# HG changeset patch
# User Pavel Pautov <p.pautov@f5.com>
# Date 1652855437 25200
#      Tue May 17 23:30:37 2022 -0700
# Node ID 4d9e78c3ad98d1c473b988d9fcff7ccce5a18884
# Parent  35afae4b3dffff6718c0cab3ceb16b9de207c20a
SSL: reuse parent location context (ticket #1234).

diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_http_proxy_module.c
--- a/src/http/modules/ngx_http_proxy_module.c
+++ b/src/http/modules/ngx_http_proxy_module.c
@@ -125,6 +125,7 @@ typedef struct {
     ngx_str_t                      ssl_trusted_certificate;
     ngx_str_t                      ssl_crl;
     ngx_array_t                   *ssl_conf_commands;
+    ngx_ssl_t                     *ssl_ctx;
 #endif
 } ngx_http_proxy_loc_conf_t;
 
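Review bot: The new `ssl_ctx` member has no comment saying how it differs from `upstream.ssl`, and the later hunks depend on that difference: `ssl_ctx` is what children inherit, while `upstream.ssl` is only set when `conf->ssl` is set. I would document it on the declaration, for example `/* inheritable SSL context; may be set even when this location does not proxy over https */`. The merge code also tests `conf->ssl_ctx` and copies `prev->ssl_ctx` as if both start out NULL, so confirm that the create_loc_conf path (not visible in this patch) zero-initialises the structure.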
@@ -3440,6 +3441,7 @@ ngx_http_proxy_merge_loc_conf(ngx_conf_t
 
     u_char                     *p;
     size_t                      size;
+    unsigned                    reuse_ssl_ctx;
     ngx_int_t                   rc;
     ngx_hash_init_t             hash;
     ngx_http_core_loc_conf_t   *clcf;
@@ -3720,6 +3722,18 @@ ngx_http_proxy_merge_loc_conf(ngx_conf_t
 
 #if (NGX_HTTP_SSL)
 
+    reuse_ssl_ctx = conf->upstream.ssl_session_reuse == NGX_CONF_UNSET
+        && conf->ssl_protocols == 0
+        && conf->ssl_ciphers.data == NULL
+        && conf->upstream.ssl_verify == NGX_CONF_UNSET
+        && conf->ssl_verify_depth == NGX_CONF_UNSET_UINT
+        && conf->ssl_trusted_certificate.data == NULL
+        && conf->ssl_crl.data == NULL
+        && conf->upstream.ssl_certificate == NGX_CONF_UNSET_PTR
+        && conf->upstream.ssl_certificate_key == NGX_CONF_UNSET_PTR
+        && conf->upstream.ssl_passwords == NGX_CONF_UNSET_PTR
+        && conf->ssl_conf_commands == NGX_CONF_UNSET_PTR;
+
     ngx_conf_merge_value(conf->upstream.ssl_session_reuse,
                               prev->upstream.ssl_session_reuse, 1);
 
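Review bot: The `reuse_ssl_ctx` predicate is a hand-maintained list of the settings that feed the SSL context, and nothing ties it to what `ngx_http_proxy_set_ssl()` actually consumes. If a later directive is added there but not here, a location that overrides it would silently keep the parent's context, including the parent's verification and trust settings. I would add a comment above the assignment such as `/* must list every setting used by ngx_http_proxy_set_ssl(); evaluated before the merges below replace the unset markers */`. ngx_http_proxy_merge_loc_conf starts and ends outside the hunk.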
@@ -3752,8 +3766,25 @@ ngx_http_proxy_merge_loc_conf(ngx_conf_t
     ngx_conf_merge_ptr_value(conf->ssl_conf_commands,
                               prev->ssl_conf_commands, NULL);
 
-    if (conf->ssl && ngx_http_proxy_set_ssl(cf, conf) != NGX_OK) {
-        return NGX_CONF_ERROR;
+    if (reuse_ssl_ctx) {
+        conf->ssl_ctx = prev->ssl_ctx;
+
+    } else {
+        /* TODO: conf->ssl_ctx = ngx_http_proxy_create_ssl(cf, plcf); */
+        if (ngx_http_proxy_set_ssl(cf, conf) != NGX_OK) {
+            return NGX_CONF_ERROR;
+        }
+        conf->ssl_ctx = conf->upstream.ssl;
+        conf->upstream.ssl = NULL;
+    }
+
+    if (conf->ssl) {
+        if (conf->ssl_ctx) {
+            conf->upstream.ssl = conf->ssl_ctx;
+
+        } else if (ngx_http_proxy_set_ssl(cf, conf) != NGX_OK) {
+            return NGX_CONF_ERROR;
+        }
     }
 
 #endif
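Review bot: The `else` branch calls `ngx_http_proxy_set_ssl(cf, conf)` without the `conf->ssl` guard that the removed code had, so any level that sets a proxy_ssl_* directive now builds a context at configuration time even if nothing under it proxies over https. Presumably that also loads the configured certificate, key and CRL files, so a bad path would fail configuration loading where it was previously ignored; worth confirming this is intended. In the fallback at the bottom (`conf->ssl` set, `conf->ssl_ctx` NULL), the context created by the second `ngx_http_proxy_set_ssl()` call is never stored, so nested configurations merging from this one still see `prev->ssl_ctx == NULL` and build their own; adding `conf->ssl_ctx = conf->upstream.ssl;` after a successful call would close that gap. The TODO names `plcf`, which does not appear in the hunk, so use `conf` or drop the comment before this lands. ngx_http_proxy_merge_loc_conf starts and ends outside the hunk.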
