Opened 7 months ago

Closed 7 months ago

Last modified 6 months ago

#2531 closed defect (invalid)

You cannot use variables in error_log and ssl_certificate

Reported by: EduardoRuizM@… Owned by:
Priority: minor Milestone:
Component: nginx-core Version: 1.25.x
Keywords: error_log ssl_certificate variables Cc:
uname -a: nginx version: nginx/1.25.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC)
built with OpenSSL 3.1.2 1 Aug 2023
TLS SNI support enabled
configure arguments: --prefix=/olimpo/bin/nginx --user=nginx --group=nginx --with-http_stub_status_module --with-http_ssl_module --with-http_v2_module --with-http_v3_module --with-http_mp4_module --with-http_image_filter_module --with-openssl=../openssl-3.1.2 --without-http_autoindex_module

Linux sagan.dataclick.es 3.10.0-693.el7.x86_64 #1 SMP Tue Aug 22 21:09:27 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.25.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC)
built with OpenSSL 3.1.2 1 Aug 2023
TLS SNI support enabled
configure arguments: --prefix=/olimpo/bin/nginx --user=nginx --group=nginx --with-http_stub_status_module --with-http_ssl_module --with-http_v2_module --with-http_v3_module --with-http_mp4_module --with-http_image_filter_module --with-openssl=../openssl-3.1.2 --without-http_autoindex_module

Linux sagan.dataclick.es 3.10.0-693.el7.x86_64 #1 SMP Tue Aug 22 21:09:27 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Description (last modified by EduardoRuizM@…)

Variables defined by SET are not processed internally

SAMPLE:

set $DOMAIN "mydomain.com";
error_log /mypath/$DOMAIN/logs/error.log;
ssl_certificate /mycerts/$DOMAIN/fullchain.cer
ssl_certificate_key /mycerts/$DOMAIN/$DOMAIN.key;

No problem with access_log and you can use:
access_log /mypath/$DOMAIN/logs/access.log main;

Change History (3)

comment:1 by EduardoRuizM@…, 7 months ago

Description: modified (diff)

comment:2 by Maxim Dounin, 7 months ago

Resolution: invalid
Status: newclosed

Short answer:

Variables are not macros, see FAQ for details.

Long answer:

The set directive is evaluated during request handling when looking for a configuration to process a request, see here for details. As such, variable value set by the set directive is not available when evaluating the ssl_certificate directive during an SSL handshake. If you want to use variables in the ssl_certificate directive, consider using variables which are always available, such as $ssl_server_name from the SSL handshake or provided by map.

Further, the error_log directive does not support variables at all. Error logs are to be evaluated in case of errors, in particular, when memory allocation fails, hence there are no plans to introduce variables support in the error_log directive. See #2307 for additional details.

comment:3 by Maxim Dounin, 6 months ago

See also #2533.

Note: See TracTickets for help on using tickets.