PHP
Flaker, 2014-01-17 23:09:07

How can PHP be used to protect against inflating the number of file downloads?

With each file download, the downloads field increases by 1.
Of course, statistics are kept, but it is very easy to inflate them simply by clicking on the file download link a huge number of times.
How do you protect against cheating in such cases?
My ideas are:
1) Allow a file download no more than once every N seconds. (Terrible idea)
2) Always serve the file, but increase the counter no more than once every N seconds. (The counter starts to lose its meaning)
3) Increase the counter only if more than N seconds have passed since the last download of that particular file from this IP. (A rather large load on the database: for each file request, search by IP, file ID and time greater than N seconds from the download date. A cron job every N minutes cleans up this download log.)


7 answers
Andrew, 2014-01-18
@Flaker

How is the file served?
Based on the assumption that it makes little sense to download a file from the same IP more than once, the limiting factor will be the IP. Then we do this:
Put nginx in front, and make a location where the files are located.

location ^~ /user_files { # This is where the files actually live
        internal;
        root /path/to/folder;
}
location ^~ /userfiles { # This is what the links on the site point to
        proxy_pass  http://127.0.0.1:80;
}

You handle the /userfiles location in PHP and send the X-Accel-Redirect header so that nginx serves the static file.
Next, how to count.
If there is memcache, do add($fileid.$ip,1): if the key is already set, add will return false, and the counter should not be increased; if it is not set, the counter must be increased. The key is set at the same time. The counter is incremented accordingly like this: inc("counter/".$fileid,1)
If there is redis, everything is very similar. Do setnx($fileid.$ip,1): if the key is already set, it will return false. If not, the key will be set. We increase the counter with incr("counter/".$fileid,1). But redis can also help save a lot of memory. To do this, you need to use hashes rather than strings. That is, we store the state as hsetnx($fileid,$ip,1). And in this case we store the counter as hincrby("counters", $fileid, 1). This gives the following advantages over memcache:
1. Dramatic memory savings. Hashes with short keys and values are very memory efficient.
2. Side effect: it's very easy to see from which IPs the file was downloaded: hgetall($fileid). If we modify the algorithm a little more, like this: hincrby($fileid,$ip,1), we get an integer value as output, the number of downloads from this IP; this way you can catch cheaters and simply ban them by IP.
3. Side effect: it's very easy to get a table of all file counters: hgetall("counters").
Well, all this is, of course, very fast. Doing the same in an SQL database is, I think, rather complicated. But if you really want to, someone else can go to the trouble of writing an algorithm for MySQL. And we will laugh.
If you limit by users (cookies), which in my opinion is not very good, then everything is done exactly the same, only instead of the IP we use the id that is recorded in the session. Then using hashes to store the state is not a good idea: you need to store it in strings, and set them to expire after the session lifetime, or, say, a day, whatever.
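As an added example (not code from the answer above), here is a PHP handler for the /userfiles location that implements the Redis hash variant just described: hSetNx on a per-file hash records the client IP, and only a first-time IP triggers hIncrBy on the "counters" hash. It assumes the phpredis extension, Redis on 127.0.0.1:6379, links of the form /userfiles?id=<number>, and a lookup from file id to stored filename (fileNameForId() is a hypothetical stub with constructed data; the "file:" key prefix is my own choice). The basename() call is a defensive addition: it keeps a stored name from steering X-Accel-Redirect outside the internal /user_files location.

```php
<?php
// Added example: PHP side of Andrew's nginx + Redis scheme (not the original
// answer's code). Assumes phpredis, Redis on 127.0.0.1:6379 and links like
// /userfiles?id=1 proxied by nginx to this script.

declare(strict_types=1);

// Hypothetical lookup: map a numeric file id to a stored filename.
// Replace with your own database query; the catalog here is constructed.
function fileNameForId(int $fileId): ?string
{
    $catalog = [1 => 'report.pdf', 2 => 'archive.zip'];
    return $catalog[$fileId] ?? null;
}

// Count the download only on the first request from this IP for this file.
// Returns the counter value after the call (unchanged on a repeat IP).
function registerDownload(\Redis $redis, int $fileId, string $ip): int
{
    // hSetNx returns true only when the field was absent, i.e. this IP has
    // not been seen for this file yet. "file:" prefix is an assumption.
    if ($redis->hSetNx("file:$fileId", $ip, 1)) {
        return (int) $redis->hIncrBy('counters', (string) $fileId, 1);
    }
    return (int) $redis->hGet('counters', (string) $fileId);
}

function main(): void
{
    // Validate the id strictly: it is user input and ends up in a key name.
    $fileId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
    if ($fileId === false || $fileId === null) {
        http_response_code(400);
        exit('bad file id');
    }
    $name = fileNameForId($fileId);
    if ($name === null) {
        http_response_code(404);
        exit('no such file');
    }

    // Use the address nginx connected from; trust X-Forwarded-For only if
    // you control every proxy in front of this host.
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';

    $redis = new \Redis();
    $redis->connect('127.0.0.1', 6379);
    registerDownload($redis, $fileId, $ip);

    // basename() prevents a stored name containing "../" from redirecting
    // nginx outside the internal /user_files location.
    $safe = basename($name);
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . rawurlencode($safe) . '"');
    header('X-Accel-Redirect: /user_files/' . rawurlencode($safe));
    // No body: nginx serves the file itself after the internal redirect.
}

if (PHP_SAPI !== 'cli') {
    main();
}
```

The per-IP hash never expires in this form, which matches the answer's point that the same IP rarely needs to count twice; if you want a sliding window instead, give each "file:<id>" hash an EXPIRE, or switch to the string keys with TTL the answer suggests for the session-id variant.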

Andrey Shiryaev, 2014-01-17
@Claud

You can replace the database with Redis (for storing IPs and download data); it will be faster and put less load on the system.
Alternatively, you can use Evercookie to make it harder for users to clear cookies, and to cut off most of the bots, set test_cookie for nginx. Most of the cheaters, I think, can be shaken off this way. Hardcore ones with bots emulating browsers will be harder to weed out, but if you are smart, you can also give them problems.

dvachek, 2014-01-17
@dvachek

Keep an ip:state log in memcache: no load, 100% result. The log can be cleared every 24 hours.

Sergey Sokolov, 2014-01-18
@sergiks

  • Once every N minutes, analyze the web server log with a script, counting the file download records that were successful and did not break off, and increase the counters only by those.
  • Limit connections per IP for downloaded files: from one IP they will be able to download no more often than, for example, 3 times per minute.
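An added example of the first bullet (my code, not the answer's): a PHP function that counts completed downloads from nginx access-log lines in the default "combined" format. A line counts when the method is GET, the status is 200 and $body_bytes_sent is at least the file's known size (an aborted transfer logs fewer bytes), and each (file, IP) pair counts once per run. It assumes the logged request path is the file path under /user_files; the file sizes and log lines are constructed sample data.

```php
<?php
// Added example, not from the answer: count completed downloads per file from
// nginx "combined" access-log lines, one count per (file, IP) per run.

declare(strict_types=1);

// Matches: remote_addr, "-", remote_user, [time], "METHOD PATH PROTO", status, bytes.
const COMBINED_RE = '/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)/';

/**
 * @param string[]          $lines raw access-log lines
 * @param array<string,int> $sizes path => expected size in bytes
 * @return array<string,int>       path => number of completed downloads
 */
function countCompletedDownloads(array $lines, array $sizes): array
{
    $seen = [];    // "path|ip" pairs already counted in this batch
    $counts = [];
    foreach ($lines as $line) {
        if (!preg_match(COMBINED_RE, $line, $m)) {
            continue;  // not a combined-format line; skip rather than guess
        }
        [, $ip, $method, $path, $status, $bytes] = $m;
        $path = strtok($path, '?');  // drop any query string
        if ($method !== 'GET' || $status !== '200' || !isset($sizes[$path])) {
            continue;  // HEAD requests, errors and unknown paths do not count
        }
        if ($bytes === '-' || (int) $bytes < $sizes[$path]) {
            continue;  // transfer broke off before the whole file was sent
        }
        $key = "$path|$ip";
        if (isset($seen[$key])) {
            continue;  // repeat click from the same IP
        }
        $seen[$key] = true;
        $counts[$path] = ($counts[$path] ?? 0) + 1;
    }
    return $counts;
}

// Constructed sample data: two known files and five log lines.
$sizes = [
    '/user_files/report.pdf'  => 1048576,
    '/user_files/archive.zip' => 20480,
];
$lines = [
    '203.0.113.5 - - [17/Jan/2014:23:09:07 +0400] "GET /user_files/report.pdf HTTP/1.1" 200 1048576 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [17/Jan/2014:23:09:09 +0400] "GET /user_files/report.pdf HTTP/1.1" 200 1048576 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [17/Jan/2014:23:10:01 +0400] "GET /user_files/report.pdf HTTP/1.1" 200 65536 "-" "curl/7.30"',
    '198.51.100.7 - - [17/Jan/2014:23:11:30 +0400] "GET /user_files/archive.zip HTTP/1.1" 200 20480 "-" "curl/7.30"',
    '192.0.2.9 - - [17/Jan/2014:23:12:00 +0400] "HEAD /user_files/archive.zip HTTP/1.1" 200 0 "-" "Wget/1.14"',
];

print_r(countCompletedDownloads($lines, $sizes));
```

Run it from cron against the lines written since the previous run (for example by tracking the byte offset of the log file), and add the returned counts to the database in one UPDATE per file instead of one per request. Note that with the X-Accel-Redirect setup from the other answer nginx logs the original /userfiles request line, not the internal path, so the path-to-size mapping would have to key on the public URL instead.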

Sergei Chukhan, 2014-01-17
@street

If the statistics are kept in the database, it is possible to check whether this file has already been downloaded (if the user is logged in).
If the user is not logged in, it is possible to write the download status to the session by file ID (e.g. $_SESSION['file_x'] = 1) after the download, and increment the counter only if the value in the session is empty.

Puma Thailand, 2014-01-18
@opium

Add SMS protection.

KOLANICH, 2014-01-18
@KOLANICH

Put up a captcha.
