The following patch series is expected to resolve issues with multiple headers with identical names. In particular, the following Trac tickets are fixed:
https://trac.nginx.org/nginx/ticket/1724 Nginx doesn't sanitize and is inconsistent with multiple, repeated input headers
https://trac.nginx.org/nginx/ticket/1316 $http_ variables only contain the first field-value
https://trac.nginx.org/nginx/ticket/1843 $upstream_http_set_cookie includes only first cookie
https://trac.nginx.org/nginx/ticket/1423 response vary headers not used in the cache key
https://trac.nginx.org/nginx/ticket/485 Multiple WWW-Authenticate headers
The basic idea is that all headers are linked lists now, which makes it possible to easily concatenate multiple headers without introducing arrays, as it was previously done with Cookie and X-Forwarded-For request headers and Cache-Control, Link, and Set-Cookie response headers.
Futher, such approach makes it possible to easily concatenate unknown headers at runtime, so it makes it possible to properly merge headers passed to CGI-like backends.
Review and testing appreciated.