limit_rate dynamically using $arg - security

Jonathan Matthews contact at
Wed Apr 4 21:32:49 UTC 2012

On 4 April 2012 21:40, shoshomiga <nginx-forum at> wrote:
> I've been looking for a way to limit videos to their bitrate to save
> bandwidth and I've come up with this code
>            if ($arg_LIMITSPEED) {
>              set $limit_rate $arg_LIMITSPEED;
>            }
> It works but I would like to know if this code would be secure to use on
> a production server.
> I am not worried about users setting their LIMITSPEED high on their own
> because I am limiting speeds at the network level as well.

To be honest, I'm not sure what definition of "insecure" you could be
thinking of that *isn't* "the user can override it trivially" :-)

If you're doing the rate limiting at the network level properly, then
why duplicate the effort? It's just one more place you have to change
when you upgrade the speed limits.

Personally, I'm prototyping a streaming service at the moment using and a double
proxy_pass (via X-Accel-Redirect to an internal storage proxy_pass).
It all looks like it works nicely, and allows the dumb storage backend
to throw data at the nginx router as fast as nginx accepts it, and for
the first (intelligent) proxy_pass backend to *decide* the bitrate via
X-Accel-Limit-Rate. I'll blog it soonish :-)

Jonathan Matthews
London, Oxford, UK

More information about the nginx mailing list