Lost connection to server when self hosting

Jose_Vines_Lopez · September 2, 2025, 7:22am

Bug Description

I get the following error message when trying to use n8n:

Origin header does NOT match the expected origin. (Origin: "n8n.example.com", Expected: "192.168.0.83:5678")

To Reproduce

I’m hosting N8N in my own computer. I use cloudflare tunnels to expose and use Nginx Proxy Manager as the reverse proxy.

This is my compose:

services:
  n8n:
    image: n8nio/n8n:latest
    restart: unless-stopped
    ports:
      - 5678:5678
    environment:
      - GENERIC_TIMEZONE=America/Santiago
      - DB_TYPE=postgresdb
      - DB_POSTGRESDB_DATABASE=n8n_db
      - DB_POSTGRESDB_HOST=postgres
      - DB_POSTGRESDB_PORT=5432
      - DB_POSTGRESDB_USER=${PG_USER}
      - DB_POSTGRESDB_PASSWORD=${PG_PASSWORD}
      - N8N_EXTERNAL_STORAGE_S3_HOST=s3
      - N8N_EXTERNAL_STORAGE_S3_BUCKET_NAME=n8n
      - N8N_EXTERNAL_STORAGE_S3_ACCESS_KEY=${S3_ACCESS_KEY}
      - N8N_EXTERNAL_STORAGE_S3_ACCESS_SECRET=${S3_ACCESS_SECRET}
      - N8N_HOST=n8n.example
      - N8N_EDITOR_BASE_URL=https://n8n.example.com
      - WEBHOOK_URL=https://n8n.example.com
      - N8N_SECURE_COOKIE=false
      - N8N_PROTOCOL=https
      - N8N_PROXY_HOPS=1
    volumes:
      - /path:/home/node/.n8n
      - /another/path:/files
    networks:
      - db_network
networks:
  db_network:
    external: true

This is my config on NPM and I use authentik as an auth with a reverse proxy auth setting.

# Increase buffer size for large headers
# This is needed only if you get 'upstream sent too big header while reading response
# header from upstream' error when trying to access an application protected by goauthentik
proxy_buffers 8 16k;
proxy_buffer_size 32k;

# Make sure not to redirect traffic to a port 4443
port_in_redirect off;

location / {
    # Put your proxy_pass to your application here
    proxy_pass          $forward_scheme://$server:$port;
    # Set any other headers your application might need
    proxy_set_header Origin $scheme://$http_host;
    # proxy_set_header Host $host;
    # proxy_set_header ...

    ##############################
    # authentik-specific config
    ##############################
    auth_request     /outpost.goauthentik.io/auth/nginx;
    error_page       401 = @goauthentik_proxy_signin;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header       Set-Cookie $auth_cookie;

    # translate headers from the outposts back to the actual upstream
    auth_request_set $authentik_username $upstream_http_x_authentik_username;
    auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
    auth_request_set $authentik_entitlements $upstream_http_x_authentik_entitlements;
    auth_request_set $authentik_email $upstream_http_x_authentik_email;
    auth_request_set $authentik_name $upstream_http_x_authentik_name;
    auth_request_set $authentik_uid $upstream_http_x_authentik_uid;

    proxy_set_header X-authentik-username $authentik_username;
    proxy_set_header X-authentik-groups $authentik_groups;
    proxy_set_header X-authentik-entitlements $authentik_entitlements;
    proxy_set_header X-authentik-email $authentik_email;
    proxy_set_header X-authentik-name $authentik_name;
    proxy_set_header X-authentik-uid $authentik_uid;

    # This section should be uncommented when the "Send HTTP Basic authentication" option
    # is enabled in the proxy provider
    #auth_request_set $authentik_auth $upstream_http_authorization;
    #proxy_set_header Authorization $authentik_auth;
}

# all requests to /outpost.goauthentik.io must be accessible without authentication
location /outpost.goauthentik.io {
    # When using the embedded outpost, use:
    #proxy_pass              http://authentik.company:9000/outpost.goauthentik.io;
    proxy_pass              http://192.168.0.83:9002/outpost.goauthentik.io;
    # For manual outpost deployments:
    # proxy_pass              http://outpost.company:9000;

    # Note: ensure the Host header matches your external authentik URL:
    proxy_set_header        Host $host;

    proxy_set_header        X-Original-URL $scheme://$http_host$request_uri;
    add_header              Set-Cookie $auth_cookie;
    auth_request_set        $auth_cookie $upstream_http_set_cookie;
    proxy_pass_request_body off;
    proxy_set_header        Content-Length "";
}

# Special location for when the /auth endpoint returns a 401,
# redirect to the /start URL which initiates SSO
location @goauthentik_proxy_signin {
    internal;
    add_header Set-Cookie $auth_cookie;
    return 302 /outpost.goauthentik.io/start?rd=$request_uri;
    # For domain level, use the below error_page to redirect to your authentik server with the full redirect path

}

I can login to n8n fine, but when trying to do anything it gives me the aforementioned error.

