span> <span class="na">services</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="s">.</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">NODE_ENV=staging</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> </code></pre> </div> <h3> 7.2 Deploy to Dokploy </h3> <h4> Deploy part 1 </h4> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fei5sgxaa5p58rgg5sqgp.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fei5sgxaa5p58rgg5sqgp.gif" alt="Deploy part 1" width="600" height="338"></a></p> <h4> Deploy part 2 </h4> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk437rlxfxy662zubyddy.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk437rlxfxy662zubyddy.gif" alt="Deploy part 2" width="720" height="406"></a></p> <ol> <li>In the Dokploy panel, click <strong>Create Project</strong> </li> <li>Give your project a name (e.g., "Tests")</li> <li>In the project panel, click <strong>Create Service</strong> and select Application</li> <li>Name your application: <strong>Hello World</strong> </li> <li>Then access your application and in the bottom section <strong>Build Type</strong> select Dockerfile and then Save.</li> <li>In the top section you have <strong>Provider</strong>. For this test we'll select the Drop type, however for real cases the best option is through git repository.</li> <li>Once Drop is selected, drag to the <strong>Zip file</strong> area the zip with the code we specified in point 7.1.</li> <li>Click the <strong>Deploy</strong> button</li> <li>Once deployment is complete, it will show the <strong>Deployments</strong> tab where you should see a green dot and <strong>Done</strong> indicating the process was successful. You can click <strong>View</strong> to verify the process.</li> <li>Now, to deploy our Hello World, go to the <strong>Domains</strong> tab.</li> <li>For this test we'll use a free Traefik domain by clicking on the dice icon, specify that the <strong>Container Port</strong> is 3000 and enable HTTPS with Let's Encrypt provider.</li> <li>Then click the <strong>Create</strong> button</li> <li>When finished, it will give us a URL where we can enter and see our web. Important: since we're using a test domain it will give security warnings. For production environments use your own domain.</li> </ol> <h3> 7.3 Verify the deployment </h3> <p>Once deployment is complete, access your application:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>https://tests-hello-world-puloud-d13d9c-167-172-as2dsaccc234-151.traefik.me/ </code></pre> </div> <p>You should see the JSON "Hello World" message.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo1t1gls363gjabhue4xk.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo1t1gls363gjabhue4xk.png" alt="Browser Helo App" width="784" height="303"></a></p> <h2> Step 8: Production Best Practices </h2> <h3> 1. Don't build on production server </h3> <p>Dokploy recommends building Docker images in CI/CD (GitHub Actions, GitLab CI) and then deploying the pre-built image. This saves resources and reduces downtime risk.</p> <h3> 2. Use health checks </h3> <p>Configure health checks in your applications (like the <code>/health</code> endpoint in our example) so Docker Swarm can monitor status.</p> <h3> 3. Configure backups </h3> <ul> <li> <strong>Configure regular server backups</strong> (if your provider offers this feature)</li> <li>Configure regular database backups</li> <li>Use <code>docker volume</code> for persistent data</li> </ul> <h3> 4. Monitoring and logs </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># View Dokploy logs</span> docker service logs dokploy <span class="nt">--tail</span> 100 <span class="nt">-f</span> <span class="c"># View application logs</span> docker service logs hello-world_app <span class="nt">--tail</span> 100 <span class="nt">-f</span> <span class="c"># View service status</span> docker service ps hello-world_app </code></pre> </div> <h2> Conclusion </h2> <p>Dokploy offers a robust, self-hosted solution for deploying applications on Docker Swarm. By implementing it on an Ubuntu server, you get a scalable, secure, and professional infrastructure at an accessible cost.</p> <p><strong>Need a cloud server?</strong> You can get an Ubuntu Droplet on DigitalOcean using our <a href="https://m.do.co/c/2c579acd7121" rel="noopener noreferrer">referral link</a> and receive initial credits to try this tutorial.</p> <h2> Additional Resources </h2> <ul> <li><a href="https://docs.dokploy.com" rel="noopener noreferrer">Official Dokploy Documentation</a></li> <li><a href="https://docs.dokploy.com/docs/core/remote-servers/security" rel="noopener noreferrer">Dokploy Security Guide</a></li> <li><a href="https://docs.digitalocean.com/products/networking/firewalls/" rel="noopener noreferrer">DigitalOcean Firewall Documentation</a></li> <li><a href="https://github.com/dokploy/dokploy" rel="noopener noreferrer">Dokploy GitHub Repository</a></li> <li><a href="https://discord.gg/dokploy" rel="noopener noreferrer">Dokploy Discord Community</a></li> </ul> <p><strong>Enjoyed this tutorial?</strong> Share your experiences deploying applications with Dokploy in the comments or suggest topics for future articles.</p> devops dokploy node tutorial Cómo desplegar Dokploy en un servidor Ubuntu y crear tu primer "Hola Mundo" en Node.js Oscar Ricardo Sánche Gutierréz Fri, 27 Mar 2026 22:38:03 +0000 https://dev.to/oscar_ricardosncheguti/como-desplegar-dokploy-en-un-servidor-ubuntu-y-crear-tu-primer-hola-mundo-en-nodejs-14b8 https://dev.to/oscar_ricardosncheguti/como-desplegar-dokploy-en-un-servidor-ubuntu-y-crear-tu-primer-hola-mundo-en-nodejs-14b8 <h2> Introducción </h2> <p>Dokploy es una plataforma de despliegue auto-hospedada que simplifica la gestión de aplicaciones en contenedores Docker usando Docker Swarm. En este tutorial completo, te mostraré cómo instalar Dokploy en un <strong>servidor Ubuntu</strong>, configurar seguridad con firewall, desplegar tu primera aplicación Node.js y seguir las mejores prácticas para producción.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F85bwgux6b6zb9kbrh6s3.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F85bwgux6b6zb9kbrh6s3.gif" alt="Arquitectura" width="700" height="395"></a></p> <blockquote> <p>Diagrama realizado con <a href="https://savnet.co" rel="noopener noreferrer">https://savnet.co</a></p> </blockquote> <h2> ¿Qué necesitas? </h2> <p>Antes de comenzar, asegúrate de tener:</p> <ul> <li>Un <strong>servidor con Ubuntu 24.04 LTS</strong> (2 GB de RAM mínimo para pruebas)</li> <li>Acceso por <strong>SSH</strong> con claves configuradas</li> <li>Un <strong>dominio o subdominio</strong> (opcional, pero recomendado para HTTPS)</li> <li>Conocimientos básicos de terminal y Docker</li> </ul> <h2> Paso 1: Preparar tu servidor Ubuntu </h2> <p>Si ya tienes un servidor Ubuntu 24.04 LTS con acceso SSH, puedes saltar este paso. Si necesitas crear uno, sigue estas recomendaciones:</p> <ol> <li> <strong>Elige un proveedor de cloud o VPS</strong> que ofrezca Ubuntu 24.04 LTS</li> <li> <strong>Selecciona un plan</strong> con al menos 2 GB de RAM para pruebas</li> <li> <strong>Configura acceso SSH con claves</strong> en lugar de contraseña (más seguro)</li> <li> <strong>Considera activar backups y monitoreo</strong> si es para producción</li> <li> <strong>Anota la IP pública</strong> de tu servidor</li> </ol> <p>Si usas un proveedor con firewall integrado (como Cloud Firewall de DigitalOcean, Security Groups de AWS, etc.), configura las reglas necesarias desde el panel de control.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fku8nrc9a6pjt628k29w4.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fku8nrc9a6pjt628k29w4.png" alt="Servidor DitialOcean" width="800" height="446"></a></p> <h2> Paso 2: Configuración inicial del servidor </h2> <p>Conéctate al servidor por SSH:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ssh root@TU_IP_PUBLICA </code></pre> </div> <h3> Actualizar sistema e instalar utilidades </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>apt update <span class="o">&amp;&amp;</span> apt upgrade <span class="nt">-y</span> apt <span class="nb">install</span> <span class="nt">-y</span> curl wget git ufw ca-certificates gnupg lsb-release </code></pre> </div> <h3> Crear usuario administrador (recomendado) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>adduser deploy usermod <span class="nt">-aG</span> <span class="nb">sudo </span>deploy rsync <span class="nt">--archive</span> <span class="nt">--chown</span><span class="o">=</span>deploy:deploy ~/.ssh /home/deploy </code></pre> </div> <p>Ahora puedes conectarte con el nuevo usuario:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ssh deploy@TU_IP_PUBLICA </code></pre> </div> <h2> Paso 3: Configurar firewall con UFW </h2> <p>Dokploy necesita puertos específicos abiertos. Configura UFW correctamente:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Permitir SSH primero para no bloquearnos</span> <span class="nb">sudo </span>ufw allow OpenSSH <span class="c"># Abrir puertos necesarios para Dokploy y aplicaciones</span> <span class="nb">sudo </span>ufw allow 80/tcp <span class="c"># HTTP para Traefik</span> <span class="nb">sudo </span>ufw allow 443/tcp <span class="c"># HTTPS para Traefik</span> <span class="nb">sudo </span>ufw allow 443/udp <span class="c"># HTTPS UDP para Traefik</span> <span class="nb">sudo </span>ufw allow 3000/tcp <span class="c"># Panel de Dokploy (solo temporal)</span> <span class="c"># Activar firewall</span> <span class="nb">sudo </span>ufw <span class="nb">enable sudo </span>ufw status numbered </code></pre> </div> <p><strong>Importante</strong>: Docker puede saltarse reglas de UFW porque manipula <code>iptables</code> directamente. Si tu proveedor de cloud ofrece firewall integrado (como Cloud Firewall de DigitalOcean, Security Groups de AWS, etc.), te recomendamos configurarlo también como capa adicional de seguridad.</p> <p>Configura las mismas reglas de firewall en el panel de tu proveedor:</p> <ul> <li> <strong>22/TCP</strong> desde tu IP o rango de confianza (SSH)</li> <li> <strong>80/TCP</strong> desde Anywhere (HTTP)</li> <li> <strong>443/TCP</strong> desde Anywhere (HTTPS)</li> <li> <strong>443/UDP</strong> desde Anywhere (HTTPS UDP)</li> <li> <strong>3000/TCP</strong> temporalmente desde tu IP (solo para configuración inicial)</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F68fg2sgmhbws48kp8hqv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F68fg2sgmhbws48kp8hqv.png" alt="Firewall de servidor" width="800" height="208"></a></p> <h2> Paso 4: Instalar Dokploy </h2> <p>La instalación oficial de Dokploy es sencilla con su script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-sSL</span> https://dokploy.com/install.sh | <span class="nb">sudo </span>sh </code></pre> </div> <p>Este script automáticamente:</p> <ul> <li>Instala Docker si no está presente</li> <li>Inicializa Docker Swarm</li> <li>Crea la red overlay <code>dokploy-network</code> </li> <li>Despliega servicios de Postgres, Redis y Dokploy</li> <li>Levanta Traefik como reverse proxy</li> <li>Publica el panel en el puerto 3000</li> </ul> <h2> Paso 5: Verificar la instalación </h2> <p>Comprueba que todo esté funcionando:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Ver servicios de Docker Swarm</span> docker service <span class="nb">ls</span> <span class="c"># Ver contenedores en ejecución</span> docker ps <span class="c"># Verificar que los puertos estén escuchando</span> ss <span class="nt">-lntup</span> | <span class="nb">grep</span> <span class="nt">-E</span> <span class="s1">'(:80|:443|:3000)'</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8yyavlrgbn1qy9h58g8l.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8yyavlrgbn1qy9h58g8l.png" alt="Dashboard Dokploy" width="800" height="329"></a></p> <p>Ahora abre tu navegador y accede al panel de Dokploy:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>http://TU_IP_PUBLICA:3000 </code></pre> </div> <p>Completa el asistente inicial creando tu cuenta de administrador.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F13s0ydlj7piamh37mmbg.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F13s0ydlj7piamh37mmbg.png" alt="Home dokploy" width="800" height="421"></a></p> <h2> Paso 6: Configurar dominio y HTTPS (opcional pero recomendado) </h2> <p>Para acceder a tus aplicaciones con dominio propio y HTTPS:</p> <ol> <li>En el panel de DNS de tu proveedor (Cloudflare, DigitalOcean, AWS Route53, etc.), añade tu dominio si no lo tienes ya.</li> <li>Crea registros DNS: <ul> <li> <strong>A</strong> record para <code>@</code> apuntando a la IP de tu servidor</li> <li> <strong>A</strong> record para <code>www</code> apuntando a la IP de tu servidor</li> <li>O un subdominio como <code>dokploy.tudominio.com</code> </li> </ul> </li> </ol> <p>Espera la propagación DNS (puede tomar unos minutos).</p> <h3> Restringir acceso al puerto 3000 </h3> <p>Por seguridad, una vez configurado Dokploy, restringe el acceso al puerto 3000:</p> <ul> <li>En el firewall de tu proveedor de cloud, limítala solo a tu IP si necesitas acceso administrativo.</li> </ul> <h2> Paso 7: Desplegar tu primera aplicación "Hola Mundo" en Node.js </h2> <p>Vamos a crear una aplicación Node.js simple y desplegarla en Dokploy.</p> <h3> 7.1 Crear el proyecto localmente </h3> <p>Crea una carpeta para tu proyecto y los siguientes archivos:</p> <p><strong>package.json</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"hola-mundo-dokploy"</span><span class="p">,</span><span class="w"> </span><span class="nl">"version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1.0.