Prevent direct access to files but allow download from site

j94305 nginx-forum at
Thu Mar 12 02:36:06 UTC 2020

I would generally say this is not possible in the way you describe it. There
are two ways, however, this could be implemented:

1. You use one-time links to content files: all content retrieval URLs will
get a parameter expires=X (how long the link should be valid) and a
signature (e.g., an HMAC with a secret only known to the NGINX server).
Retrieval won't go through mere file access, but a handler that verifies the
addtional parameters. If they check out, you redirect to an internal
location serving the file.

2. You use a session context: whenever a page validly serving a link to a
certain content is delivered, you set a cookie. Retrievals to files require
the cookie to be present. No cookie, no access.


Posted at Nginx Forum:,287297,287305#msg-287305

More information about the nginx mailing list