Also I get these on the logs:

n8n-1  | Permissions 0644 for n8n settings file /home/node/.n8n/config are too wide. This is ignored for now, but in the future n8n will attempt to change the permissions automatically. To automatically enforce correct permissions now set N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS=true (recommended), or turn this check off set N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS=false.
n8n-1  | Initializing n8n process
n8n-1  | n8n ready on ::, port 5678
n8n-1  | 
n8n-1  | There are deprecations related to your environment variables. Please take the recommended actions to update your configuration:
n8n-1  |  - N8N_RUNNERS_ENABLED -> Running n8n without task runners is deprecated. Task runners will be turned on by default in a future version. Please set `N8N_RUNNERS_ENABLED=true` to enable task runners now and avoid potential issues in the future. Learn more: https://docs.n8n.io/hosting/configuration/task-runners/
n8n-1  |  - N8N_BLOCK_ENV_ACCESS_IN_NODE -> The default value of N8N_BLOCK_ENV_ACCESS_IN_NODE will be changed from false to true in a future version. If you need to access environment variables from the Code Node or from expressions, please set N8N_BLOCK_ENV_ACCESS_IN_NODE=false. Learn more: https://docs.n8n.io/hosting/configuration/environment-variables/security/
n8n-1  | 
n8n-1  | Initializing AuthRolesService...
n8n-1  | AuthRolesService initialized successfully.
n8n-1  | [license SDK] Skipping renewal on init: license cert is not due for renewal
n8n-1  | Version: 1.109.1
n8n-1  | 2025-09-02T07:01:01.401Z [Rudder] error: Response error code: ECONNREFUSED
n8n-1  | 
n8n-1  | Editor is now accessible via:
n8n-1  | https://n8n.jvines.cl
n8n-1  | 2025-09-02T07:01:01.614Z [Rudder] error: Response error code: ECONNREFUSED
n8n-1  | 2025-09-02T07:01:02.054Z [Rudder] error: Response error code: ECONNREFUSED
n8n-1  | 2025-09-02T07:01:03.057Z [Rudder] error: Error: ECONNREFUSED
n8n-1  | connect ECONNREFUSED 0.0.0.0:443
n8n-1  | connect ECONNREFUSED 0.0.0.0:443
n8n-1  | connect ECONNREFUSED 0.0.0.0:443
n8n-1  | connect ECONNREFUSED 0.0.0.0:443

Expected behavior

I expect flows to work correctly

##[details=“instance information”]

Debug Info

Debug info

core

n8nVersion: 1.109.1
platform: docker (self-hosted)
nodeJsVersion: 22.17.0
database: postgres
executionMode: regular
concurrency: -1
license: enterprise (production)
consumerId: 7e3d504c-2026-4146-a389-fc30d592605d

storage

success: all
error: all
progress: false
manual: true
binaryMode: memory

pruning

enabled: true
maxAge: 336 hours
maxCount: 10000 executions

client

userAgent: mozilla/5.0 (macintosh; intel mac os x 10.15; rv:141.0) gecko/20100101 firefox/141.0
isTouchDevice: false

security

secureCookie: false

Generated at: 2025-09-02T07:14:08.210Z
[/details]

Operating System

Linux Mint

n8n Version

1.109.1

Node.js Version

22.17.0

Database

PostgreSQL

Execution mode

main (default)

Hosting

self hosted

Kiramat_Khan · September 2, 2025, 7:55am

I’m using Docker Hub as a self hosted and I have no such queries, Initially, it required wsl-update and veritual machine enabling. and then it worked….

shortstacked · September 2, 2025, 8:42am

Hey, from your proxy config it looks like you have:
“proxy_set_header Origin $scheme://$http_host;”
set which shouldn’t be needed - try removing that line entirely.

Also, you’ll want to add WebSocket support. Add this map (outside your server/location block):
map $http_upgrade $connection_upgrade {
default upgrade;
‘’ close;
}

Then add these headers in your location block:
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_http_version 1.1;

This will allow the WebSocket connections to pass through properly.

You can see a complete working nginx configuration example in the n8n test setup here:
packages/testing/containers/n8n-test-container-dependencies.ts

That shows the exact proxy configuration that’s known to work with n8n, including proper WebSocket handling and notably - no Origin header override.