Welcome! Log In Create A New Profile

Advanced

Re: limit_rate dynamically using $arg - security

April 05, 2012 07:26AM
Jonathan Matthews Wrote:
-------------------------------------------------------
> On 4 April 2012 21:40, shoshomiga
> <nginx-forum@nginx.us> wrote:
> > I've been looking for a way to limit videos to
> their bitrate to save
> > bandwidth and I've come up with this code
> >
> >            if ($arg_LIMITSPEED) {
> >              set $limit_rate
> $arg_LIMITSPEED;
> >            }
> >
> > It works but I would like to know if this code
> would be secure to use on
> > a production server.
> >
> > I am not worried about users setting their
> LIMITSPEED high on their own
> > because I am limiting speeds at the network
> level as well.
>
> To be honest, I'm not sure what definition of
> "insecure" you could be
> thinking of that *isn't* "the user can override it
> trivially" :-)
>
> If you're doing the rate limiting at the network
> level properly, then
> why duplicate the effort? It's just one more place
> you have to change
> when you upgrade the speed limits.
>
> Personally, I'm prototyping a streaming service at
> the moment using
> http://wiki.nginx.org/X-accel#X-Accel-Limit-Rate
> and a double
> proxy_pass (via X-Accel-Redirect to an internal
> storage proxy_pass).
> It all looks like it works nicely, and allows the
> dumb storage backend
> to throw data at the nginx router as fast as nginx
> accepts it, and for
> the first (intelligent) proxy_pass backend to
> *decide* the bitrate via
> X-Accel-Limit-Rate. I'll blog it soonish :-)
>
> Jonathan
> --
> Jonathan Matthews
> London, Oxford, UK
> http://www.jpluscplusm.com/contact.html
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx

By security I meant vulnerability to buffer overflows and other exploits since limit_rate is probably not meant to recieve that kind of unsanitized input.
Subject Author Posted

limit_rate dynamically using $arg - security

shoshomiga April 04, 2012 04:40PM

Re: limit_rate dynamically using $arg - security

Jonathan Matthews April 04, 2012 05:34PM

Re: limit_rate dynamically using $arg - security

shoshomiga April 05, 2012 07:26AM

Re: limit_rate dynamically using $arg - security

Maxim Dounin April 05, 2012 10:46AM

Re: limit_rate dynamically using $arg - security

shoshomiga April 05, 2012 11:06AM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 316
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready