Attaching POC patch for https://trac.nginx.org/nginx/ticket/1234.
At very least, ngx_http_proxy_set_ssl() needs to be converted into ngx_http_proxy_create_ssl(). But there are also a couple of things to discuss:
1. Patch uses pretty straightforward reuse criteria (absence of directives), but shall we go further, say, compare directive arguments (with special treatment of complex values with variables)?
2. Since similar change also makes sense for "grpc", "uwsgi" (and may be "stream proxy") modules, perhaps it's time to factor out SSL upstream settings code for all these modules to avoid copypasting of above patch? We can introduce something like "ngx_ssl_upstream_conf_t" to keep shared SSL settings and unite ngx_http_(proxy|grpc|uwsgi)_set_ssl functions. Config merge logic (together with attached patch) can be moved to something like ngx_ssl_upstream_conf_merge. Optionally, ngx_http_upstream_conf_t can be updated to contain ngx_ssl_upstream_conf_t.
We use nginx as the cluster ingress provider, and hit the case when:
1. enabled proxy_cache, and the specific cache is expired
2. nginx is reloading config
then for incoming request, the backend servers can still receive the request and send back response to nginx, while client will receive "curl: (52) Empty reply from server".
It seems nginx reload may cause the connection break?
attached debug log below: