id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
1459	Can't vary on request headers set by proxy_set_header (rev. proxy mode)	Neil Craig		"Hi

We're using NGINX in reverse proxy mode for an internal traffic management service and I noticed that NGINX doesn't vary the cached object on request headers which we calculate and add in NGINX itself via proxy_set_header. This causes a major problem for our service as it's multi-tenant. I think it'd be logical and expected if NGINX ''did'' vary on request headers set by proxy_set_header. I have tested and setting the headers via more_set_input_headers and by setting the variable directly (and in Lua) but these also don't work, sadly. 

I have included a reduced test case which hopefully illustrates the situation (a few comments help explain). Output from testing (against local/Docker) is:

{{{
# curl -k https://127.0.0.1:8443/a\?vv1\=1 -i
HTTP/1.1 200 OK
Server: nginx/1.13.8
Date: Mon, 15 Jan 2018 14:33:54 GMT
Content-Type: text/plain
Content-Length: 25
Connection: keep-alive
Cache-Control: public,max-age=30
Vary: vvrh1
vvrh1-val-rec: val is 1
Edge-Cache-Status: EXPIRED
Origin-Response-Status: 200
Origin-IP: 127.0.0.1:9000

2018-01-15T14:33:54+00:00%                                                                                                                                                               

# curl -k https://127.0.0.1:8443/a\?vv1\=1 -i
HTTP/1.1 200 OK
Server: nginx/1.13.8
Date: Mon, 15 Jan 2018 14:33:55 GMT
Content-Type: text/plain
Content-Length: 25
Connection: keep-alive
Cache-Control: public,max-age=30
Vary: vvrh1
vvrh1-val-rec: val is 1
Edge-Cache-Status: HIT

2018-01-15T14:33:54+00:00%                                                                                                                                                               

# curl -k https://127.0.0.1:8443/a\?vv1\=2 -i
HTTP/1.1 200 OK
Server: nginx/1.13.8
Date: Mon, 15 Jan 2018 14:33:58 GMT
Content-Type: text/plain
Content-Length: 25
Connection: keep-alive
Cache-Control: public,max-age=30
Vary: vvrh1
vvrh1-val-rec: val is 1
Edge-Cache-Status: HIT

2018-01-15T14:33:54+00:00%
}}}

I'd expect a cache miss on the final response because the query string argument ""vv1"" has changed and this would mean that proxy_request_header would set a different value for the ""vvrh1"" request header. To illustrate that this mechanism works, once the cached object has expired, we see:

{{{
# curl -k https://127.0.0.1:8443/a\?vv1\=2 -i
HTTP/1.1 200 OK
Server: nginx/1.13.8
Date: Mon, 15 Jan 2018 14:39:12 GMT
Content-Type: text/plain
Content-Length: 25
Connection: keep-alive
Cache-Control: public,max-age=30
Vary: vvrh1
vvrh1-val-rec: val is 2
Edge-Cache-Status: val EXPIRED
Origin-Response-Status: 200
Origin-IP: 127.0.0.1:9000

2018-01-15T14:39:12+00:00%                                                                                                                                                               

# curl -k https://127.0.0.1:8443/a\?vv1\=2 -i
HTTP/1.1 200 OK
Server: nginx/1.13.8
Date: Mon, 15 Jan 2018 14:39:15 GMT
Content-Type: text/plain
Content-Length: 25
Connection: keep-alive
Cache-Control: public,max-age=30
Vary: vvrh1
vvrh1-val-rec: val is 2
Edge-Cache-Status: val HIT

2018-01-15T14:39:12+00:00%
}}}

Might this be something which could be fixed (if not, is there a workaround you can think of? Or have I made a mistake?

Cheers"	enhancement	accepted	minor		nginx-core	1.13.x		proxy_set_header vary cache		Linux 9acd833e6438 4.9.60-linuxkit-aufs #1 SMP Mon Nov 6 16:00:12 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux	"nginx version: nginx/1.13.8 (BBC GTM)
built with OpenSSL 1.0.2n  7 Dec 2017
TLS SNI support enabled
configure arguments: --build='BBC GTM' --prefix=/etc/nginx/current --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/current/nginx.conf --pid-path=/var/run/nginx.pid --error-log-path=/var/log/nginx/default-error.log --http-log-path=/var/log/nginx/default-access.log --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=gtmdaemon --group=gtmdaemon --with-http_realip_module --with-http_v2_module --with-http_ssl_module --with-http_geoip_module --with-pcre-jit --with-ipv6 --with-file-aio --with-threads --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic' --add-module=/builddir/build/BUILD/nginx-1.13.8/headers-more-nginx-module-0.33 --add-module=/builddir/build/BUILD/nginx-1.13.8/naxsi-0.55.3/naxsi_src --add-module=/builddir/build/BUILD/nginx-1.13.8/nginx-module-vts-0.1.15 --with-openssl=/builddir/build/BUILD/nginx-1.13.8/openssl-OpenSSL_1_0_2n --add-module=/builddir/build/BUILD/nginx-1.13.8/ngx_devel_kit-0.3.0 --add-module=/builddir/build/BUILD/nginx-1.13.8/lua-nginx-module-0.10.11"