nginx

Module ngx_http_limit_conn_module


Example Configuration
Directives
     limit_conn
     limit_conn_log_level
     limit_conn_zone
     limit_zone

The ngx_http_limit_conn_module module is used to limit the number of connections per defined key, in particular, the number of connections from a single IP address.

Not all connections are counted. A connection is counted only if it has a request currently being processed by the server and the request header has been fully read.

Example Configuration

http {
    limit_conn_zone $binary_remote_addr zone=addr:10m;

    ...

    server {

        ...

        location /download/ {
            limit_conn addr 1;
        }
    }
}

Directives

syntax: limit_conn zone number;
default: none
context: http, server, location

Sets a shared memory zone and the maximum allowed number of connections for a given key value. When this limit is exceeded, the server will return error 503 (Service Temporarily Unavailable) in reply to a request. For example, the directives

limit_conn_zone $binary_remote_addr zone=addr:10m;

server {
    location /download/ {
        limit_conn addr 1;
    }
}

allow for only a single connection at a time, per unique IP address.

When several limit_conn directives are specified, any configured limit will apply. For example, the following configuration will limit the number of connections to the server per client IP and at the same time will limit the total number of connections to the virtual host:

limit_conn_zone $binary_remote_addr zone=perip:10m;
limit_conn_zone $server_name zone=perserver:10m;

server {
    ...
    limit_conn perip 10;
    limit_conn perserver 100;
}

These directives are inherited from the previous level if and only if there are no limit_conn directives on the current level.

syntax: limit_conn_log_level info | notice | warn | error;
default: limit_conn_log_level error;
context: http, server, location

This directive appeared in version 0.8.18.

Sets the desired logging level for cases when the server limits the number of connections.

syntax: limit_conn_zone $variable zone=name:size;
default: none
context: http

Sets the parameters of a shared memory zone that keeps state for various keys. In particular, the state stores the current number of connections. The key is any non-empty value of the specified variable (empty values are not accounted). Example usage:

limit_conn_zone $binary_remote_addr zone=addr:10m;

Here, the IP address of the client serves as the key. Note that the $binary_remote_addr variable is used here instead of $remote_addr. The length of the $remote_addr variable’s value can range from 7 to 15 bytes, and the stored state occupies either 32 or 64 bytes of memory on 32-bit platforms, and always 64 bytes on 64-bit platforms. The length of the $binary_remote_addr variable’s value is always 4 bytes, and the stored state always occupies 32 bytes on 32-bit platforms, and 64 bytes on 64-bit platforms. A one-megabyte zone can keep about 32 thousand 32-byte states, or about 16 thousand 64-byte states. If the storage for a zone is exhausted, the server will return error 503 (Service Temporarily Unavailable) to all further requests.
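The accounting rules described above (several limits at once, empty keys not accounted, counts dropped when a request finishes, and 503 once a zone has no room for a new key) can be followed in a small model. This is an added example, not nginx source code: Zone, Limiter, req and demo are hypothetical names, and zone capacity is approximated as size divided by state size.

```python
# Simplified model of limit_conn accounting (added example, not nginx source).
class Zone:
    def __init__(self, size_bytes, state_bytes=64):
        # Page's estimate: about 16 thousand 64-byte states per megabyte.
        self.capacity = size_bytes // state_bytes
        self.conns = {}  # key -> connections currently counted

class Limiter:
    """One configuration level: a list of (zone, key_function, limit)."""
    def __init__(self, rules):
        self.rules = rules

    def acquire(self, request):
        """Return (status, held); pass held to release() when done."""
        held = []
        for zone, key_fn, limit in self.rules:
            key = key_fn(request)
            if not key:                      # empty key: not accounted
                continue
            count = zone.conns.get(key, 0)
            full = key not in zone.conns and len(zone.conns) >= zone.capacity
            if count >= limit or full:       # any configured limit applies
                self.release(held)           # undo counts already taken
                return 503, []
            zone.conns[key] = count + 1
            held.append((zone, key))
        return 200, held

    def release(self, held):
        # Request finished: drop its counts, free states that reach zero.
        for zone, key in held:
            zone.conns[key] -= 1
            if zone.conns[key] == 0:
                del zone.conns[key]

def demo():
    # Constructed input: a 128-byte zone holds only two 64-byte states.
    perip = Zone(128)
    perserver = Zone(64)
    lim = Limiter([(perip, lambda r: r["addr"], 1),
                   (perserver, lambda r: r["server"], 100)])
    req = lambda ip: {"addr": ip, "server": "example.com"}
    s1, h1 = lim.acquire(req("192.0.2.1"))  # first connection from .1
    s2, _ = lim.acquire(req("192.0.2.1"))   # second concurrent: over perip 1
    s3, _ = lim.acquire(req("192.0.2.2"))   # another address still fits
    s4, _ = lim.acquire(req("192.0.2.3"))   # third key: perip storage full
    lim.release(h1)                         # .1 finishes, its state is freed
    s5, _ = lim.acquire(req("192.0.2.3"))
    return [s1, s2, s3, s4, s5], perserver.conns["example.com"]
```

In the model, as in the text, a full zone rejects every new key, so a zone should be sized for the number of distinct keys expected at peak, not for the per-key limit.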

syntax: limit_zone name $variable size;
default: none
context: http

This directive was made obsolete in version 1.1.8; an equivalent limit_conn_zone directive with a changed syntax should be used instead:

limit_conn_zone $variable zone=name:size;