Rate limiting in Nginx
How to throttle connections, requests, and response speed in Nginx.
Nginx ships with solid built-in tools for keeping traffic under control. Whether you're dealing with abusive clients, protecting a download endpoint, or just trying to keep one user from hogging all the bandwidth — these directives have you covered. Everything lives in your Nginx config file.
1. Limiting the number of simultaneous connections
First, define a shared memory zone in the http block using limit_conn_zone. This is where Nginx tracks connection state per client IP:
http {
    limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
}
Then, inside the relevant location block, apply the limit by referencing that zone and setting the maximum number of concurrent connections per IP:
location /download/ {
    limit_conn conn_limit_per_ip 5;
}
2. Limiting the request rate
In the http block, use limit_req_zone to define a zone and set an allowed request rate:
http {
    limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=5r/s;
}
In your location block, reference the zone and define a burst allowance — how many extra requests can queue up before Nginx starts rejecting them:
location /download/ {
    limit_req zone=req_limit_per_ip burst=10;
}
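To see what rate=5r/s with burst=10 does to a sudden spike from one IP, here is a simplified Python model of the leaky-bucket accounting that limit_req performs. It is an added example, not Nginx's own code; the function names and the arrival times are constructed for illustration, and it assumes the default behaviour without nodelay.

```python
# Simplified model of limit_req accounting for a single client key.
# Quantities are kept in thousandths of a request so integer math suffices.

def simulate_limit_req(arrivals_ms, rate_rps=5, burst=10):
    """Return (arrival_ms, verdict, delay_ms) for each request, in order."""
    rate = rate_rps * 1000      # milli-requests drained per second
    limit = burst * 1000        # maximum excess allowed to queue
    excess, last = 0, None      # per-key state held in the shared zone
    results = []
    for now in arrivals_ms:
        if last is None:
            new_excess = 0      # first request for this key: empty bucket
        else:
            drained = rate * (now - last) // 1000
            new_excess = max(excess - drained + 1000, 0)
        if new_excess > limit:
            # Over the burst allowance: rejected, state is left unchanged.
            results.append((now, "rejected", None))
            continue
        excess, last = new_excess, now
        # Queued requests are held back so the output conforms to the rate.
        delay = new_excess * 1000 // rate
        results.append((now, "delayed" if delay else "passed", delay))
    return results

def summarize(results):
    """Count verdicts so different settings can be compared quickly."""
    counts = {"passed": 0, "delayed": 0, "rejected": 0}
    for _, verdict, _ in results:
        counts[verdict] += 1
    return counts

if __name__ == "__main__":
    # Constructed input: 20 requests arriving in the same millisecond.
    spike = simulate_limit_req([0] * 20)
    for arrival, verdict, delay in spike:
        print(arrival, verdict, delay)
    print("spike:", summarize(spike))
    # Constructed input: a well-behaved client at exactly 5 requests/second.
    steady = simulate_limit_req([i * 200 for i in range(20)])
    print("steady:", summarize(steady))
```

Rejected requests receive the status set by limit_req_status, which defaults to 503.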
3. Limiting the response transfer speed
The limit_rate directive caps the response speed in bytes per second per connection. Keep in mind: if a client opens two connections simultaneously, their effective throughput will be double the limit.
location /download/ {
    limit_rate 50k;
}
If you'd rather let the initial chunk of data through at full speed before applying the throttle, pair it with limit_rate_after:
location /download/ {
    limit_rate_after 1m;
    limit_rate 50k;
}
In this example, the first megabyte is served at full speed — after that, Nginx kicks in the 50 KB/s cap.