not a passenger issue (was: No secure header in meteor) #1863

Closed
rezaxdi opened this issue Aug 19, 2016 · 2 comments
rezaxdi commented Aug 19, 2016

I'm using Passenger + Nginx + Meteor, and inside Meteor methods I use `this.connection.httpHeaders` to get HTTP headers. I want to get the client IP and I'm able to use `x-forwarded-for` to get it. As Passenger recommends, I want to use the secure header `!~Passenger-Client-Address`, but there is no sign of this header inside `this.connection.httpHeaders`.

Is there any specific configuration needed for these headers to be available inside a Meteor method?

And by the way, here are some version numbers:
Passenger 5.0.30
Nginx 1.10
Meteor 1.4
OS : Debian jessie

Contributor

CamJN commented Aug 19, 2016

This is not an issue with Passenger, but rather with Meteor. You can see on this page: https://docs.meteor.com/api/connections.html#Meteor-onConnection that `this.connection.httpHeaders` only provides headers that are whitelisted by Meteor (using sockjs to do the whitelisting behind the scenes); our secure headers are not whitelisted and so aren't available from that object. Unfortunately the sockjs whitelist is hard-coded and not configurable.

You can patch sockjs in order to see that our headers do in fact get passed to Meteor. The file to patch in your bundle is `programs/server/npm/node_modules/meteor/ddp-server/node_modules/sockjs/lib/transport.js`, and you will want to add the string `'!~passenger-client-address'` to the array on line 168. Note the string is lowercase. Afterwards the array will look like this:

```js
ref = ['referer', 'x-client-ip', 'x-forwarded-for', 'x-cluster-client-ip', 'via', 'x-real-ip', 'x-forwarded-proto', 'x-ssl', 'host', 'user-agent', 'accept-language', '!~passenger-client-address'];
```

After that, our header will be available in `this.connection.httpHeaders`.

It would be a good idea to ask the meteor community for the 'proper' way to allow for custom header whitelisting. As it stands now all I could find was a pull request to allow overriding the sockjs whitelist: sockjs/sockjs-node#202

@dr-dimitru
Contributor

Take a look at the `Meteor.onConnection()` docs:

clientAddressString
The IP address of the client in dotted form (such as "127.0.0.1").

If you’re running your Meteor server behind a proxy (so that clients are connecting to the proxy instead of to your server directly), you’ll need to set the HTTP_FORWARDED_COUNT environment variable for the correct IP address to be reported by clientAddress.

Set HTTP_FORWARDED_COUNT to an integer representing the number of proxies in front of your server. For example, you’d set it to "1" when your server was behind one proxy.
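
The proxy-counting rule quoted above, as an added example that is not part of the original thread and is not Meteor's or Passenger's own code. The function names and sample addresses are hypothetical, and it assumes each trusted proxy appends the peer address it saw to `X-Forwarded-For`.

```javascript
// Added example (hypothetical helper): choose the client address from
// X-Forwarded-For by counting trusted proxies from the right, so values
// a client puts in the header itself are never selected.
function resolveClientAddress(remoteAddress, headers, forwardedCount) {
  const count = Number.parseInt(forwardedCount, 10) || 0;

  // No proxy declared: the TCP peer is the client.
  if (count === 0) return remoteAddress;

  const raw = headers['x-forwarded-for'];
  if (typeof raw !== 'string' || raw.trim() === '') return null;

  const hops = raw.trim().split(/\s*,\s*/);

  // Fewer entries than configured proxies means the chain is not what
  // was declared; refuse to guess rather than return an unverified value.
  if (count < 0 || count > hops.length) return null;

  // The entry `count` positions from the right was written by the
  // outermost trusted proxy. Everything to its left arrived from the
  // client and is unverified.
  return hops[hops.length - count];
}

// Contrast case: trusting the leftmost entry, which the client controls.
function naiveFirstHop(headers) {
  return headers['x-forwarded-for'].split(',')[0].trim();
}

// Constructed sample: the client at 203.0.113.7 sends its own
// "X-Forwarded-For: 10.0.0.1"; the single proxy appends the real peer.
const spoofed = { 'x-forwarded-for': '10.0.0.1, 203.0.113.7' };

console.log('naive:  ', naiveFirstHop(spoofed));
console.log('counted:', resolveClientAddress('127.0.0.1', spoofed, '1'));
// A count larger than the real number of proxies would select the
// client-supplied entry, so the setting must match the deployment.
console.log('count=2:', resolveClientAddress('127.0.0.1', spoofed, '2'));
```
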

@OnixGH OnixGH changed the title No secure header in meteor not a passenger issue (was: No secure header in meteor_ Sep 1, 2016
@OnixGH OnixGH changed the title not a passenger issue (was: No secure header in meteor_ not a passenger issue (was: No secure header in meteor) Sep 1, 2016