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"description"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Aplicación Hola Mundo para Dokploy"</span><span class="p">,</span><span class="w"> </span><span class="nl">"main"</span><span class="p">:</span><span class="w"> </span><span class="s2">"app.js"</span><span class="p">,</span><span class="w"> </span><span class="nl">"scripts"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"start"</span><span class="p">:</span><span class="w"> </span><span class="s2">"node app.js"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"dependencies"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"express"</span><span class="p">:</span><span class="w"> </span><span class="s2">"^4.18.2"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>app.js</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">express</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">express</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">PORT</span> <span class="o">=</span> <span class="mi">3000</span><span class="p">;</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">¡Hola Mundo desde Dokploy!</span><span class="dl">'</span><span class="p">,</span> <span class="na">timestamp</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">().</span><span class="nf">toISOString</span><span class="p">(),</span> <span class="na">environment</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NODE_ENV</span> <span class="p">});</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/health</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">200</span><span class="p">).</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">OK</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nf">listen</span><span class="p">(</span><span class="nx">PORT</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Servidor corriendo en puerto </span><span class="p">${</span><span class="nx">PORT</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p><strong>Dockerfile</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="s"> node:18-alpine</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="k">COPY</span><span class="s"> package*.json ./</span> <span class="k">RUN </span>npm <span class="nb">install</span> <span class="nt">--omit</span><span class="o">=</span>dev <span class="k">COPY</span><span class="s"> . .</span> <span class="k">EXPOSE</span><span class="s"> 3000</span> <span class="k">USER</span><span class="s"> node</span> <span class="k">CMD</span><span class="s"> ["node", "app.js"]</span> </code></pre> </div> <p><strong>docker-compose.yml</strong> (para referencia):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">3.8'</span> <span class="na">services</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="s">.</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">NODE_ENV=staging</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> </code></pre> </div> <h3> 7.2 Desplegar en Dokploy </h3> <h4> Despliegue parte 1 </h4> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Foo2i64a6w4f9i3jnoix3.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Foo2i64a6w4f9i3jnoix3.gif" alt="Despliegue parte 1" width="600" height="338"></a></p> <h4> Despliegue parte 2 </h4> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsxwo1zm9ub2ywxa11jmz.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsxwo1zm9ub2ywxa11jmz.gif" alt="Despliegue parte 2" width="720" height="406"></a></p> <ol> <li>En el panel de Dokploy, haz clic en <strong>Create Project</strong> </li> <li>Dale un nombre a tu proyecto (ej: "Tests")</li> <li>En el panel de proyecto, haz click en <strong>Create Service</strong> y selecciona Application</li> <li>Dale un nombre a tu aplicación: <strong>Hello World</strong> </li> <li>Luego accede a tu aplicación y en la sección inferior <strong>Build Type</strong> selecciona Dockerfile y luego Save.</li> <li>En la parte superior cuentas con la sección <strong>Provider</strong>. Para esta prueba seleccionaremos el tipo Drop, sin embargo para casos reales la mejor opción es a través de repositorio git.</li> <li>Una vez seleccionado Drop, arrastra al área <strong>Zip file</strong> el zip con el código que especificamos en el punto 7.1.