Prevent direct access to files but allow download from site

Reinis Rozitis r at
Thu Mar 12 22:30:18 UTC 2020

> The user MUST BE ABLE to download the file from the article pages when
> If the user is NOT LOGGED, he cannot download the file, therefore even
> recovering the url, he must receive an error or any other type of block.

It's rather difficult to achieve that only with a webserver (as typically a webserver itself has no idea about users being logged in or out, and relying just on a cookie is possible but a rather weak check).

While you can use the secure link module ( ) with expiration, a more common way would be to implement the download check in the application itself and use the nginx X-Accel-Redirect feature -

Without knowing what kind of app (php/python/js/perl etc) you are running it's hard to give an exact example, but the gist of the idea is to:
- place the files outside the webroot
- configure the path as an internal nginx location
- the application then checks if the user has an active session, then sends the X-Accel-Redirect header with the particular file to nginx, which sends the file to the user.

There should be plenty of samples on the internet.
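
The three steps listed above, as an added sketch that is not part of the original post: a small Python WSGI application that checks the session and hands the file transfer back to nginx through `X-Accel-Redirect`. The cookie name `sid`, the in-memory session table, the `/download/` and `/protected/` paths and the nginx configuration in the docstring are all assumptions made for illustration.

```python
"""Session-gated download via nginx X-Accel-Redirect (added example).

Assumed nginx side (placeholder paths, files live outside the webroot):
    location /download/  { proxy_pass http://127.0.0.1:8000; }
    location /protected/ { internal; alias /srv/private-files/; }
"""
import re
from http.cookies import CookieError, SimpleCookie
from urllib.parse import quote

# Hypothetical session store (constructed); a real app asks its own backend.
ACTIVE_SESSIONS = {"constructed-session-id-123": "alice"}
# Allow-list for file names: no slashes, no leading dot, so no traversal.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")

def current_user(environ):
    """Return the user bound to the 'sid' cookie, or None if not logged in."""
    try:
        cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    except CookieError:
        return None
    morsel = cookie.get("sid")
    return ACTIVE_SESSIONS.get(morsel.value) if morsel else None

def deny(start_response, status, text):
    start_response(status, [("Content-Type", "text/plain")])
    return [text]

def app(environ, start_response):
    path = environ.get("PATH_INFO", "")
    name = path[len("/download/"):] if path.startswith("/download/") else ""
    if not SAFE_NAME.fullmatch(name):
        return deny(start_response, "404 Not Found", b"not found\n")
    if current_user(environ) is None:
        return deny(start_response, "403 Forbidden", b"login required\n")
    # Empty body: nginx sees the header and serves the file from the
    # internal location, which clients cannot request directly.
    start_response("200 OK", [
        ("X-Accel-Redirect", "/protected/" + quote(name)),
        ("Content-Disposition", 'attachment; filename="%s"' % name),
        ("Cache-Control", "private, no-store"),
    ])
    return [b""]

if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8000, app).serve_forever()
```

Because the `/protected/` location is marked `internal`, a request that goes straight to that URL is refused by nginx, so the only way to reach a file is through the application's session check.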

