id summary reporter owner description type status priority milestone component version resolution keywords cc uname nginx_version 1959 Unexpected invalidation of embedded variables in ngx_http_ssl_module stevekerrison@… "If certain ssl options are set in an `http` block, and related embedded variables referenced, but then if within a `server` block an option is overridden, previously referenced embedded variables may become null. Skeleton example config: {{{ http { ssl_verify_client on; proxy_set_header X-Client-Verify $ssl_client_verify; server { ssl_verify_client optional; proxy_pass ...; } } }}} Above, if `$ssl_client_verify` is logged by a log_format, it'll have a value, but in upstream servers I'm seeing `X-Client-Verify` as `null`, which presumably means it was never set. However, if I do: {{{ http { ssl_verify_client on; proxy_set_header X-Client-Verify $ssl_client_verify; server { ssl_verify_client optional; proxy_set_header X-Client-Verify $ssl_client_verify; proxy_pass ...; } } }}} Then the header is set as expected. I believe this might be resolvable with a documentation update, as it's behaviour that seems to make sense if you know how nginx works. Indeed, I'd say there have been [https://forum.nginx.org/read.php?2,283505,283510 similar occurrences in other modules]. I think it needs to be made explicit how variables are affected by option scope. Perhaps it is somewhere else and I've missed it? In any case, I'm happy to propose some doc updates if some sort of consensus can be reached on the best way to do it. Best regards, Steve." task closed minor documentation invalid ssl documentation variables scope stevekerrison@… Linux #1 SMP Fri Oct 18 17:15:30 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux "nginx version: nginx/1.16.1 built by gcc 8.3.0 (Alpine 8.3.0) built with OpenSSL 1.1.1c 28 May 2019 (running with OpenSSL 1.1.1d 10 Sep 2019) TLS SNI support enabled configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --with-perl_modules_path=/usr/lib/perl5/vendor_perl --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-Os -fomit-frame-pointer' --with-ld-opt=-Wl,--as-needed"