</li> <li>Haz clic en el botón <strong>Deploy</strong> </li> <li>Una vez terminado el despliegue, te mostrará la pestaña <strong>Deployments</strong> en la cual deberás ver un punto verde y <strong>Done</strong> que indica que el proceso fue exitoso. Puedes hacer clic en <strong>View</strong> para verificar el proceso.</li> <li>Ahora, para desplegar nuestro Hola Mundo, ve a la pestaña <strong>Domains</strong>.</li> <li>Para esta prueba usaremos un dominio gratuito de Traefik haciendo click en el icono de un par de dados, especificamos que el <strong>Container Port</strong> es 3000 y habilitamos el HTTPS con proveedor Let's Encrypt.</li> <li>Luego haz clic en el botón <strong>Create</strong> </li> <li>Al terminar nos dará una URL a la cual podremos ingresar y ver nuestra web. Importante: como estamos usando un dominio de prueba nos dará advertencia de seguridad. Para entornos de producción usa un dominio propio.</li> </ol> <h3> 7.3 Verificar el despliegue </h3> <p>Una vez completado el despliegue, accede a tu aplicación:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>https://tests-hello-world-puloud-d13d9c-167-172-as2dsaccc234-151.traefik.me/ </code></pre> </div> <p>Deberías ver el mensaje JSON de "Hola Mundo".</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0m7kcndy3bhchw2c4ous.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0m7kcndy3bhchw2c4ous.png" alt=" " width="784" height="303"></a></p> <h2> Paso 8: Buenas prácticas para producción </h2> <h3> 1. No compilar en el servidor de producción </h3> <p>Dokploy recomienda construir las imágenes Docker en CI/CD (GitHub Actions, GitLab CI) y luego desplegar la imagen ya construida. Esto ahorra recursos y reduce riesgo de downtime.</p> <h3> 2. Usar health checks </h3> <p>Configura health checks en tus aplicaciones (como el endpoint <code>/health</code> en nuestro ejemplo) para que Docker Swarm pueda monitorear el estado.</p> <h3> 3. Configurar backups </h3> <ul> <li> <strong>Configura backups regulares</strong> de tu servidor (si tu proveedor ofrece esta funcionalidad)</li> <li>Configura backups de bases de datos regularmente</li> <li>Usa <code>docker volume</code> para datos persistentes</li> </ul> <h3> 4. Monitoreo y logs </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Ver logs de Dokploy</span> docker service logs dokploy <span class="nt">--tail</span> 100 <span class="nt">-f</span> <span class="c"># Ver logs de tu aplicación</span> docker service logs hola-mundo_app <span class="nt">--tail</span> 100 <span class="nt">-f</span> <span class="c"># Ver estado de los servicios</span> docker service ps hola-mundo_app </code></pre> </div> <h2> Conclusión </h2> <p>Dokploy ofrece una solución robusta y auto-hospedada para el despliegue de aplicaciones en Docker Swarm. Al implementarlo en un servidor Ubuntu, obtienes una infraestructura escalable, segura y profesional a un costo accesible.</p> <p><strong>¿Necesitas un servidor en la nube?</strong> Puedes obtener un Droplet Ubuntu en DigitalOcean usando nuestro <a href="https://m.do.co/c/2c579acd7121" rel="noopener noreferrer">enlace de referido</a> y recibir créditos iniciales para probar este tutorial.</p> <h2> Recursos adicionales </h2> <ul> <li><a href="https://docs.dokploy.com" rel="noopener noreferrer">Documentación oficial de Dokploy</a></li> <li><a href="https://docs.dokploy.com/docs/core/remote-servers/security" rel="noopener noreferrer">Guía de seguridad de Dokploy</a></li> <li><a href="https://docs.digitalocean.com/products/networking/firewalls/" rel="noopener noreferrer">Documentación de DigitalOcean sobre firewalls</a></li> <li><a href="https://github.com/dokploy/dokploy" rel="noopener noreferrer">Repositorio GitHub de Dokploy</a></li> <li><a href="https://discord.gg/dokploy" rel="noopener noreferrer">Comunidad Discord de Dokploy</a></li> </ul> <p><strong>¿Te gustó este tutorial?</strong> Comparte tus experiencias desplegando aplicaciones con Dokploy en los comentarios o sugiere temas para futuros artículos.</p> devops dokploy node tutorial Basic Load Balancing for a Web System on DigitalOcean Oscar Ricardo Sánche Gutierréz Fri, 06 Mar 2026 20:43:27 +0000 https://dev.to/oscar_ricardosncheguti/basic-load-balancing-for-a-web-system-on-digitalocean-2hf7 https://dev.to/oscar_ricardosncheguti/basic-load-balancing-for-a-web-system-on-digitalocean-2hf7 <p>In this article we’ll build a <strong>simple and inexpensive load-balanced web setup on DigitalOcean</strong>.