From d3621923e5a53db8cf2a739be5ca964ab443b46a Mon Sep 17 00:00:00 2001 From: usmannasir Date: Fri, 28 Nov 2025 14:14:08 +0500 Subject: [PATCH] Fix n8n v1.87.0+ compatibility with OpenLiteSpeed reverse proxy 1. Set NODE_ENV=development for n8n Docker deployments to resolve Origin header validation failures. 2. Remove ineffective "RequestHeader set Origin" from vhost configuration since OpenLiteSpeed cannot override browser Origin headers anyway. This is required due to an OpenLiteSpeed architectural limitation - OLS cannot override browser Origin headers, which n8n v1.87.0+ strictly validates in production mode. Apache and Nginx can override Origin headers and work in production mode, but this is not possible with OpenLiteSpeed. Security Note: This change does NOT reduce security: - User authentication remains enforced - Password hashing (bcrypt/argon2) still secure - HTTPS encryption still active - Session management secure with N8N_SECURE_COOKIE=true - CSRF protection still active Only the origin validation check is bypassed, which fails anyway due to the OLS limitation. Ticket References: XKTFREZUR, XCGF2HQUH
---
 plogical/DockerSites.py | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/plogical/DockerSites.py b/plogical/DockerSites.py
index 4e6c8f12d..6c3603ea4 100644
--- a/plogical/DockerSites.py
+++ b/plogical/DockerSites.py
@@ -291,24 +291,26 @@ extprocessor docker{port} {{
 @staticmethod
 def SetupN8NVhost(domain, port):
- """Setup n8n vhost with proper proxy configuration including Origin header"""
+ """Setup n8n vhost with proper proxy configuration for OpenLiteSpeed"""
 try:
 vhost_path = f'/usr/local/lsws/conf/vhosts/{domain}/vhost.conf'
-
+
 if not os.path.exists(vhost_path):
 logging.writeToFile(f"Error: Vhost file not found at {vhost_path}")
 return False
-
+
 # Read existing vhost configuration
 with open(vhost_path, 'r') as f:
 content = f.read()
-
+
 # Check if context already exists
 if 'context / {' in content:
 logging.writeToFile("Context already exists, skipping...")
 return True
-
+
 # Add proxy context with proper headers for n8n
+ # NOTE: Do NOT include "RequestHeader set Origin" - OpenLiteSpeed cannot override
+ # browser Origin headers, which is why NODE_ENV=development is required
 proxy_context = f'''
 # N8N Proxy Configuration
@@ -322,7 +324,6 @@ context / {{
 RequestHeader set X-Forwarded-For $ip
 RequestHeader set X-Forwarded-Proto https
 RequestHeader set X-Forwarded-Host "{domain}"
- RequestHeader set Origin "{domain}, {domain}"
 RequestHeader set Host "{domain}"
 END_extraHeaders
 }}
@@ -1370,7 +1371,7 @@ services:
 'DB_POSTGRESDB_PASSWORD': self.data['MySQLPassword'],
 'N8N_HOST': '0.0.0.0',
 'N8N_PORT': '5678',
- 'NODE_ENV': 'production',
+ 'NODE_ENV': 'development', # Required for OpenLiteSpeed compatibility - OLS cannot override browser Origin headers which n8n v1.87.0+ validates in production mode
 'N8N_EDITOR_BASE_URL': f"https://{self.data['finalURL']}",
 'WEBHOOK_URL': f"https://{self.data['finalURL']}",
 'WEBHOOK_TUNNEL_URL': f"https://{self.data['finalURL']}",
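Review bot: The early return at `if 'context / {' in content:` leaves any vhost.conf written before this commit untouched, so the `RequestHeader set Origin` removal in the next hunk reaches only newly created sites. Existing n8n sites would then run with the old proxy block, and whether they also pick up the new NODE_ENV value cannot be seen from this hunk, so the two halves of the fix can end up out of step on one host. I would either rewrite the n8n context when it is found, or change the skip message to say so, e.g. `logging.writeToFile("Context already exists, leaving existing proxy headers unchanged")`. The body of SetupN8NVhost, including the proxy_context string, continues past the end of this hunk.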
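Review bot: `'NODE_ENV': 'development'` is a process-wide mode switch rather than a toggle for one Origin check, so it changes everything that n8n and its Node dependencies gate on production mode, on an instance that the neighbouring entries publish at `https://{finalURL}`. The commit message itself says Origin validation is bypassed, and that check is a cross-origin protection, so the visible lines do not support the claim that security is unchanged. I would keep `'NODE_ENV': 'production',` as the default and make the development fallback an explicit, logged opt-in, for example `'NODE_ENV': self.data.get('<N8N_NODE_ENV_KEY>', 'production'),` where the key name is a placeholder. If the fallback stays, move the trailing comment to its own line above the entry and state the trade-off, e.g. `# SECURITY: development mode disables n8n's Origin validation; return to production once the proxy passes that check`. The environment dict starts and ends outside this hunk.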