I am running Meteor in a Kerberos SSO environment behind an NginX reverse proxy. NginX handles the Kerberos authentication and fills in a request header field called remote_user.
NginX forwards to the application server over a UNIX domain socket (a TCP port would not be secure).
If I want Meteor to be the application server, I have two problems to solve:
- Need to get Meteor to listen on a UNIX domain socket instead of a TCP port
- Pass the remote_user field in the request header up to Meteor application code
I tried and failed to get help online, even posted to StackOverflow.
1. tools/runners/run-proxy.js: changed the server.listen(…) statement to pass a Unix socket file name instead of port num if
2. packages/webapp/webapp_server.js: Added an app.use(…) block to set an environment variable which can be read later by application code.
I am especially unhappy with having to do #2. For some reason the request headers don’t seem to get passed up to the app. The Meteor doc says “whitelisted” header fields are passed through but I don’t know how to whitelist my custom field.
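
The setup described in the post, sketched as a plain Node.js `http` server. This is an added example, not part of the original post and not Meteor's own code. The header name `remote_user` comes from the post; the principal pattern, the socket mode and the helper names (`remoteUser`, `listenOnSocket`, `createApp`) are assumptions made for illustration.

```javascript
// Added example, not Meteor code. Header name "remote_user" is from the post;
// the principal format and the 0660 socket mode are assumptions.
const http = require('http');
const fs = require('fs');

// Assumed shape of a forwarded Kerberos principal, e.g. "alice@EXAMPLE.COM".
const PRINCIPAL = /^[A-Za-z0-9._\/-]{1,64}@[A-Za-z0-9.-]{1,255}$/;

// Return the proxy-asserted principal, or null when the header is missing,
// empty, repeated or malformed. Node lower-cases header names and joins
// repeated custom headers with ", ", which the pattern rejects.
function remoteUser(headers) {
  const value = headers['remote_user'];
  if (typeof value !== 'string') return null;
  return PRINCIPAL.test(value) ? value : null;
}

// Bind to a UNIX domain socket that only the owner and group can connect to.
function listenOnSocket(server, socketPath, done) {
  if (fs.existsSync(socketPath)) fs.unlinkSync(socketPath); // stale socket
  const previous = process.umask(0o077); // never world-accessible, even briefly
  server.listen(socketPath, () => {
    process.umask(previous);
    fs.chmodSync(socketPath, 0o660); // assumes the proxy's user is in the group
    if (done) done();
  });
}

function createApp() {
  return http.createServer((req, res) => {
    const user = remoteUser(req.headers);
    if (user === null) {
      res.writeHead(401, { 'Content-Type': 'text/plain' });
      res.end('no authenticated user\n');
      return;
    }
    res.writeHead(200, { 'Content-Type': 'text/plain' });
    res.end(`hello ${user}\n`);
  });
}

// Usage: node app.js /path/to/app.sock  (path is a placeholder)
if (process.argv[2]) listenOnSocket(createApp(), process.argv[2]);
```

The header can be trusted only while the socket is the sole route to the application and the proxy sets `remote_user` itself on every request.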