</p> <p>The architecture is intentionally minimal:</p> <ul> <li>1 DigitalOcean Load Balancer</li> <li>2 small droplets</li> <li>A lightweight web app running with <strong>Docker + PHP + Nginx</strong> </li> </ul> <p>The goal is to show how quickly you can build a <strong>basic scalable web entry point</strong> without complex infrastructure.</p> <p>Architecture diagram created with <strong><a href="https://savnet.co" rel="noopener noreferrer">savnet.co</a></strong>:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1yoatkmjtxd5u51jmo92.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1yoatkmjtxd5u51jmo92.gif" alt="architecture" width="962" height="690"></a></p> <h1> Creating the first server </h1> <p>Go to your <strong>DigitalOcean account</strong> and create a small droplet.</p> <p>Configuration used in this guide:</p> <ul> <li>Image: <strong>Docker latest on Ubuntu 22.04</strong> </li> <li>Region: choose the closest to your users</li> <li>Authentication: <strong>SSH recommended</strong> (Password also works)</li> <li>Hostname: <code>WebServer-1</code> </li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2wj8xt2x7tox1kmq5683.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2wj8xt2x7tox1kmq5683.gif" alt="create-server-1" width="720" height="404"></a></p> <p>Once the droplet is ready, connect to the server.</p> <h1> Preparing the server </h1> <h2> 1. Create a user </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>adduser web_app usermod <span class="nt">-aG</span> <span class="nb">sudo </span>web_app <span class="nb">sudo </span>usermod <span class="nt">-aG</span> docker web_app su - web_app </code></pre> </div> <p>This user will run the application and manage Docker.</p> <h2> 2. Create the application folder </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir</span> <span class="nt">-p</span> ~/app <span class="nb">cd</span> ~/app </code></pre> </div> <h2> 3. Create the application files </h2> <h3> <code>index.php</code> </h3> <p>A very small script that prints the server IP responding to the request.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="cp">&lt;?php</span> <span class="k">echo</span> <span class="s1">'Hi. From ip '</span><span class="mf">.</span><span class="nv">$_SERVER</span><span class="p">[</span><span class="s1">'SERVER_ADDR'</span><span class="p">];</span> </code></pre> </div> <h3> <code>nginx.conf</code> </h3> <p>Basic Nginx configuration to serve PHP via PHP-FPM.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">server</span> <span class="p">{</span> <span class="kn">listen</span> <span class="mi">80</span><span class="p">;</span> <span class="kn">server_name</span> <span class="s">localhost</span><span class="p">;</span> <span class="kn">root</span> <span class="n">/var/www/html</span><span class="p">;</span> <span class="kn">index</span> <span class="s">index.php</span><span class="p">;</span> <span class="kn">location</span> <span class="n">/</span> <span class="p">{</span> <span class="kn">try_files</span> <span class="nv">$uri</span> <span class="nv">$uri</span><span class="n">/</span> <span class="p">=</span><span class="mi">404</span><span class="p">;</span> <span class="p">}</span> <span class="kn">location</span> <span class="p">~</span> <span class="sr">\.php$</span> <span class="p">{</span> <span class="kn">fastcgi_pass</span> <span class="nf">127.0.0.1</span><span class="p">:</span><span class="mi">9000</span><span class="p">;</span> <span class="kn">fastcgi_index</span> <span class="s">index.php</span><span class="p">;</span> <span class="kn">fastcgi_param</span> <span class="s">SCRIPT_FILENAME</span> <span class="nv">$document_root$fastcgi_script_name</span><span class="p">;</span> <span class="kn">include</span> <span class="s">fastcgi_params</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> <code>docker-compose.yml</code> </h3> <p>This setup runs <strong>Nginx + PHP-FPM</strong> using Docker.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">3.8'</span> <span class="na">services</span><span class="pi">:</span> <span class="na">nginx</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nginx:alpine</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">nginx-web</span> <span class="na">network_mode</span><span class="pi">:</span> <span class="s">host</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./:/var/www/html</span> <span class="pi">-</span> <span class="s">./nginx.conf:/etc/nginx/conf.d/default.conf</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">php-fpm</span> <span class="na">php-fpm</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">php:8.2-fpm</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">php-app</span> <span class="na">network_mode</span><span class="pi">:</span> <span class="s">host</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./:/var/www/html</span> </code></pre> </div> <h2> 4. Start the application </h2> <p>Run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker compose up </code></pre> </div> <p>If everything is correct you should see the containers starting.