Limit Conn#

The module is used to limit the number of connections per the defined key, in particular, the number of connections from a single IP address.

Not all connections are counted. A connection is counted only if it has a request being processed by the server and the whole request header has already been read.

Configuration Example#

http {
    limit_conn_zone $binary_remote_addr zone=addr:10m;

    ...

    server {

        ...

        location /download/ {
            limit_conn addr 1;
        }

Directives#

limit_conn#

Syntax	`limit_conn` zone number;
Default	—
Context	http, server, location

Sets the shared memory zone and the maximum allowed number of connections for a given key value. When this limit is exceeded, the server will return the error in reply to a request. For example, the directives

limit_conn_zone $binary_remote_addr zone=addr:10m;

server {
    location /download/ {
        limit_conn addr 1;
    }

allow only one connection per an IP address at a time.

Note

In HTTP/2 and SPDY, each concurrent request is considered a separate connection.

There could be several limit_conn directives. For example, the following configuration will limit the number of connections to the server per a client IP and, at the same time, the total number of connections to the virtual server:

limit_conn_zone $binary_remote_addr zone=perip:10m;
limit_conn_zone $server_name zone=perserver:10m;

server {
    ...
    limit_conn perip 10;
    limit_conn perserver 100;
}

These directives are inherited from the previous configuration level if and only if there are no limit_conn directives defined on the current level.

limit_conn_dry_run#

Syntax	`limit_conn_dry_run` `on` \| `off`;
Default	`limit_conn_dry_run off;`
Context	http, server, location

Enables the dry run mode. In this mode, the number of connections is not limited, however, in the shared memory zone, the number of excessive connections is accounted as usual.

limit_conn_log_level#

Syntax	`limit_conn_log_level` `info` \| `notice` \| `warn` \| `error`;
Default	`limit_conn_log_level error;`
Context	http, server, location

Sets the desired logging level for cases when the server limits the number of connections.

limit_conn_status#

Syntax	`limit_conn_status` code;
Default	`limit_conn_status 503;`
Context	http, server, location

Sets the status code to return in response to rejected requests.

limit_conn_zone#

Syntax	`limit_conn_zone` key zone = name:size;
Default	—
Context	http

Sets parameters for a shared memory zone that will keep states for various keys. In particular, the state includes the current number of connections. The key can contain text, variables, and their combination. Requests with an empty key value are not accounted.

Usage example:

limit_conn_zone $binary_remote_addr zone=addr:10m;

Here, a client IP address serves as a key. Note that instead of $remote_addr, the $binary_remote_addr variable is used here.

The $remote_addr variable's size can vary from 7 to 15 bytes. The stored state occupies either 32 or 64 bytes of memory on 32-bit platforms and always 64 bytes on 64-bit platforms.

The $binary_remote_addr variable's size is always 4 bytes for IPv4 addresses or 16 bytes for IPv6 addresses. The stored state always occupies 32 or 64 bytes on 32-bit platforms and 64 bytes on 64-bit platforms.

One megabyte zone can keep about 32 thousand 32-byte states or about 16 thousand 64-byte states. If the zone storage is exhausted, the server will return the error to all further requests.

Built-in Variables#

`$limit_conn_status`#

keeps the result of limiting the number of connections: PASSED, REJECTED or REJECTED_DRY_RUN