n8n “Lost connection to the server” when I click Execute

Hi, I need help please.

I’m running n8n self-hosted using Docker. I’m accessing it via Cloudflare Tunnel and SafeLine WAF.

However, when I click on “Execute workflow” (manual), it is displaying “Lost connection to the server”.

And in n8n logs, it is displaying “Invalid origin” and “Origin is undefined” under “rest/push”.

Hi @keene, welcome to the community!
This can happen for a lot of reasons, not specifically n8n. Consider upgrading to the latest stable version of n8n, and also make sure your webhook URL is working. Upgrading should fix this issue.

This is a known issue since n8n v1.87.0 where Cloudflare Tunnel strips the Origin header on websocket connections. You need to go to Cloudflare Dashboard → Rules → Transform Rules and add a “Modify Request Header” rule that sets a static Origin header to https://yourdomain.com for your n8n hostname, and also make sure you have N8N_EDITOR_BASE_URL and N8N_PROTOCOL=https set in your docker env.

Welcome to the community @keene

The issue with the “Lost connection to the server” and the “Invalid origin” in the log is because of the WebSocket connection issues while trying to access n8n via Cloudflare Tunnel and SafeLine WAF. n8n is utilizing WebSocket connections for real-time updates, and the proxy is blocking or failing to forward WebSocket connections properly.

Solutions:

1. Configure n8n Environment Variables

Add these to your Docker configuration to allow your Cloudflare Tunnel domain:

services:
  n8n:
    image: n8nio/n8n:latest
    environment:
      - N8N_HOST=your-domain.com  # Your Cloudflare Tunnel domain
      - N8N_PROTOCOL=https
      - WEBHOOK_URL=https://your-domain.com/
      - N8N_EDITOR_BASE_URL=https://your-domain.com/
      - N8N_ALLOWED_ORIGINS=https://your-domain.com
      - VUE_APP_URL_BASE_API=https://your-domain.com/
    # ... rest of config

2. Configure Cloudflare Tunnel for WebSockets

In your Cloudflare Tunnel configuration, ensure WebSocket support is enabled:

# cloudflared config.yml
tunnel: <your-tunnel-id>
credentials-file: /path/to/credentials.json

ingress:
  - hostname: your-domain.com
    service: http://localhost:5678
    originRequest:
      noTLSVerify: false
      connectTimeout: 30s
      http2Origin: false  # Important for WebSocket compatibility
  - service: http_status:404

Or if using the Cloudflare dashboard:

  • Go to your tunnel settings

  • Enable “WebSocket” support

  • Set “HTTP/2” to disabled (use HTTP/1.1 for better WebSocket compatibility)

3. Configure SafeLine WAF

SafeLine WAF might be blocking WebSocket upgrades. You need to:

  1. Whitelist WebSocket paths:

    • Add /rest/push to allowed paths

    • Allow WebSocket upgrade headers

  2. Disable inspection for WebSocket traffic:

    • WebSocket connections can’t be inspected like regular HTTP

    • Create a rule to bypass WAF for /rest/push endpoint

  3. Allow required headers:

    • Upgrade: websocket

    • Connection: Upgrade

    • Sec-WebSocket-Key

    • Sec-WebSocket-Version

4. Update Docker Network Configuration

Ensure proper header forwarding:

services:
  n8n:
    image: n8nio/n8n:latest
    environment:
      - N8N_HOST=your-domain.com
      - N8N_PROTOCOL=https
      - WEBHOOK_URL=https://your-domain.com/
      - N8N_PUSH_BACKEND=websocket  # Explicitly set WebSocket backend
      - N8N_ALLOWED_ORIGINS=*  # Temporary - for testing only!
    # ... rest of config

⚠️ Note: N8N_ALLOWED_ORIGINS=* allows all origins - use only for testing. Once working, set it to your specific domain.

5. Test WebSocket Connection

After making changes, test if WebSockets work:

  1. Open browser DevTools (F12)

  2. Go to Network tab

  3. Filter by “WS” (WebSocket)

  4. Execute a workflow

  5. You should see a WebSocket connection to /rest/push

If you see:

  • ✅ Status 101 (Switching Protocols) = Working

  • ❌ Status 400/403/502 = Still blocked

6. Alternative: Use Polling Instead of WebSockets

If you can’t get WebSockets working through your proxy setup, switch to polling:

services:
  n8n:
    image: n8nio/n8n:latest
    environment:
      - N8N_PUSH_BACKEND=sse  # Use Server-Sent Events instead
    # ... rest of config

This is less efficient but works better through restrictive proxies.

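To show how the two log messages in the question arise, and what the wildcard and static-Origin workarounds from the replies change, here is an added example that is not part of any post above and is not n8n's code: a simplified model of an Origin check on the /rest/push WebSocket upgrade. The function names, the `editorBaseUrl` and `allowedOrigins` options and the `example.com` hosts are assumptions, and the sample requests are constructed.

```javascript
// Simplified model of an Origin check on a WebSocket upgrade (hypothetical names).
// Reduce a URL to scheme://host[:port]; the URL parser drops default ports.
function normalizeOrigin(value) {
  try {
    return new URL(value).origin;
  } catch {
    return null; // missing or unparseable
  }
}

// editorBaseUrl models N8N_EDITOR_BASE_URL; allowedOrigins is an assumed allowlist.
function checkPushOrigin(headers, { editorBaseUrl, allowedOrigins = [] }) {
  const origin = headers["origin"];
  if (origin === undefined) return { ok: false, reason: "Origin is undefined" };
  if (allowedOrigins.includes("*")) return { ok: true, reason: "wildcard" };
  const got = normalizeOrigin(origin);
  const trusted = [editorBaseUrl, ...allowedOrigins].map(normalizeOrigin);
  return got !== null && trusted.includes(got)
    ? { ok: true, reason: "match" }
    : { ok: false, reason: "Invalid origin" };
}

// Models an edge rule that sets a static Origin, overwriting the browser's value.
function applyStaticOrigin(headers, staticOrigin) {
  return { ...headers, origin: staticOrigin };
}

// Constructed sample requests (not captured traffic).
const cfg = { editorBaseUrl: "https://n8n.example.com/" };
const upgrade = { host: "n8n.example.com", upgrade: "websocket", connection: "Upgrade" };
const samples = {
  stripped: upgrade,                                            // proxy dropped Origin
  sameSite: { ...upgrade, origin: "https://n8n.example.com" },  // the editor page
  crossSite: { ...upgrade, origin: "https://other.example" },   // an unrelated page
};

function runSamples() {
  const out = {};
  for (const [name, h] of Object.entries(samples)) out[name] = checkPushOrigin(h, cfg).reason;
  // Base URL left at a local default while users arrive via the public hostname.
  out.wrongBaseUrl = checkPushOrigin(samples.sameSite, { editorBaseUrl: "http://localhost:5678/" }).reason;
  // Wildcard allowlist: the unrelated page is accepted as well.
  out.crossSiteWildcard = checkPushOrigin(samples.crossSite, { ...cfg, allowedOrigins: ["*"] }).reason;
  // Static Origin set at the edge: the unrelated page now looks like the editor.
  out.crossSiteStatic = checkPushOrigin(applyStaticOrigin(samples.crossSite, "https://n8n.example.com"), cfg).reason;
  return out;
}
console.log(runSamples());
```

In the last two cases the check can no longer tell the editor page from an unrelated site, so a wildcard allowlist or an edge rule that overwrites Origin leaves cross-site protection of the push connection to whatever other controls are in place.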