I stumbled upon the exact same problem today while moving our site from Lighttpd to nginx.
This is how we solved it:
Link to our protected files look like this:
/pdf/number.pdf/MD5_hash/hex_of_timestamp
and this is our location directive:
[code]
# PDF download
location /pdf {
secure_download on;
secure_download_secret $request_addr;
secure_download_path_mode file;
if ($uri ~ "^/pdf/(.+\.pdf)$") {
set $filename $1;
}
add_header Content-Disposition "attachment; filename=$filename";
}
[/code]
As you can see from the example we are extracting the filename from the request uri and setting the appropriate header.