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9ebfgjd2nbkb3i8cxmgu.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9ebfgjd2nbkb3i8cxmgu.png" alt="app-start" width="800" height="354"></a></p> <p>Open the <strong>server IP in your browser</strong>.</p> <p>You should see something like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Hi. From ip 10.x.x.x </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6q5s7v1ykntmpwgwrze0.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6q5s7v1ykntmpwgwrze0.png" alt="app-running" width="446" height="275"></a></p> <h1> Creating the Load Balancer </h1> <p>Now we create the <strong>DigitalOcean Load Balancer</strong>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1cbsc6m7jfhakj3kmpjv.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1cbsc6m7jfhakj3kmpjv.gif" alt="load-balancer" width="600" height="588"></a></p> <p>Configure:</p> <ul> <li>HTTP forwarding</li> <li>Attach <strong>WebServer-1</strong> </li> </ul> <p>Once created, open the <strong>load balancer IP</strong>.</p> <p>You’ll see something similar to this:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fljl8v6qz9wpe63dxr9qz.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fljl8v6qz9wpe63dxr9qz.png" alt="lb-response" width="395" height="192"></a></p> <p>Notice that the response shows an <strong>internal server IP</strong>, because traffic between the load balancer and droplets happens inside DigitalOcean’s network.</p> <h1> Creating the second server faster </h1> <p>Instead of repeating the setup manually, we can <strong>create a snapshot</strong> of the first droplet.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fawsi0hnl7so42xc3ilhv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fawsi0hnl7so42xc3ilhv.png" alt="snapshot" width="800" height="491"></a></p> <p>Then create a <strong>new droplet from that snapshot</strong> in the same region.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhaxczvla64clgpfqmr9a.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhaxczvla64clgpfqmr9a.png" alt="snapshot-server" width="800" height="347"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn4ac3ds1ktk5xo3mrzh2.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn4ac3ds1ktk5xo3mrzh2.gif" alt=" " width="600" height="589"></a></p> <h1> Adding the new node to the Load Balancer </h1> <p>Go back to the Load Balancer configuration and attach the second server.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft44g2ezvux5imh69t98b.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft44g2ezvux5imh69t98b.png" alt="attach-node" width="800" height="338"></a></p> <p>After about a minute, DigitalOcean will mark the droplet as <strong>healthy</strong>.</p> <p>Now refresh the Load Balancer IP multiple times.</p> <p>You should see responses coming from <strong>different internal IPs</strong>, meaning traffic is being distributed.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpcbf7jyehw5d1934bm47.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpcbf7jyehw5d1934bm47.png" alt="node1" width="800" height="474"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo5ofclo5h1h1gr4jp5lc.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo5ofclo5h1h1gr4jp5lc.png" alt="node2" width="616" height="327"></a></p> <h1> Security recommendations </h1> <p>This example focuses on the <strong>basic load balancing setup</strong>, but in a real environment you should also:</p> <ul> <li>Add a <strong>DigitalOcean firewall</strong> </li> <li>Restrict droplets so they are <strong>only reachable from the load balancer</strong> </li> <li>Enable <strong>HTTPS</strong> </li> <li>Configure <strong>health checks</strong> </li> </ul> <p>These small changes significantly improve the security of the system.</p> <h1> Tools used </h1> <ul> <li> <strong>OBS</strong> – screen recording</li> <li> <strong>Kdenlive</strong> – video editing</li> <li> <strong><a href="https://savnet.co" rel="noopener noreferrer">savnet.co</a></strong> – architecture diagrams used in this article</li> </ul> beginners cloud devops tutorial