Prevent direct access to files but allow download from site

lsces nginx-forum at forum.nginx.org
Sun Apr 5 15:42:18 UTC 2020


MAXMAXarena Wrote:
-------------------------------------------------------
> How can I find out with Nginx if the username and password are real or
> that the user/unique_value is still active?
> Should I somehow access the database or am I wrong?

MAXMAXarena, I've just come across this thread looking to answer almost the
same question. In my situation I am running the website on PHP using a
framework called bitweaver. This handles the user login to the dynamic pages
and downloading images and PDF files via the framework, but the thumbnail
images are linked to directly by nginx and can be viewed even if not logged
in.
I've spent the last couple of days playing with http_auth_request_module and
the auth_request entry. I've got it crudely working and I can manually
switch the access on and off using the auth.php script which has access to
the database, but I've hit a snag I'm still trying to crack. The storage
structure is /storage/515/1515/thumbs/ where the second number is the file I
want to access (the first number just breaks down the storage into smaller
groups of folders) ... What I'm stuck with is how to get the file number
into auth.php so I can sort out if the current user ID has access to that
file, allowing 'anonymous' users to see a subset of files. You can probably
get away without that bit and just confirm the user ID, and at the moment I'd
be happy with just that as well, but I'm missing something when nginx runs
auth.php :(

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,287297,287559#msg-287559
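
Added example, not part of the original post and not the poster's configuration: one way to hand the requested thumbnail path to an auth_request subrequest so that auth.php can decide per file. The server name, document root, PHP-FPM socket path, the /_auth location name and the ORIGINAL_URI parameter name are all assumptions.

```nginx
server {
    listen 80;
    server_name example.test;              # placeholder host name
    root /var/www/bitweaver;               # assumed document root

    # Thumbnails live under /storage/<group>/<file id>/thumbs/...
    # nginx still serves the static file itself, but only after the
    # subrequest to /_auth has answered with a 2xx status.
    location ~ ^/storage/\d+/\d+/thumbs/ {
        auth_request /_auth;               # 2xx allows; 401 or 403 denies
    }

    # Subrequest target. "internal" keeps clients from calling it directly.
    location = /_auth {
        internal;
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php-fpm.sock;            # assumed socket
        fastcgi_param SCRIPT_FILENAME $document_root/auth.php;

        # Inside the subrequest $uri is /_auth, but $request_uri still holds
        # the URI the client originally asked for, for example
        # /storage/515/1515/thumbs/small.jpg (constructed sample path).
        # auth.php can read it from $_SERVER['ORIGINAL_URI'] and take the
        # second numeric path segment as the file id.
        fastcgi_param ORIGINAL_URI $request_uri;

        # The client's request headers, including the session cookie, are
        # forwarded by default; the request body is not needed for the check.
        fastcgi_pass_request_body off;
    }
}
```

With this in place auth.php sees both the session cookie and the original path, so it can return 200 for files the current user (or an anonymous visitor) may view and 403 otherwise. Any status other than 2xx, 401 or 403 from the subrequest is treated by nginx as an error.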


